diff options
author | hongbotian <hongbo.tianhongbo@huawei.com> | 2015-11-30 01:35:09 -0500 |
---|---|---|
committer | hongbotian <hongbo.tianhongbo@huawei.com> | 2015-11-30 01:36:35 -0500 |
commit | cc40af334e619bb549038238507407866f774f8f (patch) | |
tree | 43ddc1974f72997a57173151eafb23e6025a13c9 /rubbos/app/apache2/manual/ssl | |
parent | 68e74fd78b2485e5914ce34a5b30f4485029e021 (diff) |
upload apache
JIRA: BOTTLENECK-10
Change-Id: I67eae31de6dc824097dfa56ab454ba36fdd23a2c
Signed-off-by: hongbotian <hongbo.tianhongbo@huawei.com>
Diffstat (limited to 'rubbos/app/apache2/manual/ssl')
-rw-r--r-- | rubbos/app/apache2/manual/ssl/index.html | 13 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/index.html.en | 59 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/index.html.ja.utf8 | 61 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/index.html.tr.utf8 | 59 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/ssl_compat.html | 5 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/ssl_compat.html.en | 233 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/ssl_faq.html | 5 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/ssl_faq.html.en | 1043 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/ssl_howto.html | 5 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/ssl_howto.html.en | 284 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/ssl_intro.html | 9 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/ssl_intro.html.en | 641 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/ssl_intro.html.ja.utf8 | 695 |
13 files changed, 3112 insertions, 0 deletions
diff --git a/rubbos/app/apache2/manual/ssl/index.html b/rubbos/app/apache2/manual/ssl/index.html new file mode 100644 index 00000000..d6ccf929 --- /dev/null +++ b/rubbos/app/apache2/manual/ssl/index.html @@ -0,0 +1,13 @@ +# GENERATED FROM XML -- DO NOT EDIT + +URI: index.html.en +Content-Language: en +Content-type: text/html; charset=ISO-8859-1 + +URI: index.html.ja.utf8 +Content-Language: ja +Content-type: text/html; charset=UTF-8 + +URI: index.html.tr.utf8 +Content-Language: tr +Content-type: text/html; charset=UTF-8 diff --git a/rubbos/app/apache2/manual/ssl/index.html.en b/rubbos/app/apache2/manual/ssl/index.html.en new file mode 100644 index 00000000..1577c57d --- /dev/null +++ b/rubbos/app/apache2/manual/ssl/index.html.en @@ -0,0 +1,59 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!-- + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + This file is generated from xml source: DO NOT EDIT + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + --> +<title>Apache SSL/TLS Encryption - Apache HTTP Server</title> +<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> +<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> +<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /> +<link href="../images/favicon.ico" rel="shortcut icon" /></head> +<body id="manual-page"><div id="page-header"> +<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p> +<p class="apache">Apache HTTP Server Version 2.0</p> +<img alt="" src="../images/feather.gif" /></div> +<div class="up"><a href="../"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> +<div id="path"> +<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.0</a></div><div id="page-content"><div id="preamble"><h1>Apache SSL/TLS Encryption</h1> +<div class="toplang"> +<p><span>Available Languages: </span><a href="../en/ssl/" title="English"> en </a> | +<a href="../ja/ssl/" hreflang="ja" rel="alternate" title="Japanese"> ja </a> | +<a href="../tr/ssl/" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p> +</div> + +<p>The Apache HTTP Server module <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> +provides an interface to the <a href="http://www.openssl.org/">OpenSSL</a> library, which provides +Strong Encryption using the Secure Sockets Layer and Transport Layer +Security protocols. The module and this documentation are based on +Ralf S. Engelschall's mod_ssl project.</p> +</div> +<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#documentation">Documentation</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#mod-ssl">mod_ssl</a></li> +</ul></div> +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="documentation" id="documentation">Documentation</a></h2> +<ul> +<li><a href="ssl_intro.html">Introduction</a></li> +<li><a href="ssl_compat.html">Compatibility</a></li> +<li><a href="ssl_howto.html">How-To</a></li> +<li><a href="ssl_faq.html">Frequently Asked Questions</a></li> +<li><a href="../glossary.html">Glossary</a></li> +</ul> +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="mod-ssl" id="mod-ssl">mod_ssl</a></h2> +<p>Extensive documentation on the directives and environment variables +provided by this module is provided in the <a href="../mod/mod_ssl.html">mod_ssl reference documentation</a>. +</p> +</div></div> +<div class="bottomlang"> +<p><span>Available Languages: </span><a href="../en/ssl/" title="English"> en </a> | +<a href="../ja/ssl/" hreflang="ja" rel="alternate" title="Japanese"> ja </a> | +<a href="../tr/ssl/" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p> +</div><div id="footer"> +<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> +<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div> +</body></html>
\ No newline at end of file diff --git a/rubbos/app/apache2/manual/ssl/index.html.ja.utf8 b/rubbos/app/apache2/manual/ssl/index.html.ja.utf8 new file mode 100644 index 00000000..f8d893b8 --- /dev/null +++ b/rubbos/app/apache2/manual/ssl/index.html.ja.utf8 @@ -0,0 +1,61 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" lang="ja" xml:lang="ja"><head><!-- + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + This file is generated from xml source: DO NOT EDIT + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + --> +<title>Apache ã® SSL/TLS æå·å - Apache HTTP ãµãŒã</title> +<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> +<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> +<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /> +<link href="../images/favicon.ico" rel="shortcut icon" /></head> +<body id="manual-page"><div id="page-header"> +<p class="menu"><a href="../mod/">ã¢ãžã¥ãŒã«</a> | <a href="../mod/directives.html">ãã£ã¬ã¯ãã£ã</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">çšèª</a> | <a href="../sitemap.html">ãµã€ãããã</a></p> +<p class="apache">Apache HTTP ãµãŒã ããŒãžã§ã³ 2.0</p> +<img alt="" src="../images/feather.gif" /></div> +<div class="up"><a href="../"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> +<div id="path"> +<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP ãµãŒã</a> > <a href="http://httpd.apache.org/docs/">ããã¥ã¡ã³ããŒã·ã§ã³</a> > <a href="../">ããŒãžã§ã³ 2.0</a></div><div id="page-content"><div id="preamble"><h1>Apache ã® SSL/TLS æå·å</h1> +<div class="toplang"> +<p><span>Available Languages: </span><a href="../en/ssl/" hreflang="en" rel="alternate" title="English"> en </a> | +<a href="../ja/ssl/" title="Japanese"> ja </a> | +<a href="../tr/ssl/" hreflang="tr" rel="alternate" title="TÃŒrkçe"> tr </a></p> +</div> + +<p>Apache HTTP ãµãŒãã¢ãžã¥ãŒã« <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> ã +<a href="http://www.openssl.org/">OpenSSL</a> +ã©ã€ãã©ãªãžã®ã€ã³ã¿ãŒãã§ãŒã¹ãæäŸããŠããŸããããã㯠+Secure Sockts Layer ãš Transport Layer Security +ãããã³ã«ãçšãã匷åãªæå·åãæäŸããŸãã +ãã®ã¢ãžã¥ãŒã«ããã®ææžã¯ Ralf S. Engelschall ã® mod_ssl +ãããžã§ã¯ãã«åºã¥ããŠããŸãã</p> +</div> +<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#documentation">Documentation</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#mod-ssl">mod_ssl</a></li> +</ul></div> +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="documentation" id="documentation">Documentation</a></h2> +<ul> +<li><a href="ssl_intro.html">ã¯ããã«</a></li> +<li><a href="ssl_compat.html">äºææ§</a></li> +<li><a href="ssl_howto.html">How-To</a></li> +<li><a href="ssl_faq.html">ãããã質å</a></li> +<li><a href="../glossary.html">çšèª</a></li> +</ul> +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="mod-ssl" id="mod-ssl">mod_ssl</a></h2> +<p>ãã®ã¢ãžã¥ãŒã«ã§æäŸããããã£ã¬ã¯ãã£ããç°å¢å€æ°ã«é¢ãã +詳ããææžã¯ã<a href="../mod/mod_ssl.html">mod_ssl +ãªãã¡ã¬ã³ã¹</a>ãã芧äžããã</p> +</div></div> +<div class="bottomlang"> +<p><span>Available Languages: </span><a href="../en/ssl/" hreflang="en" rel="alternate" title="English"> en </a> | +<a href="../ja/ssl/" title="Japanese"> ja </a> | +<a href="../tr/ssl/" hreflang="tr" rel="alternate" title="TÃŒrkçe"> tr </a></p> +</div><div id="footer"> +<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> +<p class="menu"><a href="../mod/">ã¢ãžã¥ãŒã«</a> | <a href="../mod/directives.html">ãã£ã¬ã¯ãã£ã</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">çšèª</a> | <a href="../sitemap.html">ãµã€ãããã</a></p></div> +</body></html>
\ No newline at end of file diff --git a/rubbos/app/apache2/manual/ssl/index.html.tr.utf8 b/rubbos/app/apache2/manual/ssl/index.html.tr.utf8 new file mode 100644 index 00000000..1f673957 --- /dev/null +++ b/rubbos/app/apache2/manual/ssl/index.html.tr.utf8 @@ -0,0 +1,59 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" lang="tr" xml:lang="tr"><head><!-- + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + This file is generated from xml source: DO NOT EDIT + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + --> +<title>Apache SSL/TLS Åifrelemesi - Apache HTTP Sunucusu</title> +<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> +<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> +<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /> +<link href="../images/favicon.ico" rel="shortcut icon" /></head> +<body id="manual-page"><div id="page-header"> +<p class="menu"><a href="../mod/">ModÃŒller</a> | <a href="../mod/directives.html">Yönergeler</a> | <a href="../faq/">SSS</a> | <a href="../glossary.html">Terimler</a> | <a href="../sitemap.html">Site Haritası</a></p> +<p class="apache">Apache HTTP Sunucusu SÃŒrÃŒm 2.0</p> +<img alt="" src="../images/feather.gif" /></div> +<div class="up"><a href="../"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> +<div id="path"> +<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Sunucusu</a> > <a href="http://httpd.apache.org/docs/">Belgeleme</a> > <a href="../">SÃŒrÃŒm 2.0</a></div><div id="page-content"><div id="preamble"><h1>Apache SSL/TLS Åifrelemesi</h1> +<div class="toplang"> +<p><span>Mevcut Diller: </span><a href="../en/ssl/" hreflang="en" rel="alternate" title="English"> en </a> | +<a href="../ja/ssl/" hreflang="ja" rel="alternate" title="Japanese"> ja </a> | +<a href="../tr/ssl/" title="TÃŒrkçe"> tr </a></p> +</div> + + <p>Apache HTTP Sunucusunun <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> modÃŒlÃŒ, GÃŒvenli Soketler + Katmanı (SSL) ve Aktarım Katmanı GÃŒvenliÄi (TLS) protokollerinin + kullanıldıÄı SaÄlam Åifreleme desteÄini saÄlayan <a href="http://www.openssl.org/">OpenSSL</a> kÃŒtÃŒphanesine bir arayÃŒz + içerir. Bu modÃŒl ve belgeler Ralf S. Engelschallâın mod_ssl projesine + dayanmaktadır.</p> +</div> +<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#documentation">Belgeler</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#mod-ssl"><code>mod_ssl</code> ModÃŒlÃŒ</a></li> +</ul></div> +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="documentation" id="documentation">Belgeler</a></h2> + <ul> + <li><a href="ssl_intro.html">GiriÅ</a></li> + <li><a href="ssl_compat.html">Uyumluluk</a></li> + <li><a href="ssl_howto.html">NASIL</a></li> + <li><a href="ssl_faq.html">Sıkça Sorulan Sorular</a></li> + <li><a href="../glossary.html">Terimler</a></li> + </ul> +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="mod-ssl" id="mod-ssl"><code>mod_ssl</code> ModÃŒlÃŒ</a></h2> + <p>Bu modÃŒlce saÄlanan yönergeler ve ortam deÄiÅkenleri + <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> baÅvuru kılavuzunda ayrıntılı olarak + açıklanmıÅtır.</p> +</div></div> +<div class="bottomlang"> +<p><span>Mevcut Diller: </span><a href="../en/ssl/" hreflang="en" rel="alternate" title="English"> en </a> | +<a href="../ja/ssl/" hreflang="ja" rel="alternate" title="Japanese"> ja </a> | +<a href="../tr/ssl/" title="TÃŒrkçe"> tr </a></p> +</div><div id="footer"> +<p class="apache">Copyright 2009 The Apache Software Foundation.<br /><a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a> altında lisanslıdır.</p> +<p class="menu"><a href="../mod/">ModÃŒller</a> | <a href="../mod/directives.html">Yönergeler</a> | <a href="../faq/">SSS</a> | <a href="../glossary.html">Terimler</a> | <a href="../sitemap.html">Site Haritası</a></p></div> +</body></html>
\ No newline at end of file diff --git a/rubbos/app/apache2/manual/ssl/ssl_compat.html b/rubbos/app/apache2/manual/ssl/ssl_compat.html new file mode 100644 index 00000000..eb43a0be --- /dev/null +++ b/rubbos/app/apache2/manual/ssl/ssl_compat.html @@ -0,0 +1,5 @@ +# GENERATED FROM XML -- DO NOT EDIT + +URI: ssl_compat.html.en +Content-Language: en +Content-type: text/html; charset=ISO-8859-1 diff --git a/rubbos/app/apache2/manual/ssl/ssl_compat.html.en b/rubbos/app/apache2/manual/ssl/ssl_compat.html.en new file mode 100644 index 00000000..9a0dbfcf --- /dev/null +++ b/rubbos/app/apache2/manual/ssl/ssl_compat.html.en @@ -0,0 +1,233 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!-- + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + This file is generated from xml source: DO NOT EDIT + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + --> +<title>SSL/TLS Strong Encryption: Compatibility - Apache HTTP Server</title> +<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> +<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> +<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /> +<link href="../images/favicon.ico" rel="shortcut icon" /></head> +<body id="manual-page"><div id="page-header"> +<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p> +<p class="apache">Apache HTTP Server Version 2.0</p> +<img alt="" src="../images/feather.gif" /></div> +<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> +<div id="path"> +<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.0</a> > <a href="./">SSL/TLS</a></div><div id="page-content"><div id="preamble"><h1>SSL/TLS Strong Encryption: Compatibility</h1> +<div class="toplang"> +<p><span>Available Languages: </span><a href="../en/ssl/ssl_compat.html" title="English"> en </a></p> +</div> + +<blockquote> +<p>All PCs are compatible. But some of +them are more compatible than others.</p> +<p class="cite">-- <cite>Unknown</cite></p> +</blockquote> + +<p> +Here we talk about backward compatibility to other SSL solutions. As you +perhaps know, mod_ssl is not the only existing SSL solution for Apache. +Actually there are four additional major products available on the market: Ben +Laurie's freely available <a href="http://www.apache-ssl.org/">Apache-SSL</a> +(from where mod_ssl were originally derived in 1998), Red Hat's commercial <a href="http://www.redhat.com/products/product-details.phtml?id=rhsa">Secure Web +Server</a> (which is based on mod_ssl), Covalent's commercial <a href="http://raven.covalent.net/">Raven SSL Module</a> (also based on mod_ssl) +and finally C2Net's commercial product <a href="http://www.c2.net/products/stronghold/">Stronghold</a> (based on a +different evolution branch named Sioux up to Stronghold 2.x and based on +mod_ssl since Stronghold 3.x).</p> + +<p> +The idea in mod_ssl is mainly the following: because mod_ssl provides mostly a +superset of the functionality of all other solutions we can easily provide +backward compatibility for most of the cases. Actually there are three +compatibility areas we currently address: configuration directives, +environment variables and custom log functions.</p> +</div> +<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#configuration">Configuration Directives</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#variables">Environment Variables</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#customlog">Custom Log Functions</a></li> +</ul></div> +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="configuration" id="configuration">Configuration Directives</a></h2> +<p>For backward compatibility to the configuration directives of other SSL +solutions we do an on-the-fly mapping: directives which have a direct +counterpart in mod_ssl are mapped silently while other directives lead to a +warning message in the logfiles. The currently implemented directive mapping +is listed in <a href="#table1">Table 1</a>. Currently full backward +compatibility is provided only for Apache-SSL 1.x and mod_ssl 2.0.x. +Compatibility to Sioux 1.x and Stronghold 2.x is only partial because of +special functionality in these interfaces which mod_ssl (still) doesn't +provide.