diff options
Diffstat (limited to 'docs/manual/ssl')
| -rw-r--r-- | docs/manual/ssl/ssl_compat.html.en | 6 | ||||
| -rw-r--r-- | docs/manual/ssl/ssl_faq.html.en | 320 | ||||
| -rw-r--r-- | docs/manual/ssl/ssl_howto.html.en | 26 | ||||
| -rw-r--r-- | docs/manual/ssl/ssl_intro.html.en | 72 | ||||
| -rw-r--r-- | docs/manual/ssl/ssl_intro.xml.ja | 2 |
5 files changed, 213 insertions, 213 deletions
diff --git a/docs/manual/ssl/ssl_compat.html.en b/docs/manual/ssl/ssl_compat.html.en index c2efd1b09f..1594971f93 100644 --- a/docs/manual/ssl/ssl_compat.html.en +++ b/docs/manual/ssl/ssl_compat.html.en @@ -69,9 +69,9 @@ doesn't provide.</p> <tr class="odd"><td><code>SSLDisable</code></td><td><code>SSLEngine off</code></td><td>compactified</td></tr> <tr><td><code>SSLLogFile</code> <em>file</em></td><td><code>SSLLog</code> <em>file</em></td><td>compactified</td></tr> <tr class="odd"><td><code>SSLRequiredCiphers</code> <em>spec</em></td><td><code>SSLCipherSuite</code> <em>spec</em></td><td>renamed</td></tr> -<tr><td><code>SSLRequireCipher</code> <em>c1</em> ...</td><td><code>SSLRequire %{SSL_CIPHER} in {"</code><em>c1</em><code>", +<tr><td><code>SSLRequireCipher</code> <em>c1</em> ...</td><td><code>SSLRequire %{SSL_CIPHER} in {"</code><em>c1</em><code>", ...}</code></td><td>generalized</td></tr> -<tr class="odd"><td><code>SSLBanCipher</code> <em>c1</em> ...</td><td><code>SSLRequire not (%{SSL_CIPHER} in {"</code><em>c1</em><code>", +<tr class="odd"><td><code>SSLBanCipher</code> <em>c1</em> ...</td><td><code>SSLRequire not (%{SSL_CIPHER} in {"</code><em>c1</em><code>", ...})</code></td><td>generalized</td></tr> <tr><td><code>SSLFakeBasicAuth</code></td><td><code>SSLOptions +FakeBasicAuth</code></td><td>merged</td></tr> <tr class="odd"><td><code>SSLCacheServerPath</code> <em>dir</em></td><td>-</td><td>functionality removed</td></tr> @@ -115,7 +115,7 @@ doesn't provide.</p> </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="section"> -<h2><a name="variables" id="variables">Environment Variables</a></h2> +<h2><a name="variables" id="variables">Environment Variables</a></h2> <p>The mapping between environment variable names used by the older SSL solutions and the names used by mod_ssl is given in <a href="#table2">Table 2</a>.</p> diff --git a/docs/manual/ssl/ssl_faq.html.en b/docs/manual/ssl/ssl_faq.html.en index 4cfc73a947..62b34cb815 100644 --- a/docs/manual/ssl/ssl_faq.html.en +++ b/docs/manual/ssl/ssl_faq.html.en @@ -39,13 +39,13 @@ he poses the right questions.</p> <div class="section"> <h2><a name="installation" id="installation">Installation</a></h2> <ul> -<li><a href="#mutex">Why do I get permission errors related to +<li><a href="#mutex">Why do I get permission errors related to SSLMutex when I start Apache?</a></li> -<li><a href="#entropy">Why does mod_ssl stop with the error "Failed to +<li><a href="#entropy">Why does mod_ssl stop with the error "Failed to generate temporary 512 bit RSA private key" when I start Apache?</a></li> </ul> -<h3><a name="mutex" id="mutex">Why do I get permission errors related to +<h3><a name="mutex" id="mutex">Why do I get permission errors related to SSLMutex when I start Apache?</a></h3> <p>Errors such as ``<code>mod_ssl: Child could not open SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows) @@ -58,7 +58,7 @@ generate temporary 512 bit RSA private key" when I start Apache?</a></li> <h3><a name="entropy" id="entropy">Why does mod_ssl stop with the error - "Failed to generate temporary 512 bit RSA private key" when I start + "Failed to generate temporary 512 bit RSA private key" when I start Apache?</a></h3> <p>Cryptographic software needs a source of unpredictable data to work correctly. Many open source operating systems provide @@ -69,38 +69,38 @@ generate temporary 512 bit RSA private key" when I start Apache?</a></li> encryption. As of version 0.9.5, the OpenSSL functions that need randomness report an error if the PRNG has not been seeded with at least 128 bits of randomness.</p> - <p>To prevent this error, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> has to provide - enough entropy to the PRNG to allow it to work correctly. This can - be done via the <code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code> + <p>To prevent this error, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> has to provide + enough entropy to the PRNG to allow it to work correctly. This can + be done via the <code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code> directive.</p> </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="section"> <h2><a name="aboutconfig" id="aboutconfig">Configuration</a></h2> <ul> -<li><a href="#parallel">Is it possible to provide HTTP and HTTPS from +<li><a href="#parallel">Is it possible to provide HTTP and HTTPS from the same server?</a></li> <li><a href="#ports">Which port does HTTPS use?</a></li> -<li><a href="#httpstest">How do I speak HTTPS manually for testing +<li><a href="#httpstest">How do I speak HTTPS manually for testing purposes?</a></li> -<li><a href="#hang">Why does the connection hang when I connect to my +<li><a href="#hang">Why does the connection hang when I connect to my SSL-aware Apache server?</a></li> -<li><a href="#refused">Why do I get ``Connection Refused'' errors, when +<li><a href="#refused">Why do I get ``Connection Refused'' errors, when trying to access my newly installed Apache+mod_ssl server via HTTPS?</a></li> <li><a href="#envvars">Why are the <code>SSL_XXX</code> variables not available to my CGI & SSI scripts?</a></li> -<li><a href="#relative">How can I switch between HTTP and HTTPS in +<li><a href="#relative">How can I switch between HTTP and HTTPS in relative hyperlinks?</a></li> </ul> -<h3><a name="parallel" id="parallel">Is it possible to provide HTTP and HTTPS +<h3><a name="parallel" id="parallel">Is it possible to provide HTTP and HTTPS from the same server?</a></h3> - <p>Yes. HTTP and HTTPS use different server ports (HTTP binds to - port 80, HTTPS to port 443), so there is no direct conflict between - them. You can either run two separate server instances bound to - these ports, or use Apache's elegant virtual hosting facility to - create two virtual servers, both served by the same instance of Apache - - one responding over HTTP to requests on port 80, and the other + <p>Yes. HTTP and HTTPS use different server ports (HTTP binds to + port 80, HTTPS to port 443), so there is no direct conflict between + them. You can either run two separate server instances bound to + these ports, or use Apache's elegant virtual hosting facility to + create two virtual servers, both served by the same instance of Apache + - one responding over HTTP to requests on port 80, and the other responding over HTTPS to requests on port 443.</p> @@ -114,15 +114,15 @@ relative hyperlinks?</a></li> <h3><a name="httpstest" id="httpstest">How do I speak HTTPS manually for testing purposes?