
Begin adding the SSL doc to the httpd-2.0 tree. Start with the html files.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91752 13f79535-47bb-0310-9956-ffa450edef68
Bill Stoddard
2001-11-05 17:42:41 +00:00
parent 507ac1590a
commit e3fbbd9e2d
9 changed files with 7916 additions and 0 deletions

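--- /dev/null
+++ b/docs/manual/ssl/index.html
@@ -0,0 +1,223 @@
+<html>
+<head>
+<title>mod_ssl: Title Page</title>
+<!--
+Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above
+copyright notice, this list of conditions and the following
+disclaimer.
+2. Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following
+disclaimer in the documentation and/or other materials
+provided with the distribution.
+3. All advertising materials mentioning features or use of this
+software must display the following acknowledgment:
+"This product includes software developed by
+Ralf S. Engelschall <rse@engelschall.com> for use in the
+mod_ssl project (http://www.modssl.org/)."
+4. The name "mod_ssl" must not be used to endorse or promote
+products derived from this software without prior written
+permission.
+5. Redistributions of any form whatsoever must retain the
+following acknowledgment:
+"This product includes software developed by
+Ralf S. Engelschall <rse@engelschall.com> for use in the
+mod_ssl project (http://www.modssl.org/)."
+THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
+EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR
+HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+OF THE POSSIBILITY OF SUCH DAMAGE.
+-->
+<style type="text/css"><!--
+A:link {
+text-decoration: none;
+color: #6666cc;
+}
+A:active {
+text-decoration: none;
+color: #6666cc;
+}
+A:visited {
+text-decoration: none;
+color: #6666cc;
+}
+#sf {
+font-family: arial,helvetica;
+font-variant: normal;
+font-style: normal;
+}
+H1 {
+font-weight: bold;
+font-size: 24pt;
+line-height: 24pt;
+font-family: arial,helvetica;
+font-variant: normal;
+font-style: normal;
+}
+H2 {
+font-weight: bold;
+font-size: 18pt;
+line-height: 18pt;
+font-family: arial,helvetica;
+font-variant: normal;
+font-style: normal;
+}
+H3 {
+font-weight: bold;
+font-size: 14pt;
+line-height: 14pt;
+font-family: arial,helvetica;
+font-variant: normal;
+font-style: normal;
+}
+H4 {
+font-weight: bold;
+font-size: 12pt;
+line-height: 12pt;
+font-family: arial,helvetica;
+font-variant: normal;
+font-style: normal;
+}
+#H {
+}
+#D {
+background-color: #f0f0f0;
+}
+#faq {
+font-weight: bold;
+font-size: 16pt;
+line-height: 16pt;
+font-family: arial,helvetica;
+font-variant: normal;
+font-style: normal;
+}
+#howto {
+font-weight: bold;
+font-size: 16pt;
+line-height: 16pt;
+font-family: arial,helvetica;
+font-variant: normal;
+font-style: normal;
+}
+#term {
+font-weight: bold;
+font-size: 16pt;
+line-height: 16pt;
+font-family: arial,helvetica;
+font-variant: normal;
+font-style: normal;
+}
+--></style>
+<script type="text/javascript" language="JavaScript">
+<!-- Hiding the code
+function ro_imgNormal(imgName) {
+if (document.images) {
+document[imgName].src = eval(imgName + '_n.src');
+self.status = '';
+}
+}
+function ro_imgOver(imgName, descript) {
+if (document.images) {
+document[imgName].src = eval(imgName + '_o.src');
+self.status = descript;
+}
+}
+// done hiding -->
+</script>
+<script type="text/javascript" language="JavaScript">
+<!-- Hiding the code
+if (document.images) {
+ro_img_unknown1_n = new Image();
+ro_img_unknown1_n.src = 'ssl_template.navbut-next-n.gif';
+ro_img_unknown1_o = new Image();
+ro_img_unknown1_o.src = 'ssl_template.navbut-next-s.gif';
+}
+// done hiding -->
+</script>
+</head>
+<body bgcolor="#ffffff" text="#000000" link="#333399" alink="#9999ff" vlink="#000066">
+<div align="center">
+<table width="600" cellspacing="0" cellpadding="0" border="0" summary="">
+<tr>
+<td>
+<br>
+<table cellspacing="0" cellpadding="0" border="0" summary="">
+<tr>
+<td>
+<table cellspacing="0" cellpadding="0" border="0" summary="">
+<tr>
+<td>
+<img
+src="ssl_cover_title.jpg"
+alt="User Manual"
+width="421" height="73">
+</td>
+</tr>
+<tr>
+<td align="right">
+<font face="Arial,Helvetica">mod_ssl version 2.8</font> &nbsp;&nbsp;
+</td>
+</tr>
+</table>
+<br>
+</td>
+</tr>
+<tr>
+<td>
+<a
+href="http://www.modssl.org/"
+><img
+src="ssl_cover_logo.jpg"
+alt="mod_ssl - The Apache Interface to OpenSSL"
+border="0"
+width="504" height="231"></a>
+</td>
+</tr>
+<tr>
+<td align="right">
+<table summary="">
+<tr>
+<td>
+<tt>Ralf S. Engelschall</tt><br>
+<tt>rse@engelschall.com</tt><br>
+<tt>www.engelschall.com</tt><br>
+</td>
+<td>
+&nbsp;&nbsp;&nbsp;&nbsp;
+</td>
+<td align="right" valign="bottom">
+<a href="ssl_overview.html" onmouseover="ro_imgOver('ro_img_unknown1', 'next page'); return true" onmouseout="ro_imgNormal('ro_img_unknown1'); return true" onfocus="ro_imgOver('ro_img_unknown1', 'next page'); return true" onblur="ro_imgNormal('ro_img_unknown1'); return true"><img name="ro_img_unknown1" src="ssl_template.navbut-next-n.gif" alt="next page" width="70" height="18" border="0"></a><br>Overview
+</td>
+<td>
+<img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="30" height="1" align="bottom" border="0">
+</td>
+</tr>
+</table>
+</td>
+</tr>
+</table>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>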
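Review bot: The rollover helpers resolve the preloaded image objects with `eval(imgName + '_n.src')` and `eval(imgName + '_o.src')`, which turns a plain property lookup into code execution and would prevent serving this manual under a `script-src` policy that omits `'unsafe-eval'`. The only callers visible in this file pass string literals (`'ro_img_unknown1'`), so it is not exploitable as committed, but the same effect needs no eval: `document[imgName].src = window[imgName + '_n'].src;` and `document[imgName].src = window[imgName + '_o'].src;`. The inline `onmouseover`/`onfocus`/`onblur` handlers on the navigation anchor carry the same CSP cost; since this page appears to be generated from a template (the `ssl_template.*` asset names), binding those handlers in the script block at generation time would let the shipped documentation be served with a strict policy.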


@ -0,0 +1,223 @@
<html>
<head>
<title>mod_ssl: Title Page</title>
<!--
Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above
copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials
provided with the distribution.
3. All advertising materials mentioning features or use of this
software must display the following acknowledgment:
"This product includes software developed by
Ralf S. Engelschall <rse@engelschall.com> for use in the
mod_ssl project (http://www.modssl.org/)."
4. The name "mod_ssl" must not be used to endorse or promote
products derived from this software without prior written
permission.
5. Redistributions of any form whatsoever must retain the
following acknowledgment:
"This product includes software developed by
Ralf S. Engelschall <rse@engelschall.com> for use in the
mod_ssl project (http://www.modssl.org/)."
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR
HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<style type="text/css"><!--
A:link {
text-decoration: none;
color: #6666cc;
}
A:active {
text-decoration: none;
color: #6666cc;
}
A:visited {
text-decoration: none;
color: #6666cc;
}
#sf {
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H1 {
font-weight: bold;
font-size: 24pt;
line-height: 24pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H2 {
font-weight: bold;
font-size: 18pt;
line-height: 18pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H3 {
font-weight: bold;
font-size: 14pt;
line-height: 14pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H4 {
font-weight: bold;
font-size: 12pt;
line-height: 12pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
#H {
}
#D {
background-color: #f0f0f0;
}
#faq {
font-weight: bold;
font-size: 16pt;
line-height: 16pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
#howto {
font-weight: bold;
font-size: 16pt;
line-height: 16pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
#term {
font-weight: bold;
font-size: 16pt;
line-height: 16pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
--></style>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
function ro_imgNormal(imgName) {
if (document.images) {
document[imgName].src = eval(imgName + '_n.src');
self.status = '';
}
}
function ro_imgOver(imgName, descript) {
if (document.images) {
document[imgName].src = eval(imgName + '_o.src');
self.status = descript;
}
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_unknown1_n = new Image();
ro_img_unknown1_n.src = 'ssl_template.navbut-next-n.gif';
ro_img_unknown1_o = new Image();
ro_img_unknown1_o.src = 'ssl_template.navbut-next-s.gif';
}
// done hiding -->
</script>
</head>
<body bgcolor="#ffffff" text="#000000" link="#333399" alink="#9999ff" vlink="#000066">
<div align="center">
<table width="600" cellspacing="0" cellpadding="0" border="0" summary="">
<tr>
<td>
<br>
<table cellspacing="0" cellpadding="0" border="0" summary="">
<tr>
<td>
<table cellspacing="0" cellpadding="0" border="0" summary="">
<tr>
<td>
<img
src="ssl_cover_title.jpg"
alt="User Manual"
width="421" height="73">
</td>
</tr>
<tr>
<td align="right">
<font face="Arial,Helvetica">mod_ssl version 2.8</font> &nbsp;&nbsp;
</td>
</tr>
</table>
<br>
</td>
</tr>
<tr>
<td>
<a
href="http://www.modssl.org/"
><img
src="ssl_cover_logo.jpg"
alt="mod_ssl - The Apache Interface to OpenSSL"
border="0"
width="504" height="231"></a>
</td>
</tr>
<tr>
<td align="right">
<table summary="">
<tr>
<td>
<tt>Ralf S. Engelschall</tt><br>
<tt>rse@engelschall.com</tt><br>
<tt>www.engelschall.com</tt><br>
</td>
<td>
&nbsp;&nbsp;&nbsp;&nbsp;
</td>
<td align="right" valign="bottom">
<a href="ssl_overview.html" onmouseover="ro_imgOver('ro_img_unknown1', 'next page'); return true" onmouseout="ro_imgNormal('ro_img_unknown1'); return true" onfocus="ro_imgOver('ro_img_unknown1', 'next page'); return true" onblur="ro_imgNormal('ro_img_unknown1'); return true"><img name="ro_img_unknown1" src="ssl_template.navbut-next-n.gif" alt="next page" width="70" height="18" border="0"></a><br>Overview
</td>
<td>
<img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="30" height="1" align="bottom" border="0">
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</div>
</body>
</html>


@ -0,0 +1,551 @@
<html>
<head>
<title>mod_ssl: Compatibility</title>
<!--
Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above
copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials
provided with the distribution.
3. All advertising materials mentioning features or use of this
software must display the following acknowledgment:
"This product includes software developed by
Ralf S. Engelschall <rse@engelschall.com> for use in the
mod_ssl project (http://www.modssl.org/)."
4. The name "mod_ssl" must not be used to endorse or promote
products derived from this software without prior written
permission.
5. Redistributions of any form whatsoever must retain the
following acknowledgment:
"This product includes software developed by
Ralf S. Engelschall <rse@engelschall.com> for use in the
mod_ssl project (http://www.modssl.org/)."
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR
HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<style type="text/css"><!--
A:link {
text-decoration: none;
color: #6666cc;
}
A:active {
text-decoration: none;
color: #6666cc;
}
A:visited {
text-decoration: none;
color: #6666cc;
}
#sf {
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H1 {
font-weight: bold;
font-size: 24pt;
line-height: 24pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H2 {
font-weight: bold;
font-size: 18pt;
line-height: 18pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H3 {
font-weight: bold;
font-size: 14pt;
line-height: 14pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H4 {
font-weight: bold;
font-size: 12pt;
line-height: 12pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
#H {
}
#D {
background-color: #f0f0f0;
}
#faq {
font-weight: bold;
font-size: 16pt;
line-height: 16pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
#howto {
font-weight: bold;
font-size: 16pt;
line-height: 16pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
#term {
font-weight: bold;
font-size: 16pt;
line-height: 16pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
--></style>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
function ro_imgNormal(imgName) {
if (document.images) {
document[imgName].src = eval(imgName + '_n.src');
self.status = '';
}
}
function ro_imgOver(imgName, descript) {
if (document.images) {
document[imgName].src = eval(imgName + '_o.src');
self.status = descript;
}
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_prev_top_n = new Image();
ro_img_prev_top_n.src = 'ssl_template.navbut-prev-n.gif';
ro_img_prev_top_o = new Image();
ro_img_prev_top_o.src = 'ssl_template.navbut-prev-s.gif';
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_prev_bot_n = new Image();
ro_img_prev_bot_n.src = 'ssl_template.navbut-prev-n.gif';
ro_img_prev_bot_o = new Image();
ro_img_prev_bot_o.src = 'ssl_template.navbut-prev-s.gif';
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_next_top_n = new Image();
ro_img_next_top_n.src = 'ssl_template.navbut-next-n.gif';
ro_img_next_top_o = new Image();
ro_img_next_top_o.src = 'ssl_template.navbut-next-s.gif';
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_next_bot_n = new Image();
ro_img_next_bot_n.src = 'ssl_template.navbut-next-n.gif';
ro_img_next_bot_o = new Image();
ro_img_next_bot_o.src = 'ssl_template.navbut-next-s.gif';
}
// done hiding -->
</script>
</head>
<body bgcolor="#ffffff" text="#000000" link="#333399" alink="#9999ff" vlink="#000066">
<div align="center">
<table width="600" cellspacing="0" cellpadding="0" border="0" summary="">
<tr>
<td>
<img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="600" height="1" align="bottom" border="0"><br>
<table width="600" cellspacing="0" cellpadding="0" summary="">
<tr>
<td>
<table width="600" summary="">
<tr>
<td align="left" valign="bottom">
<font face="Arial,Helvetica" size="+2"><b>mod_ssl</b></font>
</td>
<td align="right">
<img src="ssl_template.head-chapter.gif" alt="Chapter" width="175" height="94"> <img src="ssl_template.head-num-4.gif" alt="4" width="74" height="89">
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td><img src="ssl_template.imgdot-1x1-000000.gif" alt="" width="600" height="2" align="bottom" border="0"></td>
</tr>
<tr>
<td>
<table width="600" border="0" summary="">
<tr>
<td valign="top" align="left" width="250">
<a href="ssl_reference.html" onmouseover="ro_imgOver('ro_img_prev_top', 'previous page'); return true" onmouseout="ro_imgNormal('ro_img_prev_top'); return true" onfocus="ro_imgOver('ro_img_prev_top', 'previous page'); return true" onblur="ro_imgNormal('ro_img_prev_top'); return true"><img name="ro_img_prev_top" src="ssl_template.navbut-prev-n.gif" alt="previous page" width="70" height="18" border="0"></a><br><font color="#000000">Reference</font>
</td>
<td valign="top" align="right" width="250">
<a href="ssl_howto.html" onmouseover="ro_imgOver('ro_img_next_top', 'next page'); return true" onmouseout="ro_imgNormal('ro_img_next_top'); return true" onfocus="ro_imgOver('ro_img_next_top', 'next page'); return true" onblur="ro_imgNormal('ro_img_next_top'); return true"><img name="ro_img_next_top" src="ssl_template.navbut-next-n.gif" alt="next page" width="70" height="18" border="0"></a><br><font color="#000000">HowTo</font>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td>
<br>
<img src="ssl_template.title-compat.gif" alt="Compatibility" width="456" height="60">
</td>
</tr>
</table>
<div align="right">
<table cellspacing="0" cellpadding="0" width="200" summary="">
<tr>
<td>
<em>
All PCs are compatible. But some of
them are more compatible than others.
</em>
</td>
</tr>
<tr>
<td align="right">
<font size="-1">
Unknown
</font>
</td>
</tr>
</table>
</div>
<p>
<table cellspacing="0" cellpadding="0" border="0" summary="">
<tr valign="bottom">
<td>
<img src="ssl_compat.gfont000.gif" alt="H" width="40" height="34" border="0" align="left">
ere we talk about backward compatibility to other SSL solutions. As you
perhaps know, mod_ssl is not the only existing SSL solution for Apache.
Actually there are four additional major products available on the market: Ben
Laurie's freely available <a href="http://www.apache-ssl.org/">Apache-SSL</a>
(from where mod_ssl were originally derived in 1998), RedHat's commercial <a
href="http://www.redhat.com/products/product-details.phtml?id=rhsa">Secure Web
Server</a> (which is based on mod_ssl), Covalent's commercial <a
href="http://raven.covalent.net/">Raven SSL Module</a> (also based on mod_ssl)
and finally C2Net's commercial product <a
href="http://www.c2.net/products/stronghold/">Stronghold</a> (based on a
different evolution branch named Sioux up to Stronghold 2.x and based on
mod_ssl since Stronghold 3.x).
</td>
<td>
&nbsp;&nbsp;
</td>
<td>
<div align="right">
<table cellspacing="0" cellpadding="5" border="0" bgcolor="#ccccff" summary="">
<tr>
<td bgcolor="#333399">
<font face="Arial,Helvetica" color="#ccccff">
<b>Table Of Contents</b>
</font>
</td>
</tr>
<tr>
<td>
<font face="Arial,Helvetica" size="-1">
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC1"><strong>Configuration Directives</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC2"><strong>Environment Variables</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC3"><strong>Custom Log Functions</strong></a><br>
</font>
</td>
</tr>
</table>
</div>
</td>
</tr>
</table>
<p>
The idea in mod_ssl is mainly the following: because mod_ssl provides mostly a
superset of the functionality of all other solutions we can easily provide
backward compatibility for most of the cases. Actually there are three
compatibility areas we currently address: configuration directives,
environment variables and custom log functions.
<h2><a name="ToC1">Configuration Directives</a></h2>
For backward compatibility to the configuration directives of other SSL
solutions we do an on-the-fly mapping: directives which have a direct
counterpart in mod_ssl are mapped silently while other directives lead to a
warning message in the logfiles. The currently implemented directive mapping
is listed in <a href="#table1">Table 1</a>. Currently full backward
compatibilty is provided only for Apache-SSL 1.x and mod_ssl 2.0.x.
Compatibility to Sioux 1.x and Stronghold 2.x is only partial because of
special functionality in these interfaces which mod_ssl (still) doesn't
provide.
<p>
<div align="center">
<a name="table1"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
<caption align="bottom" id="sf">Table 1: Configuration Directive Mapping</caption>
<tr><td bgcolor="#cccccc">
<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
<tr><td valign="top" align="center" bgcolor="#ffffff">
<table border="0" cellspacing="0" cellpadding="2" width="598" summary="">
<tr id="D">
<td><strong>Old Directive</strong></td>
<td><strong>mod_ssl Directive</strong></td>
<td><strong>Comment</strong></td>
</tr>
<tr id="H"><td colspan="3"><b>Apache-SSL 1.x &amp; mod_ssl 2.0.x compatibility:</b></td></tr>
<tr id="D"><td><code>SSLEnable</code></td><td><code>SSLEngine on</code></td><td>compactified</td></tr>
<tr id="H"><td><code>SSLDisable</code></td><td><code>SSLEngine off</code></td><td>compactified</td></tr>
<tr id="D"><td><code>SSLLogFile</code> <em>file</em></td><td><code>SSLLog</code> <em>file</em></td><td>compactified</td></tr>
<tr id="H"><td><code>SSLRequiredCiphers</code> <em>spec</em></td><td><code>SSLCipherSuite</code> <em>spec</em></td><td>renamed</td></tr>
<tr id="D"><td><code>SSLRequireCipher</code> <em>c1</em> ...</td><td><code>SSLRequire %{SSL_CIPHER} in {"</code><em>c1</em><code>", ...}</code></td><td>generalized</td></tr>
<tr id="H"><td><code>SSLBanCipher</code> <em>c1</em> ...</td><td><code>SSLRequire not (%{SSL_CIPHER} in {"</code><em>c1</em><code>", ...})</code></td><td>generalized</td></tr>
<tr id="D"><td><code>SSLFakeBasicAuth</td><td><code>SSLOptions +FakeBasicAuth</code></td><td>merged</td></tr>
<tr id="H"><td><code>SSLCacheServerPath</code> <em>dir</em></td><td>-</td><td>functionality removed</td></tr>
<tr id="D"><td><code>SSLCacheServerPort</code> <em>integer</em></td><td>-</td><td>functionality removed</td></tr>
<tr id="H"><td colspan="3"><b>Apache-SSL 1.x compatibility:</b></td></tr>
<tr id="D"><td><code>SSLExportClientCertificates</td><td><code>SSLOptions +ExportCertData</code></td><td>merged</td></tr>
<tr id="H"><td><code>SSLCacheServerRunDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
<tr id="D"><td colspan="3"><b>Sioux 1.x compatibility:</b></td></tr>
<tr id="H"><td><code>SSL_CertFile</code> <em>file</em></td><td><code>SSLCertificateFile</code> <em>file</em></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_KeyFile</code> <em>file</em></td><td><code>SSLCertificateKeyFile</code> <em>file</em></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_CipherSuite</code> <em>arg</em></td><td><code>SSLCipherSuite</code> <em>arg</em></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_X509VerifyDir</code> <em>arg</em></td><td><code>SSLCACertificatePath</code> <em>arg</em></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_Log</code> <em>file</em></td><td><code>SSLLogFile</code> <em>file</em></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_Connect</code> <em>flag</em></td><td><code>SSLEngine</code> <em>flag</em></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_ClientAuth</code> <em>arg</em></td><td><code>SSLVerifyClient</code> <em>arg</em></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_X509VerifyDepth</code> <em>arg</em></td><td><code>SSLVerifyDepth</code> <em>arg</em></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_FetchKeyPhraseFrom</code> <em>arg</em></td><td>-</td><td>not directly mappable; use SSLPassPhraseDialog</td></tr>
<tr id="D"><td><code>SSL_SessionDir</code> <em>dir</em></td><td>-</td><td>not directly mappable; use SSLSessionCache</td></tr>
<tr id="H"><td><code>SSL_Require</code> <em>expr</em></td><td>-</td><td>not directly mappable; use SSLRequire</td></tr>
<tr id="D"><td><code>SSL_CertFileType</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr>
<tr id="H"><td><code>SSL_KeyFileType</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr>
<tr id="D"><td><code>SSL_X509VerifyPolicy</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr>
<tr id="H"><td><code>SSL_LogX509Attributes</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr>
<tr id="D"><td colspan="3"><b>Stronghold 2.x compatibility:</b></td></tr>
<tr id="H"><td><code>StrongholdAccelerator</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
<tr id="H"><td><code>StrongholdKey</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
<tr id="H"><td><code>StrongholdLicenseFile</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
<tr id="H"><td><code>SSLFlag</code> <em>flag</em></td><td><code>SSLEngine</code> <em>flag</em></td><td>renamed</td></tr>
<tr id="D"><td><code>SSLSessionLockFile</code> <em>file</em></td><td><code>SSLMutex</code> <em>file</em></td><td>renamed</td></tr>
<tr id="H"><td><code>SSLCipherList</code> <em>spec</em></td><td><code>SSLCipherSuite</code> <em>spec</em></td><td>renamed</td></tr>
<tr id="D"><td><code>RequireSSL</code></td><td><code>SSLRequireSSL</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSLErrorFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr>
<tr id="H"><td><code>SSLRoot</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
<tr id="D"><td><code>SSL_CertificateLogDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
<tr id="H"><td><code>AuthCertDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
<tr id="D"><td><code>SSL_Group</code> <em>name</em></td><td>-</td><td>functionality not supported</td></tr>
<tr id="H"><td><code>SSLProxyMachineCertPath</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
<tr id="D"><td><code>SSLProxyMachineCertFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr>
<tr id="H"><td><code>SSLProxyCACertificatePath</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
<tr id="D"><td><code>SSLProxyCACertificateFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr>
<tr id="H"><td><code>SSLProxyVerifyDepth</code> <em>number</em></td><td>-</td><td>functionality not supported</td></tr>
<tr id="D"><td><code>SSLProxyCipherList</code> <em>spec</em></td><td>-</td><td>functionality not supported</td></tr>
</table>
</td>
</tr></table>
</td></tr></table>
</div>
<p>
<br>
<h2><a name="ToC2">Environment Variables</a></h2>
When you use ``<code>SSLOptions +CompatEnvVars</code>'' additional environment
variables are generated. They all correspond to existing official mod_ssl
variables. The currently implemented variable derivation is listed in <a
href="#table2">Table 2</a>.
<p>
<div align="center">
<a name="table2"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
<caption align="bottom" id="sf">Table 2: Environment Variable Derivation</caption>
<tr><td bgcolor="#cccccc">
<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
<tr><td valign="top" align="center" bgcolor="#ffffff">
<table border="0" cellspacing="0" cellpadding="2" width="598" summary="">
<tr id="D">
<td><strong>Old Variable</strong></td>
<td><strong>mod_ssl Variable</strong></td>
<td><strong>Comment</strong></td>
</tr>
<tr id="H"><td><code>SSL_PROTOCOL_VERSION</code></td><td><code>SSL_PROTOCOL</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSLEAY_VERSION</code></td><td><code>SSL_VERSION_LIBRARY</code></td><td>renamed</td></tr>
<tr id="H"><td><code>HTTPS_SECRETKEYSIZE</code></td><td><code>SSL_CIPHER_USEKEYSIZE</code></td><td>renamed</td></tr>
<tr id="D"><td><code>HTTPS_KEYSIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr>
<tr id="H"><td><code>HTTPS_CIPHER</code></td><td><code>SSL_CIPHER</code></td><td>renamed</td></tr>
<tr id="D"><td><code>HTTPS_EXPORT</code></td><td><code>SSL_CIPHER_EXPORT</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_SERVER_KEY_SIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_SERVER_CERTIFICATE</code></td><td><code>SSL_SERVER_CERT</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_SERVER_CERT_START</code></td><td><code>SSL_SERVER_V_START</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_SERVER_CERT_END</code></td><td><code>SSL_SERVER_V_END</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_SERVER_CERT_SERIAL</code></td><td><code>SSL_SERVER_M_SERIAL</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_SERVER_SIGNATURE_ALGORITHM</code></td><td><code>SSL_SERVER_A_SIG</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_SERVER_DN</code></td><td><code>SSL_SERVER_S_DN</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_SERVER_CN</code></td><td><code>SSL_SERVER_S_DN_CN</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_SERVER_EMAIL</code></td><td><code>SSL_SERVER_S_DN_Email</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_SERVER_O</code></td><td><code>SSL_SERVER_S_DN_O</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_SERVER_OU</code></td><td><code>SSL_SERVER_S_DN_OU</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_SERVER_C</code></td><td><code>SSL_SERVER_S_DN_C</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_SERVER_SP</code></td><td><code>SSL_SERVER_S_DN_SP</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_SERVER_L</code></td><td><code>SSL_SERVER_S_DN_L</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_SERVER_IDN</code></td><td><code>SSL_SERVER_I_DN</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_SERVER_ICN</code></td><td><code>SSL_SERVER_I_DN_CN</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_SERVER_IEMAIL</code></td><td><code>SSL_SERVER_I_DN_Email</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_SERVER_IO</code></td><td><code>SSL_SERVER_I_DN_O</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_SERVER_IOU</code></td><td><code>SSL_SERVER_I_DN_OU</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_SERVER_IC</code></td><td><code>SSL_SERVER_I_DN_C</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_SERVER_ISP</code></td><td><code>SSL_SERVER_I_DN_SP</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_SERVER_IL</code></td><td><code>SSL_SERVER_I_DN_L</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_CLIENT_CERTIFICATE</code></td><td><code>SSL_CLIENT_CERT</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_CLIENT_CERT_START</code></td><td><code>SSL_CLIENT_V_START</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_CLIENT_CERT_END</code></td><td><code>SSL_CLIENT_V_END</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_CLIENT_CERT_SERIAL</code></td><td><code>SSL_CLIENT_M_SERIAL</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_CLIENT_SIGNATURE_ALGORITHM</code></td><td><code>SSL_CLIENT_A_SIG</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_CLIENT_DN</code></td><td><code>SSL_CLIENT_S_DN</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_CLIENT_CN</code></td><td><code>SSL_CLIENT_S_DN_CN</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_CLIENT_EMAIL</code></td><td><code>SSL_CLIENT_S_DN_Email</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_CLIENT_O</code></td><td><code>SSL_CLIENT_S_DN_O</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_CLIENT_OU</code></td><td><code>SSL_CLIENT_S_DN_OU</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_CLIENT_C</code></td><td><code>SSL_CLIENT_S_DN_C</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_CLIENT_SP</code></td><td><code>SSL_CLIENT_S_DN_SP</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_CLIENT_L</code></td><td><code>SSL_CLIENT_S_DN_L</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_CLIENT_IDN</code></td><td><code>SSL_CLIENT_I_DN</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_CLIENT_ICN</code></td><td><code>SSL_CLIENT_I_DN_CN</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_CLIENT_IEMAIL</code></td><td><code>SSL_CLIENT_I_DN_Email</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_CLIENT_IO</code></td><td><code>SSL_CLIENT_I_DN_O</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_CLIENT_IOU</code></td><td><code>SSL_CLIENT_I_DN_OU</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_CLIENT_IC</code></td><td><code>SSL_CLIENT_I_DN_C</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_CLIENT_ISP</code></td><td><code>SSL_CLIENT_I_DN_SP</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_CLIENT_IL</code></td><td><code>SSL_CLIENT_I_DN_L</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_EXPORT</code></td><td><code>SSL_CIPHER_EXPORT</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_KEYSIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_SECKEYSIZE</code></td><td><code>SSL_CIPHER_USEKEYSIZE</code></td><td>renamed</td></tr>
<tr id="H"><td><code>SSL_SSLEAY_VERSION</code></td><td><code>SSL_VERSION_LIBRARY</code></td><td>renamed</td></tr>
<tr id="D"><td><code>SSL_STRONG_CRYPTO</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
<tr id="D"><td><code>SSL_SERVER_KEY_EXP</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
<tr id="H"><td><code>SSL_SERVER_KEY_ALGORITHM</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
<tr id="D"><td><code>SSL_SERVER_KEY_SIZE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
<tr id="H"><td><code>SSL_SERVER_SESSIONDIR</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
<tr id="D"><td><code>SSL_SERVER_CERTIFICATELOGDIR</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
<tr id="H"><td><code>SSL_SERVER_CERTFILE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
<tr id="D"><td><code>SSL_SERVER_KEYFILE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
<tr id="H"><td><code>SSL_SERVER_KEYFILETYPE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
<tr id="D"><td><code>SSL_CLIENT_KEY_EXP</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
<tr id="H"><td><code>SSL_CLIENT_KEY_ALGORITHM</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
<tr id="D"><td><code>SSL_CLIENT_KEY_SIZE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
</table>
</td>
</tr></table>
</td></tr></table>
</div>
<p>
<br>
<h2><a name="ToC3">Custom Log Functions</a></h2>
When mod_ssl is built into Apache or at least loaded (under DSO situation)
additional functions exist for the <a
href="../mod_log_config.html#formats">Custom Log Format</a> of <a
href="../mod_log_config.html">mod_log_config</a> as documented in the Reference
Chapter. Beside the ``<code>%{</code><em>varname</em><code>}x</code>''
eXtension format function which can be used to expand any variables provided
by any module, an additional Cryptography
``<code>%{</code><em>name</em><code>}c</code>'' cryptography format function
exists for backward compatibility. The currently implemented function calls
are listed in <a href="#table3">Table 3</a>.
<p>
<div align="center">
<a name="table3"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
<caption align="bottom" id="sf">Table 3: Custom Log Cryptography Function</caption>
<tr><td bgcolor="#cccccc">
<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
<tr><td valign="top" align="center" bgcolor="#ffffff">
<table border="0" cellspacing="0" cellpadding="2" width="598" summary="">
<tr id="H">
<td><strong>Function Call</strong></td>
<td><strong>Description</strong></td>
</tr>
<tr id="D"><td><code>%...{version}c</code></td> <td>SSL protocol version</td></tr>
<tr id="H"><td><code>%...{cipher}c</code></td> <td>SSL cipher</td></tr>
<tr id="D"><td><code>%...{subjectdn}c</code></td> <td>Client Certificate Subject Distinguished Name</td></tr>
<tr id="H"><td><code>%...{issuerdn}c</code></td> <td>Client Certificate Issuer Distinguished Name</td></tr>
<tr id="D"><td><code>%...{errcode}c</code></td> <td>Certificate Verification Error (numerical)</td></tr>
<tr id="H"><td><code>%...{errstr}c</code></td> <td>Certificate Verification Error (string)</td></tr>
</table>
</td>
</tr></table>
</td></tr></table>
</div>
<p>
<br>
<table summary="">
<tr>
<td>
<table width="600" border="0" summary="">
<tr>
<td valign="top" align="left" width="250">
<a href="ssl_reference.html" onmouseover="ro_imgOver('ro_img_prev_bot', 'previous page'); return true" onmouseout="ro_imgNormal('ro_img_prev_bot'); return true" onfocus="ro_imgOver('ro_img_prev_bot', 'previous page'); return true" onblur="ro_imgNormal('ro_img_prev_bot'); return true"><img name="ro_img_prev_bot" src="ssl_template.navbut-prev-n.gif" alt="previous page" width="70" height="18" border="0"></a><br><font color="#000000">Reference</font>
</td>
<td valign="top" align="right" width="250">
<a href="ssl_howto.html" onmouseover="ro_imgOver('ro_img_next_bot', 'next page'); return true" onmouseout="ro_imgNormal('ro_img_next_bot'); return true" onfocus="ro_imgOver('ro_img_next_bot', 'next page'); return true" onblur="ro_imgNormal('ro_img_next_bot'); return true"><img name="ro_img_next_bot" src="ssl_template.navbut-next-n.gif" alt="next page" width="70" height="18" border="0"></a><br><font color="#000000">HowTo</font>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td><img src="ssl_template.imgdot-1x1-000000.gif" alt="" width="600" height="2" align="bottom" border="0"></td>
</tr>
<tr>
<td><table width="598" summary="">
<tr>
<td align="left"><font face="Arial,Helvetica">
<a href="http://www.modssl.org/">mod_ssl</a> 2.8, User Manual<br>
The Apache Interface to OpenSSL
</font>
</td>
<td align="right"><font face="Arial,Helvetica">
Copyright &copy; 1998-2001
<a href="http://www.engelschall.com/">Ralf S. Engelschall</a><br>
All Rights Reserved<br>
</font>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</div>
</body>
</html>

1643
docs/manual/ssl/ssl_faq.html Normal file



@ -0,0 +1,413 @@
<html>
<head>
<title>mod_ssl: Glossary</title>
<!--
Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above
copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials
provided with the distribution.
3. All advertising materials mentioning features or use of this
software must display the following acknowledgment:
"This product includes software developed by
Ralf S. Engelschall <rse@engelschall.com> for use in the
mod_ssl project (http://www.modssl.org/)."
4. The name "mod_ssl" must not be used to endorse or promote
products derived from this software without prior written
permission.
5. Redistributions of any form whatsoever must retain the
following acknowledgment:
"This product includes software developed by
Ralf S. Engelschall <rse@engelschall.com> for use in the
mod_ssl project (http://www.modssl.org/)."
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR
HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<style type="text/css"><!--
A:link {
text-decoration: none;
color: #6666cc;
}
A:active {
text-decoration: none;
color: #6666cc;
}
A:visited {
text-decoration: none;
color: #6666cc;
}
#sf {
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H1 {
font-weight: bold;
font-size: 24pt;
line-height: 24pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H2 {
font-weight: bold;
font-size: 18pt;
line-height: 18pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H3 {
font-weight: bold;
font-size: 14pt;
line-height: 14pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H4 {
font-weight: bold;
font-size: 12pt;
line-height: 12pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
#H {
}
#D {
background-color: #f0f0f0;
}
#faq {
font-weight: bold;
font-size: 16pt;
line-height: 16pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
#howto {
font-weight: bold;
font-size: 16pt;
line-height: 16pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
#term {
font-weight: bold;
font-size: 16pt;
line-height: 16pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
--></style>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
function ro_imgNormal(imgName) {
if (document.images) {
document[imgName].src = eval(imgName + '_n.src');
self.status = '';
}
}
function ro_imgOver(imgName, descript) {
if (document.images) {
document[imgName].src = eval(imgName + '_o.src');
self.status = descript;
}
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_prev_top_n = new Image();
ro_img_prev_top_n.src = 'ssl_template.navbut-prev-n.gif';
ro_img_prev_top_o = new Image();
ro_img_prev_top_o.src = 'ssl_template.navbut-prev-s.gif';
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_prev_bot_n = new Image();
ro_img_prev_bot_n.src = 'ssl_template.navbut-prev-n.gif';
ro_img_prev_bot_o = new Image();
ro_img_prev_bot_o.src = 'ssl_template.navbut-prev-s.gif';
}
// done hiding -->
</script>
</head>
<body bgcolor="#ffffff" text="#000000" link="#333399" alink="#9999ff" vlink="#000066">
<div align="center">
<table width="600" cellspacing="0" cellpadding="0" border="0" summary="">
<tr>
<td>
<img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="600" height="1" align="bottom" border="0"><br>
<table width="600" cellspacing="0" cellpadding="0" summary="">
<tr>
<td>
<table width="600" summary="">
<tr>
<td align="left" valign="bottom">
<font face="Arial,Helvetica" size="+2"><b>mod_ssl</b></font>
</td>
<td align="right">
<img src="ssl_template.head-chapter.gif" alt="Chapter" width="175" height="94"> <img src="ssl_template.head-num-7.gif" alt="7" width="74" height="89">
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td><img src="ssl_template.imgdot-1x1-000000.gif" alt="" width="600" height="2" align="bottom" border="0"></td>
</tr>
<tr>
<td>
<table width="600" border="0" summary="">
<tr>
<td valign="top" align="left" width="250">
<a href="ssl_faq.html" onmouseover="ro_imgOver('ro_img_prev_top', 'previous page'); return true" onmouseout="ro_imgNormal('ro_img_prev_top'); return true" onfocus="ro_imgOver('ro_img_prev_top', 'previous page'); return true" onblur="ro_imgNormal('ro_img_prev_top'); return true"><img name="ro_img_prev_top" src="ssl_template.navbut-prev-n.gif" alt="previous page" width="70" height="18" border="0"></a><br><font color="#000000">F.A.Q. List</font>
</td>
<td valign="top" align="right" width="250">
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td>
<br>
<img src="ssl_template.title-gloss.gif" alt="Glossary" width="456" height="60">
</td>
</tr>
</table>
<div align="right">
<table cellspacing="0" cellpadding="0" width="300" summary="">
<tr>
<td>
<em>
``I know you believe you understand what you think I said, but I am not sure you
realize that what you heard is not what I meant.''
</em>
</td>
</tr>
<tr>
<td align="right">
<font size="-1">
Richard Nixon
</font>
</td>
</tr>
</table>
</div>
<dl>
<dt><div id="term">Authentication</div>
<dd>The positive identification of a network entity such as a server, a
client, or a user. In SSL context the server and client
<em>Certificate</em> verification process.
<p>
<dt><div id="term">Access Control</div>
<dd>The restriction of access to network realms. In Apache context
usually the restriction of access to certain <em>URLs</em>.
<p>
<dt><div id="term">Algorithm</div>
<dd>An unambiguous formula or set of rules for solving a problem in a finite
number of steps. Algorithms for encryption are usually called <em>Ciphers</em>.
<p>
<dt><div id="term">Certificate</div>
<dd>A data record used for authenticating network entities such
as a server or a client. A certificate contains X.509 information pieces
about its owner (called the subject) and the signing <em>Certificate
Authority</em> (called the issuer), plus the owner's public key and the
signature made by the CA. Network entities verify these signatures using
CA certificates.
<p>
<dt><div id="term">Certification Authority (CA)</div>
<dd>A trusted third party whose purpose is to sign certificates for network
entities it has authenticated using secure means. Other network entities
can check the signature to verify that a CA has authenticated the bearer
of a certificate.
<p>
<dt><div id="term">Certificate Signing Request (CSR)</div>
<dd>An unsigned certificate for submission to a <em>Certification Authority</em>,
which signs it with the <em>Private Key</em> of their CA <em>Certificate</em>. Once
the CSR is signed, it becomes a real certificate.
<p>
<dt><div id="term">Cipher</div>
<dd>An algorithm or system for data encryption. Examples are DES, IDEA, RC4, etc.
<p>
<dt><div id="term">Ciphertext</div>
<dd>The result after a <em>Plaintext</em> passed a <em>Cipher</em>.
<p>
<dt><div id="term">Configuration Directive</div>
<dd>A configuration command that controls one or more aspects of a program's
behavior. In Apache context these are all the command names in the first
column of the configuration files.
<p>
<dt><div id="term">CONNECT</div>
<dd>A HTTP command for proxying raw data channels over HTTP. It can be used to
encapsulate other protocols, such as the SSL protocol.
<p>
<dt><div id="term">Digital Signature</div>
<dd>An encrypted text block that validates a certificate or other file. A
<em>Certification Authority</em> creates a signature by generating a
hash of the <em>Public Key</em> embedded in a <em>Certificate</em>, then
encrypting the hash with its own <em>Private Key</em>. Only the CA's
public key can decrypt the signature, verifying that the CA has
authenticated the network entity that owns the <em>Certificate</em>.
<p>
<dt><div id="term">Export-Crippled</div>
<dd>Diminished in cryptographic strength (and security) in order to comply
with the United States' Export Administration Regulations (EAR).
Export-crippled cryptographic software is limited to a small key size,
resulting in <em>Ciphertext</em> which usually can be decrypted by brute
force.
<p>
<dt><div id="term">Fully-Qualified Domain-Name (FQDN)</div>
<dd>The unique name of a network entity, consisting of a hostname and a domain
name that can resolve to an IP address. For example, <code>www</code> is a
hostname, <code>whatever.com</code> is a domain name, and
<code>www.whatever.com</code> is a fully-qualified domain name.
<p>
<dt><div id="term">HyperText Transfer Protocol (HTTP)</div>
<dd>The HyperText Transport Protocol is the standard transmission protocol used
on the World Wide Web.
<p>
<dt><div id="term">HTTPS</div>
<dd>The HyperText Transport Protocol (Secure), the standard encrypted
communication mechanism on the World Wide Web. This is actually just HTTP
over SSL.
<p>
<dt><div id="term">Message Digest</div>
<dd>A hash of a message, which can be used to verify that the contents of
the message have not been altered in transit.
<p>
<dt><div id="term">OpenSSL</div>
<dd>The Open Source toolkit for SSL/TLS;
see <a href="http://www.openssl.org/">http://www.openssl.org/</a>
<p>
<dt><div id="term">Pass Phrase</div>
<dd>The word or phrase that protects private key files.
It prevents unauthorized users from encrypting them. Usually it's just
the secret encryption/decryption key used for <em>Ciphers</em>.
<p>
<dt><div id="term">Plaintext</div>
<dd>The unencrypted text.
<p>
<dt><div id="term">Private Key</div>
<dd>The secret key in a <em>Public Key Cryptography</em> system, used to
decrypt incoming messages and sign outgoing ones.
<p>
<dt><div id="term">Public Key</div>
<dd>The publically available key in a <em>Public Key Cryptography</em> system, used to
encrypt messages bound for its owner and to decrypt signatures made by its
owner.
<p>
<dt><div id="term">Public Key Cryptography</div>
<dd>The study and application of asymmetric encryption systems, which use one
key for encryption and another for decryption. A corresponding pair of
such keys constitutes a key pair. Also called Asymmetric Crypography.
<p>
<dt><div id="term">Secure Sockets Layer (SSL)</div>
<dd>A protocol created by Netscape Communications Corporation for
general communication authentication and encryption over TCP/IP networks.
The most popular usage is <em>HTTPS</em>, i.e. the HyperText Transfer
Protocol (HTTP) over SSL.
<p>
<dt><div id="term">Session</div>
<dd>The context information of an SSL communication.
<p>
<dt><div id="term">SSLeay</div>
<dd>The original SSL/TLS implementation library developed by
Eric A. Young &lt;eay@aus.rsa.com&gt;;
see <a href="http://www.ssleay.org/">http://www.ssleay.org/</a>
<p>
<dt><div id="term">Symmetric Cryptography</div>
<dd>The study and application of <em>Ciphers</em> that use a single secret key
for both encryption and decryption operations.
<p>
<dt><div id="term">Transport Layer Security (TLS)</div>
<dd>The successor protocol to SSL, created by the Internet Engineering Task
Force (IETF) for general communication authentication and encryption over
TCP/IP networks. TLS version 1 and is nearly identical with SSL version 3.
<p>
<dt><div id="term">Uniform Resource Locator (URL)</div>
<dd>The formal identifier to locate various resources on the World Wide Web.
The most popular URL scheme is <code>http</code>. SSL uses the
scheme <code>https</code>
<p>
<dt><div id="term">X.509</div>
<dd>An authentication certificate scheme recommended by the International
Telecommunication Union (ITU-T) which is used for SSL/TLS authentication.
</dl>
<p>
<br>
<table summary="">
<tr>
<td>
<table width="600" border="0" summary="">
<tr>
<td valign="top" align="left" width="250">
<a href="ssl_faq.html" onmouseover="ro_imgOver('ro_img_prev_bot', 'previous page'); return true" onmouseout="ro_imgNormal('ro_img_prev_bot'); return true" onfocus="ro_imgOver('ro_img_prev_bot', 'previous page'); return true" onblur="ro_imgNormal('ro_img_prev_bot'); return true"><img name="ro_img_prev_bot" src="ssl_template.navbut-prev-n.gif" alt="previous page" width="70" height="18" border="0"></a><br><font color="#000000">F.A.Q. List</font>
</td>
<td valign="top" align="right" width="250">
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td><img src="ssl_template.imgdot-1x1-000000.gif" alt="" width="600" height="2" align="bottom" border="0"></td>
</tr>
<tr>
<td><table width="598" summary="">
<tr>
<td align="left"><font face="Arial,Helvetica">
<a href="http://www.modssl.org/">mod_ssl</a> 2.8, User Manual<br>
The Apache Interface to OpenSSL
</font>
</td>
<td align="right"><font face="Arial,Helvetica">
Copyright &copy; 1998-2001
<a href="http://www.engelschall.com/">Ralf S. Engelschall</a><br>
All Rights Reserved<br>
</font>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</div>
</body>
</html>


@ -0,0 +1,929 @@
<html>
<head>
<title>mod_ssl: HowTo</title>
<!--
Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above
copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials
provided with the distribution.
3. All advertising materials mentioning features or use of this
software must display the following acknowledgment:
"This product includes software developed by
Ralf S. Engelschall <rse@engelschall.com> for use in the
mod_ssl project (http://www.modssl.org/)."
4. The name "mod_ssl" must not be used to endorse or promote
products derived from this software without prior written
permission.
5. Redistributions of any form whatsoever must retain the
following acknowledgment:
"This product includes software developed by
Ralf S. Engelschall <rse@engelschall.com> for use in the
mod_ssl project (http://www.modssl.org/)."
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR
HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<style type="text/css"><!--
A:link {
text-decoration: none;
color: #6666cc;
}
A:active {
text-decoration: none;
color: #6666cc;
}
A:visited {
text-decoration: none;
color: #6666cc;
}
#sf {
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H1 {
font-weight: bold;
font-size: 24pt;
line-height: 24pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H2 {
font-weight: bold;
font-size: 18pt;
line-height: 18pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H3 {
font-weight: bold;
font-size: 14pt;
line-height: 14pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H4 {
font-weight: bold;
font-size: 12pt;
line-height: 12pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
#H {
}
#D {
background-color: #f0f0f0;
}
#faq {
font-weight: bold;
font-size: 16pt;
line-height: 16pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
#howto {
font-weight: bold;
font-size: 16pt;
line-height: 16pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
#term {
font-weight: bold;
font-size: 16pt;
line-height: 16pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
--></style>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
function ro_imgNormal(imgName) {
if (document.images) {
document[imgName].src = eval(imgName + '_n.src');
self.status = '';
}
}
function ro_imgOver(imgName, descript) {
if (document.images) {
document[imgName].src = eval(imgName + '_o.src');
self.status = descript;
}
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_prev_top_n = new Image();
ro_img_prev_top_n.src = 'ssl_template.navbut-prev-n.gif';
ro_img_prev_top_o = new Image();
ro_img_prev_top_o.src = 'ssl_template.navbut-prev-s.gif';
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_prev_bot_n = new Image();
ro_img_prev_bot_n.src = 'ssl_template.navbut-prev-n.gif';
ro_img_prev_bot_o = new Image();
ro_img_prev_bot_o.src = 'ssl_template.navbut-prev-s.gif';
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_next_top_n = new Image();
ro_img_next_top_n.src = 'ssl_template.navbut-next-n.gif';
ro_img_next_top_o = new Image();
ro_img_next_top_o.src = 'ssl_template.navbut-next-s.gif';
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_next_bot_n = new Image();
ro_img_next_bot_n.src = 'ssl_template.navbut-next-n.gif';
ro_img_next_bot_o = new Image();
ro_img_next_bot_o.src = 'ssl_template.navbut-next-s.gif';
}
// done hiding -->
</script>
</head>
<body bgcolor="#ffffff" text="#000000" link="#333399" alink="#9999ff" vlink="#000066">
<div align="center">
<table width="600" cellspacing="0" cellpadding="0" border="0" summary="">
<tr>
<td>
<img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="600" height="1" align="bottom" border="0"><br>
<table width="600" cellspacing="0" cellpadding="0" summary="">
<tr>
<td>
<table width="600" summary="">
<tr>
<td align="left" valign="bottom">
<font face="Arial,Helvetica" size="+2"><b>mod_ssl</b></font>
</td>
<td align="right">
<img src="ssl_template.head-chapter.gif" alt="Chapter" width="175" height="94"> <img src="ssl_template.head-num-5.gif" alt="5" width="74" height="89">
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td><img src="ssl_template.imgdot-1x1-000000.gif" alt="" width="600" height="2" align="bottom" border="0"></td>
</tr>
<tr>
<td>
<table width="600" border="0" summary="">
<tr>
<td valign="top" align="left" width="250">
<a href="ssl_compat.html" onmouseover="ro_imgOver('ro_img_prev_top', 'previous page'); return true" onmouseout="ro_imgNormal('ro_img_prev_top'); return true" onfocus="ro_imgOver('ro_img_prev_top', 'previous page'); return true" onblur="ro_imgNormal('ro_img_prev_top'); return true"><img name="ro_img_prev_top" src="ssl_template.navbut-prev-n.gif" alt="previous page" width="70" height="18" border="0"></a><br><font color="#000000">Compatibility</font>
</td>
<td valign="top" align="right" width="250">
<a href="ssl_faq.html" onmouseover="ro_imgOver('ro_img_next_top', 'next page'); return true" onmouseout="ro_imgNormal('ro_img_next_top'); return true" onfocus="ro_imgOver('ro_img_next_top', 'next page'); return true" onblur="ro_imgNormal('ro_img_next_top'); return true"><img name="ro_img_next_top" src="ssl_template.navbut-next-n.gif" alt="next page" width="70" height="18" border="0"></a><br><font color="#000000">F.A.Q. List</font>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td>
<br>
<img src="ssl_template.title-howto.gif" alt="HowTo" width="456" height="60">
</td>
</tr>
</table>
<div align="right">
<table cellspacing="0" cellpadding="0" width="200" summary="">
<tr>
<td>
<em>
``The solution of this problem is trivial
and is left as an exercise for the reader.''
</em>
</td>
</tr>
<tr>
<td align="right">
<font size="-1">
Standard textbook cookie
</font>
</td>
</tr>
</table>
</div>
<p>
<table cellspacing="0" cellpadding="0" border="0" summary="">
<tr valign="bottom">
<td>
<img src="ssl_howto.gfont000.gif" alt="H" width="40" height="34" border="0" align="left">
ow to solve particular security constraints for an SSL-aware webserver
is not always obvious because of the coherences between SSL, HTTP and Apache's
way of processing requests. This chapter gives instructions on how to solve
such typical situations. Treat is as a first step to find out the final
solution, but always try to understand the stuff before you use it. Nothing is
worse than using a security solution without knowing it's restrictions and
coherences.
</td>
<td>
&nbsp;&nbsp;
</td>
<td>
<div align="right">
<table cellspacing="0" cellpadding="5" border="0" bgcolor="#ccccff" width="300" summary="">
<tr>
<td bgcolor="#333399">
<font face="Arial,Helvetica" color="#ccccff">
<b>Table Of Contents</b>
</font>
</td>
</tr>
<tr>
<td>
<font face="Arial,Helvetica" size="-1">
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC1"><strong>Cipher Suites and Enforced Strong Security</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC2"><strong>SSLv2 only server</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC3"><strong>strong encryption only server</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC4"><strong>server gated cryptography</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC5"><strong>stronger per-directory requirements</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC6"><strong>Client Authentication and Access Control</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC7"><strong>simple certificate-based client authentication</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC8"><strong>selective certificate-based client authentication</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC9"><strong>particular certificate-based client authentication</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC10"><strong>intranet vs. internet authentication</strong></a><br>
</font>
</td>
</tr>
</table>
</div>
</td>
</tr>
</table>
<h2><a name="ToC1">Cipher Suites and Enforced Strong Security</a></h2>
<ul>
<p>
<li><a name="ToC2"></a>
<a name="cipher-sslv2"></a>
<strong id="howto">
How can I create a real SSLv2-only server?
</strong>&nbsp;&nbsp;
[<a href="http://www.modssl.org/docs/2.8/ssl_howto.html#cipher-sslv2"><b>L</b></a>]
<p>
The following creates an SSL server which speaks only the SSLv2 protocol and
its ciphers.
<p>
<table border="0" cellpadding="0" cellspacing="0" summary="">
<tr>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
<td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td colspan="3" bgcolor="#ffffff">
<table border="0" cellspacing="4" summary="">
<tr>
<td>
<pre>
SSLProtocol -all +SSLv2
SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
</pre>
</td>
</tr>
</table>
</td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
</table>
<p>
<li><a name="ToC3"></a>
<a name="cipher-strong"></a>
<strong id="howto">
How can I create an SSL server which accepts strong encryption only?
</strong>&nbsp;&nbsp;
[<a href="http://www.modssl.org/docs/2.8/ssl_howto.html#cipher-strong"><b>L</b></a>]
<p>
The following enables only the seven strongest ciphers:
<p>
<table border="0" cellpadding="0" cellspacing="0" summary="">
<tr>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
<td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td colspan="3" bgcolor="#ffffff">
<table border="0" cellspacing="4" summary="">
<tr>
<td>
<pre>
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
</pre>
</td>
</tr>
</table>
</td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
</table>
<p>
<li><a name="ToC4"></a>
<a name="cipher-sgc"></a>
<strong id="howto">
How can I create an SSL server which accepts strong encryption only,
but allows export browsers to upgrade to stronger encryption?
</strong>&nbsp;&nbsp;
[<a href="http://www.modssl.org/docs/2.8/ssl_howto.html#cipher-sgc"><b>L</b></a>]
<p>
This facility is called Server Gated Cryptography (SGC) and details you can
find in the <code>README.GlobalID</code> document in the mod_ssl distribution.
In short: The server has a Global ID server certificate, signed by a special
CA certificate from Verisign which enables strong encryption in export
browsers. This works as following: The browser connects with an export cipher,
the server sends it's Global ID certificate, the browser verifies it and
subsequently upgrades the cipher suite before any HTTP communication takes
place. The question now is: How can we allow this upgrade, but enforce strong
encryption. Or in other words: Browser either have to initially connect with
strong encryption or have to upgrade to strong encryption, but are not allowed
to keep the export ciphers. The following does the trick:
<p>
<table border="0" cellpadding="0" cellspacing="0" summary="">
<tr>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
<td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td colspan="3" bgcolor="#ffffff">
<table border="0" cellspacing="4" summary="">
<tr>
<td>
<pre>
# allow all ciphers for the inital handshake,
# so export browsers can upgrade via SGC facility
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
&lt;Directory /usr/local/apache/htdocs&gt;
# but finally deny all browsers which haven't upgraded
SSLRequire %{SSL_CIPHER_USEKEYSIZE} &gt;= 128
&lt;/Directory&gt;
</pre>
</td>
</tr>
</table>
</td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
</table>
<p>
<li><a name="ToC5"></a>
<a name="cipher-perdir"></a>
<strong id="howto">
How can I create an SSL server which accepts all types of ciphers in general,
but requires a strong ciphers for access to a particular URL?
</strong>&nbsp;&nbsp;
[<a href="http://www.modssl.org/docs/2.8/ssl_howto.html#cipher-perdir"><b>L</b></a>]
<p>
Obviously you cannot just use a server-wide <code>SSLCipherSuite</code> which
restricts the ciphers to the strong variants. But mod_ssl allows you to
reconfigure the cipher suite in per-directory context and automatically forces
a renegotiation of the SSL parameters to meet the new configuration. So, the
solution is:
<p>
<table border="0" cellpadding="0" cellspacing="0" summary="">
<tr>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
<td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td colspan="3" bgcolor="#ffffff">
<table border="0" cellspacing="4" summary="">
<tr>
<td>
<pre>
# be liberal in general
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
&lt;Location /strong/area&gt;
# but https://hostname/strong/area/ and below requires strong ciphers
SSLCipherSuite HIGH:MEDIUM
&lt;/Location&gt;
</pre>
</td>
</tr>
</table>
</td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
</table>
</ul>
<h2><a name="ToC6">Client Authentication and Access Control</a></h2>
<ul>
<p>
<li><a name="ToC7"></a>
<a name="auth-simple"></a>
<strong id="howto">
How can I authenticate clients based on certificates when I know all my
clients?
</strong>&nbsp;&nbsp;
[<a href="http://www.modssl.org/docs/2.8/ssl_howto.html#auth-simple"><b>L</b></a>]
<p>
When you know your user community (i.e. a closed user group situation), as
it's the case for instance in an Intranet, you can use plain certificate
authentication. All you have to do is to create client certificates signed by
your own CA certificate <code>ca.crt</code> and then verifiy the clients
against this certificate.
<p>
<table border="0" cellpadding="0" cellspacing="0" summary="">
<tr>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
<td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td colspan="3" bgcolor="#ffffff">
<table border="0" cellspacing="4" summary="">
<tr>
<td>
<pre>
# require a client certificate which has to be directly
# signed by our CA certificate in ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile conf/ssl.crt/ca.crt
</pre>
</td>
</tr>
</table>
</td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
</table>
<p>
<li><a name="ToC8"></a>
<a name="auth-selective"></a>
<strong id="howto">
How can I authenticate my clients for a particular URL based on certificates
but still allow arbitrary clients to access the remaining parts of the server?
</strong>&nbsp;&nbsp;
[<a href="http://www.modssl.org/docs/2.8/ssl_howto.html#auth-selective"><b>L</b></a>]
<p>
For this we again use the per-directory reconfiguration feature of mod_ssl:
<p>
<table border="0" cellpadding="0" cellspacing="0" summary="">
<tr>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
<td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td colspan="3" bgcolor="#ffffff">
<table border="0" cellspacing="4" summary="">
<tr>
<td>
<pre>
SSLVerifyClient none
SSLCACertificateFile conf/ssl.crt/ca.crt
&lt;Location /secure/area&gt;
SSLVerifyClient require
SSLVerifyDepth 1
&lt;/Location&gt;
</pre>
</td>
</tr>
</table>
</td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
</table>
<p>
<li><a name="ToC9"></a>
<a name="auth-particular"></a>
<strong id="howto">
How can I authenticate only particular clients for a some URLs based
on certificates but still allow arbitrary clients to access the remaining
parts of the server?
</strong>&nbsp;&nbsp;
[<a href="http://www.modssl.org/docs/2.8/ssl_howto.html#auth-particular"><b>L</b></a>]
<p>
The key is to check for various ingredients of the client certficate. Usually
this means to check the whole or part of the Distinguished Name (DN) of the
Subject. For this two methods exists: The <code>mod_auth</code> based variant
and the <code>SSLRequire</code> variant. The first method is good when the
clients are of totally different type, i.e. when their DNs have no common
fields (usually the organisation, etc.). In this case you've to establish a
password database containing <em>all</em> clients. The second method is better
when your clients are all part of a common hierarchy which is encoded into the
DN. Then you can match them more easily.
<p>
The first method:
<p>
<table border="0" cellpadding="0" cellspacing="0" summary="">
<tr>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
<td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">/usr/local/apache/conf/httpd.conf</font>&nbsp;&nbsp;</td>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td colspan="3" bgcolor="#ffffff">
<table border="0" cellspacing="4" summary="">
<tr>
<td>
<pre>
SSLVerifyClient none
&lt;Directory /usr/local/apache/htdocs/secure/area&gt;
SSLVerifyClient require
SSLVerifyDepth 5
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt
SSLOptions +FakeBasicAuth
SSLRequireSSL
AuthName "Snake Oil Authentication"
AuthType Basic
AuthUserFile /usr/local/apache/conf/httpd.passwd
require valid-user
&lt;/Directory&gt;
</pre>
</td>
</tr>
</table>
</td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
</table>
<p>
<table border="0" cellpadding="0" cellspacing="0" summary="">
<tr>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
<td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">/usr/local/apache/conf/httpd.passwd</font>&nbsp;&nbsp;</td>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td colspan="3" bgcolor="#ffffff">
<table border="0" cellspacing="4" summary="">
<tr>
<td>
<pre>
/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA
</pre>
</td>
</tr>
</table>
</td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
</table>
<p>
The second method:
<p>
<table border="0" cellpadding="0" cellspacing="0" summary="">
<tr>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
<td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td colspan="3" bgcolor="#ffffff">
<table border="0" cellspacing="4" summary="">
<tr>
<td>
<pre>
SSLVerifyClient none
&lt;Directory /usr/local/apache/htdocs/secure/area&gt;
SSLVerifyClient require
SSLVerifyDepth 5
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt
SSLOptions +FakeBasicAuth
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." and \
%{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
&lt;/Directory&gt;
</pre>
</td>
</tr>
</table>
</td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
</table>
<p>
<li><a name="ToC10"></a>
<a name="auth-intranet"></a>
<strong id="howto"> How can
I require HTTPS with strong ciphers and either basic authentication or client
certificates for access to a subarea on the Intranet website for clients
coming from the Internet but still allow plain HTTP access for clients on the
Intranet?
</strong>&nbsp;&nbsp;
[<a href="http://www.modssl.org/docs/2.8/ssl_howto.html#auth-intranet"><b>L</b></a>]
<p>
Let us assume the Intranet can be distinguished through the IP network
192.160.1.0/24 and the subarea on the Intranet website has the URL
<tt>/subarea</tt>. Then configure the following outside your HTTPS virtual
host (so it applies to both HTTPS and HTTP):
<p>
<table border="0" cellpadding="0" cellspacing="0" summary="">
<tr>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
<td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>
<td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
<td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
</tr>
<tr>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
<td colspan="3" bgcolor="#ffffff">
<table border="0" cellspacing="4" summary="">
<tr>
<td>
<pre>
SSLCACertificateFile conf/ssl.crt/company-ca.crt
&lt;Directory /usr/local/apache/htdocs&gt;
# Outside the subarea only Intranet access is granted
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
&lt;/Directory&gt;
&lt;Directory /usr/local/apache/htdocs/subarea&gt;
# Inside the subarea any Intranet access is allowed
# but from the Internet only HTTPS + Strong-Cipher + Password
# or the alternative HTTPS + Strong-Cipher + Client-Certificate
# If HTTPS is used, make sure a strong cipher is used.
# Additionally allow client certs as alternative to basic auth.
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +FakeBasicAuth +StrictRequire
SSLRequire %{SSL_CIPHER_USEKEYSIZE} &gt;= 128
# Force clients from the Internet to use HTTPS
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
RewriteCond %{HTTPS} !=on
RewriteRule .* - [F]
# Allow Network Access and/or Basic Auth
Satisfy any
# Network Access Control
Order deny,allow
Deny from all
Allow 192.168.1.0/24
# HTTP Basic Authentication
AuthType basic
AuthName "Protected Intranet Area"
AuthUserFile conf/protected.passwd
Require valid-user
&lt;/Directory&gt;
</pre>
</td>
</tr>
</table>
</td>
<td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
<tr>
<td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
</tr>
</table>
</ul>
<p>
<br>
<table summary="">
<tr>
<td>
<table width="600" border="0" summary="">
<tr>
<td valign="top" align="left" width="250">
<a href="ssl_compat.html" onmouseover="ro_imgOver('ro_img_prev_bot', 'previous page'); return true" onmouseout="ro_imgNormal('ro_img_prev_bot'); return true" onfocus="ro_imgOver('ro_img_prev_bot', 'previous page'); return true" onblur="ro_imgNormal('ro_img_prev_bot'); return true"><img name="ro_img_prev_bot" src="ssl_template.navbut-prev-n.gif" alt="previous page" width="70" height="18" border="0"></a><br><font color="#000000">Compatibility</font>
</td>
<td valign="top" align="right" width="250">
<a href="ssl_faq.html" onmouseover="ro_imgOver('ro_img_next_bot', 'next page'); return true" onmouseout="ro_imgNormal('ro_img_next_bot'); return true" onfocus="ro_imgOver('ro_img_next_bot', 'next page'); return true" onblur="ro_imgNormal('ro_img_next_bot'); return true"><img name="ro_img_next_bot" src="ssl_template.navbut-next-n.gif" alt="next page" width="70" height="18" border="0"></a><br><font color="#000000">F.A.Q. List</font>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td><img src="ssl_template.imgdot-1x1-000000.gif" alt="" width="600" height="2" align="bottom" border="0"></td>
</tr>
<tr>
<td><table width="598" summary="">
<tr>
<td align="left"><font face="Arial,Helvetica">
<a href="http://www.modssl.org/">mod_ssl</a> 2.8, User Manual<br>
The Apache Interface to OpenSSL
</font>
</td>
<td align="right"><font face="Arial,Helvetica">
Copyright &copy; 1998-2001
<a href="http://www.engelschall.com/">Ralf S. Engelschall</a><br>
All Rights Reserved<br>
</font>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</div>
</body>
</html>


@ -0,0 +1,919 @@
<html>
<head>
<title>mod_ssl: Introduction</title>
<!--
Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above
copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials
provided with the distribution.
3. All advertising materials mentioning features or use of this
software must display the following acknowledgment:
"This product includes software developed by
Ralf S. Engelschall <rse@engelschall.com> for use in the
mod_ssl project (http://www.modssl.org/)."
4. The name "mod_ssl" must not be used to endorse or promote
products derived from this software without prior written
permission.
5. Redistributions of any form whatsoever must retain the
following acknowledgment:
"This product includes software developed by
Ralf S. Engelschall <rse@engelschall.com> for use in the
mod_ssl project (http://www.modssl.org/)."
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR
HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<style type="text/css"><!--
A:link {
text-decoration: none;
color: #6666cc;
}
A:active {
text-decoration: none;
color: #6666cc;
}
A:visited {
text-decoration: none;
color: #6666cc;
}
#sf {
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H1 {
font-weight: bold;
font-size: 24pt;
line-height: 24pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H2 {
font-weight: bold;
font-size: 18pt;
line-height: 18pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H3 {
font-weight: bold;
font-size: 14pt;
line-height: 14pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H4 {
font-weight: bold;
font-size: 12pt;
line-height: 12pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
#H {
}
#D {
background-color: #f0f0f0;
}
#faq {
font-weight: bold;
font-size: 16pt;
line-height: 16pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
#howto {
font-weight: bold;
font-size: 16pt;
line-height: 16pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
#term {
font-weight: bold;
font-size: 16pt;
line-height: 16pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
--></style>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
function ro_imgNormal(imgName) {
if (document.images) {
document[imgName].src = eval(imgName + '_n.src');
self.status = '';
}
}
function ro_imgOver(imgName, descript) {
if (document.images) {
document[imgName].src = eval(imgName + '_o.src');
self.status = descript;
}
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_prev_top_n = new Image();
ro_img_prev_top_n.src = 'ssl_template.navbut-prev-n.gif';
ro_img_prev_top_o = new Image();
ro_img_prev_top_o.src = 'ssl_template.navbut-prev-s.gif';
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_prev_bot_n = new Image();
ro_img_prev_bot_n.src = 'ssl_template.navbut-prev-n.gif';
ro_img_prev_bot_o = new Image();
ro_img_prev_bot_o.src = 'ssl_template.navbut-prev-s.gif';
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_next_top_n = new Image();
ro_img_next_top_n.src = 'ssl_template.navbut-next-n.gif';
ro_img_next_top_o = new Image();
ro_img_next_top_o.src = 'ssl_template.navbut-next-s.gif';
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_next_bot_n = new Image();
ro_img_next_bot_n.src = 'ssl_template.navbut-next-n.gif';
ro_img_next_bot_o = new Image();
ro_img_next_bot_o.src = 'ssl_template.navbut-next-s.gif';
}
// done hiding -->
</script>
</head>
<body bgcolor="#ffffff" text="#000000" link="#333399" alink="#9999ff" vlink="#000066">
<div align="center">
<table width="600" cellspacing="0" cellpadding="0" border="0" summary="">
<tr>
<td>
<img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="600" height="1" align="bottom" border="0"><br>
<table width="600" cellspacing="0" cellpadding="0" summary="">
<tr>
<td>
<table width="600" summary="">
<tr>
<td align="left" valign="bottom">
<font face="Arial,Helvetica" size="+2"><b>mod_ssl</b></font>
</td>
<td align="right">
<img src="ssl_template.head-chapter.gif" alt="Chapter" width="175" height="94"> <img src="ssl_template.head-num-2.gif" alt="2" width="74" height="89">
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td><img src="ssl_template.imgdot-1x1-000000.gif" alt="" width="600" height="2" align="bottom" border="0"></td>
</tr>
<tr>
<td>
<table width="600" border="0" summary="">
<tr>
<td valign="top" align="left" width="250">
<a href="ssl_overview.html" onmouseover="ro_imgOver('ro_img_prev_top', 'previous page'); return true" onmouseout="ro_imgNormal('ro_img_prev_top'); return true" onfocus="ro_imgOver('ro_img_prev_top', 'previous page'); return true" onblur="ro_imgNormal('ro_img_prev_top'); return true"><img name="ro_img_prev_top" src="ssl_template.navbut-prev-n.gif" alt="previous page" width="70" height="18" border="0"></a><br><font color="#000000">Overview</font>
</td>
<td valign="top" align="right" width="250">
<a href="ssl_reference.html" onmouseover="ro_imgOver('ro_img_next_top', 'next page'); return true" onmouseout="ro_imgNormal('ro_img_next_top'); return true" onfocus="ro_imgOver('ro_img_next_top', 'next page'); return true" onblur="ro_imgNormal('ro_img_next_top'); return true"><img name="ro_img_next_top" src="ssl_template.navbut-next-n.gif" alt="next page" width="70" height="18" border="0"></a><br><font color="#000000">Reference</font>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td>
<br>
<img src="ssl_template.title-intro.gif" alt="Introduction" width="456" height="60">
</td>
</tr>
</table>
<div align="right">
<table cellspacing="0" cellpadding="0" width="400" summary="">
<tr>
<td>
<em>
``The nice thing about standards is that there are so many to choose from.
And if you really don't like all the standards you just have to wait another
year until the one arises you are looking for.''
</em>
</td>
</tr>
<tr>
<td align="right">
<font size="-1">
A. Tanenbaum, ``Introduction to Computer Networks''
</font>
</td>
</tr>
</table>
</div>
<p>
<table cellspacing="0" cellpadding="0" border="0" summary="">
<tr valign="bottom">
<td>
<img src="ssl_intro.gfont000.gif" alt="A" width="37" height="35" border="0" align="left">
s an introduction this chapter is aimed at readers who are familiar
with the Web, HTTP, and Apache, but are not security experts. It is not
intended to be a definitive guide to the SSL protocol, nor does it discuss
specific techniques for managing certificates in an organization, or the
important legal issues of patents and import and export restrictions. Rather,
it is intended to provide a common background to mod_ssl users by pulling
together various concepts, definitions, and examples as a starting point for
further exploration.
<p>
The presented content is mainly derived, with permission by the author, from
the article <a
href="http://www.ultranet.com/~fhirsch/Papers/wwwj/index.html"><em>Introducing SSL
and Certificates using SSLeay</em></a> from <a
href="http://www.ultranet.com/~fhirsch/">Frederick J. Hirsch</a>, of The Open
Group Research Institute, which was published in <a
href="http://www.ora.com/catalog/wjsum97/"><em>Web Security: A Matter of
Trust</em></a>, World Wide Web Journal, Volume 2, Issue 3, Summer 1997.
Please send any postive feedback to <a
href="mailto:fjh@alum.mit.edu">Frederick Hirsch</a> (the original
article author) and all negative feedback to <a
href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> (the mod_ssl
author).
</td>
<td>
&nbsp;&nbsp;
</td>
<td>
<div align="right">
<table cellspacing="0" cellpadding="5" border="0" bgcolor="#ccccff" summary="">
<tr>
<td bgcolor="#333399">
<font face="Arial,Helvetica" color="#ccccff">
<b>Table Of Contents</b>
</font>
</td>
</tr>
<tr>
<td>
<font face="Arial,Helvetica" size="-1">
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC1"><strong>Cryptographic Techniques</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC2"><strong>Cryptographic Algorithms</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC3"><strong>Message Digests</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC4"><strong>Digital Signatures</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC5"><strong>Certificates</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC6"><strong>Certificate Contents</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC7"><strong>Certificate Authorities</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC8"><strong>Certificate Chains</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC9"><strong>Creating a Root-Level CA</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC10"><strong>Certificate Management</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC11"><strong>Secure Sockets Layer (SSL)</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC12"><strong>Session Establishment</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC13"><strong>Key Exchange Method</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC14"><strong>Cipher for Data Transfer</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC15"><strong>Digest Function</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC16"><strong>Handshake Sequence Protocol</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC17"><strong>Data Transfer</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC18"><strong>Securing HTTP Communication</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC19"><strong>References</strong></a><br>
</font>
</td>
</tr>
</table>
</div>
</td>
</tr>
</table>
<h2><a name="ToC1">Cryptographic Techniques</a></h2>
Understanding SSL requires an understanding of cryptographic algorithms,
message digest functions (aka. one-way or hash functions), and digital
signatures. These techniques are the subject of entire books (see for instance
[<a href="#AC96">AC96</a>]) and provide the basis for privacy, integrity, and
authentication.
<h3><a name="ToC2">Cryptographic Algorithms</a></h3>
Suppose Alice wants to send a message to her bank to transfer some money.
Alice would like the message to be private, since it will include information
such as her account number and transfer amount. One solution is to use a
cryptographic algorithm, a technique that would transform her message into an
encrypted form, unreadable except by those it is intended for. Once in this
form, the message may only be interpreted through the use of a secret key.
Without the key the message is useless: good cryptographic algorithms make it
so difficult for intruders to decode the original text that it isn't worth
their effort.
<p>
There are two categories of cryptographic algorithms:
conventional and public key.
<ul>
<li><em>Conventional cryptography</em>, also known as symmetric
cryptography, requires the sender and receiver to share a key: a secret
piece of information that may be used to encrypt or decrypt a message.
If this key is secret, then nobody other than the sender or receiver may
read the message. If Alice and the bank know a secret key, then they
may send each other private messages. The task of privately choosing a key
before communicating, however, can be problematic.
<p>
<li><em>Public key cryptography</em>, also known as asymmetric cryptography,
solves the key exchange problem by defining an algorithm which uses two keys,
each of which may be used to encrypt a message. If one key is used to encrypt
a message then the other must be used to decrypt it. This makes it possible
to receive secure messages by simply publishing one key (the public key) and
keeping the other secret (the private key).
<p>
Anyone may encrypt a message using the public key, but only the owner of the
private key will be able to read it. In this way, Alice may send private
messages to the owner of a key-pair (the bank), by encrypting it using their
public key. Only the bank will be able to decrypt it.
</ul>
<h3><a name="ToC3">Message Digests</a></h3>
Although Alice may encrypt her message to make it private, there is still a
concern that someone might modify her original message or substitute
it with a different one, in order to transfer the money to themselves, for
instance. One way of guaranteeing the integrity of Alice's message is to
create a concise summary of her message and send this to the bank as well.
Upon receipt of the message, the bank creates its own summary and compares it
with the one Alice sent. If they agree then the message was received intact.
<p>
A summary such as this is called a <em>message digest</em>, <em>one-way
function</em> or <em>hash function</em>. Message digests are used to create
short, fixed-length representations of longer, variable-length messages.
Digest algorithms are designed to produce unique digests for different
messages. Message digests are designed to make it too difficult to determine
the message from the digest, and also impossible to find two different
messages which create the same digest -- thus eliminating the possibility of
substituting one message for another while maintaining the same digest.
<p>
Another challenge that Alice faces is finding a way to send the digest to the
bank securely; when this is achieved, the integrity of the associated message
is assured. One way to to this is to include the digest in a digital
signature.
<h3><a name="ToC4">Digital Signatures</a></h3>
When Alice sends a message to the bank, the bank needs to ensure that the
message is really from her, so an intruder does not request a transaction
involving her account. A <em>digital signature</em>, created by Alice and
included with the message, serves this purpose.
<p>
Digital signatures are created by encrypting a digest of the message,
and other information (such as a sequence number) with the sender's
private key. Though anyone may <em>decrypt</em> the signature using the public
key, only the signer knows the private key. This means that only they may
have signed it. Including the digest in the signature means the signature is
only good for that message; it also ensures the integrity of the message since
no one can change the digest and still sign it.
<p>
To guard against interception and reuse of the signature by an intruder at a
later date, the signature contains a unique sequence number. This protects
the bank from a fraudulent claim from Alice that she did not send the message
-- only she could have signed it (non-repudiation).
<h2><a name="ToC5">Certificates</a></h2>
Although Alice could have sent a private message to the bank, signed it, and
ensured the integrity of the message, she still needs to be sure that she is
really communicating with the bank. This means that she needs to be sure that
the public key she is using corresponds to the bank's private key. Similarly,
the bank also needs to verify that the message signature really corresponds to
Alice's signature.
<p>
If each party has a certificate which validates the other's identity, confirms
the public key, and is signed by a trusted agency, then they both will be
assured that they are communicating with whom they think they are. Such a
trusted agency is called a <em>Certificate Authority</em>, and certificates are
used for authentication.
<h3><a name="ToC6">Certificate Contents</a></h3>
A certificate associates a public key with the real identity of an individual,
server, or other entity, known as the subject. As shown in <a
href="#table1">Table 1</a>, information about the subject includes identifying
information (the distinguished name), and the public key. It also includes
the identification and signature of the Certificate Authority that issued the
certificate, and the period of time during which the certificate is valid. It
may have additional information (or extensions) as well as administrative
information for the Certificate Authority's use, such as a serial number.
<p>
<div align="center">
<a name="table1"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
<caption align="bottom" id="sf">Table 1: Certificate Information</caption>
<tr><td bgcolor="#cccccc">
<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
<tr><td valign="top" align="center" bgcolor="#ffffff">
<table summary="">
<tr valign="top"><td><b>Subject:</b></td>
<td>Distinguished Name, Public Key</td></tr>
<tr valign="top"><td><b>Issuer:</b></td>
<td>Distinguished Name, Signature</td></tr>
<tr><td><b>Period of Validity:</b></td>
<td>Not Before Date, Not After Date</td></tr>
<tr><td><b>Administrative Information:</b></td>
<td>Version, Serial Number</td></TR>
<tr><td><b>Extended Information:</b></td>
<td>Basic Contraints, Netscape Flags, etc.</td></TR>
</table>
</td>
</tr></table>
</td></tr></table>
</div>
<p>
A distinguished name is used to provide an identity in a specific context --
for instance, an individual might have a personal certificate as well as one
for their identity as an employee. Distinguished names are defined by the
X.509 standard [<a href="#X509">X509</A>], which defines the fields, field
names, and abbreviations used to refer to the fields
(see <a href="#table2">Table 2</a>).
<p>
<div align="center">
<a name="table2"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
<caption align="bottom" id="sf">Table 2: Distinguished Name Information</caption>
<tr><td bgcolor="#cccccc">
<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
<tr><td valign="top" align="center" bgcolor="#ffffff">
<table summary="">
<tr valign="top"><td><b>DN Field:</b></td><td><b>Abbrev.:</b></td><td><b>Description:</b></td>
<td><b>Example:</b></td>
</t>
<tr valign="top"><td>Common Name</td><td>CN</td>
<td>Name being certified</td><td>CN=Joe Average</td></tr>
<tr valign="top"><td>Organization or Company</td><td>O</td>
<td>Name is associated with this<br>organization</td><td>O=Snake Oil, Ltd.</td></tr>
<tr valign="top"><td>Organizational Unit</td><td>OU</td>
<td>Name is associated with this <br>organization unit, such as a department</td><td>OU=Research Institute</td></tr>
<tr valign="top"><td>City/Locality</td><td>L</td>
<td>Name is located in this City</td><td>L=Snake City</td></tr>
<tr valign="top"><td>State/Province</td><td>ST</td>
<td>Name is located in this State/Province</td><td>ST=Desert</td></tr>
<tr valign="top"><td>Country</td><td>C</td>
<td>Name is located in this Country (ISO code)</td><td>C=XZ</td></tr>
</table>
</td>
</tr></table>
</td></tr></table>
</div>
<p>
A Certificate Authority may define a policy specifying which distinguished
field names are optional, and which are required. It may also place
requirements upon the field contents, as may users of certificates. As an
example, a Netscape browser requires that the Common Name for a certificate
representing a server has a name which matches a wildcard pattern for the
domain name of that server, such as <code>*.snakeoil.com</code>.
<p>
The binary format of a certificate is defined using the ASN.1 notation [ <a
href="#X208">X208</a>] [<a href="#PKCS">PKCS</a>]. This notation defines how to
specify the contents, and encoding rules define how this information is
translated into binary form. The binary encoding of the certificate is
defined using Distinguished Encoding Rules (DER), which are based on the more
general Basic Encoding Rules (BER). For those transmissions which cannot
handle binary, the binary form may be translated into an ASCII form by using
Base64 encoding [<a href="#MIME">MIME</a>]. This encoded version is called PEM
encoded (the name comes from "Privacy Enhanced Mail"), when placed between
begin and end delimiter lines as illustrated in <a href="#table3">Table 3</a>.
<p>
<div align="center">
<a name="table3"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
<caption align="bottom" id="sf">Table 3: Example of a PEM-encoded certificate (snakeoil.crt)</caption>
<tr><td bgcolor="#cccccc">
<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
<tr><td valign="top" align="center" bgcolor="#ffffff">
<table cellspacing="0" cellpadding="0" summary=""><tr><td>
<div class="code"><pre>
-----BEGIN CERTIFICATE-----
MIIC7jCCAlegAwIBAgIBATANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCWFkx
FTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25ha2UgVG93bjEXMBUG
A1UEChMOU25ha2UgT2lsLCBMdGQxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhv
cml0eTEVMBMGA1UEAxMMU25ha2UgT2lsIENBMR4wHAYJKoZIhvcNAQkBFg9jYUBz
bmFrZW9pbC5kb20wHhcNOTgxMDIxMDg1ODM2WhcNOTkxMDIxMDg1ODM2WjCBpzEL
MAkGA1UEBhMCWFkxFTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25h
a2UgVG93bjEXMBUGA1UEChMOU25ha2UgT2lsLCBMdGQxFzAVBgNVBAsTDldlYnNl
cnZlciBUZWFtMRkwFwYDVQQDExB3d3cuc25ha2VvaWwuZG9tMR8wHQYJKoZIhvcN
AQkBFhB3d3dAc25ha2VvaWwuZG9tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDH9Ge/s2zcH+da+rPTx/DPRp3xGjHZ4GG6pCmvADIEtBtKBFAcZ64n+Dy7Np8b
vKR+yy5DGQiijsH1D/j8HlGE+q4TZ8OFk7BNBFazHxFbYI4OKMiCxdKzdif1yfaa
lWoANFlAzlSdbxeGVHoT0K+gT5w3UxwZKv2DLbCTzLZyPwIDAQABoyYwJDAPBgNV
HRMECDAGAQH/AgEAMBEGCWCGSAGG+EIBAQQEAwIAQDANBgkqhkiG9w0BAQQFAAOB
gQAZUIHAL4D09oE6Lv2k56Gp38OBDuILvwLg1v1KL8mQR+KFjghCrtpqaztZqcDt
2q2QoyulCgSzHbEGmi0EsdkPfg6mp0penssIFePYNI+/8u9HT4LuKMJX15hxBam7
dUHzICxBVC1lnHyYGjDuAMhe396lYAn8bCld1/L4NMGBCQ==
-----END CERTIFICATE-----</pre></div>
</td></tr></table>
</td>
</tr></table>
</td></tr></table>
</div>
<h3><a name="ToC7">Certificate Authorities</a></h3>
By first verifying the information in a certificate request before granting
the certificate, the Certificate Authority assures the identity of the private
key owner of a key-pair. For instance, if Alice requests a personal
certificate, the Certificate Authority must first make sure that Alice really
is the person the certificate request claims.
<h4><a name="ToC8">Certificate Chains</a></h4>
A Certificate Authority may also issue a certificate for another Certificate
Authority. When examining a certificate, Alice may need to examine the
certificate of the issuer, for each parent Certificate Authority, until
reaching one which she has confidence in. She may decide to trust only
certificates with a limited chain of issuers, to reduce her risk of a "bad"
certificate in the chain.
<h4><a name="ToC9">Creating a Root-Level CA</a></h4>
As noted earlier, each certificate requires an issuer to assert the validity
of the identity of the certificate subject, up to the top-level Certificate
Authority (CA). This presents a problem: Since this is who vouches for the
certificate of the top-level authority, which has no issuer?
In this unique case, the certificate is "self-signed", so the issuer of the
certificate is the same as the subject. As a result, one must exercise extra
care in trusting a self-signed certificate. The wide publication of a public
key by the root authority reduces the risk in trusting this key -- it would be
obvious if someone else publicized a key claiming to be the authority.
Browsers are preconfigured to trust well-known certificate authorities.
<p>
A number of companies, such as <a href="http://www.thawte.com/">Thawte</a> and
<a href="http://www.verisign.com/">VeriSign</a> have established themselves as
Certificate Authorities. These companies provide the following services:
<ul>
<li>Verifying certificate requests
<li>Processing certificate requests
<li>Issuing and managing certificates
</ul>
<p>
It is also possible to create your own Certificate Authority. Although risky
in the Internet environment, it may be useful within an Intranet where the
organization can easily verify the identities of individuals and servers.
<h4><a name="ToC10">Certificate Management</a></h4>
Establishing a Certificate Authority is a responsibility which requires a
solid administrative, technical, and management framework.
Certificate Authorities not only issue certificates, they also manage them --
that is, they determine how long certificates are valid, they renew them, and
they keep lists of certificates that have already been issued but are no
longer valid (Certificate Revocation Lists, or CRLs).
Say Alice is entitled to a certificate as an employee of a company. Say too,
that the certificate needs to be revoked when Alice leaves the company. Since
certificates are objects that get passed around, it is impossible to tell from
the certificate alone that it has been revoked.
When examining certificates for validity, therefore, it is necessary to
contact the issuing Certificate Authority to check CRLs -- this is not usually
an automated part of the process.
<p>
<div align="center"><B>Note:</B></div>
If you use a Certificate Authority that is not configured into browsers by
default, it is necessary to load the Certificate Authority certificate into
the browser, enabling the browser to validate server certificates signed by
that Certificate Authority. Doing so may be dangerous, since once loaded, the
browser will accept all certificates signed by that Certificate Authority.
<h2><a name="ToC11">Secure Sockets Layer (SSL)</a></h2>
The Secure Sockets Layer protocol is a protocol layer which may be placed
between a reliable connection-oriented network layer protocol (e.g. TCP/IP)
and the application protocol layer (e.g. HTTP). SSL provides for secure
communication between client and server by allowing mutual authentication, the
use of digital signatures for integrity, and encryption for privacy.
<p>
The protocol is designed to support a range of choices for specific algorithms
used for cryptography, digests, and signatures. This allows algorithm
selection for specific servers to be made based on legal, export or other
concerns, and also enables the protocol to take advantage of new algorithms.
Choices are negotiated between client and server at the start of establishing
a protocol session.
<p>
<div align="center">
<a name="table4"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
<caption align="bottom" id="sf">Table 4: Versions of the SSL protocol</caption>
<tr><td bgcolor="#cccccc">
<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
<tr><td valign="top" align="center" bgcolor="#ffffff">
<table summary="">
<tr valign="top">
<td><b>Version:</b></td>
<td><b>Source:</b></td>
<td><b>Description:</b></td>
<td><b>Browser Support:</b></td>
</tr>
<tr valign="top">
<td>SSL v2.0</td>
<td>Vendor Standard (from Netscape Corp.) [<a href="#SSL2">SSL2</a>]</td>
<td>First SSL protocol for which implementations exists</td>
<td>- NS Navigator 1.x/2.x<br>
- MS IE 3.x<br>
- Lynx/2.8+OpenSSL
</td>
</tr>
<tr valign="top">
<td>SSL v3.0</td>
<td>Expired Internet Draft (from Netscape Corp.) [<a href="#SSL3">SSL3</a>]</td>
<td>Revisions to prevent specific security attacks, add non-RSA ciphers, and support for certificate chains</td>
<td>- NS Navigator 2.x/3.x/4.x<br>
- MS IE 3.x/4.x<br>
- Lynx/2.8+OpenSSL
</td>
</tr>
<tr valign="top">
<td>TLS v1.0</td>
<td>Proposed Internet Standard (from IETF) [<a href="#TLS1">TLS1</a>]</td>
<td>Revision of SSL 3.0 to update the MAC layer to HMAC, add block padding for
block ciphers, message order standardization and more alert messages.
</td>
<td>- Lynx/2.8+OpenSSL</td>
</table>
</td>
</tr></table>
</td></tr></table>
</div>
<p>
There are a number of versions of the SSL protocol, as shown in <a
href="#table4">Table 4</a>. As noted there, one of the benefits in SSL 3.0 is
that it adds support of certificate chain loading. This feature allows a
server to pass a server certificate along with issuer certificates to the
browser. Chain loading also permits the browser to validate the server
certificate, even if Certificate Authority certificates are not installed for
the intermediate issuers, since they are included in the certificate chain.
SSL 3.0 is the basis for the Transport Layer Security [<A
HREF="#TLS1">TLS</A>] protocol standard, currently in development by the
Internet Engineering Task Force (IETF).
<h3><a name="ToC12">Session Establishment</a></h3>
The SSL session is established by following a <I>handshake sequence</I>
between client and server, as shown in <a href="#figure1">Figure 1</a>. This
sequence may vary, depending on whether the server is configured to provide a
server certificate or request a client certificate. Though cases exist where
additional handshake steps are required for management of cipher information,
this article summarizes one common scenario: see the SSL specification for the
full range of possibilities.
<p>
<div align="center"><b>Note</b></div>
Once an SSL session has been established it may be reused, thus avoiding the
performance penalty of repeating the many steps needed to start a session.
For this the server assigns each SSL session a unique session identifier which
is cached in the server and which the client can use on forthcoming
connections to reduce the handshake (until the session identifer expires in
the cache of the server).
<p>
<div align="center">
<a name="figure1"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
<caption align="bottom" id="sf">Figure 1: Simplified SSL Handshake Sequence</caption>
<tr><td bgcolor="#cccccc">
<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
<tr><td valign="top" align="center" bgcolor="#ffffff">
<img src="ssl_intro_fig1.gif" alt="" width="423" height="327">
</td>
</tr></table>
</td></tr></table>
</div>
<p>
The elements of the handshake sequence, as used by the client and server, are
listed below:
<ol>
<li>Negotiate the Cipher Suite to be used during data transfer
<li>Establish and share a session key between client and server
<li>Optionally authenticate the server to the client
<li>Optionally authenticate the client to the server
</ol>
<p>
The first step, Cipher Suite Negotiation, allows the client and server to
choose a Cipher Suite supportable by both of them. The SSL3.0 protocol
specification defines 31 Cipher Suites. A Cipher Suite is defined by the
following components:
<ul>
<li>Key Exchange Method
<li>Cipher for Data Transfer
<li>Message Digest for creating the Message Authentication Code (MAC)
</ul>
These three elements are described in the sections that follow.
<h3><a name="ToC13">Key Exchange Method</a></h3>
The key exchange method defines how the shared secret symmetric cryptography
key used for application data transfer will be agreed upon by client and
server. SSL 2.0 uses RSA key exchange only, while SSL 3.0 supports a choice of
key exchange algorithms including the RSA key exchange when certificates are
used, and Diffie-Hellman key exchange for exchanging keys without certificates
and without prior communication between client and server.
<p>
One variable in the choice of key exchange methods is digital signatures --
whether or not to use them, and if so, what kind of signatures to use.
Signing with a private key provides assurance against a
man-in-the-middle-attack during the information exchange used in generating
the shared key [<a href="#AC96">AC96</a>, p516].
<h3><a name="ToC14">Cipher for Data Transfer</a></h3>
SSL uses the conventional cryptography algorithm (symmetric cryptography)
described earlier for encrypting messages in a session. There are nine
choices, including the choice to perform no encryption:
<ul>
<li>No encryption
<li>Stream Ciphers
<ul>
<li>RC4 with 40-bit keys
<li>RC4 with 128-bit keys
</ul>
<li>CBC Block Ciphers
<ul>
<li>RC2 with 40 bit key
<li>DES with 40 bit key
<li>DES with 56 bit key
<li>Triple-DES with 168 bit key
<li>Idea (128 bit key)
<li>Fortezza (96 bit key)
</ul>
</ul>
Here "CBC" refers to Cipher Block Chaining, which means that a portion of the
previously encrypted cipher text is used in the encryption of the current
block. "DES" refers to the Data Encryption Standard [<a href="#AC96">AC96</a>,
ch12], which has a number of variants (including DES40 and 3DES_EDE). "Idea"
is one of the best and cryptographically strongest available algorithms, and
"RC2" is a proprietary algorithm from RSA DSI [<a href="#AC96">AC96</a>,
ch13].
<h3><a name="ToC15">Digest Function</a></h3>
The choice of digest function determines how a digest is created from a record
unit. SSL supports the following:
<ul>
<li>No digest (Null choice)
<li>MD5, a 128-bit hash
<li>Secure Hash Algorithm (SHA-1), a 160-bit hash
</ul>
The message digest is used to create a Message Authentication Code (MAC) which
is encrypted with the message to provide integrity and to prevent against
replay attacks.
<h3><a name="ToC16">Handshake Sequence Protocol</a></h3>
The handshake sequence uses three protocols:
<ul>
<li>The <em>SSL Handshake Protocol</em>
for performing the client and server SSL session establishment.
<li>The <em>SSL Change Cipher Spec Protocol</em> for actually establishing agreement
on the Cipher Suite for the session.
<li>The <em>SSL Alert Protocol</em> for
conveying SSL error messages between client and server.
</ul>
These protocols, as well as application protocol data, are encapsulated in the
<em>SSL Record Protocol</em>, as shown in <a href="#figure2">Figure 2</a>. An
encapsulated protocol is transferred as data by the lower layer protocol,
which does not examine the data. The encapsulated protocol has no knowledge of
the underlying protocol.
<p>
<div align="center">
<a name="figure2"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
<caption align="bottom" id="sf">Figure 2: SSL Protocol Stack</caption>
<tr><td bgcolor="#cccccc">
<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
<tr><td valign="top" align="center" bgcolor="#ffffff">
<img src="ssl_intro_fig2.gif" alt="" width="428" height="217">
</td>
</tr></table>
</td></tr></table>
</div>
<p>
The encapsulation of SSL control protocols by the record protocol means that
if an active session is renegotiated the control protocols will be transmitted
securely. If there were no session before, then the Null cipher suite is
used, which means there is no encryption and messages have no integrity
digests until the session has been established.
<h3><a name="ToC17">Data Transfer</a></h3>
The SSL Record Protocol, shown in <a href="#figure3">Figure 3</a>, is used to
transfer application and SSL Control data between the client and server,
possibly fragmenting this data into smaller units, or combining multiple
higher level protocol data messages into single units. It may compress, attach
digest signatures, and encrypt these units before transmitting them using the
underlying reliable transport protocol (Note: currently all major SSL
implementations lack support for compression).
<p>
<div align="center">
<a name="figure3"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
<caption align="bottom" id="sf">Figure 3: SSL Record Protocol</caption>
<tr><td bgcolor="#cccccc">
<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
<tr><td valign="top" align="center" bgcolor="#ffffff">
<img src="ssl_intro_fig3.gif" alt="" width="423" height="323">
</td>
</tr></table>
</td></tr></table>
</div>
<h3><a name="ToC18">Securing HTTP Communication</a></h3>
One common use of SSL is to secure Web HTTP communication between a browser
and a webserver. This case does not preclude the use of non-secured HTTP. The
secure version is mainly plain HTTP over SSL (named HTTPS), but with one major
difference: it uses the URL scheme <code>https</code> rather than
<code>http</code> and a different server port (by default 443). This mainly
is what mod_ssl provides to you for the Apache webserver...
<h2><a name="ToC19">References</a></h2>
<ul>
<p>
<li><a name="AC96"></a>
[AC96] Bruce Schneier, <em>Applied Cryptography</em>, 2nd Edition, Wiley,
1996. See <a href="http://www.counterpane.com/">http://www.counterpane.com/</a> for
various other materials by Bruce Schneier.
<p>
<li><a name="X208"></a>
[X208] ITU-T Recommendation X.208, <em>Specification of Abstract Syntax Notation
One (ASN.1)</em>, 1988. See for instance <a
href="ftp://ftp.neda.com/pub/itu/x.series/x208.ps">
ftp://ftp.neda.com/pub/itu/x.series/x208.ps</a>.
<p>
<li><a name="X509"></a>
[X509] ITU-T Recommendation X.509, <em>The Directory - Authentication
Framework</em>, 1988. See for instance <a
href="ftp://ftp.bull.com/pub/OSIdirectory/ITUnov96/X.509/97x509final.doc">
ftp://ftp.bull.com/pub/OSIdirectory/ITUnov96/X.509/97x509final.doc</a>.
<p>
<li><a name="PKCS"></a>
[PKCS] Kaliski, Burton S., Jr., <em>An Overview of the PKCS Standards</em>, An RSA
Laboratories Technical Note, revised November 1, 1993.
See <a href="http://www.rsa.com/rsalabs/pubs/PKCS/">
http://www.rsa.com/rsalabs/pubs/PKCS/</a>.
<p>
<li><a name="MIME"></a>
[MIME] N. Freed, N. Borenstein, <em>Multipurpose Internet Mail Extensions
(MIME) Part One: Format of Internet Message Bodies</em>, RFC2045.
See for instance <a href="ftp://ftp.isi.edu/in-notes/rfc2045.txt">
ftp://ftp.isi.edu/in-notes/rfc2045.txt</a>.
<p>
<li><a name="SSL2"></a>
[SSL2] Kipp E.B. Hickman, <em>The SSL Protocol</em>, 1995.
See <a href="http://www.netscape.com/eng/security/SSL_2.html">
http://www.netscape.com/eng/security/SSL_2.html</a>.
<p>
<li><a name="SSL3"></a>
[SSL3] Alan O. Freier, Philip Karlton, Paul C. Kocher, <em>The SSL Protocol
Version 3.0</em>, 1996. See <a
href="http://www.netscape.com/eng/ssl3/draft302.txt">
http://www.netscape.com/eng/ssl3/draft302.txt</a>.
<p>
<li><a name="TLS1"></a>
[TLS1] Tim Dierks, Christopher Allen, <em>The TLS Protocol Version 1.0</em>,
1997. See <a
href="ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-protocol-06.txt">
ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-protocol-06.txt</a>.
</ul>
<p>
<br>
<table summary="">
<tr>
<td>
<table width="600" border="0" summary="">
<tr>
<td valign="top" align="left" width="250">
<a href="ssl_overview.html" onmouseover="ro_imgOver('ro_img_prev_bot', 'previous page'); return true" onmouseout="ro_imgNormal('ro_img_prev_bot'); return true" onfocus="ro_imgOver('ro_img_prev_bot', 'previous page'); return true" onblur="ro_imgNormal('ro_img_prev_bot'); return true"><img name="ro_img_prev_bot" src="ssl_template.navbut-prev-n.gif" alt="previous page" width="70" height="18" border="0"></a><br><font color="#000000">Overview</font>
</td>
<td valign="top" align="right" width="250">
<a href="ssl_reference.html" onmouseover="ro_imgOver('ro_img_next_bot', 'next page'); return true" onmouseout="ro_imgNormal('ro_img_next_bot'); return true" onfocus="ro_imgOver('ro_img_next_bot', 'next page'); return true" onblur="ro_imgNormal('ro_img_next_bot'); return true"><img name="ro_img_next_bot" src="ssl_template.navbut-next-n.gif" alt="next page" width="70" height="18" border="0"></a><br><font color="#000000">Reference</font>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td><img src="ssl_template.imgdot-1x1-000000.gif" alt="" width="600" height="2" align="bottom" border="0"></td>
</tr>
<tr>
<td><table width="598" summary="">
<tr>
<td align="left"><font face="Arial,Helvetica">
<a href="http://www.modssl.org/">mod_ssl</a> 2.8, User Manual<br>
The Apache Interface to OpenSSL
</font>
</td>
<td align="right"><font face="Arial,Helvetica">
Copyright &copy; 1998-2001
<a href="http://www.engelschall.com/">Ralf S. Engelschall</a><br>
All Rights Reserved<br>
</font>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</div>
</body>
</html>


@ -0,0 +1,476 @@
<html>
<head>
<title>mod_ssl: Preface</title>
<!--
Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above
copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials
provided with the distribution.
3. All advertising materials mentioning features or use of this
software must display the following acknowledgment:
"This product includes software developed by
Ralf S. Engelschall <rse@engelschall.com> for use in the
mod_ssl project (http://www.modssl.org/)."
4. The name "mod_ssl" must not be used to endorse or promote
products derived from this software without prior written
permission.
5. Redistributions of any form whatsoever must retain the
following acknowledgment:
"This product includes software developed by
Ralf S. Engelschall <rse@engelschall.com> for use in the
mod_ssl project (http://www.modssl.org/)."
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RALF S. ENGELSCHALL OR
HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<style type="text/css"><!--
A:link {
text-decoration: none;
color: #6666cc;
}
A:active {
text-decoration: none;
color: #6666cc;
}
A:visited {
text-decoration: none;
color: #6666cc;
}
#sf {
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H1 {
font-weight: bold;
font-size: 24pt;
line-height: 24pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H2 {
font-weight: bold;
font-size: 18pt;
line-height: 18pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H3 {
font-weight: bold;
font-size: 14pt;
line-height: 14pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
H4 {
font-weight: bold;
font-size: 12pt;
line-height: 12pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
#H {
}
#D {
background-color: #f0f0f0;
}
#faq {
font-weight: bold;
font-size: 16pt;
line-height: 16pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
#howto {
font-weight: bold;
font-size: 16pt;
line-height: 16pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
#term {
font-weight: bold;
font-size: 16pt;
line-height: 16pt;
font-family: arial,helvetica;
font-variant: normal;
font-style: normal;
}
--></style>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
function ro_imgNormal(imgName) {
if (document.images) {
document[imgName].src = eval(imgName + '_n.src');
self.status = '';
}
}
function ro_imgOver(imgName, descript) {
if (document.images) {
document[imgName].src = eval(imgName + '_o.src');
self.status = descript;
}
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_prev_top_n = new Image();
ro_img_prev_top_n.src = 'ssl_template.navbut-prev-n.gif';
ro_img_prev_top_o = new Image();
ro_img_prev_top_o.src = 'ssl_template.navbut-prev-s.gif';
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_prev_bot_n = new Image();
ro_img_prev_bot_n.src = 'ssl_template.navbut-prev-n.gif';
ro_img_prev_bot_o = new Image();
ro_img_prev_bot_o.src = 'ssl_template.navbut-prev-s.gif';
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_next_top_n = new Image();
ro_img_next_top_n.src = 'ssl_template.navbut-next-n.gif';
ro_img_next_top_o = new Image();
ro_img_next_top_o.src = 'ssl_template.navbut-next-s.gif';
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
ro_img_next_bot_n = new Image();
ro_img_next_bot_n.src = 'ssl_template.navbut-next-n.gif';
ro_img_next_bot_o = new Image();
ro_img_next_bot_o.src = 'ssl_template.navbut-next-s.gif';
}
// done hiding -->
</script>
</head>
<body bgcolor="#ffffff" text="#000000" link="#333399" alink="#9999ff" vlink="#000066">
<div align="center">
<table width="600" cellspacing="0" cellpadding="0" border="0" summary="">
<tr>
<td>
<img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="600" height="1" align="bottom" border="0"><br>
<table width="600" cellspacing="0" cellpadding="0" summary="">
<tr>
<td>
<table width="600" summary="">
<tr>
<td align="left" valign="bottom">
<font face="Arial,Helvetica" size="+2"><b>mod_ssl</b></font>
</td>
<td align="right">
<img src="ssl_template.head-chapter.gif" alt="Chapter" width="175" height="94"> <img src="ssl_template.head-num-1.gif" alt="1" width="74" height="89">
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td><img src="ssl_template.imgdot-1x1-000000.gif" alt="" width="600" height="2" align="bottom" border="0"></td>
</tr>
<tr>
<td>
<table width="600" border="0" summary="">
<tr>
<td valign="top" align="left" width="250">
<a href="index.html" onmouseover="ro_imgOver('ro_img_prev_top', 'previous page'); return true" onmouseout="ro_imgNormal('ro_img_prev_top'); return true" onfocus="ro_imgOver('ro_img_prev_top', 'previous page'); return true" onblur="ro_imgNormal('ro_img_prev_top'); return true"><img name="ro_img_prev_top" src="ssl_template.navbut-prev-n.gif" alt="previous page" width="70" height="18" border="0"></a><br><font color="#000000">Cover</font>
</td>
<td valign="top" align="right" width="250">
<a href="ssl_intro.html" onmouseover="ro_imgOver('ro_img_next_top', 'next page'); return true" onmouseout="ro_imgNormal('ro_img_next_top'); return true" onfocus="ro_imgOver('ro_img_next_top', 'next page'); return true" onblur="ro_imgNormal('ro_img_next_top'); return true"><img name="ro_img_next_top" src="ssl_template.navbut-next-n.gif" alt="next page" width="70" height="18" border="0"></a><br><font color="#000000">Introduction</font>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td>
<br>
<img src="ssl_template.title-over.gif" alt="Preface" width="456" height="60">
</td>
</tr>
</table>
<div align="right">
<table cellspacing="0" cellpadding="0" width="300" summary="">
<tr>
<td>
<em>
``Ralf Engelschall has released an
excellent module that integrates
Apache and SSLeay.''
</em>
</td>
</tr>
<tr>
<td align="right">
<font size="-1">
Tim J. Hudson, SSLeay F.A.Q.
</font>
</td>
</tr>
</table>
</div>
<p>
<table cellspacing="0" cellpadding="0" border="0" summary="">
<tr valign="bottom">
<td>
<img src="ssl_overview.gfont000.gif" alt="T" width="34" height="34" border="0" align="left">
his module provides strong cryptography for the <A
HREF="http://www.apache.org/">Apache</A> (v1.3) webserver via the <A
HREF="http://www.netscape.com/newsref/std/SSL.html">Secure Socket Layer</A>
(SSL v2/v3) and <A HREF="http://www.consensus.com/ietf-tls/">Transport Layer
Security</A> (TLS v1) protocols by the help of the excellent SSL/TLS
implementation library <A HREF="http://www.openssl.org/">OpenSSL</A> from <A
HREF="mailto:eay@aus.rsa.com">Eric A. Young</A> and <A
HREF="mailto:tjh@cryptsoft.com">Tim Hudson</A>.
</td>
<td>
&nbsp;&nbsp;
</td>
<td>
<div align="right">
<table cellspacing="0" cellpadding="5" border="0" bgcolor="#ccccff" summary="">
<tr>
<td bgcolor="#333399">
<font face="Arial,Helvetica" color="#ccccff">
<b>Global Table Of Contents</b>
</font>
</td>
</tr>
<tr>
<td>
<font face="Arial,Helvetica" size="-1">
<b>
<a href="ssl_overview.html">Chapter 1: Preface</a><br>
<a href="ssl_intro.html">Chapter 2: Introduction</a><br>
<a href="ssl_reference.html">Chapter 3: Reference</a><br>
<a href="ssl_compat.html">Chapter 4: Compatibility</a><br>
<a href="ssl_howto.html">Chapter 5: HowTo</a><br>
<a href="ssl_faq.html">Chapter 6: F.A.Q. List</a><br>
<a href="ssl_glossary.html">Chapter 7: Glossary</a><br>
</b>
</font>
</td>
</tr>
</table>
</div>
</td>
</tr>
</table>
<p>
The <A HREF="http://www.modssl.org/">mod_ssl</A> package was
created in April 1998 by <A HREF="mailto:rse@engelschall.com">Ralf S.
Engelschall</A> and was originally derived from the <A
HREF="http://www.apache-ssl.org/">Apache-SSL</A> package developed by <A
HREF="mailto:ben@algroup.co.uk">Ben Laurie</A>. It stays under a BSD-style
license which is equivalent to the license used by <A
HREF="http://www.apache.org/">The Apache Group</a> for the Apache webserver
itself. This means, in short, that you are free to use it both for commercial
and non-commercial purposes as long as you retain the authors' copyright
notices and give the proper credit.
<h2>Legalese</h2>
Although the above conditions also apply to Apache and OpenSSL in general (both
are freely available and useable software packages), you should be aware that
especially the cryptographic algorithms used inside OpenSSL stay under
certain patents and perhaps import/export/use restrictions in some countries
of the world. So whether you can actually use the combination
Apache+mod_ssl+OpenSSL in your country depends mainly on your local state laws.
The authors of neither Apache nor mod_ssl nor OpenSSL are liable for any
violations you make here.
<p>
If you're not sure what law details apply to your country you're strongly
advised to first determine them by consulting an attorney before using this
module. A lot of hints you can find in the <a
href="http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm">International Law
Crypto Survey</a> which is a really comprehensive resource on this topic. At
least two countries with heavy cryptography restrictions are well known:
In the United States (USA) it's not allowed to (re-)export mod_ssl
or OpenSSL And inside France it's not allowed to use any cryptography at all
when keys with more than 40 bits are used.
<p>
<table cellspacing="0" cellpadding="1" bgcolor="#cccccc" border="0" summary="">
<tr>
<td>
<table bgcolor="white" cellspacing="0" cellpadding="10" border="0" summary="">
<tr>
<td>
<font face="Arial,Helvetica">
This software package uses strong cryptography, so while it is created,
maintained and distributed from Germany and Switzerland (where it is legal to
do this), it falls under certain export/import and/or use restrictions in some
other parts of the world.
<p>
PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING TECHNICAL
DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS OF THE WORLD.
SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM
THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE
AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO
ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHOR OF MOD_SSL
IS NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFULLY YOURSELF, IT
IS YOUR RESPONSIBILITY.
</font>
<p>
<font face="Arial,Helvetica">
CREDIT INFORMATION:
This product includes software developed by Ben Laurie for use in the
Apache-SSL HTTP server project, software developed by Larry Wall and David
MacKenzie for use in the GNU project of the FSF and software developed by Dr.
Stephen N. Henson as a companion to OpenSSL.
</font>
</td>
</tr>
</table>
</td>
</tr>
</table>
<h2>Module Architecture</h2>
The mod_ssl package consists of the SSL module (part 1 in <a
href="#figure1">Figure 1</a>) and a set of source patches for Apache adding the
Extended API (EAPI) (part 2 in <a href="#figure1">Figure 1</a>) which is an
essential prerequisite in order to use mod_ssl. In other words: you can only
use the mod_ssl module when Apache's core code contains the Extended API. But
because when applying mod_ssl to the Apache source tree the Extended API is
also automatically added you usually don't have to think about this. It's
mainly important for package vendors who want to build separate packages for
Apache and mod_ssl. For more details on how to apply mod_ssl to the Apache
source tree please follow the <code>INSTALL</code> file in the mod_ssl
distribution.
<p>
<div align="center">
<a name="figure1"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
<caption align="bottom" id="sf">Figure 1: Module Architecture</caption>
<tr><td bgcolor="#cccccc">
<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
<tr><td valign="top" align="center" bgcolor="#ffffff">
<img src="ssl_overview_fig1.gif" alt="" width="382" height="281">
</td>
</tr></table>
</td></tr></table>
</div>
<h2>Module Building</h2>
The SSL module (mod_ssl) resides under the <CODE>src/modules/ssl/</CODE>
subdirectory inside the Apache source tree and is a regular Apache module. This
means that you can configure, build and install it like any other Apache module.
Usually this is done by using the APACI command
<blockquote>
<pre>
$ cd apache_1.3.x/
$ SSL_BASE=/path/to/openssl ./configure ... --enable-module=ssl
</pre>
</blockquote>
or by manually editing the <code>SSL_BASE</code> variable,
uncommenting the corresponding <code>AddModule</code> directive inside the
<code>src/Configuration</code> file and using the command
<blockquote>
<pre>
$ cd apache_1.3.x/src
$ ./Configure
</pre>
</blockquote>
for configuring. Additionally you can enable the <a
href="http://www.apache.org/docs/dso.html">Dynamic Shared Object</a> (DSO)
support for mod_ssl by either adding the <code>--enable-shared=ssl</code>
option to the APACI configure command line or by replacing the
<blockquote>
<pre>
AddModule ssl_module modules/ssl/libssl.a
</pre>
</blockquote>
line in <code>src/Configuration</code> with
<blockquote>
<pre>
SharedModule ssl_module modules/ssl/libssl.so
</pre>
</blockquote>
Building mod_ssl as a DSO is especially interesting to achieve more run-time
flexibility, i.e. you can decide whether to use SSL or not at run-time instead
of build-time. But notice that building mod_ssl as a DSO requires that your
OS/compiler supports building DSOs in the first place, and additionally that
they support linking of a DSO against a static library (libssl.a, libcrypo.a).
Not all platform support this.
<p>
<br>
<table summary="">
<tr>
<td>
<table width="600" border="0" summary="">
<tr>
<td valign="top" align="left" width="250">
<a href="index.html" onmouseover="ro_imgOver('ro_img_prev_bot', 'previous page'); return true" onmouseout="ro_imgNormal('ro_img_prev_bot'); return true" onfocus="ro_imgOver('ro_img_prev_bot', 'previous page'); return true" onblur="ro_imgNormal('ro_img_prev_bot'); return true"><img name="ro_img_prev_bot" src="ssl_template.navbut-prev-n.gif" alt="previous page" width="70" height="18" border="0"></a><br><font color="#000000">Cover</font>
</td>
<td valign="top" align="right" width="250">
<a href="ssl_intro.html" onmouseover="ro_imgOver('ro_img_next_bot', 'next page'); return true" onmouseout="ro_imgNormal('ro_img_next_bot'); return true" onfocus="ro_imgOver('ro_img_next_bot', 'next page'); return true" onblur="ro_imgNormal('ro_img_next_bot'); return true"><img name="ro_img_next_bot" src="ssl_template.navbut-next-n.gif" alt="next page" width="70" height="18" border="0"></a><br><font color="#000000">Introduction</font>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td><img src="ssl_template.imgdot-1x1-000000.gif" alt="" width="600" height="2" align="bottom" border="0"></td>
</tr>
<tr>
<td><table width="598" summary="">
<tr>
<td align="left"><font face="Arial,Helvetica">
<a href="http://www.modssl.org/">mod_ssl</a> 2.8, User Manual<br>
The Apache Interface to OpenSSL
</font>
</td>
<td align="right"><font face="Arial,Helvetica">
Copyright &copy; 1998-2001
<a href="http://www.engelschall.com/">Ralf S. Engelschall</a><br>
All Rights Reserved<br>
</font>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</div>
</body>
</html>