</p> + + +<h3><a name="table1" id="table1">Table 1: Configuration Directive Mapping</a></h3> + +<table><tr class="header"><th>Old Directive</th><th>mod_ssl Directive</th><th>Comment</th></tr> +<tr class="header"><th colspan="3">Apache-SSL 1.x & mod_ssl 2.0.x compatibility:</th></tr> +<tr><td><code>SSLEnable</code></td><td><code>SSLEngine on</code></td><td>compactified</td></tr> +<tr class="odd"><td><code>SSLDisable</code></td><td><code>SSLEngine off</code></td><td>compactified</td></tr> +<tr><td><code>SSLLogFile</code> <em>file</em></td><td><code>SSLLog</code> <em>file</em></td><td>compactified</td></tr> +<tr class="odd"><td><code>SSLRequiredCiphers</code> <em>spec</em></td><td><code>SSLCipherSuite</code> <em>spec</em></td><td>renamed</td></tr> +<tr><td><code>SSLRequireCipher</code> <em>c1</em> ...</td><td><code>SSLRequire %{SSL_CIPHER} in {"</code><em>c1</em><code>", +...}</code></td><td>generalized</td></tr> +<tr class="odd"><td><code>SSLBanCipher</code> <em>c1</em> ...</td><td><code>SSLRequire not (%{SSL_CIPHER} in {"</code><em>c1</em><code>", +...})</code></td><td>generalized</td></tr> +<tr><td><code>SSLFakeBasicAuth</code></td><td><code>SSLOptions +FakeBasicAuth</code></td><td>merged</td></tr> +<tr class="odd"><td><code>SSLCacheServerPath</code> <em>dir</em></td><td>-</td><td>functionality removed</td></tr> +<tr><td><code>SSLCacheServerPort</code> <em>integer</em></td><td>-</td><td>functionality removed</td></tr> +<tr class="header"><th colspan="3">Apache-SSL 1.x compatibility:</th></tr> +<tr class="odd"><td><code>SSLExportClientCertificates</code></td><td><code>SSLOptions +ExportCertData</code></td><td>merged</td></tr> +<tr><td><code>SSLCacheServerRunDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="header"><th colspan="3">Sioux 1.x compatibility:</th></tr> +<tr class="odd"><td><code>SSL_CertFile</code> <em>file</em></td><td><code>SSLCertificateFile</code> <em>file</em></td><td>renamed</td></tr> +<tr><td><code>SSL_KeyFile</code> <em>file</em></td><td><code>SSLCertificateKeyFile</code> <em>file</em></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_CipherSuite</code> <em>arg</em></td><td><code>SSLCipherSuite</code> <em>arg</em></td><td>renamed</td></tr> +<tr><td><code>SSL_X509VerifyDir</code> <em>arg</em></td><td><code>SSLCACertificatePath</code> <em>arg</em></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_Log</code> <em>file</em></td><td><code>SSLLogFile</code> <em>file</em></td><td>renamed</td></tr> +<tr><td><code>SSL_Connect</code> <em>flag</em></td><td><code>SSLEngine</code> <em>flag</em></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_ClientAuth</code> <em>arg</em></td><td><code>SSLVerifyClient</code> <em>arg</em></td><td>renamed</td></tr> +<tr><td><code>SSL_X509VerifyDepth</code> <em>arg</em></td><td><code>SSLVerifyDepth</code> <em>arg</em></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_FetchKeyPhraseFrom</code> <em>arg</em></td><td>-</td><td>not directly mappable; use SSLPassPhraseDialog</td></tr> +<tr><td><code>SSL_SessionDir</code> <em>dir</em></td><td>-</td><td>not directly mappable; use SSLSessionCache</td></tr> +<tr class="odd"><td><code>SSL_Require</code> <em>expr</em></td><td>-</td><td>not directly mappable; use SSLRequire</td></tr> +<tr><td><code>SSL_CertFileType</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="odd"><td><code>SSL_KeyFileType</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr> +<tr><td><code>SSL_X509VerifyPolicy</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="odd"><td><code>SSL_LogX509Attributes</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="header"><th colspan="3">Stronghold 2.x compatibility:</th></tr> +<tr><td><code>StrongholdAccelerator</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="odd"><td><code>StrongholdKey</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> +<tr><td><code>StrongholdLicenseFile</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="odd"><td><code>SSLFlag</code> <em>flag</em></td><td><code>SSLEngine</code> <em>flag</em></td><td>renamed</td></tr> +<tr><td><code>SSLSessionLockFile</code> <em>file</em></td><td><code>SSLMutex</code> <em>file</em></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSLCipherList</code> <em>spec</em></td><td><code>SSLCipherSuite</code> <em>spec</em></td><td>renamed</td></tr> +<tr><td><code>RequireSSL</code></td><td><code>SSLRequireSSL</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSLErrorFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr> +<tr><td><code>SSLRoot</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="odd"><td><code>SSL_CertificateLogDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> +<tr><td><code>AuthCertDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="odd"><td><code>SSL_Group</code> <em>name</em></td><td>-</td><td>functionality not supported</td></tr> +<tr><td><code>SSLProxyMachineCertPath</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="odd"><td><code>SSLProxyMachineCertFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr> +<tr><td><code>SSLProxyCACertificatePath</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="odd"><td><code>SSLProxyCACertificateFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr> +<tr><td><code>SSLProxyVerifyDepth</code> <em>number</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="odd"><td><code>SSLProxyCipherList</code> <em>spec</em></td><td>-</td><td>functionality not supported</td></tr> +</table> + +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="variables" id="variables">Environment Variables</a></h2> +<p>When you use ``<code>SSLOptions +CompatEnvVars</code>'' additional environment +variables are generated. They all correspond to existing official mod_ssl +variables. The currently implemented variable derivation is listed in <a href="#table2">Table 2</a>.</p> + +<h3><a name="table2" id="table2">Table 2: Environment Variable Derivation</a></h3> + +<table><tr class="header"><th>Old Variable</th><th>mod_ssl Variable</th><th>Comment</th></tr> +<tr><td><code>SSL_PROTOCOL_VERSION</code></td><td><code>SSL_PROTOCOL</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSLEAY_VERSION</code></td><td><code>SSL_VERSION_LIBRARY</code></td><td>renamed</td></tr> +<tr><td><code>HTTPS_SECRETKEYSIZE</code></td><td><code>SSL_CIPHER_USEKEYSIZE</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>HTTPS_KEYSIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr> +<tr><td><code>HTTPS_CIPHER</code></td><td><code>SSL_CIPHER</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>HTTPS_EXPORT</code></td><td><code>SSL_CIPHER_EXPORT</code></td><td>renamed</td></tr> +<tr><td><code>SSL_SERVER_KEY_SIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_SERVER_CERTIFICATE</code></td><td><code>SSL_SERVER_CERT</code></td><td>renamed</td></tr> +<tr><td><code>SSL_SERVER_CERT_START</code></td><td><code>SSL_SERVER_V_START</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_SERVER_CERT_END</code></td><td><code>SSL_SERVER_V_END</code></td><td>renamed</td></tr> +<tr><td><code>SSL_SERVER_CERT_SERIAL</code></td><td><code>SSL_SERVER_M_SERIAL</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_SERVER_SIGNATURE_ALGORITHM</code></td><td><code>SSL_SERVER_A_SIG</code></td><td>renamed</td></tr> +<tr><td><code>SSL_SERVER_DN</code></td><td><code>SSL_SERVER_S_DN</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_SERVER_CN</code></td><td><code>SSL_SERVER_S_DN_CN</code></td><td>renamed</td></tr> +<tr><td><code>SSL_SERVER_EMAIL</code></td><td><code>SSL_SERVER_S_DN_Email</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_SERVER_O</code></td><td><code>SSL_SERVER_S_DN_O</code></td><td>renamed</td></tr> +<tr><td><code>SSL_SERVER_OU</code></td><td><code>SSL_SERVER_S_DN_OU</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_SERVER_C</code></td><td><code>SSL_SERVER_S_DN_C</code></td><td>renamed</td></tr> +<tr><td><code>SSL_SERVER_SP</code></td><td><code>SSL_SERVER_S_DN_SP</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_SERVER_L</code></td><td><code>SSL_SERVER_S_DN_L</code></td><td>renamed</td></tr> +<tr><td><code>SSL_SERVER_IDN</code></td><td><code>SSL_SERVER_I_DN</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_SERVER_ICN</code></td><td><code>SSL_SERVER_I_DN_CN</code></td><td>renamed</td></tr> +<tr><td><code>SSL_SERVER_IEMAIL</code></td><td><code>SSL_SERVER_I_DN_Email</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_SERVER_IO</code></td><td><code>SSL_SERVER_I_DN_O</code></td><td>renamed</td></tr> +<tr><td><code>SSL_SERVER_IOU</code></td><td><code>SSL_SERVER_I_DN_OU</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_SERVER_IC</code></td><td><code>SSL_SERVER_I_DN_C</code></td><td>renamed</td></tr> +<tr><td><code>SSL_SERVER_ISP</code></td><td><code>SSL_SERVER_I_DN_SP</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_SERVER_IL</code></td><td><code>SSL_SERVER_I_DN_L</code></td><td>renamed</td></tr> +<tr><td><code>SSL_CLIENT_CERTIFICATE</code></td><td><code>SSL_CLIENT_CERT</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_CERT_START</code></td><td><code>SSL_CLIENT_V_START</code></td><td>renamed</td></tr> +<tr><td><code>SSL_CLIENT_CERT_END</code></td><td><code>SSL_CLIENT_V_END</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_CERT_SERIAL</code></td><td><code>SSL_CLIENT_M_SERIAL</code></td><td>renamed</td></tr> +<tr><td><code>SSL_CLIENT_SIGNATURE_ALGORITHM</code></td><td><code>SSL_CLIENT_A_SIG</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_DN</code></td><td><code>SSL_CLIENT_S_DN</code></td><td>renamed</td></tr> +<tr><td><code>SSL_CLIENT_CN</code></td><td><code>SSL_CLIENT_S_DN_CN</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_EMAIL</code></td><td><code>SSL_CLIENT_S_DN_Email</code></td><td>renamed</td></tr> +<tr><td><code>SSL_CLIENT_O</code></td><td><code>SSL_CLIENT_S_DN_O</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_OU</code></td><td><code>SSL_CLIENT_S_DN_OU</code></td><td>renamed</td></tr> +<tr><td><code>SSL_CLIENT_C</code></td><td><code>SSL_CLIENT_S_DN_C</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_SP</code></td><td><code>SSL_CLIENT_S_DN_SP</code></td><td>renamed</td></tr> +<tr><td><code>SSL_CLIENT_L</code></td><td><code>SSL_CLIENT_S_DN_L</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_IDN</code></td><td><code>SSL_CLIENT_I_DN</code></td><td>renamed</td></tr> +<tr><td><code>SSL_CLIENT_ICN</code></td><td><code>SSL_CLIENT_I_DN_CN</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_IEMAIL</code></td><td><code>SSL_CLIENT_I_DN_Email</code></td><td>renamed</td></tr> +<tr><td><code>SSL_CLIENT_IO</code></td><td><code>SSL_CLIENT_I_DN_O</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_IOU</code></td><td><code>SSL_CLIENT_I_DN_OU</code></td><td>renamed</td></tr> +<tr><td><code>SSL_CLIENT_IC</code></td><td><code>SSL_CLIENT_I_DN_C</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_ISP</code></td><td><code>SSL_CLIENT_I_DN_SP</code></td><td>renamed</td></tr> +<tr><td><code>SSL_CLIENT_IL</code></td><td><code>SSL_CLIENT_I_DN_L</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_EXPORT</code></td><td><code>SSL_CIPHER_EXPORT</code></td><td>renamed</td></tr> +<tr><td><code>SSL_KEYSIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_SECKEYSIZE</code></td><td><code>SSL_CIPHER_USEKEYSIZE</code></td><td>renamed</td></tr> +<tr><td><code>SSL_SSLEAY_VERSION</code></td><td><code>SSL_VERSION_LIBRARY</code></td><td>renamed</td></tr> +<tr class="odd"><td><code>SSL_STRONG_CRYPTO</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr><td><code>SSL_SERVER_KEY_EXP</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr class="odd"><td><code>SSL_SERVER_KEY_ALGORITHM</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr><td><code>SSL_SERVER_KEY_SIZE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr class="odd"><td><code>SSL_SERVER_SESSIONDIR</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr><td><code>SSL_SERVER_CERTIFICATELOGDIR</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr class="odd"><td><code>SSL_SERVER_CERTFILE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr><td><code>SSL_SERVER_KEYFILE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr class="odd"><td><code>SSL_SERVER_KEYFILETYPE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr><td><code>SSL_CLIENT_KEY_EXP</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_KEY_ALGORITHM</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr><td><code>SSL_CLIENT_KEY_SIZE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +</table> + +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="customlog" id="customlog">Custom Log Functions</a></h2> +<p> +When mod_ssl is built into Apache or at least loaded (under DSO situation) +additional functions exist for the <a href="../mod/mod_log_config.html#formats">Custom Log Format</a> of +<code class="module"><a href="../mod/mod_log_config.html">mod_log_config</a></code> as documented in the Reference +Chapter. Beside the ``<code>%{</code><em>varname</em><code>}x</code>'' +eXtension format function which can be used to expand any variables provided +by any module, an additional Cryptography +``<code>%{</code><em>name</em><code>}c</code>'' cryptography format function +exists for backward compatibility. The currently implemented function calls +are listed in <a href="#table3">Table 3</a>.</p> + +<h3><a name="table3" id="table3">Table 3: Custom Log Cryptography Function</a></h3> + +<table> + +<tr><th>Function Call</th><th>Description</th></tr> + +<tr><td><code>%...{version}c</code></td> <td>SSL protocol version</td></tr> +<tr><td><code>%...{cipher}c</code></td> <td>SSL cipher</td></tr> +<tr><td><code>%...{subjectdn}c</code></td> <td>Client Certificate Subject Distinguished Name</td></tr> +<tr><td><code>%...{issuerdn}c</code></td> <td>Client Certificate Issuer Distinguished Name</td></tr> +<tr><td><code>%...{errcode}c</code></td> <td>Certificate Verification Error (numerical)</td></tr> + +<tr><td><code>%...{errstr}c</code></td> <td>Certificate Verification Error (string)</td></tr> +</table> + +</div></div> +<div class="bottomlang"> +<p><span>Available Languages: </span><a href="../en/ssl/ssl_compat.html" title="English"> en </a></p> +</div><div id="footer"> +<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> +<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div> +</body></html>