</a></h3> <p>While you usually just use</p> - + <div class="example"><p><code>$ telnet localhost 80<br /> GET / HTTP/1.0</code></p></div> <p>for simple testing of Apache via HTTP, it's not so easy for HTTPS because of the SSL protocol between TCP and HTTP. With the - help of OpenSSL's <code>s_client</code> command, however, you can + help of OpenSSL's <code>s_client</code> command, however, you can do a similar check via HTTPS:</p> - + <div class="example"><p><code>$ openssl s_client -connect localhost:443 -state -debug<br /> GET / HTTP/1.0</code></p></div> @@ -139,7 +139,7 @@ relative hyperlinks?</a></li> $ curl https://localhost/</code></p></div> -<h3><a name="hang" id="hang">Why does the connection hang when I connect +<h3><a name="hang" id="hang">Why does the connection hang when I connect to my SSL-aware Apache server?</a></h3> <p>This can happen when you try to connect to a HTTPS server (or virtual @@ -150,28 +150,28 @@ relative hyperlinks?</a></li> or which supports it on a non-standard port). Make sure that you're connecting to a (virtual) server that supports SSL.</p> -<h3><a name="refused" id="refused">Why do I get ``Connection Refused'' messages, +<h3><a name="refused" id="refused">Why do I get ``Connection Refused'' messages, when trying to access my newly installed Apache+mod_ssl server via HTTPS?</a></h3> <p> This error can be caused by an incorrect configuration. - Please make sure that your <code class="directive"><a href="../mod/mpm_common.html#listen">Listen</a></code> directives match your + Please make sure that your <code class="directive"><a href="../mod/mpm_common.html#listen">Listen</a></code> directives match your <code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code> - directives. If all else fails, please start afresh, using the default + directives. If all else fails, please start afresh, using the default configuration provided by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.</p> -<h3><a name="envvars" id="envvars">Why are the <code>SSL_XXX</code> variables +<h3><a name="envvars" id="envvars">Why are the <code>SSL_XXX</code> variables not available to my CGI & SSI scripts?</a></h3> <p>Please make sure you have ``<code>SSLOptions +StdEnvVars</code>'' enabled for the context of your CGI/SSI requests.</p> -<h3><a name="relative" id="relative">How can I switch between HTTP and HTTPS in relative +<h3><a name="relative" id="relative">How can I switch between HTTP and HTTPS in relative hyperlinks?</a></h3> -<p>Usually, to switch between HTTP and HTTPS, you have to use - fully-qualified hyperlinks (because you have to change the URL - scheme). Using <code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code> however, you can +<p>Usually, to switch between HTTP and HTTPS, you have to use + fully-qualified hyperlinks (because you have to change the URL + scheme). Using <code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code> however, you can manipulate relative hyperlinks, to achieve the same effect.</p> <div class="example"><p><code> RewriteEngine on<br /> @@ -187,24 +187,24 @@ relative hyperlinks?</a></li> <div class="section"> <h2><a name="aboutcerts" id="aboutcerts">Certificates</a></h2> <ul> -<li><a href="#keyscerts">What are RSA Private Keys, CSRs and +<li><a href="#keyscerts">What are RSA Private Keys, CSRs and Certificates?</a></li> <li><a href="#startup">Is there a difference on startup between a non-SSL-aware Apache and an SSL-aware Apache?</a></li> -<li><a href="#selfcert">How do I create a self-signed SSL +<li><a href="#selfcert">How do I create a self-signed SSL Certificate for testing purposes?</a></li> <li><a href="#realcert">How do I create a real SSL Certificate?</a></li> -<li><a href="#ownca">How do I create and use my own Certificate +<li><a href="#ownca">How do I create and use my own Certificate Authority (CA)?</a></li> -<li><a href="#passphrase">How can I change the pass-phrase on my private +<li><a href="#passphrase">How can I change the pass-phrase on my private key file?</a></li> -<li><a href="#removepassphrase">How can I get rid of the pass-phrase +<li><a href="#removepassphrase">How can I get rid of the pass-phrase dialog at Apache startup time?</a></li> -<li><a href="#verify">How do I verify that a private key matches its +<li><a href="#verify">How do I verify that a private key matches its Certificate?</a></li> -<li><a href="#badcert">Why do connections fail with an "alert bad +<li><a href="#badcert">Why do connections fail with an "alert bad certificate" error?</a></li> -<li><a href="#pemder">How can I convert a certificate from PEM to DER +<li><a href="#pemder">How can I convert a certificate from PEM to DER format?</a></li> <li><a href="#gid">Why do browsers complain that they cannot verify my Verisign Global ID server certificate?</a></li> @@ -217,7 +217,7 @@ verify my Verisign Global ID server certificate?</a></li> you.</p> <p>A Certificate Signing Request (CSR) is a digital file which contains your public key and your name. You send the CSR to a Certifying Authority - (CA), who will convert it into a real Certificate, by signing it.</p> + (CA), who will convert it into a real Certificate, by signing it.</p> <p>A Certificate contains your RSA public key, your name, the name of the CA, and is digitally signed by the CA. Browsers that know the CA can verify the signature on that @@ -227,23 +227,23 @@ verify my Verisign Global ID server certificate?</a></li> description of the SSL protocol.</p> -<h3><a name="startup" id="startup">Is there a difference on startup between +<h3><a name="startup" id="startup">Is there a difference on startup between a non-SSL-aware Apache and an SSL-aware Apache?</a></h3> -<p>Yes. In general, starting Apache with - <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> built-in is just like starting Apache - without it. However, if you have a passphrase on your SSL private - key file, a startup dialog will pop up which asks you to enter the +<p>Yes. In general, starting Apache with + <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> built-in is just like starting Apache + without it. However, if you have a passphrase on your SSL private + key file, a startup dialog will pop up which asks you to enter the pass phrase.</p> - - <p>Having to manually enter the passphrase when starting the server - can be problematic - for example, when starting the server from the + + <p>Having to manually enter the passphrase when starting the server + can be problematic - for example, when starting the server from the system boot scripts. In this case, you can follow the steps <a href="#removepassphrase">below</a> to remove the passphrase from your private key. Bear in mind that doing so brings additional security risks - proceed with caution!</p> -<h3><a name="selfcert" id="selfcert">How do I create a self-signed SSL +<h3><a name="selfcert" id="selfcert">How do I create a self-signed SSL Certificate for testing purposes?</a></h3> <ol> <li>Make sure OpenSSL is installed and in your <code>PATH</code>.<br /> @@ -251,23 +251,23 @@ Certificate for testing purposes?</a></h3> </li> <li>Run the following command, to create <code>server.key</code> and <code>server.crt</code> files:<br /> - <code><strong>$ openssl req -new -x509 -nodes -out server.crt + <code><strong>$ openssl req -new -x509 -nodes -out server.crt -keyout server.key</strong></code><br /> - These can be used as follows in your <code>httpd.conf</code> + These can be used as follows in your <code>httpd.conf</code> file: <pre> SSLCertificateFile /path/to/this/server.crt SSLCertificateKeyFile /path/to/this/server.key </pre> </li> - <li>It is important that you are aware that this + <li>It is important that you are aware that this <code>server.key</code> does <em>not</em> have any passphrase. - To add a passphrase to the key, you should run the following + To add a passphrase to the key, you should run the following command, and enter & verify the passphrase as requested.<br /> - <p><code><strong>$ openssl rsa -des3 -in server.key -out + <p><code><strong>$ openssl rsa -des3 -in server.key -out server.key.new</strong></code><br /> <code><strong>$ mv server.key.new server.key</strong></code><br /></p> - Please backup the <code>server.key</code> file, and the passphrase + Please backup the <code>server.key</code> file, and the passphrase you entered, in a secure location. </li> </ol> @@ -292,7 +292,7 @@ Certificate for testing purposes?</a></h3> <br /> <code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br /> <br /> - If necessary, you can also create a decrypted PEM version (not + If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with:<br /> <br /> <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br /> @@ -315,18 +315,18 @@ Certificate for testing purposes?</a></h3> <br /> </li> <li>You now have to send this Certificate Signing Request (CSR) to - a Certifying Authority (CA) to be signed. Once the CSR has been + a Certifying Authority (CA) to be signed. Once the CSR has been signed, you will have a real Certificate, which can be used by - Apache. You can have a CSR signed by a commercial CA, or you can + Apache. You can have a CSR signed by a commercial CA, or you can create your own CA to sign it.<br /> - Commercial CAs usually ask you to post the CSR into a web form, - pay for the signing, and then send a signed Certificate, which + Commercial CAs usually ask you to post the CSR into a web form, + pay for the signing, and then send a signed Certificate, which you can store in a server.crt file.<br /> For details on how to create your own CA, and use this to sign a CSR, see <a href="#ownca">below</a>.<br /> - - Once your CSR has been signed, you can see the details of the + + Once your CSR has been signed, you can see the details of the Certificate as follows:<br /> <br /> <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br /> @@ -347,10 +347,10 @@ Certificate for testing purposes?</a></h3> <h3><a name="ownca" id="ownca">How do I create and use my own Certificate Authority (CA)?</a></h3> <p>The short answer is to use the <code>CA.sh</code> or <code>CA.pl</code> - script provided by OpenSSL. Unless you have a good reason not to, + script provided by OpenSSL. Unless you have a good reason not to, you should use these for preference. If you cannot, you can create a self-signed Certificate as follows:</p> - + <ol> <li>Create a RSA private key for your server (will be Triple-DES encrypted and PEM formatted):<br /> @@ -359,11 +359,11 @@ Certificate for testing purposes?</a></h3> <br /> Please backup this <code>host.key</code> file and the pass-phrase you entered in a secure location. - You can see the details of this RSA private key by using the + You can see the details of this RSA private key by using the command:<br /> <code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br /> <br /> - If necessary, you can also create a decrypted PEM version (not + If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with:<br /> <br /> <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br /> @@ -372,7 +372,7 @@ Certificate for testing purposes?</a></h3> <li>Create a self-signed Certificate (X509 structure) with the RSA key you just created (output will be PEM formatted):<br /> <br /> - <code><strong>$ openssl req -new -x509 -nodes -sha1 -days 365 + <code><strong>$ openssl req -new -x509 -nodes -sha1 -days 365 -key server.key -out server.crt</strong></code><br /> <br /> This signs the server CSR and results in a <code>server.crt</code> file.<br /> @@ -389,14 +389,14 @@ Certificate for testing purposes?</a></h3> specifying the new pass-phrase. You can accomplish this with the following commands:</p> - + <p><code><strong>$ openssl rsa -des3 -in server.key -out server.key.new</strong></code><br /> <code><strong>$ mv server.key.new server.key</strong></code><br /></p> - + <p>The first time you're asked for a PEM pass-phrase, you should - enter the old pass-phrase. After that, you'll be asked again to + enter the old pass-phrase. After that, you'll be asked again to enter a pass-phrase - this time, use the new pass-phrase. If you - are asked to verify the pass-phrase, you'll need to enter the new + are asked to verify the pass-phrase, you'll need to enter the new pass-phrase a second time.</p> @@ -404,7 +404,7 @@ Certificate for testing purposes?</a></h3> <p>The reason this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to decrypt - this file, so it can be read and parsed. Removing the pass-phrase + this file, so it can be read and parsed. Removing the pass-phrase removes a layer of security from your server - proceed with caution!</p> <ol> <li>Remove the encryption from the RSA private key (while @@ -429,7 +429,7 @@ Certificate for testing purposes?</a></h3> file are such that only root or the web server user can read it (preferably get your web server to start as root but run as another user, and have the key readable only by root).</p> - + <p>As an alternative approach you can use the ``<code>SSLPassPhraseDialog exec:/path/to/program</code>'' facility. Bear in mind that this is neither more nor less secure, of course.</p> @@ -441,28 +441,28 @@ Certificate for testing purposes?</a></h3> key" bits are included when you generate a CSR, and subsequently form part of the associated Certificate.</p> <p>To check that the public key in your Certificate matches the public - portion of your private key, you simply need to compare these numbers. + portion of your private key, you simply need to compare these numbers. To view the Certificate and the key run the commands:</p> - + <p><code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br /> <code><strong>$ openssl rsa -noout -text -in server.key</strong></code></p> - + <p>The `modulus' and the `public exponent' portions in the key and the Certificate must match. As the public exponent is usually 65537 and it's difficult to visually check that the long modulus numbers are the same, you can use the following approach:</p> - + <p><code><strong>$ openssl x509 -noout -modulus -in server.crt | openssl md5</strong></code><br /> <code><strong>$ openssl rsa -noout -modulus -in server.key | openssl md5</strong></code></p> - + <p>This leaves you with two rather shorter numbers to compare. It is, - in theory, possible that these numbers may be the same, without the - modulus numbers being the same, but the chances of this are + in theory, possible that these numbers may be the same, without the + modulus numbers being the same, but the chances of this are overwhelmingly remote.