\ No newline at end of file diff --git a/rubbos/app/apache2/manual/ssl/ssl_faq.html b/rubbos/app/apache2/manual/ssl/ssl_faq.html new file mode 100644 index 00000000..ce1cf81d --- /dev/null +++ b/rubbos/app/apache2/manual/ssl/ssl_faq.html @@ -0,0 +1,5 @@ +# GENERATED FROM XML -- DO NOT EDIT + +URI: ssl_faq.html.en +Content-Language: en +Content-type: text/html; charset=ISO-8859-1 diff --git a/rubbos/app/apache2/manual/ssl/ssl_faq.html.en b/rubbos/app/apache2/manual/ssl/ssl_faq.html.en new file mode 100644 index 00000000..16801dd6 --- /dev/null +++ b/rubbos/app/apache2/manual/ssl/ssl_faq.html.en @@ -0,0 +1,1043 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!-- + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + This file is generated from xml source: DO NOT EDIT + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + --> +<title>SSL/TLS Strong Encryption: FAQ - Apache HTTP Server</title> +<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> +<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> +<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /> +<link href="../images/favicon.ico" rel="shortcut icon" /></head> +<body id="manual-page"><div id="page-header"> +<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p> +<p class="apache">Apache HTTP Server Version 2.0</p> +<img alt="" src="../images/feather.gif" /></div> +<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> +<div id="path"> +<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.0</a> > <a href="./">SSL/TLS</a></div><div id="page-content"><div id="preamble"><h1>SSL/TLS Strong Encryption: FAQ</h1> +<div class="toplang"> +<p><span>Available Languages: </span><a href="../en/ssl/ssl_faq.html" title="English"> en </a></p> +</div> + +<blockquote> +<p>The wise man doesn't give the right answers, +he poses the right questions.</p> +<p class="cite">-- <cite>Claude Levi-Strauss</cite></p> + +</blockquote> +<p>This chapter is a collection of frequently asked questions (FAQ) and +corresponding answers following the popular USENET tradition. Most of these +questions occurred on the Newsgroup <code><a href="news:comp.infosystems.www.servers.unix">comp.infosystems.www.servers.unix</a></code> or the mod_ssl Support +Mailing List <code><a href="mailto:modssl-users@modssl.org">modssl-users@modssl.org</a></code>. They are collected at this place +to avoid answering the same questions over and over.</p> + +<p>Please read this chapter at least once when installing mod_ssl or at least +search for your problem here before submitting a problem report to the +author.</p> +</div> +<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#about">About The Module</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#installation">Installation</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#aboutconfig">Configuration</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#aboutcerts">Certificates</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#aboutssl">The SSL Protocol</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#support">mod_ssl Support</a></li> +</ul></div> +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="about" id="about">About The Module</a></h2> +<ul> +<li><a href="#history">What is the history of mod_ssl?</a></li> +<li><a href="#wassenaar">mod_ssl and Wassenaar Arrangement?</a></li> +</ul> + +<h3><a name="history" id="history">What is the history of mod_ssl?</a></h3> +<p>The mod_ssl v1 package was initially created in April 1998 by <a href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> via porting <a href="mailto:ben@algroup.co.uk">Ben Laurie</a>'s <a href="http://www.apache-ssl.org/">Apache-SSL</a> 1.17 source patches for + Apache 1.2.6 to Apache 1.3b6. Because of conflicts with Ben + Laurie's development cycle it then was re-assembled from scratch for + Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL + 1.18. From this point on mod_ssl lived its own life as mod_ssl v2. The + first publicly released version was mod_ssl 2.0.0 from August 10th, + 1998. </p> + + <p>After US export restrictions on cryptographic software were + loosened, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> became part of the Apache HTTP + Server with the release of Apache httpd 2.</p> + + +<h3><a name="wassenaar" id="wassenaar">Is mod_ssl affected by the Wassenaar Arrangement?</a></h3> +<p>First, let us explain what <dfn>Wassenaar</dfn> and its <dfn>Arrangement on + Export Controls for Conventional Arms and Dual-Use Goods and + Technologies</dfn> is: This is a international regime, established in 1995, to + control trade in conventional arms and dual-use goods and technology. It + replaced the previous <dfn>CoCom</dfn> regime. Further details on + both the Arrangement and its signatories are available at <a href="http://www.wassenaar.org/">http://www.wassenaar.org/</a>.</p> + + <p>In short, the aim of the Wassenaar Arrangement is to prevent the build up + of military capabilities that threaten regional and international security + and stability. The Wassenaar Arrangement controls the export of + cryptography as a dual-use good, that is, something that has both military and + civilian applications. However, the Wassenaar Arrangement also provides an + exemption from export controls for mass-market software and free software.</p> + + <p>In the current Wassenaar <cite>List of Dual Use Goods and Technologies And + Munitions</cite>, under <q>GENERAL SOFTWARE NOTE (GSN)</q> it says + <q>The Lists do not control "software" which is either: 1. [...] 2. "in + the public domain".</q> And under <q>DEFINITIONS OF TERMS USED IN + THESE LISTS</q> we find <q>In the public + domain</q> defined as <q>"technology" or "software" which has been made + available without restrictions upon its further dissemination. Note: + Copyright restrictions do not remove "technology" or "software" from being + "in the public domain".</q></p> + + <p>So, both mod_ssl and OpenSSL are <q>in the public domain</q> for the purposes + of the Wassenaar Arrangement and its <q>List of Dual Use Goods and + Technologies And Munitions List</q>, and thus not affected by its provisions.</p> + + +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="installation" id="installation">Installation</a></h2> +<ul> +<li><a href="#mutex">Why do I get permission errors related to +SSLMutex when I start Apache?</a></li> +<li><a href="#entropy">Why does mod_ssl stop with the error "Failed to +generate temporary 512 bit RSA private key" when I start Apache?</a></li> +</ul> + +<h3><a name="mutex" id="mutex">Why do I get permission errors related to + SSLMutex when I start Apache?</a></h3> + <p>Errors such as ``<code>mod_ssl: Child could not open + SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows) + [...] System: Permission denied (errno: 13)</code>'' are usually + caused by overly restrictive permissions on the <em>parent</em> directories. + Make sure that all parent directories (here <code>/opt</code>, + <code>/opt/apache</code> and <code>/opt/apache/logs</code>) have the x-bit + set for, at minimum, the UID under which Apache's children are running (see + the <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> directive).</p> + + +<h3><a name="entropy" id="entropy">Why does mod_ssl stop with the error + "Failed to generate temporary 512 bit RSA private key" when I start + Apache?</a></h3> + <p>Cryptographic software needs a source of unpredictable data + to work correctly. Many open source operating systems provide + a "randomness device" that serves this purpose (usually named + <code>/dev/random</code>). On other systems, applications have to + seed the OpenSSL Pseudo Random Number Generator (PRNG) manually with + appropriate data before generating keys or performing public key + encryption. As of version 0.9.5, the OpenSSL functions that need + randomness report an error if the PRNG has not been seeded with + at least 128 bits of randomness.</p> + <p>To prevent this error, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> has to provide + enough entropy to the PRNG to allow it to work correctly. This can + be done via the <code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code> + directive.</p> + +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="aboutconfig" id="aboutconfig">Configuration</a></h2> +<ul> +<li><a href="#parallel">Is it possible to provide HTTP and HTTPS from +the same server?</a></li> +<li><a href="#ports">Which port does HTTPS use?</a></li> +<li><a href="#httpstest">How do I speak HTTPS manually for testing +purposes?</a></li> +<li><a href="#hang">Why does the connection hang when I connect to my +SSL-aware Apache server?</a></li> +<li><a href="#refused">Why do I get ``Connection Refused'' errors, when +trying to access my newly installed Apache+mod_ssl server via HTTPS?</a></li> +<li><a href="#envvars">Why are the <code>SSL_XXX</code> variables not +available to my CGI & SSI scripts?</a></li> +<li><a href="#relative">How can I switch between HTTP and HTTPS in +relative hyperlinks?</a></li> +</ul> + +<h3><a name="parallel" id="parallel">Is it possible to provide HTTP and HTTPS + from the same server?</a></h3> + <p>Yes. HTTP and HTTPS use different server ports (HTTP binds to + port 80, HTTPS to port 443), so there is no direct conflict between + them. You can either run two separate server instances bound to + these ports, or use Apache's elegant virtual hosting facility to + create two virtual servers, both served by the same instance of Apache + - one responding over HTTP to requests on port 80, and the other + responding over HTTPS to requests on port 443.</p> + + +<h3><a name="ports" id="ports">Which port does HTTPS use?</a></h3> +<p>You can run HTTPS on any port, but the standards specify port 443, which + is where any HTTPS compliant browser will look by default. You can force + your browser to look on a different port by specifying it in the URL. For + example, if your server is set up to serve pages over HTTPS on port 8080, + you can access them at <code>https://example.com:8080/</code></p> + + +<h3><a name="httpstest" id="httpstest">How do I speak HTTPS manually for testing purposes?</a></h3> + <p>While you usually just use</p> + + <div class="example"><p><code>$ telnet localhost 80<br /> + GET / HTTP/1.0</code></p></div> + + <p>for simple testing of Apache via HTTP, it's not so easy for + HTTPS because of the SSL protocol between TCP and HTTP. With the + help of OpenSSL's <code>s_client</code> command, however, you can + do a similar check via HTTPS:</p> + + <div class="example"><p><code>$ openssl s_client -connect localhost:443 -state -debug<br /> + GET / HTTP/1.0</code></p></div> + + <p>Before the actual HTTP response you will receive detailed + information about the SSL handshake. For a more general command + line client which directly understands both HTTP and HTTPS, can + perform GET and POST operations, can use a proxy, supports byte + ranges, etc. you should have a look at the nifty + <a href="http://curl.haxx.se/">cURL</a> tool. Using this, you can + check that Apache is responding correctly to requests via HTTP and + HTTPS as follows:</p> + + <div class="example"><p><code>$ curl http://localhost/<br /> + $ curl https://localhost/</code></p></div> + + +<h3><a name="hang" id="hang">Why does the connection hang when I connect + to my SSL-aware Apache server?</a></h3> + +<p>This can happen when you try to connect to a HTTPS server (or virtual + server) via HTTP (eg, using <code>http://example.com/</code> instead of + <code>https://example.com</code>). It can also happen when trying to + connect via HTTPS to a HTTP server (eg, using + <code>https://example.com/</code> on a server which doesn't support HTTPS, + or which supports it on a non-standard port). Make sure that you're + connecting to a (virtual) server that supports SSL.</p> + +<h3><a name="refused" id="refused">Why do I get ``Connection Refused'' messages, + when trying to access my newly installed Apache+mod_ssl server via HTTPS?</a></h3> +<p> + This error can be caused by an incorrect configuration. + Please make sure that your <code class="directive"><a href="../mod/mpm_common.html#listen">Listen</a></code> directives match your + <code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code> + directives. If all else fails, please start afresh, using the default + configuration provided by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.</p> + + +<h3><a name="envvars" id="envvars">Why are the <code>SSL_XXX</code> variables + not available to my CGI & SSI scripts?</a></h3> +<p>Please make sure you have ``<code>SSLOptions +StdEnvVars</code>'' + enabled for the context of your CGI/SSI requests.</p> + + +<h3><a name="relative" id="relative">How can I switch between HTTP and HTTPS in relative + hyperlinks?</a></h3> + +<p>Usually, to switch between HTTP and HTTPS, you have to use + fully-qualified hyperlinks (because you have to change the URL + scheme). Using <code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code> however, you can + manipulate relative hyperlinks, to achieve the same effect.</p> + <div class="example"><p><code> + RewriteEngine on<br /> + RewriteRule ^/(.*):SSL$ https://%{SERVER_NAME}/$1 [R,L]<br /> + RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [R,L] + </code></p></div> + + <p>This rewrite ruleset lets you use hyperlinks of the form + <code><a href="document.html:SSL"></code>, to switch to HTTPS + in a relative link. (Replace SSL with NOSSL to switch to HTTP.)</p> + +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="aboutcerts" id="aboutcerts">Certificates</a></h2> +<ul> +<li><a href="#keyscerts">What are RSA Private Keys, CSRs and +Certificates?</a></li> +<li><a href="#startup">Is there a difference on startup between +a non-SSL-aware Apache and an SSL-aware Apache?</a></li> +<li><a href="#selfcert">How do I create a self-signed SSL +Certificate for testing purposes?</a></li> +<li><a href="#realcert">How do I create a real SSL Certificate?</a></li> +<li><a href="#ownca">How do I create and use my own Certificate +Authority (CA)?</a></li> +<li><a href="#passphrase">How can I change the pass-phrase on my private +key file?</a></li> +<li><a href="#removepassphrase">How can I get rid of the pass-phrase +dialog at Apache startup time?</a></li> +<li><a href="#verify">How do I verify that a private key matches its +Certificate?</a></li> +<li><a href="#badcert">Why do connections fail with an "alert bad +certificate" error?</a></li> +<li><a href="#keysize">Why does my 2048-bit private key not work?</a></li> +<li><a href="#hashsymlinks">Why is client authentication broken after +upgrading from SSLeay version 0.8 to 0.9?</a></li> +<li><a href="#pemder">How can I convert a certificate from PEM to DER +format?</a></li> +<li><a href="#verisign">Why can't I find the +<code>getca</code> or <code>getverisign</code> programs mentioned by +Verisign, for installing my Verisign certificate?</a></li> +<li><a href="#sgc">Can I use the Server Gated Cryptography (SGC) +facility (aka Verisign Global ID) with mod_ssl?</a></li> +<li><a href="#gid">Why do browsers complain that they cannot +verify my Verisign Global ID server certificate?</a></li> +</ul> + +<h3><a name="keyscerts" id="keyscerts">What are RSA Private Keys, CSRs and Certificates?</a></h3> +<p>An RSA private key file is a digital file that you can use to decrypt + messages sent to you. It has a public component which you distribute (via + your Certificate file) which allows people to encrypt those messages to + you.</p> + <p>A Certificate Signing Request (CSR) is a digital file which contains + your public key and your name. You send the CSR to a Certifying Authority + (CA), who will convert it into a real Certificate, by signing it.</p> + <p>A Certificate contains your + RSA public key, your name, the name of the CA, and is digitally signed by + the CA. Browsers that know the CA can verify the signature on that + Certificate, thereby obtaining your RSA public key. That enables them to + send messages which only you can decrypt.</p> + <p>See the <a href="ssl_intro.html">Introduction</a> chapter for a general + description of the SSL protocol.</p> + + +<h3><a name="startup" id="startup">Is there a difference on startup between + a non-SSL-aware Apache and an SSL-aware Apache?</a></h3> +<p>Yes. In general, starting Apache with + <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> built-in is just like starting Apache + without it. However, if you have a passphrase on your SSL private + key file, a startup dialog will pop up which asks you to enter the + pass phrase.</p> + + <p>Having to manually enter the passphrase when starting the server + can be problematic - for example, when starting the server from the + system boot scripts. In this case, you can follow the steps + <a href="#removepassphrase">below</a> to remove the passphrase from + your private key. Bear in mind that doing so brings additional security + risks - proceed with caution!</p> + + +<h3><a name="selfcert" id="selfcert">How do I create a self-signed SSL +Certificate for testing purposes?</a></h3> + <ol> + <li>Make sure OpenSSL is installed and in your <code>PATH</code>.<br /> + <br /> + </li> + <li>Run the following command, to create <code>server.key</code> and + <code>server.crt</code> files:<br /> + <code><strong>$ openssl req -new -x509 -nodes -out server.crt + -keyout server.key</strong></code><br /> + These can be used as follows in your <code>httpd.conf</code> + file: + <pre> + SSLCertificateFile /path/to/this/server.crt + SSLCertificateKeyFile /path/to/this/server.key + </pre> + </li> + <li>It is important that you are aware that this + <code>server.key</code> does <em>not</em> have any passphrase. + To add a passphrase to the key, you should run the following + command, and enter & verify the passphrase as requested.