</p> - <p>Should you wish to check to which key or certificate a particular - CSR belongs you can perform the same calculation on the CSR as + <p>Should you wish to check to which key or certificate a particular + CSR belongs you can perform the same calculation on the CSR as follows:</p> - + <p><code><strong>$ openssl req -noout -modulus -in server.csr | openssl md5</strong></code></p> @@ -475,22 +475,22 @@ Certificate for testing purposes?</a></h3> <code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code></p> -<h3><a name="gid" id="gid">Why do browsers complain that they cannot +<h3><a name="gid" id="gid">Why do browsers complain that they cannot verify my Verisign Global ID server certificate?</a></h3> -<p>Verisign uses an intermediate CA certificate between the root CA - certificate (which is installed in the browsers) and the server - certificate (which you installed on the server). You should have +<p>Verisign uses an intermediate CA certificate between the root CA + certificate (which is installed in the browsers) and the server + certificate (which you installed on the server). You should have received this additional CA certificate from Verisign. If not, complain to them. Then, configure this certificate with the - <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatechainfile">SSLCertificateChainFile</a></code> - directive. This ensures that the intermediate CA certificate is + <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatechainfile">SSLCertificateChainFile</a></code> + directive. This ensures that the intermediate CA certificate is sent to the browser, filling the gap in the certificate chain.</p> </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="section"> <h2><a name="aboutssl" id="aboutssl">The SSL Protocol</a></h2> <ul> -<li><a href="#random">Why do I get lots of random SSL protocol +<li><a href="#random">Why do I get lots of random SSL protocol errors under heavy server load?</a></li> <li><a href="#load">Why does my webserver have a higher load, now that it serves SSL encrypted traffic?</a></li> @@ -501,7 +501,7 @@ sometimes take up to 30 seconds to establish a connection?</a></li> trying to use Anonymous Diffie-Hellman (ADH) ciphers?</a></li> <li><a href="#sharedciphers">Why do I get a 'no shared ciphers' error when connecting to my newly installed server?</a></li> -<li><a href="#vhosts">Why can't I use SSL with name-based/non-IP-based +<li><a href="#vhosts">Why can't I use SSL with name-based/non-IP-based virtual hosts?</a></li> <li><a href="#vhosts2">Is it possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?</a></li> @@ -510,11 +510,11 @@ Hosting to identify different SSL virtual hosts?</a></li> the lock icon in Netscape browsers stays unlocked when the dialog pops up. Does this mean the username/password is being sent unencrypted?</a></li> <li><a href="#msie">Why do I get I/O errors when connecting via -HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer +HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer (MSIE)?</a></li> </ul> -<h3><a name="random" id="random">Why do I get lots of random SSL protocol +<h3><a name="random" id="random">Why do I get lots of random SSL protocol errors under heavy server load?</a></h3> <p>There can be a number of reasons for this, but the main one is problems with the SSL session Cache specified by the @@ -523,7 +523,7 @@ errors under heavy server load?</a></h3> no cache at all) may help.</p> -<h3><a name="load" id="load">Why does my webserver have a higher load, now +<h3><a name="load" id="load">Why does my webserver have a higher load, now that it serves SSL encrypted traffic?</a></h3> <p>SSL uses strong cryptographic encryption, which necessitates a lot of number crunching. When you request a webpage via HTTPS, everything (even @@ -531,62 +531,62 @@ that it serves SSL encrypted traffic?</a></h3> traffic leads to load increases.</p> -<h3><a name="establishing" id="establishing">Why do HTTPS connections to my server +<h3><a name="establishing" id="establishing">Why do HTTPS connections to my server sometimes take up to 30 seconds to establish a connection?</a></h3> <p>This is usually caused by a <code>/dev/random</code> device for - <code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code> which blocks the - read(2) call until enough entropy is available to service the + <code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code> which blocks the + read(2) call until enough entropy is available to service the request. More information is available in the reference manual for the <code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code> directive.</p> <h3><a name="ciphers" id="ciphers">What SSL Ciphers are supported by mod_ssl?</a></h3> -<p>Usually, any SSL ciphers supported by the version of OpenSSL in use, - are also supported by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>. Which ciphers are - available can depend on the way you built OpenSSL. Typically, at +<p>Usually, any SSL ciphers supported by the version of OpenSSL in use, + are also supported by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>. Which ciphers are + available can depend on the way you built OpenSSL. Typically, at least the following ciphers are supported:</p> - + <ol> <li>RC4 with SHA1</li> <li>AES with SHA1</li> <li>Triple-DES with SHA1</li> </ol> - - <p>To determine the actual list of ciphers available, you should run + + <p>To determine the actual list of ciphers available, you should run the following:</p> <div class="example"><p><code>$ openssl ciphers -v</code></p></div> -<h3><a name="adh" id="adh">Why do I get ``no shared cipher'' errors, when +<h3><a name="adh" id="adh">Why do I get ``no shared cipher'' errors, when trying to use Anonymous Diffie-Hellman (ADH) ciphers?</a></h3> <p>By default, OpenSSL does <em>not</em> allow ADH ciphers, for security - reasons. Please be sure you are aware of the potential side-effects + reasons. Please be sure you are aware of the potential side-effects if you choose to enable these ciphers.</p> - <p>In order to use Anonymous Diffie-Hellman (ADH) ciphers, you must + <p>In order to use Anonymous Diffie-Hellman (ADH) ciphers, you must build OpenSSL with ``<code>-DSSL_ALLOW_ADH</code>'', and then add ``<code>ADH</code>'' into your <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code>.</p> -<h3><a name="sharedciphers" id="sharedciphers">Why do I get a 'no shared ciphers' +<h3><a name="sharedciphers" id="sharedciphers">Why do I get a 'no shared ciphers' error when connecting to my newly installed server?</a></h3> -<p>Either you have made a mistake with your +<p>Either you have made a mistake with your <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code> directive (compare it with the pre-configured example in <code>extra/httpd-ssl.conf</code>) or you chose to use DSA/DH algorithms instead of RSA when you generated your private key and ignored or overlooked the warnings. If you have chosen - DSA/DH, then your server cannot communicate using RSA-based SSL + DSA/DH, then your server cannot communicate using RSA-based SSL ciphers (at least until you configure an additional RSA-based - certificate/key pair). Modern browsers like NS or IE can only - communicate over SSL using RSA ciphers. The result is the - "no shared ciphers" error. To fix this, regenerate your server + certificate/key pair). Modern browsers like NS or IE can only + communicate over SSL using RSA ciphers. The result is the + "no shared ciphers" error. To fix this, regenerate your server certificate/key pair, using the RSA algorithm.</p> <h3><a name="vhosts" id="vhosts">Why can't I use SSL with name-based/non-IP-based virtual hosts?</a></h3> -<p>The reason is very technical, and a somewhat "chicken and egg" problem. - The SSL protocol layer stays below the HTTP protocol layer and +<p>The reason is very technical, and a somewhat "chicken and egg" problem. + The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established Apache/mod_ssl has to negotiate the SSL protocol parameters with the client. For this, mod_ssl has to consult the configuration of the virtual @@ -594,7 +594,7 @@ error when connecting to my newly installed server?</a></h3> certificate, etc.). But in order to go to the correct virtual server Apache has to know the <code>Host</code> HTTP header field. To do this, the HTTP request header has to be read. This cannot be done before the SSL - handshake is finished, but the information is needed in order to + handshake is finished, but the information is needed in order to complete the SSL handshake phase. See the next question for how to circumvent this issue.</p> @@ -613,12 +613,12 @@ Virtual Hosting to identify different SSL virtual hosts?</a></h3> specification added, called Server Name Indication (SNI).</p> <p>The reason is that the SSL protocol is a separate layer which - encapsulates the HTTP protocol. So the SSL session is a separate - transaction, that takes place before the HTTP session has begun. - The server receives an SSL request on IP address X and port Y - (usually 443). Since the SSL request did not contain any Host: + encapsulates the HTTP protocol. So the SSL session is a separate + transaction, that takes place before the HTTP session has begun. + The server receives an SSL request on IP address X and port Y + (usually 443). Since the SSL request did not contain any Host: field, the server had no way to decide which SSL virtual host to use. - Usually, it just used the first one it found which matched the + Usually, it just used the first one it found which matched the port and IP address specified.</p> <p>If you are using a version of the web server and OpenSSL that @@ -627,19 +627,19 @@ Virtual Hosting to identify different SSL virtual hosts?</a></h3> web server can select the correct SSL virtual host.</p> <p>You can, of course, use Name-Based Virtual Hosting to identify many - non-SSL virtual hosts (all on port 80, for example) and then + non-SSL virtual hosts (all on port 80, for example) and then have a single SSL virtual host (on port 443). But if you do this, you must make sure to put the non-SSL port number on the NameVirtualHost - directive, e.g.</p> + directive, e.g.</p> <div class="example"><p><code> NameVirtualHost 192.168.1.1:80 </code></p></div> - + <p>Other workaround solutions include: </p> - <p>Using separate IP addresses for different SSL hosts. - Using different port numbers for different SSL hosts.</p> + <p>Using separate IP addresses for different SSL hosts. + Using different port numbers for different SSL hosts.</p> <h3><a name="comp" id="comp">How do I get SSL compression working?</a></h3> @@ -653,50 +653,50 @@ it will be used. However, most clients still try to initially connect with an SSLv2 Hello. As SSLv2 did not include an array of prefered compression algorithms in its handshake, compression cannot be negotiated with these clients. If the client disables support for SSLv2, either an SSLv3 or TLS Hello -may be sent, depending on which SSL library is used, and compression may -be set up. You can verify whether clients make use of SSL compression by +may be sent, depending on which SSL library is used, and compression may +be set up. You can verify whether clients make use of SSL compression by logging the <code>%{SSL_COMPRESS_METHOD}x</code> variable. </p> -<h3><a name="lockicon" id="lockicon">When I use Basic Authentication over HTTPS -the lock icon in Netscape browsers stays unlocked when the dialog pops up. +<h3><a name="lockicon" id="lockicon">When I use Basic Authentication over HTTPS +the lock icon in Netscape browsers stays unlocked when the dialog pops up. Does this mean the username/password is being sent unencrypted?</a></h3> <p>No, the username/password is transmitted encrypted. The icon in Netscape browsers is not actually synchronized with the SSL/TLS layer. - It only toggles to the locked state when the first part of the actual - webpage data is transferred, which may confuse people. The Basic - Authentication facility is part of the HTTP layer, which is above - the SSL/TLS layer in HTTPS. Before any HTTP data communication takes - place in HTTPS, the SSL/TLS layer has already completed its handshake + It only toggles to the locked state when the first part of the actual + webpage data is transferred, which may confuse people. The Basic + Authentication facility is part of the HTTP layer, which is above + the SSL/TLS layer in HTTPS. Before any HTTP data communication takes + place in HTTPS, the SSL/TLS layer has already completed its handshake phase, and switched to encrypted communication. So don't be confused by this icon.</p> -<h3><a name="msie" id="msie">Why do I get I/O errors when connecting via +<h3><a name="msie" id="msie">Why do I get I/O errors when connecting via HTTPS to an Apache+mod_ssl server with older versions of Microsoft Internet Explorer (MSIE)?</a></h3> <p>The first reason is that the SSL implementation in some MSIE versions has some subtle bugs related to the HTTP keep-alive facility and the SSL close notify alerts on socket connection close. Additionally the interaction - between SSL and HTTP/1.1 features are problematic in some MSIE versions. - You can work around these problems by forcing Apache not to use HTTP/1.1, - keep-alive connections or send the SSL close notify messages to MSIE clients. - This can be done by using the following directive in your SSL-aware + between SSL and HTTP/1.1 features are problematic in some MSIE versions. + You can work around these problems by forcing Apache not to use HTTP/1.1, + keep-alive connections or send the SSL close notify messages to MSIE clients. + This can be done by using the following directive in your SSL-aware virtual host section:</p> <div class="example"><p><code> SetEnvIf User-Agent "MSIE [2-5]" \<br /> nokeepalive ssl-unclean-shutdown \<br /> downgrade-1.0 force-response-1.0 </code></p></div> - <p>Further, some MSIE versions have problems with particular ciphers. - Unfortunately, it is not possible to implement a MSIE-specific - workaround for this, because the ciphers are needed as early as the - SSL handshake phase. So a MSIE-specific - <code class="directive"><a href="../mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> won't solve these + <p>Further, some MSIE versions have problems with particular ciphers. + Unfortunately, it is not possible to implement a MSIE-specific + workaround for this, because the ciphers are needed as early as the + SSL handshake phase. So a MSIE-specific + <code class="directive"><a href="../mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> won't solve these problems. Instead, you will have to make more drastic adjustments to the global parameters. Before you decide to do - this, make sure your clients really have problems. If not, do not + this, make sure your clients really have problems. If not, do not make these changes - they will affect <em>all</em> your clients, MSIE or otherwise.