<br /> + <p><code><strong>$ openssl rsa -des3 -in server.key -out + server.key.new</strong></code><br /> + <code><strong>$ mv server.key.new server.key</strong></code><br /></p> + Please backup the <code>server.key</code> file, and the passphrase + you entered, in a secure location. + </li> + </ol> + + +<h3><a name="realcert" id="realcert">How do I create a real SSL Certificate?</a></h3> +<p>Here is a step-by-step description:</p> + <ol> + <li>Make sure OpenSSL is installed and in your <code>PATH</code>. + <br /> + <br /> + </li> + <li>Create a RSA private key for your Apache server + (will be Triple-DES encrypted and PEM formatted):<br /> + <br /> + <code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code><br /> + <br /> + Please backup this <code>server.key</code> file and the + pass-phrase you entered in a secure location. + You can see the details of this RSA private key by using the command:<br /> + + <br /> + <code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br /> + <br /> + If necessary, you can also create a decrypted PEM version (not + recommended) of this RSA private key with:<br /> + <br /> + <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br /> + <br /> + + </li> + <li>Create a Certificate Signing Request (CSR) with the server RSA private + key (output will be PEM formatted):<br /> + <br /> + <code><strong>$ openssl req -new -key server.key -out server.csr</strong></code><br /> + <br /> + Make sure you enter the FQDN ("Fully Qualified Domain Name") of the + server when OpenSSL prompts you for the "CommonName", i.e. when you + generate a CSR for a website which will be later accessed via + <code>https://www.foo.dom/</code>, enter "www.foo.dom" here. + You can see the details of this CSR by using<br /> + + <br /> + <code><strong>$ openssl req -noout -text -in server.csr</strong></code><br /> + <br /> + </li> + <li>You now have to send this Certificate Signing Request (CSR) to + a Certifying Authority (CA) to be signed. Once the CSR has been + signed, you will have a real Certificate, which can be used by + Apache. You can have a CSR signed by a commercial CA, or you can + create your own CA to sign it.<br /> + Commercial CAs usually ask you to post the CSR into a web form, + pay for the signing, and then send a signed Certificate, which + you can store in a server.crt file. For more information about + commercial CAs see the following locations:<br /> + <br /> + <ol> + <li> Verisign<br /> + <a href="http://digitalid.verisign.com/server/apacheNotice.htm"> + http://digitalid.verisign.com/server/apacheNotice.htm + </a> + </li> + <li> Thawte<br /> + <a href="http://www.thawte.com/">http://www.thawte.com/</a> + </li> + <li> CertiSign Certificadora Digital Ltda.<br /> + <a href="http://www.certisign.com.br"> + http://www.certisign.com.br + </a> + </li> + <li> IKS GmbH<br /> + <a href="http://www.iks-jena.de/leistungen/ca/"> + http://www.iks-jena.de/leistungen/ca/ + </a> + </li> + <li> Uptime Commerce Ltd.<br /> + <a href="http://www.uptimecommerce.com"> + http://www.uptimecommerce.com + </a> + </li> + <li> BelSign NV/SA<br /> + <a href="http://www.belsign.be"> + http://www.belsign.be + </a> + </li> + </ol> + + For details on how to create your own CA, and use this to sign + a CSR, see <a href="#ownca">below</a>.<br /> + + Once your CSR has been signed, you can see the details of the + Certificate as follows:<br /> + <br /> + <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br /> + + </li> + <li>You should now have two files: <code>server.key</code> and + <code>server.crt</code>. These can be used as follows in your + <code>httpd.conf</code> file: + <pre> + SSLCertificateFile /path/to/this/server.crt + SSLCertificateKeyFile /path/to/this/server.key + </pre> + The <code>server.csr</code> file is no longer needed. + </li> + + </ol> + + +<h3><a name="ownca" id="ownca">How do I create and use my own Certificate Authority (CA)?</a></h3> + <p>The short answer is to use the <code>CA.sh</code> or <code>CA.pl</code> + script provided by OpenSSL. Unless you have a good reason not to, + you should use these for preference. If you cannot, you can create a + self-signed Certificate as follows:</p> + + <ol> + <li>Create a RSA private key for your server + (will be Triple-DES encrypted and PEM formatted):<br /> + <br /> + <code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code><br /> + <br /> + Please backup this <code>host.key</code> file and the + pass-phrase you entered in a secure location. + You can see the details of this RSA private key by using the + command:<br /> + <code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br /> + <br /> + If necessary, you can also create a decrypted PEM version (not + recommended) of this RSA private key with:<br /> + <br /> + <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br /> + <br /> + </li> + <li>Create a self-signed Certificate (X509 structure) + with the RSA key you just created (output will be PEM formatted):<br /> + <br /> + <code><strong>$ openssl req -new -x509 -nodes -sha1 -days 365 + -key server.key -out server.crt</strong></code><br /> + <br /> + This signs the server CSR and results in a <code>server.crt</code> file.<br /> + You can see the details of this Certificate using:<br /> + <br /> + <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br /> + <br /> + </li> + </ol> + + +<h3><a name="passphrase" id="passphrase">How can I change the pass-phrase on my private key file?</a></h3> +<p>You simply have to read it with the old pass-phrase and write it again, + specifying the new pass-phrase. You can accomplish this with the following + commands:</p> + + + <p><code><strong>$ openssl rsa -des3 -in server.key -out server.key.new</strong></code><br /> + <code><strong>$ mv server.key.new server.key</strong></code><br /></p> + + <p>The first time you're asked for a PEM pass-phrase, you should + enter the old pass-phrase. After that, you'll be asked again to + enter a pass-phrase - this time, use the new pass-phrase. If you + are asked to verify the pass-phrase, you'll need to enter the new + pass-phrase a second time.</p> + + +<h3><a name="removepassphrase" id="removepassphrase">How can I get rid of the pass-phrase dialog at Apache startup time?</a></h3> +<p>The reason this dialog pops up at startup and every re-start + is that the RSA private key inside your server.key file is stored in + encrypted format for security reasons. The pass-phrase is needed to decrypt + this file, so it can be read and parsed. Removing the pass-phrase + removes a layer of security from your server - proceed with caution!</p> + <ol> + <li>Remove the encryption from the RSA private key (while + keeping a backup copy of the original file):<br /> + <br /> + <code><strong>$ cp server.key server.key.org</strong></code><br /> + <code><strong>$ openssl rsa -in server.key.org -out server.key</strong></code><br /> + + <br /> + </li> + <li>Make sure the server.key file is only readable by root:<br /> + <br /> + <code><strong>$ chmod 400 server.key</strong></code><br /> + <br /> + </li> + </ol> + + <p>Now <code>server.key</code> contains an unencrypted copy of the key. + If you point your server at this file, it will not prompt you for a + pass-phrase. HOWEVER, if anyone gets this key they will be able to + impersonate you on the net. PLEASE make sure that the permissions on this + file are such that only root or the web server user can read it + (preferably get your web server to start as root but run as another + user, and have the key readable only by root).</p> + + <p>As an alternative approach you can use the ``<code>SSLPassPhraseDialog + exec:/path/to/program</code>'' facility. Bear in mind that this is + neither more nor less secure, of course.</p> + + +<h3><a name="verify" id="verify">How do I verify that a private key matches its Certificate?</a></h3> +<p>A private key contains a series of numbers. Two of these numbers form + the "public key", the others are part of the "private key". The "public + key" bits are included when you generate a CSR, and subsequently form + part of the associated Certificate.</p> + <p>To check that the public key in your Certificate matches the public + portion of your private key, you simply need to compare these numbers. + To view the Certificate and the key run the commands:</p> + + <p><code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br /> + <code><strong>$ openssl rsa -noout -text -in server.key</strong></code></p> + + <p>The `modulus' and the `public exponent' portions in the key and the + Certificate must match. As the public exponent is usually 65537 + and it's difficult to visually check that the long modulus numbers + are the same, you can use the following approach:</p> + + <p><code><strong>$ openssl x509 -noout -modulus -in server.crt | openssl md5</strong></code><br /> + <code><strong>$ openssl rsa -noout -modulus -in server.key | openssl md5</strong></code></p> + + <p>This leaves you with two rather shorter numbers to compare. It is, + in theory, possible that these numbers may be the same, without the + modulus numbers being the same, but the chances of this are + overwhelmingly remote.</p> + <p>Should you wish to check to which key or certificate a particular + CSR belongs you can perform the same calculation on the CSR as + follows:</p> + + <p><code><strong>$ openssl req -noout -modulus -in server.csr | openssl md5</strong></code></p> + + +<h3><a name="badcert" id="badcert">Why do connections fail with an "alert +bad certificate" error?</a></h3> +<p>Errors such as <code>OpenSSL: error:14094412: SSL + routines:SSL3_READ_BYTES:sslv3 alert bad certificate</code> in the SSL + logfile, are usually caused by a browser which is unable to handle the server + certificate/private-key. For example, Netscape Navigator 3.x is + unable to handle RSA key lengths not equal to 1024 bits.</p> + + +<h3><a name="keysize" id="keysize">Why does my 2048-bit private key not work?</a></h3> +<p>The private key sizes for SSL must be either 512 or 1024 bits, for compatibility + with certain web browsers. A keysize of 1024 bits is recommended because + keys larger than 1024 bits are incompatible with some versions of Netscape + Navigator and Microsoft Internet Explorer, and with other browsers that + use RSA's BSAFE cryptography toolkit.</p> + + +<h3><a name="hashsymlinks" id="hashsymlinks">Why is client authentication broken after upgrading from +SSLeay version 0.8 to 0.9?</a></h3> +<p>The CA certificates under the path you configured with + <code>SSLCACertificatePath</code> are found by SSLeay through hash + symlinks. These hash values are generated by the `<code>openssl x509 -noout + -hash</code>' command. However, the algorithm used to calculate the hash for a + certificate changed between SSLeay 0.8 and 0.9. You will need to remove + all old hash symlinks and create new ones after upgrading. Use the + <code>Makefile</code> provided by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.</p> + + +<h3><a name="pemder" id="pemder">How can I convert a certificate from PEM to DER format?</a></h3> +<p>The default certificate format for SSLeay/OpenSSL is PEM, which is simply + Base64 encoded DER, with header and footer lines. For some applications + (e.g. Microsoft Internet Explorer) you need the certificate in plain DER + format. You can convert a PEM file <code>cert.pem</code> into the + corresponding DER file <code>cert.der</code> using the following command: + <code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code></p> + + +<h3><a name="verisign" id="verisign">Why can't I find the +<code>getca</code> or <code>getverisign</code> programs mentioned by +Verisign, for installing my Verisign certificate?</a></h3> +<p>Verisign has never provided specific instructions + for Apache+mod_ssl. The instructions provided are for C2Net's + Stronghold (a commercial Apache based server with SSL support).</p> + <p>To install your certificate, all you need to do is to save the + certificate to a file, and give the name of that file to the + <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatefile">SSLCertificateFile</a></code> directive. + You will also need to give it the key file. For more information, + see the <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatekeyfile">SSLCertificateKeyFile</a></code> + directive.</p> + + +<h3><a name="sgc" id="sgc">Can I use the Server Gated Cryptography (SGC) +facility (aka Verisign Global ID) with mod_ssl?</a></h3> +<p>Yes. <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> has included support for the SGC + facility since version 2.1. No special configuration is required - + just use the Global ID as your server certificate. The + <em>step up</em> of the clients is then automatically handled by + <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> at run-time.</p> + + +<h3><a name="gid" id="gid">Why do browsers complain that they cannot +verify my Verisign Global ID server certificate?</a></h3> +<p>Verisign uses an intermediate CA certificate between the root CA + certificate (which is installed in the browsers) and the server + certificate (which you installed on the server). You should have + received this additional CA certificate from Verisign. + If not, complain to them. Then, configure this certificate with the + <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatechainfile">SSLCertificateChainFile</a></code> + directive. This ensures that the intermediate CA certificate is + sent to the browser, filling the gap in the certificate chain.</p> + +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="aboutssl" id="aboutssl">The SSL Protocol</a></h2> +<ul> +<li><a href="#random">Why do I get lots of random SSL protocol +errors under heavy server load?</a></li> +<li><a href="#load">Why does my webserver have a higher load, now +that it serves SSL encrypted traffic?</a></li> +<li><a href="#establishing">Why do HTTPS connections to my server +sometimes take up to 30 seconds to establish a connection?</a></li> +<li><a href="#ciphers">What SSL Ciphers are supported by mod_ssl?</a></li> +<li><a href="#adh">Why do I get ``no shared cipher'' errors, when +trying to use Anonymous Diffie-Hellman (ADH) ciphers?</a></li> +<li><a href="#sharedciphers">Why do I get a 'no shared ciphers' +error when connecting to my newly installed server?</a></li> +<li><a href="#vhosts">Why can't I use SSL with name-based/non-IP-based +virtual hosts?</a></li> +<li><a href="#vhosts2">Why is it not possible to use Name-Based Virtual +Hosting to identify different SSL virtual hosts?</a></li> +<li><a href="#comp">How do I get SSL compression working?</a></li> +<li><a href="#lockicon">When I use Basic Authentication over HTTPS +the lock icon in Netscape browsers stays unlocked when the dialog pops up. +Does this mean the username/password is being sent unencrypted?</a></li> +<li><a href="#msie">Why do I get I/O errors when connecting via +HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer +(MSIE)?</a></li> +<li><a href="#nn">Why do I get I/O errors, or the message "Netscape has +encountered bad data from the server", when connecting via +HTTPS to an Apache+mod_ssl server with Netscape Navigator?</a></li> +</ul> + +<h3><a name="random" id="random">Why do I get lots of random SSL protocol +errors under heavy server load?</a></h3> +<p>There can be a number of reasons for this, but the main one + is problems with the SSL session Cache specified by the + <code class="directive"><a href="../mod/mod_ssl.html#sslsessioncache">SSLSessionCache</a></code> directive. The DBM session + cache is the most likely source of the problem, so using the SHM session cache (or + no cache at all) may help.</p> + + +<h3><a name="load" id="load">Why does my webserver have a higher load, now +that it serves SSL encrypted traffic?</a></h3> +<p>SSL uses strong cryptographic encryption, which necessitates a lot of + number crunching. When you request a webpage via HTTPS, everything (even + the images) is encrypted before it is transferred. So increased HTTPS + traffic leads to load increases.</p> + + +<h3><a name="establishing" id="establishing">Why do HTTPS connections to my server +sometimes take up to 30 seconds to establish a connection?</a></h3> +<p>This is usually caused by a <code>/dev/random</code> device for + <code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code> which blocks the + read(2) call until enough entropy is available to service the + request. More information is available in the reference + manual for the <code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code> + directive.</p> + + +<h3><a name="ciphers" id="ciphers">What SSL Ciphers are supported by mod_ssl?</a></h3> +<p>Usually, any SSL ciphers supported by the version of OpenSSL in use, + are also supported by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>. Which ciphers are + available can depend on the way you built OpenSSL. Typically, at + least the following ciphers are supported:</p> + + <ol> + <li>RC4 with MD5</li> + <li>RC4 with MD5 (export version restricted to 40-bit key)</li> + <li>RC2 with MD5</li> + <li>RC2 with MD5 (export version restricted to 40-bit key)</li> + <li>IDEA with MD5</li> + <li>DES with MD5</li> + <li>Triple-DES with MD5</li> + </ol> + + <p>To determine the actual list of ciphers available, you should run + the following:</p> + <div class="example"><p><code>$ openssl ciphers -v</code></p></div> + + +<h3><a name="adh" id="adh">Why do I get ``no shared cipher'' errors, when +trying to use Anonymous Diffie-Hellman (ADH) ciphers?</a></h3> +<p>By default, OpenSSL does <em>not</em> allow ADH ciphers, for security + reasons. Please be sure you are aware of the potential side-effects + if you choose to enable these ciphers.</p> + <p>In order to use Anonymous Diffie-Hellman (ADH) ciphers, you must + build OpenSSL with ``<code>-DSSL_ALLOW_ADH</code>'', and then add + ``<code>ADH</code>'' into your <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code>.</p> + + +<h3><a name="sharedciphers" id="sharedciphers">Why do I get a 'no shared ciphers' +error when connecting to my newly installed server?</a></h3> +<p>Either you have made a mistake with your + <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code> + directive (compare it with the pre-configured example in + <code>httpd.conf-dist</code>) or you chose to use DSA/DH + algorithms instead of RSA when you generated your private key + and ignored or overlooked the warnings. If you have chosen + DSA/DH, then your server cannot communicate using RSA-based SSL + ciphers (at least until you configure an additional RSA-based + certificate/key pair). Modern browsers like NS or IE can only + communicate over SSL using RSA ciphers. The result is the + "no shared ciphers" error. To fix this, regenerate your server + certificate/key pair, using the RSA algorithm.</p> + + +<h3><a name="vhosts" id="vhosts">Why can't I use SSL with name-based/non-IP-based virtual hosts?</a></h3> +<p>The reason is very technical, and a somewhat "chicken and egg" problem. + The SSL protocol layer stays below the HTTP protocol layer and + encapsulates HTTP. When an SSL connection (HTTPS) is established + Apache/mod_ssl has to negotiate the SSL protocol parameters with the + client. For this, mod_ssl has to consult the configuration of the virtual + server (for instance it has to look for the cipher suite, the server + certificate, etc.). But in order to go to the correct virtual server + Apache has to know the <code>Host</code> HTTP header field. To do this, the + HTTP request header has to be read. This cannot be done before the SSL + handshake is finished, but the information is needed in order to + complete the SSL handshake phase. Bingo!</p> + + +<h3><a name="vhosts2" id="vhosts2">Why is it not possible to use Name-Based +Virtual Hosting to identify different SSL virtual hosts?</a></h3> + <p>Name-Based Virtual Hosting is a very popular method of identifying + different virtual hosts. It allows you to use the same IP address and + the same port number for many different sites. When people move on to + SSL, it seems natural to assume that the same method can be used to have + lots of different SSL virtual hosts on the same server.</p> + + <p>It comes as rather a shock to learn that it is impossible.</p> + + <p>The reason is that the SSL protocol is a separate layer which + encapsulates the HTTP protocol. So the SSL session is a separate + transaction, that takes place before the HTTP session has begun. + The server receives an SSL request on IP address X and port Y + (usually 443). Since the SSL request does not contain any Host: + field, the server has no way to decide which SSL virtual host to use. + Usually, it will just use the first one it finds, which matches the + port and IP address specified.</p> + + <p>You can, of course, use Name-Based Virtual Hosting to identify many + non-SSL virtual hosts (all on port 80, for example) and then + have a single SSL virtual host (on port 443). But if you do this, + you must make sure to put the non-SSL port number on the NameVirtualHost + directive, e.g.</p> + + <div class="example"><p><code> + NameVirtualHost 192.168.1.1:80 + </code></p></div> + + <p>Other workaround solutions include: </p> + + <p>Using separate IP addresses for different SSL hosts. + Using different port numbers for different SSL hosts.</p> + + +<h3><a name="comp" id="comp">How do I get SSL compression working?</a></h3> +<p>Although SSL compression negotiation was defined in the specification +of SSLv2 and TLS, it took until May 2004 for RFC 3749 to define DEFLATE as +a negotiable standard compression method. +</p> +<p>OpenSSL 0.9.8 started to support this by default when compiled with the +<code>zlib</code> option. If both the client and the server support compression, +it will be used. However, most clients still try to initially connect with an +SSLv2 Hello. As SSLv2 did not include an array of prefered compression algorithms +in its handshake, compression cannot be negotiated with these clients. +If the client disables support for SSLv2, either an SSLv3 or TLS Hello +may be sent, depending on which SSL library is used, and compression may +be set up. You can verify whether clients make use of SSL compression by +logging the <code>%{SSL_COMPRESS_METHOD}x</code> variable. +</p> + + +<h3><a name="lockicon" id="lockicon">When I use Basic Authentication over HTTPS +the lock icon in Netscape browsers stays unlocked when the dialog pops up. +Does this mean the username/password is being sent unencrypted?</a></h3> +<p>No, the username/password is transmitted encrypted. The icon in + Netscape browsers is not actually synchronized with the SSL/TLS layer. + It only toggles to the locked state when the first part of the actual + webpage data is transferred, which may confuse people. The Basic + Authentication facility is part of the HTTP layer, which is above + the SSL/TLS layer in HTTPS. Before any HTTP data communication takes + place in HTTPS, the SSL/TLS layer has already completed its handshake + phase, and switched to encrypted communication. So don't be + confused by this icon.</p> + + +<h3><a name="msie" id="msie">Why do I get I/O errors when connecting via +HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer (MSIE)?</a></h3> +<p>The first reason is that the SSL implementation in some MSIE versions has + some subtle bugs related to the HTTP keep-alive facility and the SSL close + notify alerts on socket connection close. Additionally the interaction + between SSL and HTTP/1.1 features are problematic in some MSIE versions. + You can work around these problems by forcing Apache not to use HTTP/1.1, + keep-alive connections or send the SSL close notify messages to MSIE clients. + This can be done by using the following directive in your SSL-aware + virtual host section:</p> + <div class="example"><p><code> + SetEnvIf User-Agent ".*MSIE.*" \<br /> + nokeepalive ssl-unclean-shutdown \<br /> + downgrade-1.0 force-response-1.0 + </code></p></div> + <p>Further, some MSIE versions have problems with particular ciphers. + Unfortunately, it is not possible to implement a MSIE-specific + workaround for this, because the ciphers are needed as early as the + SSL handshake phase. So a MSIE-specific + <code class="directive"><a href="../mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> won't solve these + problems. Instead, you will have to make more drastic + adjustments to the global parameters. Before you decide to do + this, make sure your clients really have problems. If not, do not + make these changes - they will affect <em>all</em> your clients, MSIE + or otherwise.</p> + + <p>The next problem is that 56bit export versions of MSIE 5.x + browsers have a broken SSLv3 implementation, which interacts badly + with OpenSSL versions greater than 0.9.4. You can accept this and + require your clients to upgrade their browsers, you can downgrade to + OpenSSL 0.9.4 (not advised), or you can work around this, accepting + that your workaround will affect other browsers too:</p> + <div class="example"><p><code>SSLProtocol all -SSLv3</code></p></div> + <p>will completely disables the SSLv3 protocol and allow those + browsers to work. A better workaround is to disable only those + ciphers which cause trouble.</p> + <div class="example"><p><code>SSLCipherSuite + ALL:!ADH:<strong>!EXPORT56</strong>:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code> + </p></div> + + <p>This also allows the broken MSIE versions to work, but only removes the + newer 56bit TLS ciphers.</p> + + <p>Another problem with MSIE 5.x clients is that they refuse to connect to + URLs of the form <code>https://12.34.56.78/</code> (where IP-addresses are used + instead of the hostname), if the server is using the Server Gated + Cryptography (SGC) facility. This can only be avoided by using the fully + qualified domain name (FQDN) of the website in hyperlinks instead, because + MSIE 5.x has an error in the way it handles the SGC negotiation.</p> + + <p>And finally there are versions of MSIE which seem to require that + an SSL session can be reused (a totally non standard-conforming + behaviour, of course). Connecting with those MSIE versions only work + if a SSL session cache is used. So, as a work-around, make sure you + are using a session cache (see the <code class="directive"><a href="../mod/mod_ssl.html#sslsessioncache">SSLSessionCache</a></code> directive).</p> + + +<h3><a name="nn" id="nn">Why do I get I/O errors, or the message "Netscape has +encountered bad data from the server", when connecting via +HTTPS to an Apache+mod_ssl server with Netscape Navigator?</a></h3> +<p> + This usually occurs when you have created a new server certificate for + a given domain, but had previously told your browser to always accept + the old server certificate. Once you clear the entry for the old + certificate from your browser, everything should be fine. Netscape's SSL + implementation is correct, so when you encounter I/O errors with Netscape + Navigator it is usually caused by the configured certificates.</p> + +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="support" id="support">mod_ssl Support</a></h2> +<ul> +<li><a href="#resources">What information resources are available in +case of mod_ssl problems?</a></li> +<li><a href="#contact">What support contacts are available in case of +mod_ssl problems?</a></li> +<li><a href="#reportdetails">What information should I +provide when writing a bug report?</a></li> +<li><a href="#coredumphelp">I had a core dump, can you help me?</a></li> +<li><a href="#backtrace">How do I get a backtrace, to help find the reason +for my core dump?</a></li> +</ul> + +<h3><a name="resources" id="resources">What information resources are available in case of mod_ssl problems?</a></h3> +<p>The following information resources are available. + In case of problems you should search here first.</p> + + <dl> + <dt>Answers in the User Manual's F.A.Q. List (this)</dt> + <dd><a href="http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html"> + http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html</a><br /> + First check the F.A.Q. (this text). If your problem is a common + one, it may have been answered several times before, and been included + in this doc. + </dd> + <dt>Postings from the modssl-users Support Mailing List + <a href="http://www.modssl.org/support/">http://www.modssl.org/support/</a></dt> + <dd>Search for your problem in the archives of the modssl-users mailing list. + You're probably not the first person to have had this problem! + </dd> + </dl> + + +<h3><a name="contact" id="contact">What support contacts are available in case +of mod_ssl problems?</a></h3> + <p>The following lists all support possibilities for mod_ssl, in order of + preference. Please go through these possibilities + <em>in this order</em> - don't just pick the one you like the look of. </p> + <ol> + <li><em>Send a Problem Report to the modssl-users Support Mailing List</em><br /> + <a href="mailto:modssl-users@modssl.org"> + modssl-users@modssl.org</a><br /> + This is the preferred way of submitting your problem report, because this way, + others can see the problem, and learn from any answers. You must subscribe to + the list first, but you can then easily discuss your problem with both the + author and the whole mod_ssl user community. + </li> + + <li><em>Send a Problem Report to the Apache httpd Users Support Mailing List</em><br /> + <a href="mailto:users@httpd.apache.org"> + users@httpd.apache.org</a><br /> + This is the second way of submitting your problem report. Again, you must + subscribe to the list first, but you can then easily discuss your problem + with the whole Apache httpd user community. + </li> + + <li><em>Write a Problem Report in the Bug Database</em><br /> + <a href="http://httpd.apache.org/bug_report.html"> + http://httpd.apache.org/bug_report.html</a><br /> + This is the last way of submitting your problem report. You should only + do this if you've already posted to the mailing lists, and had no success. + Please follow the instructions on the above page <em>carefully</em>. + </li> + </ol> + + +<h3><a name="reportdetails" id="reportdetails">What information should I +provide when writing a bug report?</a></h3> +<p>You should always provide at least the following information:</p> + + <dl> + <dt>Apache and OpenSSL version information</dt> + <dd>The Apache version can be determined + by running <code>httpd -v</code>. The OpenSSL version can be + determined by running <code>openssl version</code>. Alternatively, if + you have Lynx installed, you can run the command <code>lynx -mime_header + http://localhost/ | grep Server</code> to gather this information in a + single step. + </dd> + + <dt>The details on how you built and installed Apache+mod_ssl+OpenSSL</dt> + <dd>For this you can provide a logfile of your terminal session which shows + the configuration and install steps. If this is not possible, you + should at least provide the <code class="program"><a href="../programs/configure.html">configure</a></code> command line you used. + </dd> + + <dt>In case of core dumps please include a Backtrace</dt> + <dd>If your Apache+mod_ssl+OpenSSL dumps its core, please attach + a stack-frame ``backtrace'' (see <a href="#backtrace">below</a> + for information on how to get this). This information is required + in order to find a reason for your core dump. + </dd> + + <dt>A detailed description of your problem</dt> + <dd>Don't laugh, we really mean it! Many problem reports don't + include a description of what the actual problem is. Without this, + it's very difficult for anyone to help you. So, it's in your own + interest (you want the problem be solved, don't you?) to include as + much detail as possible, please. Of course, you should still include + all the essentials above too. + </dd> + </dl> + + +<h3><a name="coredumphelp" id="coredumphelp">I had a core dump, can you help me?</a></h3> +<p>In general no, at least not unless you provide more details about the code + location where Apache dumped core. What is usually always required in + order to help you is a backtrace (see next question). Without this + information it is mostly impossible to find the problem and help you in + fixing it.</p> + + +<h3><a name="backtrace" id="backtrace">How do I get a backtrace, to help find +the reason for my core dump?</a></h3> +<p>Following are the steps you will need to complete, to get a backtrace:</p> + <ol> + <li>Make sure you have debugging symbols available, at least + in Apache. On platforms where you use GCC/GDB, you will have to build + Apache+mod_ssl with ``<code>OPTIM="-g -ggdb3"</code>'' to get this. On + other platforms at least ``<code>OPTIM="-g"</code>'' is needed. + </li> + + <li>Start the server and try to reproduce the core-dump. For this you may + want to use a directive like ``<code>CoreDumpDirectory /tmp</code>'' to + make sure that the core-dump file can be written. This should result + in a <code>/tmp/core</code> or <code>/tmp/httpd.core</code> file. If you + don't get one of these, try running your server under a non-root UID. + Many modern kernels do not allow a process to dump core after it has + done a <code>setuid()</code> (unless it does an <code>exec()</code>) for + security reasons (there can be privileged information left over in + memory). If necessary, you can run <code>/path/to/httpd -X</code> + manually to force Apache to not fork. + </li> + + <li>Analyze the core-dump. For this, run <code>gdb /path/to/httpd + /tmp/httpd.core</code> or a similar command. In GDB, all you + have to do then is to enter <code>bt</code>, and voila, you get the + backtrace. For other debuggers consult your local debugger manual. + </li> + </ol> + +</div></div> +<div class="bottomlang"> +<p><span>Available Languages: </span><a href="../en/ssl/ssl_faq.html" title="English"> en </a></p> +</div><div id="footer"> +<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> +<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div> +</body></html>