</p> @@ -705,11 +705,11 @@ Explorer (MSIE)?</a></h3> <div class="section"> <h2><a name="support" id="support">mod_ssl Support</a></h2> <ul> -<li><a href="#resources">What information resources are available in +<li><a href="#resources">What information resources are available in case of mod_ssl problems?</a></li> -<li><a href="#contact">What support contacts are available in case of +<li><a href="#contact">What support contacts are available in case of mod_ssl problems?</a></li> -<li><a href="#reportdetails">What information should I +<li><a href="#reportdetails">What information should I provide when writing a bug report?</a></li> <li><a href="#coredumphelp">I had a core dump, can you help me?</a></li> <li><a href="#backtrace">How do I get a backtrace, to help find the reason @@ -731,10 +731,10 @@ for my core dump?</a></li> </dl> -<h3><a name="contact" id="contact">What support contacts are available in case +<h3><a name="contact" id="contact">What support contacts are available in case of mod_ssl problems?</a></h3> <p>The following lists all support possibilities for mod_ssl, in order of - preference. Please go through these possibilities + preference. Please go through these possibilities <em>in this order</em> - don't just pick the one you like the look of. </p> <ol> @@ -772,22 +772,22 @@ provide when writing a bug report?</a></h3> <dt>The details on how you built and installed Apache httpd and OpenSSL</dt> <dd>For this you can provide a logfile of your terminal session which shows - the configuration and install steps. If this is not possible, you + the configuration and install steps. If this is not possible, you should at least provide the <code class="program"><a href="../programs/configure.html">configure</a></code> command line you used. </dd> <dt>In case of core dumps please include a Backtrace</dt> <dd>If your Apache httpd dumps its core, please attach - a stack-frame ``backtrace'' (see <a href="#backtrace">below</a> + a stack-frame ``backtrace'' (see <a href="#backtrace">below</a> for information on how to get this). This information is required in order to find a reason for your core dump. </dd> - + <dt>A detailed description of your problem</dt> - <dd>Don't laugh, we really mean it! Many problem reports don't + <dd>Don't laugh, we really mean it! Many problem reports don't include a description of what the actual problem is. Without this, - it's very difficult for anyone to help you. So, it's in your own - interest (you want the problem be solved, don't you?) to include as + it's very difficult for anyone to help you. So, it's in your own + interest (you want the problem be solved, don't you?) to include as much detail as possible, please. Of course, you should still include all the essentials above too. </dd> @@ -802,7 +802,7 @@ provide when writing a bug report?</a></h3> fixing it.</p> -<h3><a name="backtrace" id="backtrace">How do I get a backtrace, to help find +<h3><a name="backtrace" id="backtrace">How do I get a backtrace, to help find the reason for my core dump?</a></h3> <p>Following are the steps you will need to complete, to get a backtrace:</p> <ol> @@ -816,7 +816,7 @@ the reason for my core dump?</a></h3> want to use a directive like ``<code>CoreDumpDirectory /tmp</code>'' to make sure that the core-dump file can be written. This should result in a <code>/tmp/core</code> or <code>/tmp/httpd.core</code> file. If you - don't get one of these, try running your server under a non-root UID. + don't get one of these, try running your server under a non-root UID. Many modern kernels do not allow a process to dump core after it has done a <code>setuid()</code> (unless it does an <code>exec()</code>) for security reasons (there can be privileged information left over in @@ -825,9 +825,9 @@ the reason for my core dump?</a></h3> </li> <li>Analyze the core-dump. For this, run <code>gdb /path/to/httpd - /tmp/httpd.core</code> or a similar command. In GDB, all you + /tmp/httpd.core</code> or a similar command. In GDB, all you have to do then is to enter <code>bt</code>, and voila, you get the - backtrace. For other debuggers consult your local debugger manual. + backtrace. For other debuggers consult your local debugger manual. </li> </ol> diff --git a/docs/manual/ssl/ssl_howto.html.en b/docs/manual/ssl/ssl_howto.html.en index 733025c455..32c891ed34 100644 --- a/docs/manual/ssl/ssl_howto.html.en +++ b/docs/manual/ssl/ssl_howto.html.en @@ -59,7 +59,7 @@ following directives.</p> <ul> <li><a href="#onlystrong">How can I create an SSL server which accepts strong encryption only?</a></li> -<li><a href="#strongurl">How can I create an SSL server which accepts all types of ciphers in general, but +<li><a href="#strongurl">How can I create an SSL server which accepts all types of ciphers in general, but requires a strong cipher for access to a particular URL?</a></li> </ul> @@ -88,8 +88,8 @@ only?</a></h3> in general, but requires a strong ciphers for access to a particular URL?</a></h3> - <p>Obviously, a server-wide <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code> which restricts - ciphers to the strong variants, isn't the answer here. However, + <p>Obviously, a server-wide <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code> which restricts + ciphers to the strong variants, isn't the answer here. However, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> can be reconfigured within <code>Location</code> blocks, to give a per-directory solution, and can automatically force a renegotiation of the SSL parameters to meet the new configuration. @@ -111,7 +111,7 @@ URL?</a></h3> <ul> <li><a href="#allclients">How can I force clients to authenticate using certificates?</a></li> -<li><a href="#arbitraryclients">How can I force clients to authenticate using certificates for a +<li><a href="#arbitraryclients">How can I force clients to authenticate using certificates for a particular URL, but still allow arbitrary clients to access the rest of the server?</a></li> <li><a href="#certauthenticate">How can I allow only clients who have certificates to access a particular URL, but allow all clients to access the rest of the server?</a></li> @@ -164,14 +164,14 @@ Intranet website, for clients coming from the Internet?