\ No newline at end of file diff --git a/rubbos/app/apache2/manual/ssl/ssl_howto.html b/rubbos/app/apache2/manual/ssl/ssl_howto.html new file mode 100644 index 00000000..9f06e018 --- /dev/null +++ b/rubbos/app/apache2/manual/ssl/ssl_howto.html @@ -0,0 +1,5 @@ +# GENERATED FROM XML -- DO NOT EDIT + +URI: ssl_howto.html.en +Content-Language: en +Content-type: text/html; charset=ISO-8859-1 diff --git a/rubbos/app/apache2/manual/ssl/ssl_howto.html.en b/rubbos/app/apache2/manual/ssl/ssl_howto.html.en new file mode 100644 index 00000000..f09492d6 --- /dev/null +++ b/rubbos/app/apache2/manual/ssl/ssl_howto.html.en @@ -0,0 +1,284 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!-- + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + This file is generated from xml source: DO NOT EDIT + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + --> +<title>SSL/TLS Strong Encryption: How-To - Apache HTTP Server</title> +<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> +<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> +<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /> +<link href="../images/favicon.ico" rel="shortcut icon" /></head> +<body id="manual-page"><div id="page-header"> +<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p> +<p class="apache">Apache HTTP Server Version 2.0</p> +<img alt="" src="../images/feather.gif" /></div> +<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> +<div id="path"> +<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.0</a> > <a href="./">SSL/TLS</a></div><div id="page-content"><div id="preamble"><h1>SSL/TLS Strong Encryption: How-To</h1> +<div class="toplang"> +<p><span>Available Languages: </span><a href="../en/ssl/ssl_howto.html" title="English"> en </a></p> +</div> + +<blockquote> +<p>The solution of this problem is trivial +and is left as an exercise for the reader.</p> + +<p class="cite">-- <cite>Standard textbook cookie</cite></p> +</blockquote> + +<p>How to solve particular security constraints for an SSL-aware +webserver is not always obvious because of the coherences between SSL, +HTTP and Apache's way of processing requests. This chapter gives +instructions on how to solve such typical situations. Treat it as a first +step to find out the final solution, but always try to understand the +stuff before you use it. Nothing is worse than using a security solution +without knowing its restrictions and coherences.</p> +</div> +<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#ciphersuites">Cipher Suites and Enforced Strong Security</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#accesscontrol">Client Authentication and Access Control</a></li> +</ul></div> +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="ciphersuites" id="ciphersuites">Cipher Suites and Enforced Strong Security</a></h2> + +<ul> +<li><a href="#realssl">SSLv2 only server</a></li> +<li><a href="#onlystrong">strong encryption only server</a></li> +<li><a href="#upgradeenc">server gated cryptography</a></li> +<li><a href="#strongurl">stronger per-directory requirements</a></li> +</ul> + +<h3><a name="realssl" id="realssl">How can I create a real SSLv2-only server?</a></h3> + + <p>The following creates an SSL server which speaks only the SSLv2 protocol and + its ciphers.</p> + + <div class="example"><h3>httpd.conf</h3><p><code> + SSLProtocol -all +SSLv2<br /> + SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP<br /> + </code></p></div> + + +<h3><a name="onlystrong" id="onlystrong">How can I create an SSL server which accepts strong encryption +only?</a></h3> + + <p>The following enables only the seven strongest ciphers:</p> + <div class="example"><h3>httpd.conf</h3><p><code> + SSLProtocol all<br /> + SSLCipherSuite HIGH:MEDIUM<br /> + </code></p></div> + + +<h3><a name="upgradeenc" id="upgradeenc">How can I create an SSL server which accepts strong encryption +only, but allows export browsers to upgrade to stronger encryption?</a></h3> + + <p>This facility is called Server Gated Cryptography (SGC) and details + you can find in the <code>README.GlobalID</code> document in the + mod_ssl distribution. In short: The server has a Global ID server + certificate, signed by a special CA certificate from Verisign which + enables strong encryption in export browsers. This works as following: + The browser connects with an export cipher, the server sends its Global + ID certificate, the browser verifies it and subsequently upgrades the + cipher suite before any HTTP communication takes place. The question + now is: How can we allow this upgrade, but enforce strong encryption. + Or in other words: Browser either have to initially connect with + strong encryption or have to upgrade to strong encryption, but are + not allowed to keep the export ciphers. The following does the trick:</p> + <div class="example"><h3>httpd.conf</h3><p><code> + # allow all ciphers for the initial handshake,<br /> + # so export browsers can upgrade via SGC facility<br /> + SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br /> + <br /> + <Directory /usr/local/apache2/htdocs><br /> + # but finally deny all browsers which haven't upgraded<br /> + SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128<br /> + </Directory> + </code></p></div> + + +<h3><a name="strongurl" id="strongurl">How can I create an SSL server which accepts all types of ciphers +in general, but requires a strong ciphers for access to a particular +URL?</a></h3> + + <p>Obviously you cannot just use a server-wide <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code> which restricts the + ciphers to the strong variants. But mod_ssl allows you to reconfigure + the cipher suite in per-directory context and automatically forces + a renegotiation of the SSL parameters to meet the new configuration. + So, the solution is:</p> + <div class="example"><p><code> + # be liberal in general<br /> + SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br /> + <br /> + <Location /strong/area><br /> + # but https://hostname/strong/area/ and below<br /> + # requires strong ciphers<br /> + SSLCipherSuite HIGH:MEDIUM<br /> + </Location> + </code></p></div> + +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="accesscontrol" id="accesscontrol">Client Authentication and Access Control</a></h2> + +<ul> +<li><a href="#allclients">simple certificate-based client authentication</a></li> +<li><a href="#arbitraryclients">selective certificate-based client authentication</a></li> +<li><a href="#certauthenticate">particular certificate-based client authentication</a></li> +<li><a href="#intranet">intranet vs. internet authentication</a></li> +</ul> + +<h3><a name="allclients" id="allclients">How can I authenticate clients based on certificates when I know +all my clients?</a></h3> + + <p>When you know your user community (i.e. a closed user group + situation), as it's the case for instance in an Intranet, you can + use plain certificate authentication. All you have to do is to + create client certificates signed by your own CA certificate + <code>ca.crt</code> and then verify the clients against this + certificate.</p> + <div class="example"><h3>httpd.conf</h3><p><code> + # require a client certificate which has to be directly<br /> + # signed by our CA certificate in ca.crt<br /> + SSLVerifyClient require<br /> + SSLVerifyDepth 1<br /> + SSLCACertificateFile conf/ssl.crt/ca.crt + </code></p></div> + + +<h3><a name="arbitraryclients" id="arbitraryclients">How can I authenticate my clients for a particular URL based on +certificates but still allow arbitrary clients to access the remaining +parts of the server?</a></h3> + + <p>For this we again use the per-directory reconfiguration feature + of <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>:</p> + + <div class="example"><h3>httpd.conf</h3><p><code> + SSLVerifyClient none<br /> + SSLCACertificateFile conf/ssl.crt/ca.crt<br /> + <br /> + <Location /secure/area><br /> + SSLVerifyClient require<br /> + SSLVerifyDepth 1<br /> + </Location><br /> + </code></p></div> + + +<h3><a name="certauthenticate" id="certauthenticate">How can I authenticate only particular clients for a some URLs based +on certificates but still allow arbitrary clients to access the remaining +parts of the server?</a></h3> + + <p>The key is to check for various ingredients of the client certificate. + Usually this means to check the whole or part of the Distinguished + Name (DN) of the Subject. For this two methods exists: The <code class="module"><a href="../mod/mod_auth.html">mod_auth</a></code> based variant and the <code class="directive"><a href="../mod/mod_ssl.html#sslrequire">SSLRequire</a></code> variant. The first method is + good when the clients are of totally different type, i.e. when their + DNs have no common fields (usually the organisation, etc.). In this + case you've to establish a password database containing <em>all</em> + clients. The second method is better when your clients are all part of + a common hierarchy which is encoded into the DN. Then you can match + them more easily.</p> + + <p>The first method:</p> + <div class="example"><h3>httpd.conf</h3><pre> +SSLVerifyClient none +<Directory /usr/local/apache2/htdocs/secure/area> + +SSLVerifyClient require +SSLVerifyDepth 5 +SSLCACertificateFile conf/ssl.crt/ca.crt +SSLCACertificatePath conf/ssl.crt +SSLOptions +FakeBasicAuth +SSLRequireSSL +AuthName "Snake Oil Authentication" +AuthType Basic +AuthUserFile /usr/local/apache2/conf/httpd.passwd +require valid-user +</Directory></pre></div> + + <p>The password used in this example is the DES encrypted string "password". + See the <code class="directive"><a href="../mod/mod_ssl.html#ssloptions">SSLOptions</a></code> docs for more + information.</p> + + <div class="example"><h3>httpd.passwd</h3><pre> +/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA +/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA +/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA</pre></div> + + <p>The second method:</p> + + <div class="example"><h3>httpd.conf</h3><pre> +SSLVerifyClient none +<Directory /usr/local/apache2/htdocs/secure/area> + + SSLVerifyClient require + SSLVerifyDepth 5 + SSLCACertificateFile conf/ssl.crt/ca.crt + SSLCACertificatePath conf/ssl.crt + SSLOptions +FakeBasicAuth + SSLRequireSSL + SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ + and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} +</Directory></pre></div> + + +<h3><a name="intranet" id="intranet">How can I require HTTPS with strong ciphers and either basic +authentication or client certificates for access to a subarea on the +Intranet website for clients coming from the Internet but still allow +plain HTTP access for clients on the Intranet?</a></h3> + + <p>Let us assume the Intranet can be distinguished through the IP + network 192.168.1.0/24 and the subarea on the Intranet website has + the URL <code>/subarea</code>. Then configure the following outside + your HTTPS virtual host (so it applies to both HTTPS and HTTP):</p> + + <div class="example"><h3>httpd.conf</h3><pre> +SSLCACertificateFile conf/ssl.crt/company-ca.crt + +<Directory /usr/local/apache2/htdocs> +# Outside the subarea only Intranet access is granted +Order deny,allow +Deny from all +Allow from 192.168.1.0/24 +</Directory> + +<Directory /usr/local/apache2/htdocs/subarea> +# Inside the subarea any Intranet access is allowed +# but from the Internet only HTTPS + Strong-Cipher + Password +# or the alternative HTTPS + Strong-Cipher + Client-Certificate + +# If HTTPS is used, make sure a strong cipher is used. +# Additionally allow client certs as alternative to basic auth. +SSLVerifyClient optional +SSLVerifyDepth 1 +SSLOptions +FakeBasicAuth +StrictRequire +SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 + +# Force clients from the Internet to use HTTPS +RewriteEngine on +RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$ +RewriteCond %{HTTPS} !=on +RewriteRule .* - [F] + +# Allow Network Access and/or Basic Auth +Satisfy any + +# Network Access Control +Order deny,allow +Deny from all +Allow 192.168.1.0/24 + +# HTTP Basic Authentication +AuthType basic +AuthName "Protected Intranet Area" +AuthUserFile conf/protected.passwd +Require valid-user +</Directory></pre></div> + +</div></div> +<div class="bottomlang"> +<p><span>Available Languages: </span><a href="../en/ssl/ssl_howto.html" title="English"> en </a></p> +</div><div id="footer"> +<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> +<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div> +</body></html>