</a></li> matches what you expect. Usually this means checking all or part of the Distinguished Name (DN), to see if it contains some known string. There are two ways to do this, using either <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code> or - <code class="directive"><a href="../mod/mod_ssl.html#sslrequire">SSLRequire</a></code>.</p> - + <code class="directive"><a href="../mod/mod_ssl.html#sslrequire">SSLRequire</a></code>.</p> + <p>The <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code> method is generally required when the certificates are completely arbitrary, or when their DNs have no common fields (usually the organisation, etc.). In this case, you should establish a password database containing <em>all</em> clients allowed, as follows:</p> - + <div class="example"><h3>httpd.conf</h3><pre> SSLVerifyClient none <Directory /usr/local/apache2/htdocs/secure/area> @@ -188,11 +188,11 @@ AuthBasicProvider file AuthUserFile /usr/local/apache2/conf/httpd.passwd Require valid-user </Directory></pre></div> - + <p>The password used in this example is the DES encrypted string "password". - See the <code class="directive"><a href="../mod/mod_ssl.html#ssloptions">SSLOptions</a></code> docs for more + See the <code class="directive"><a href="../mod/mod_ssl.html#ssloptions">SSLOptions</a></code> docs for more information.</p> - + <div class="example"><h3>httpd.passwd</h3><pre> /C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA /C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA @@ -222,10 +222,10 @@ authentication or client certificates, for access to part of the Intranet website, for clients coming from the Internet? I still want to allow plain HTTP access for clients on the Intranet.</a></h3> - - <p>These examples presume that clients on the Intranet have IPs in the range + + <p>These examples presume that clients on the Intranet have IPs in the range 192.168.1.0/24, and that the part of the Intranet website you want to allow - internet access to is <code>/usr/local/apache2/htdocs/subarea</code>. + internet access to is <code>/usr/local/apache2/htdocs/subarea</code>. This configuration should remain outside of your HTTPS virtual host, so that it applies to both HTTPS and HTTP.</p> diff --git a/docs/manual/ssl/ssl_intro.html.en b/docs/manual/ssl/ssl_intro.html.en index 08ea378ec8..65bd701aaa 100644 --- a/docs/manual/ssl/ssl_intro.html.en +++ b/docs/manual/ssl/ssl_intro.html.en @@ -37,7 +37,7 @@ with the Web, HTTP, and Apache, but are not security experts. It is not intended to be a definitive guide to the SSL protocol, nor does it discuss specific techniques for managing certificates in an organization, or the important legal issues of patents and import and export restrictions. -Rather, it is intended to provide a common background to <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> users by pulling together various concepts, definitions, +Rather, it is intended to provide a common background to <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> users by pulling together various concepts, definitions, and examples as a starting point for further exploration.</p> <p>The presented content is mainly derived, with the author's permission, @@ -72,7 +72,7 @@ integrity, and authentication.</p> solution is to use a cryptographic algorithm, a technique that would transform her message into an encrypted form, unreadable until it is decrypted. Once in this form, the message can only be - decrypted by using a secret key. Without the key the message is useless: + decrypted by using a secret key. Without the key the message is useless: good cryptographic algorithms make it so difficult for intruders to decode the original text that it isn't worth their effort.</p> @@ -84,11 +84,11 @@ integrity, and authentication.</p> <dt>Conventional cryptography</dt> <dd>also known as symmetric cryptography, requires the sender and receiver to share a key: a secret piece of information that may be - used to encrypt or decrypt a message. As long as this key is kept - secret, nobody other than the sender or recipient can read the message. + used to encrypt or decrypt a message. As long as this key is kept + secret, nobody other than the sender or recipient can read the message. If Alice and the bank know a secret key, then they can send each other private messages. The task of sharing a key between sender and recipient - before communicating, while also keeping it secret from others, can be + before communicating, while also keeping it secret from others, can be problematic.</dd> <dt>Public key cryptography</dt> @@ -113,9 +113,9 @@ integrity, and authentication.</p> is still a concern that someone might modify her original message or substitute it with a different one, in order to transfer the money to themselves, for instance. One way of guaranteeing the integrity - of Alice's message is for her to create a concise summary of her - message and send this to the bank as well. Upon receipt of the message, - the bank creates its own summary and compares it with the one Alice + of Alice's message is for her to create a concise summary of her + message and send this to the bank as well. Upon receipt of the message, + the bank creates its own summary and compares it with the one Alice sent. If the summaries are the same then the message has been received intact.</p> @@ -123,10 +123,10 @@ integrity, and authentication.</p> function</em> or <em>hash function</em>. Message digests are used to create a short, fixed-length representation of a longer, variable-length message. Digest algorithms are designed to produce a unique digest for each - message. Message digests are designed to make it impractically difficult - to determine the message from the digest and (in theory) impossible to - find two different messages which create the same digest -- thus - eliminating the possibility of substituting one message for another while + message. Message digests are designed to make it impractically difficult + to determine the message from the digest and (in theory) impossible to + find two different messages which create the same digest -- thus + eliminating the possibility of substituting one message for another while maintaining the same digest.</p> <p>Another challenge that Alice faces is finding a way to send the digest @@ -134,8 +134,8 @@ integrity, and authentication.</p> be compromised and with it the possibility for the bank to determine the integrity of the original message. Only if the digest is sent securely can the integrity of the associated message be determined.</p> - - <p>One way to send the digest securely is to include it in a digital + + <p>One way to send the digest securely is to include it in a digital signature.</p> @@ -164,7 +164,7 @@ the bank from a fraudulent claim from Alice that she did not send the message <p>Although Alice could have sent a private message to the bank, signed it and ensured the integrity of the message, she still needs to be sure that she is really communicating with the bank. This means that she needs -to be sure that the public key she is using is part of the bank's key-pair, +to be sure that the public key she is using is part of the bank's key-pair, and not an intruder's. Similarly, the bank needs to verify that the message signature really was signed by the private key that belongs to Alice.</p> @@ -250,7 +250,7 @@ certificates are used for authentication.</p> distinguished field names are optional and which are required. It may also place requirements upon the field contents, as may users of certificates. For example, a Netscape browser requires that the - Common Name for a certificate representing a server matches a wildcard + Common Name for a certificate representing a server matches a wildcard pattern for the domain name of that server, such as <code>*.snakeoil.com</code>.</p> @@ -290,9 +290,9 @@ dUHzICxBVC1lnHyYGjDuAMhe396lYAn8bCld1/L4NMGBCQ== <p>By verifying the information in a certificate request before granting the certificate, the Certificate Authority assures - itself of the identity of the private key owner of a key-pair. - For instance, if Alice requests a personal certificate, the - Certificate Authority must first make sure that Alice really is the + itself of the identity of the private key owner of a key-pair. + For instance, if Alice requests a personal certificate, the + Certificate Authority must first make sure that Alice really is the person the certificate request claims she is.</p> <h4><a name="certificatechains" id="certificatechains">Certificate Chains</a></h4> @@ -345,17 +345,17 @@ dUHzICxBVC1lnHyYGjDuAMhe396lYAn8bCld1/L4NMGBCQ== they also manage them -- that is, they determine for how long certificates remain valid, they renew them and keep lists of certificates that were issued in the past but are no longer valid - (Certificate Revocation Lists, or CRLs).</p> + (Certificate Revocation Lists, or CRLs).</p> - <p>For example, if Alice is entitled to a certificate as an + <p>For example, if Alice is entitled to a certificate as an employee of a company but has now left that company, her certificate may need to be revoked. Because certificates are only issued after the subject's identity has - been verified and can then be passed around to all those with whom - the subject may communicate, it is impossible to tell from the - certificate alone that it has been revoked. - Therefore when examining certificates for validity - it is necessary to contact the issuing Certificate Authority to + been verified and can then be passed around to all those with whom + the subject may communicate, it is impossible to tell from the + certificate alone that it has been revoked. + Therefore when examining certificates for validity + it is necessary to contact the issuing Certificate Authority to check CRLs -- this is usually not an automated part of the process.</p> <div class="note"><h3>Note</h3> @@ -417,14 +417,14 @@ establishing a protocol session.</p> </table> -<p>There are a number of versions of the SSL protocol, as shown in +<p>There are a number of versions of the SSL protocol, as shown in <a href="#table4">Table 4</a>. As noted there, one of the benefits in SSL 3.0 is that it adds support of certificate chain loading. This feature allows a server to pass a server certificate along with issuer certificates to the browser. Chain loading also permits the browser to validate the server certificate, even if Certificate Authority certificates are not installed for the intermediate issuers, since they are included in the -certificate chain. SSL 3.0 is the basis for the Transport Layer Security +certificate chain. SSL 3.0 is the basis for the Transport Layer Security [<a href="#TLS1">TLS</a>] protocol standard, currently in development by the Internet Engineering Task Force (IETF).</p> @@ -488,14 +488,14 @@ the Internet Engineering Task Force (IETF).</p> <p>One variable in the choice of key exchange methods is digital signatures -- whether or not to use them, and if so, what kind of - signatures to use. Signing with a private key provides protection + signatures to use. Signing with a private key provides protection against a man-in-the-middle-attack during the information exchange used to generating the shared key [<a href="#AC96">AC96</a>, p516].</p> <h3><a name="ciphertransfer" id="ciphertransfer">Cipher for Data Transfer</a></h3> - <p>SSL uses conventional symmetric cryptography, as described earlier, + <p>SSL uses conventional symmetric cryptography, as described earlier, for encrypting messages in a session. There are nine choices of how to encrypt, including the option not to encrypt:</p> @@ -521,8 +521,8 @@ the Internet Engineering Task Force (IETF).</p> portion of the previously encrypted cipher text is used in the encryption of the current block. "DES" refers to the Data Encryption Standard [<a href="#AC96">AC96</a>, ch12], which has a number of - variants (including DES40 and 3DES_EDE). "Idea" is currently one of - the best and cryptographically strongest algorithms available, + variants (including DES40 and 3DES_EDE). "Idea" is currently one of + the best and cryptographically strongest algorithms available, and "RC2" is a proprietary algorithm from RSA DSI [<a href="#AC96">AC96</a>, ch13].</p> @@ -569,7 +569,7 @@ the Internet Engineering Task Force (IETF).</p> <p>The encapsulation of SSL control protocols by the record protocol means that if an active session is renegotiated the control protocols - will be transmitted securely. If there was no previous session, + will be transmitted securely. If there was no previous session, the Null cipher suite is used, which means there will be no encryption and messages will have no integrity digests, until the session has been established.</p> @@ -596,8 +596,8 @@ the Internet Engineering Task Force (IETF).</p> <p>One common use of SSL is to secure Web HTTP communication between a browser and a webserver. This does not preclude the use of - non-secured HTTP - the secure version (called HTTPS) is the same as - plain HTTP over SSL, but uses the URL scheme <code>https</code> + non-secured HTTP - the secure version (called HTTPS) is the same as + plain HTTP over SSL, but uses the URL scheme <code>https</code> rather than <code>http</code>, and a different server port (by default, port 443). This functionality is a large part of what <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> provides for the Apache webserver.</p> @@ -622,7 +622,7 @@ Framework</q>. See for instance <a href="http://www.itu.int/rec/recommendation.a </dd> <dt><a id="PKCS" name="PKCS">[PKCS]</a></dt> -<dd><q>Public Key Cryptography Standards (PKCS)</q>, +<dd><q>Public Key Cryptography Standards (PKCS)</q>, RSA Laboratories Technical Notes, See <a href="http://www.rsasecurity.com/rsalabs/pkcs/">http://www.rsasecurity.com/rsalabs/pkcs/</a>.</dd> <dt><a id="MIME" name="MIME">[MIME]</a></dt> diff --git a/docs/manual/ssl/ssl_intro.xml.ja b/docs/manual/ssl/ssl_intro.xml.ja index e25672da08..fd6d1756e5 100644 --- a/docs/manual/ssl/ssl_intro.xml.ja +++ b/docs/manual/ssl/ssl_intro.xml.ja @@ -1,7 +1,7 @@ <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd"> <?xml-stylesheet type="text/xsl" href="../style/manual.ja.xsl"?> -<!-- English Revision: 659902:713605 (outdated) --> +<!-- English Revision: 659902:1174747 (outdated) --> <!-- Licensed to the Apache Software Foundation (ASF) under one or more |