\ No newline at end of file diff --git a/rubbos/app/apache2/manual/ssl/ssl_intro.html b/rubbos/app/apache2/manual/ssl/ssl_intro.html new file mode 100644 index 00000000..0163b215 --- /dev/null +++ b/rubbos/app/apache2/manual/ssl/ssl_intro.html @@ -0,0 +1,9 @@ +# GENERATED FROM XML -- DO NOT EDIT + +URI: ssl_intro.html.en +Content-Language: en +Content-type: text/html; charset=ISO-8859-1 + +URI: ssl_intro.html.ja.utf8 +Content-Language: ja +Content-type: text/html; charset=UTF-8 diff --git a/rubbos/app/apache2/manual/ssl/ssl_intro.html.en b/rubbos/app/apache2/manual/ssl/ssl_intro.html.en new file mode 100644 index 00000000..c3079d4e --- /dev/null +++ b/rubbos/app/apache2/manual/ssl/ssl_intro.html.en @@ -0,0 +1,641 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!-- + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + This file is generated from xml source: DO NOT EDIT + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + --> +<title>SSL/TLS Strong Encryption: An Introduction - Apache HTTP Server</title> +<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> +<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> +<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /> +<link href="../images/favicon.ico" rel="shortcut icon" /></head> +<body id="manual-page"><div id="page-header"> +<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p> +<p class="apache">Apache HTTP Server Version 2.0</p> +<img alt="" src="../images/feather.gif" /></div> +<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> +<div id="path"> +<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.0</a> > <a href="./">SSL/TLS</a></div><div id="page-content"><div id="preamble"><h1>SSL/TLS Strong Encryption: An Introduction</h1> +<div class="toplang"> +<p><span>Available Languages: </span><a href="../en/ssl/ssl_intro.html" title="English"> en </a> | +<a href="../ja/ssl/ssl_intro.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a></p> +</div> + +<blockquote> +<p>The nice thing about standards is that there are so many to choose +from. And if you really don't like all the standards you just have to +wait another year until the one arises you are looking for.</p> + +<p class="cite">-- <cite>A. Tanenbaum</cite>, "Introduction to +Computer Networks"</p> +</blockquote> + +<p>As an introduction this chapter is aimed at readers who are familiar +with the Web, HTTP, and Apache, but are not security experts. It is not +intended to be a definitive guide to the SSL protocol, nor does it discuss +specific techniques for managing certificates in an organization, or the +important legal issues of patents and import and export restrictions. +Rather, it is intended to provide a common background to mod_ssl users by +pulling together various concepts, definitions, and examples as a starting +point for further exploration.</p> + +<p>The presented content is mainly derived, with permission by the author, +from the article <a href="http://home.earthlink.net/~fjhirsch/Papers/wwwj/article.html">Introducing +SSL and Certificates using SSLeay</a> from <a href="http://home.earthlink.net/~fjhirsch/">Frederick J. Hirsch</a>, of The +Open Group Research Institute, which was published in <a href="http://www.ora.com/catalog/wjsum97/">Web Security: A Matter of +Trust</a>, World Wide Web Journal, Volume 2, Issue 3, Summer 1997. +Please send any positive feedback to <a href="mailto:hirsch@fjhirsch.com">Frederick Hirsch</a> (the original +article author) and all negative feedback to <a href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> (the +<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> author).</p> +</div> +<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#cryptographictech">Cryptographic Techniques</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#certificates">Certificates</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#ssl">Secure Sockets Layer (SSL)</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#references">References</a></li> +</ul></div> +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="cryptographictech" id="cryptographictech">Cryptographic Techniques</a></h2> + +<p>Understanding SSL requires an understanding of cryptographic +algorithms, message digest functions (aka. one-way or hash functions), and +digital signatures. These techniques are the subject of entire books (see +for instance [<a href="#AC96">AC96</a>]) and provide the basis for privacy, +integrity, and authentication.</p> + +<h3><a name="cryptographicalgo" id="cryptographicalgo">Cryptographic Algorithms</a></h3> + + <p>Suppose Alice wants to send a message to her bank to transfer some + money. Alice would like the message to be private, since it will + include information such as her account number and transfer amount. One + solution is to use a cryptographic algorithm, a technique that would + transform her message into an encrypted form, unreadable except by + those it is intended for. Once in this form, the message may only be + interpreted through the use of a secret key. Without the key the + message is useless: good cryptographic algorithms make it so difficult + for intruders to decode the original text that it isn't worth their + effort.</p> + + <p>There are two categories of cryptographic algorithms: conventional + and public key.</p> + + <dl> + <dt>Conventional cryptography</dt> + <dd>also known as symmetric cryptography, requires the sender and + receiver to share a key: a secret piece of information that may be + used to encrypt or decrypt a message. If this key is secret, then + nobody other than the sender or receiver may read the message. If + Alice and the bank know a secret key, then they may send each other + private messages. The task of privately choosing a key before + communicating, however, can be problematic.</dd> + + <dt>Public key cryptography</dt> + <dd>also known as asymmetric cryptography, solves the key exchange + problem by defining an algorithm which uses two keys, each of which + may be used to encrypt a message. If one key is used to encrypt a + message then the other must be used to decrypt it. This makes it + possible to receive secure messages by simply publishing one key + (the public key) and keeping the other secret (the private key).</dd> + </dl> + + <p>Anyone may encrypt a message using the public key, but only the + owner of the private key will be able to read it. In this way, Alice + may send private messages to the owner of a key-pair (the bank), by + encrypting it using their public key. Only the bank will be able to + decrypt it.</p> + + +<h3><a name="messagedigests" id="messagedigests">Message Digests</a></h3> + + <p>Although Alice may encrypt her message to make it private, there + is still a concern that someone might modify her original message or + substitute it with a different one, in order to transfer the money + to themselves, for instance. One way of guaranteeing the integrity + of Alice's message is to create a concise summary of her message and + send this to the bank as well. Upon receipt of the message, the bank + creates its own summary and compares it with the one Alice sent. If + they agree then the message was received intact.</p> + + <p>A summary such as this is called a <dfn>message digest</dfn>, <em>one-way +function</em> or <em>hash function</em>. Message digests are used to create +short, fixed-length representations of longer, variable-length messages. +Digest algorithms are designed to produce unique digests for different +messages. Message digests are designed to make it too difficult to determine +the message from the digest, and also impossible to find two different +messages which create the same digest -- thus eliminating the possibility of +substituting one message for another while maintaining the same digest.</p> +<p>Another challenge that Alice faces is finding a way to send the digest to the +bank securely; when this is achieved, the integrity of the associated message +is assured. One way to do this is to include the digest in a digital +signature.</p> + + +<h3><a name="digitalsignatures" id="digitalsignatures">Digital Signatures</a></h3> +<p>When Alice sends a message to the bank, the bank needs to ensure that the +message is really from her, so an intruder does not request a transaction +involving her account. A <em>digital signature</em>, created by Alice and +included with the message, serves this purpose.</p> + +<p>Digital signatures are created by encrypting a digest of the message, +and other information (such as a sequence number) with the sender's +private key. Though anyone may <em>decrypt</em> the signature using the public +key, only the signer knows the private key. This means that only they may +have signed it. Including the digest in the signature means the signature is +only good for that message; it also ensures the integrity of the message since +no one can change the digest and still sign it.</p> +<p>To guard against interception and reuse of the signature by an intruder at a +later date, the signature contains a unique sequence number. This protects +the bank from a fraudulent claim from Alice that she did not send the message +-- only she could have signed it (non-repudiation).</p> + +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="certificates" id="certificates">Certificates</a></h2> + +<p>Although Alice could have sent a private message to the bank, signed +it, and ensured the integrity of the message, she still needs to be sure +that she is really communicating with the bank. This means that she needs +to be sure that the public key she is using corresponds to the bank's +private key. Similarly, the bank also needs to verify that the message +signature really corresponds to Alice's signature.</p> + +<p>If each party has a certificate which validates the other's identity, +confirms the public key, and is signed by a trusted agency, then they both +will be assured that they are communicating with whom they think they are. +Such a trusted agency is called a <em>Certificate Authority</em>, and +certificates are used for authentication.</p> + +<h3><a name="certificatecontents" id="certificatecontents">Certificate Contents</a></h3> + + <p>A certificate associates a public key with the real identity of + an individual, server, or other entity, known as the subject. As + shown in <a href="#table1">Table 1</a>, information about the subject + includes identifying information (the distinguished name), and the + public key. It also includes the identification and signature of the + Certificate Authority that issued the certificate, and the period of + time during which the certificate is valid. It may have additional + information (or extensions) as well as administrative information + for the Certificate Authority's use, such as a serial number.</p> + + <h4><a name="table1" id="table1">Table 1: Certificate Information</a></h4> + + <table> + + <tr><th>Subject</th> + <td>Distinguished Name, Public Key</td></tr> + <tr><th>Issuer</th> + <td>Distinguished Name, Signature</td></tr> + <tr><th>Period of Validity</th> + <td>Not Before Date, Not After Date</td></tr> + <tr><th>Administrative Information</th> + <td>Version, Serial Number</td></tr> + <tr><th>Extended Information</th> + <td>Basic Constraints, Netscape Flags, etc.</td></tr> + </table> + + + <p>A distinguished name is used to provide an identity in a specific + context -- for instance, an individual might have a personal + certificate as well as one for their identity as an employee. + Distinguished names are defined by the X.509 standard [<a href="#X509">X509</a>], which defines the fields, field names, and + abbreviations used to refer to the fields (see <a href="#table2">Table + 2</a>).</p> + + <h4><a name="table2" id="table2">Table 2: Distinguished Name Information</a></h4> + + <table class="bordered"> + + <tr><th>DN Field</th> + <th>Abbrev.</th> + <th>Description</th> + <th>Example</th></tr> + <tr><td>Common Name</td> + <td>CN</td> + <td>Name being certified</td> + <td>CN=Joe Average</td></tr> + <tr><td>Organization or Company</td> + <td>O</td> + <td>Name is associated with this<br />organization</td> + <td>O=Snake Oil, Ltd.</td></tr> + <tr><td>Organizational Unit</td> + <td>OU</td> + <td>Name is associated with this <br />organization unit, such + as a department</td> + <td>OU=Research Institute</td></tr> + <tr><td>City/Locality</td> + <td>L</td> + <td>Name is located in this City</td> + <td>L=Snake City</td></tr> + <tr><td>State/Province</td> + <td>ST</td> + <td>Name is located in this State/Province</td> + <td>ST=Desert</td></tr> + <tr><td>Country</td> + <td>C</td> + <td>Name is located in this Country (ISO code)</td> + <td>C=XZ</td></tr> + </table> + + + <p>A Certificate Authority may define a policy specifying which + distinguished field names are optional, and which are required. It + may also place requirements upon the field contents, as may users of + certificates. As an example, a Netscape browser requires that the + Common Name for a certificate representing a server has a name which + matches a wildcard pattern for the domain name of that server, such + as <code>*.snakeoil.com</code>.</p> + + <p>The binary format of a certificate is defined using the ASN.1 + notation [<a href="#X208">X208</a>] [<a href="#PKCS">PKCS</a>]. This + notation defines how to specify the contents, and encoding rules + define how this information is translated into binary form. The binary + encoding of the certificate is defined using Distinguished Encoding + Rules (DER), which are based on the more general Basic Encoding Rules + (BER). For those transmissions which cannot handle binary, the binary + form may be translated into an ASCII form by using Base64 encoding + [<a href="#MIME">MIME</a>]. This encoded version is called PEM encoded + (the name comes from "Privacy Enhanced Mail"), when placed between + begin and end delimiter lines as illustrated in the following + example.</p> + + <div class="example"><h3>Example of a PEM-encoded certificate (snakeoil.crt)</h3><pre>-----BEGIN CERTIFICATE----- +MIIC7jCCAlegAwIBAgIBATANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCWFkx +FTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25ha2UgVG93bjEXMBUG +A1UEChMOU25ha2UgT2lsLCBMdGQxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhv +cml0eTEVMBMGA1UEAxMMU25ha2UgT2lsIENBMR4wHAYJKoZIhvcNAQkBFg9jYUBz +bmFrZW9pbC5kb20wHhcNOTgxMDIxMDg1ODM2WhcNOTkxMDIxMDg1ODM2WjCBpzEL +MAkGA1UEBhMCWFkxFTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25h +a2UgVG93bjEXMBUGA1UEChMOU25ha2UgT2lsLCBMdGQxFzAVBgNVBAsTDldlYnNl +cnZlciBUZWFtMRkwFwYDVQQDExB3d3cuc25ha2VvaWwuZG9tMR8wHQYJKoZIhvcN +AQkBFhB3d3dAc25ha2VvaWwuZG9tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB +gQDH9Ge/s2zcH+da+rPTx/DPRp3xGjHZ4GG6pCmvADIEtBtKBFAcZ64n+Dy7Np8b +vKR+yy5DGQiijsH1D/j8HlGE+q4TZ8OFk7BNBFazHxFbYI4OKMiCxdKzdif1yfaa +lWoANFlAzlSdbxeGVHoT0K+gT5w3UxwZKv2DLbCTzLZyPwIDAQABoyYwJDAPBgNV +HRMECDAGAQH/AgEAMBEGCWCGSAGG+EIBAQQEAwIAQDANBgkqhkiG9w0BAQQFAAOB +gQAZUIHAL4D09oE6Lv2k56Gp38OBDuILvwLg1v1KL8mQR+KFjghCrtpqaztZqcDt +2q2QoyulCgSzHbEGmi0EsdkPfg6mp0penssIFePYNI+/8u9HT4LuKMJX15hxBam7 +dUHzICxBVC1lnHyYGjDuAMhe396lYAn8bCld1/L4NMGBCQ== +-----END CERTIFICATE-----</pre></div> + + +<h3><a name="certificateauthorities" id="certificateauthorities">Certificate Authorities</a></h3> + + <p>By first verifying the information in a certificate request + before granting the certificate, the Certificate Authority assures + the identity of the private key owner of a key-pair. For instance, + if Alice requests a personal certificate, the Certificate Authority + must first make sure that Alice really is the person the certificate + request claims.</p> + + <h4><a name="certificatechains" id="certificatechains">Certificate Chains</a></h4> + + <p>A Certificate Authority may also issue a certificate for + another Certificate Authority. When examining a certificate, + Alice may need to examine the certificate of the issuer, for each + parent Certificate Authority, until reaching one which she has + confidence in. She may decide to trust only certificates with a + limited chain of issuers, to reduce her risk of a "bad" certificate + in the chain.</p> + + + <h4><a name="rootlevelca" id="rootlevelca">Creating a Root-Level CA</a></h4> + + <p>As noted earlier, each certificate requires an issuer to assert + the validity of the identity of the certificate subject, up to + the top-level Certificate Authority (CA). This presents a problem: + Since this is who vouches for the certificate of the top-level + authority, which has no issuer? In this unique case, the + certificate is "self-signed", so the issuer of the certificate is + the same as the subject. As a result, one must exercise extra care + in trusting a self-signed certificate. The wide publication of a + public key by the root authority reduces the risk in trusting this + key -- it would be obvious if someone else publicized a key + claiming to be the authority. Browsers are preconfigured to trust + well-known certificate authorities.</p> + + <p>A number of companies, such as <a href="http://www.thawte.com/">Thawte</a> and <a href="http://www.verisign.com/">VeriSign</a> + have established themselves as Certificate Authorities. These + companies provide the following services:</p> + + <ul> + <li>Verifying certificate requests</li> + <li>Processing certificate requests</li> + <li>Issuing and managing certificates</li> + </ul> + + <p>It is also possible to create your own Certificate Authority. + Although risky in the Internet environment, it may be useful + within an Intranet where the organization can easily verify the + identities of individuals and servers.</p> + + + <h4><a name="certificatemanagement" id="certificatemanagement">Certificate Management</a></h4> + + <p>Establishing a Certificate Authority is a responsibility which + requires a solid administrative, technical, and management + framework. Certificate Authorities not only issue certificates, + they also manage them -- that is, they determine how long + certificates are valid, they renew them, and they keep lists of + certificates that have already been issued but are no longer valid + (Certificate Revocation Lists, or CRLs). Say Alice is entitled to + a certificate as an employee of a company. Say too, that the + certificate needs to be revoked when Alice leaves the company. Since + certificates are objects that get passed around, it is impossible + to tell from the certificate alone that it has been revoked. When + examining certificates for validity, therefore, it is necessary to + contact the issuing Certificate Authority to check CRLs -- this + is not usually an automated part of the process.</p> + + <div class="note"><h3>Note</h3> + <p>If you use a Certificate Authority that is not configured into + browsers by default, it is necessary to load the Certificate + Authority certificate into the browser, enabling the browser to + validate server certificates signed by that Certificate Authority. + Doing so may be dangerous, since once loaded, the browser will + accept all certificates signed by that Certificate Authority.</p> + </div> + + + +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="ssl" id="ssl">Secure Sockets Layer (SSL)</a></h2> + +<p>The Secure Sockets Layer protocol is a protocol layer which may be +placed between a reliable connection-oriented network layer protocol +(e.g. TCP/IP) and the application protocol layer (e.g. HTTP). SSL provides +for secure communication between client and server by allowing mutual +authentication, the use of digital signatures for integrity, and encryption +for privacy.</p> + +<p>The protocol is designed to support a range of choices for specific +algorithms used for cryptography, digests, and signatures. This allows +algorithm selection for specific servers to be made based on legal, export +or other concerns, and also enables the protocol to take advantage of new +algorithms. Choices are negotiated between client and server at the start +of establishing a protocol session.</p> + +<h3><a name="table4" id="table4">Table 4: Versions of the SSL protocol</a></h3> + + <table class="bordered"> + + <tr><th>Version</th> + <th>Source</th> + <th>Description</th> + <th>Browser Support</th></tr> + <tr><td>SSL v2.0</td> + <td>Vendor Standard (from Netscape Corp.) [<a href="#SSL2">SSL2</a>]</td> + <td>First SSL protocol for which implementations exists</td> + <td>- NS Navigator 1.x/2.x<br /> + - MS IE 3.x<br /> + - Lynx/2.8+OpenSSL</td></tr> + <tr><td>SSL v3.0</td> + <td>Expired Internet Draft (from Netscape Corp.) [<a href="#SSL3">SSL3</a>]</td> + <td>Revisions to prevent specific security attacks, add non-RSA + ciphers, and support for certificate chains</td> + <td>- NS Navigator 2.x/3.x/4.x<br /> + - MS IE 3.x/4.x<br /> + - Lynx/2.8+OpenSSL</td></tr> + <tr><td>TLS v1.0</td> + <td>Proposed Internet Standard (from IETF) [<a href="#TLS1">TLS1</a>]</td> + <td>Revision of SSL 3.0 to update the MAC layer to HMAC, add block + padding for block ciphers, message order standardization and more + alert messages.</td> + <td>- Lynx/2.8+OpenSSL</td></tr> + </table> + + +<p>There are a number of versions of the SSL protocol, as shown in +<a href="#table4">Table 4</a>. As noted there, one of the benefits in +SSL 3.0 is that it adds support of certificate chain loading. This feature +allows a server to pass a server certificate along with issuer certificates +to the browser. Chain loading also permits the browser to validate the +server certificate, even if Certificate Authority certificates are not +installed for the intermediate issuers, since they are included in the +certificate chain. SSL 3.0 is the basis for the Transport Layer Security +[<a href="#TLS1">TLS</a>] protocol standard, currently in development by +the Internet Engineering Task Force (IETF).</p> + +<h3><a name="session" id="session">Session Establishment</a></h3> + + <p>The SSL session is established by following a handshake sequence + between client and server, as shown in <a href="#figure1">Figure 1</a>. This sequence may vary, depending on whether the server + is configured to provide a server certificate or request a client + certificate. Though cases exist where additional handshake steps + are required for management of cipher information, this article + summarizes one common scenario: see the SSL specification for the full + range of possibilities.</p> + + <div class="note"><h3>Note</h3> + <p>Once an SSL session has been established it may be reused, thus + avoiding the performance penalty of repeating the many steps needed + to start a session. For this the server assigns each SSL session a + unique session identifier which is cached in the server and which the + client can use on forthcoming connections to reduce the handshake + (until the session identifer expires in the cache of the server).</p> + </div> + + <p class="figure"> + <img src="../images/ssl_intro_fig1.gif" alt="" width="423" height="327" /><br /> + <a id="figure1" name="figure1"><dfn>Figure 1</dfn></a>: Simplified SSL + Handshake Sequence</p> + + <p>The elements of the handshake sequence, as used by the client and + server, are listed below:</p> + + <ol> + <li>Negotiate the Cipher Suite to be used during data transfer</li> + <li>Establish and share a session key between client and server</li> + <li>Optionally authenticate the server to the client</li> + <li>Optionally authenticate the client to the server</li> + </ol> + + <p>The first step, Cipher Suite Negotiation, allows the client and + server to choose a Cipher Suite supportable by both of them. The SSL3.0 + protocol specification defines 31 Cipher Suites. A Cipher Suite is + defined by the following components:</p> + + <ul> + <li>Key Exchange Method</li> + <li>Cipher for Data Transfer</li> + <li>Message Digest for creating the Message Authentication Code (MAC)</li> + </ul> + + <p>These three elements are described in the sections that follow.</p> + + +<h3><a name="keyexchange" id="keyexchange">Key Exchange Method</a></h3> + + <p>The key exchange method defines how the shared secret symmetric + cryptography key used for application data transfer will be agreed + upon by client and server. SSL 2.0 uses RSA key exchange only, while + SSL 3.0 supports a choice of key exchange algorithms including the + RSA key exchange when certificates are used, and Diffie-Hellman key + exchange for exchanging keys without certificates and without prior + communication between client and server.</p> + + <p>One variable in the choice of key exchange methods is digital + signatures -- whether or not to use them, and if so, what kind of + signatures to use. Signing with a private key provides assurance + against a man-in-the-middle-attack during the information exchange + used in generating the shared key [<a href="#AC96">AC96</a>, p516].</p> + + +<h3><a name="ciphertransfer" id="ciphertransfer">Cipher for Data Transfer</a></h3> + + <p>SSL uses the conventional cryptography algorithm (symmetric + cryptography) described earlier for encrypting messages in a session. + There are nine choices, including the choice to perform no + encryption:</p> + + <ul> + <li>No encryption</li> + <li>Stream Ciphers + <ul> + <li>RC4 with 40-bit keys</li> + <li>RC4 with 128-bit keys</li> + </ul></li> + <li>CBC Block Ciphers + <ul><li>RC2 with 40 bit key</li> + <li>DES with 40 bit key</li> + <li>DES with 56 bit key</li> + <li>Triple-DES with 168 bit key</li> + <li>Idea (128 bit key)</li> + <li>Fortezza (96 bit key)</li> + </ul></li> + </ul> + + <p>Here "CBC" refers to Cipher Block Chaining, which means that a + portion of the previously encrypted cipher text is used in the + encryption of the current block. "DES" refers to the Data Encryption + Standard [<a href="#AC96">AC96</a>, ch12], which has a number of + variants (including DES40 and 3DES_EDE). "Idea" is one of the best + and cryptographically strongest available algorithms, and "RC2" is + a proprietary algorithm from RSA DSI [<a href="#AC96">AC96</a>, + ch13].</p> + + +<h3><a name="digestfuntion" id="digestfuntion">Digest Function</a></h3> + + <p>The choice of digest function determines how a digest is created + from a record unit. SSL supports the following:</p> + + <ul> + <li>No digest (Null choice)</li> + <li>MD5, a 128-bit hash</li> + <li>Secure Hash Algorithm (SHA-1), a 160-bit hash</li> + </ul> + + <p>The message digest is used to create a Message Authentication Code + (MAC) which is encrypted with the message to provide integrity and to + prevent against replay attacks.</p> + + +<h3><a name="handshake" id="handshake">Handshake Sequence Protocol</a></h3> + + <p>The handshake sequence uses three protocols:</p> + + <ul> + <li>The <dfn>SSL Handshake Protocol</dfn> + for performing the client and server SSL session establishment.</li> + <li>The <dfn>SSL Change Cipher Spec Protocol</dfn> for actually + establishing agreement on the Cipher Suite for the session.</li> + <li>The <dfn>SSL Alert Protocol</dfn> for conveying SSL error + messages between client and server.</li> + </ul> + + <p>These protocols, as well as application protocol data, are + encapsulated in the <dfn>SSL Record Protocol</dfn>, as shown in + <a href="#figure2">Figure 2</a>. An encapsulated protocol is + transferred as data by the lower layer protocol, which does not + examine the data. The encapsulated protocol has no knowledge of the + underlying protocol.</p> + + <p class="figure"> + <img src="../images/ssl_intro_fig2.gif" alt="" width="428" height="217" /><br /> + <a id="figure2" name="figure2"><dfn>Figure 2</dfn></a>: SSL Protocol Stack + </p> + + <p>The encapsulation of SSL control protocols by the record protocol + means that if an active session is renegotiated the control protocols + will be transmitted securely. If there were no session before, then + the Null cipher suite is used, which means there is no encryption and + messages have no integrity digests until the session has been + established.</p> + + +<h3><a name="datatransfer" id="datatransfer">Data Transfer</a></h3> + + <p>The SSL Record Protocol, shown in <a href="#figure3">Figure 3</a>, + is used to transfer application and SSL Control data between the + client and server, possibly fragmenting this data into smaller units, + or combining multiple higher level protocol data messages into single + units. It may compress, attach digest signatures, and encrypt these + units before transmitting them using the underlying reliable transport + protocol (Note: currently all major SSL implementations lack support + for compression).</p> + + <p class="figure"> + <img src="../images/ssl_intro_fig3.gif" alt="" width="423" height="323" /><br /> + <a id="figure3" name="figure3"><dfn>Figure 3</dfn></a>: SSL Record Protocol + </p> + + +<h3><a name="securehttp" id="securehttp">Securing HTTP Communication</a></h3> + + <p>One common use of SSL is to secure Web HTTP communication between + a browser and a webserver. This case does not preclude the use of + non-secured HTTP. The secure version is mainly plain HTTP over SSL + (named HTTPS), but with one major difference: it uses the URL scheme + <code>https</code> rather than <code>http</code> and a different + server port (by default 443). This mainly is what <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> provides to you for the Apache webserver...</p> + +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="references" id="references">References</a></h2> + +<dl> +<dt><a id="AC96" name="AC96">[AC96]</a></dt> +<dd>Bruce Schneier, <q>Applied Cryptography</q>, 2nd Edition, Wiley, +1996. See <a href="http://www.counterpane.com/">http://www.counterpane.com/</a> for various other materials by Bruce +Schneier.</dd> + +<dt><a id="X208" name="X208">[X208]</a></dt> +<dd>ITU-T Recommendation X.208, <q>Specification of Abstract Syntax Notation +One (ASN.1)</q>, 1988. See for instance <a href="http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-X.208-198811-I">http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-X.208-198811-I</a>. +</dd> + +<dt><a id="X509" name="X509">[X509]</a></dt> +<dd>ITU-T Recommendation X.509, <q>The Directory - Authentication +Framework</q>. See for instance <a href="http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-X.509">http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-X.509</a>. +</dd> + +<dt><a id="PKCS" name="PKCS">[PKCS]</a></dt> +<dd><q>Public Key Cryptography Standards (PKCS)</q>, +RSA Laboratories Technical Notes, See <a href="http://www.rsasecurity.com/rsalabs/pkcs/">http://www.rsasecurity.com/rsalabs/pkcs/</a>.</dd> + +<dt><a id="MIME" name="MIME">[MIME]</a></dt> +<dd>N. Freed, N. Borenstein, <q>Multipurpose Internet Mail Extensions +(MIME) Part One: Format of Internet Message Bodies</q>, RFC2045. +See for instance <a href="http://ietf.org/rfc/rfc2045.txt">http://ietf.org/rfc/rfc2045.txt</a>.</dd> + +<dt><a id="SSL2" name="SSL2">[SSL2]</a></dt> +<dd>Kipp E.B. Hickman, <q>The SSL Protocol</q>, 1995. See <a href="http://www.netscape.com/eng/security/SSL_2.html">http://www.netscape.com/eng/security/SSL_2.html</a>.</dd> + +<dt><a id="SSL3" name="SSL3">[SSL3]</a></dt> +<dd>Alan O. Freier, Philip Karlton, Paul C. Kocher, <q>The SSL Protocol +Version 3.0</q>, 1996. See <a href="http://www.netscape.com/eng/ssl3/draft302.txt">http://www.netscape.com/eng/ssl3/draft302.txt</a>.</dd> + +<dt><a id="TLS1" name="TLS1">[TLS1]</a></dt> +<dd>Tim Dierks, Christopher Allen, <q>The TLS Protocol Version 1.0</q>, +1999. See <a href="http://ietf.org/rfc/rfc2246.txt">http://ietf.org/rfc/rfc2246.txt</a>.</dd> +</dl> +</div></div> +<div class="bottomlang"> +<p><span>Available Languages: </span><a href="../en/ssl/ssl_intro.html" title="English"> en </a> | +<a href="../ja/ssl/ssl_intro.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a></p> +</div><div id="footer"> +<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> +<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div> +</body></html>
\ No newline at end of file diff --git a/rubbos/app/apache2/manual/ssl/ssl_intro.html.ja.utf8 b/rubbos/app/apache2/manual/ssl/ssl_intro.html.ja.utf8 new file mode 100644 index 00000000..eb497b47 --- /dev/null +++ b/rubbos/app/apache2/manual/ssl/ssl_intro.html.ja.utf8 @@ -0,0 +1,695 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" lang="ja" xml:lang="ja"><head><!-- + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + This file is generated from xml source: DO NOT EDIT + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + --> +<title>SSL/TLS æå·å: ã¯ããã« - Apache HTTP ãµãŒã</title> +<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> +<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> +<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /> +<link href="../images/favicon.ico" rel="shortcut icon" /></head> +<body id="manual-page"><div id="page-header"> +<p class="menu"><a href="../mod/">ã¢ãžã¥ãŒã«</a> | <a href="../mod/directives.html">ãã£ã¬ã¯ãã£ã</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">çšèª</a> | <a href="../sitemap.html">ãµã€ãããã</a></p> +<p class="apache">Apache HTTP ãµãŒã ããŒãžã§ã³ 2.0</p> +<img alt="" src="../images/feather.gif" /></div> +<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> +<div id="path"> +<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP ãµãŒã</a> > <a href="http://httpd.apache.org/docs/">ããã¥ã¡ã³ããŒã·ã§ã³</a> > <a href="../">ããŒãžã§ã³ 2.0</a> > <a href="./">SSL/TLS</a></div><div id="page-content"><div id="preamble"><h1>SSL/TLS æå·å: ã¯ããã«</h1> +<div class="toplang"> +<p><span>Available Languages: </span><a href="../en/ssl/ssl_intro.html" hreflang="en" rel="alternate" title="English"> en </a> | +<a href="../ja/ssl/ssl_intro.html" title="Japanese"> ja </a></p> +</div> + +<blockquote> +<p>æšæºèŠæ Œã®è¯ãæã¯ãããããã®èŠæ Œããéžã¹ããšããããšã ã +ãããŠãããæ¬åœã«ã©ã®èŠæ Œãæ°ã«å
¥ããªããã°ã +äžå¹ŽåŸ
ã€ã ãã§æ¢ããŠããèŠæ ŒãçŸããã</p> + +<p class="cite">-- <cite>A. Tanenbaum</cite>, "Introduction to +Computer Networks"</p> +</blockquote> + +<p> +å
¥éãšããããšã§ããã®ç« 㯠WebãHTTPãApache ã«éããŠãã +èªè
åãã§ãããã»ãã¥ãªãã£å°é家åãã§ã¯ãããŸããã +SSL ãããã³ã«ã®æ±ºå®çãªæåŒãã§ããã€ããã¯ãããŸããã +ãŸããçµç¹å
ã®èªèšŒç®¡çã®ããã®ç¹å®ã®ãã¯ããã¯ãã +ç¹èš±ã茞åºèŠå¶ãªã©ã®éèŠãªæ³çãªåé¡ã«ã€ããŠãæ±ããŸããã +ããããæŽãªãç 究ãžã®åºçºç¹ãšããŠè²ã
ãªæŠå¿µãå®çŸ©ãäŸã䞊ã¹ãããšã§ + mod_ssl ã®ãŠãŒã¶ã«åºç€ç¥èãæäŸããäºãç®çãšããŠããŸãã</p> + +<p>ããã«ç€ºãããå
容ã¯äž»ã«ãåèè
ã®èš±å¯ã®äž +The Open Group Research Institute ã® <a href="http://home.earthlink.net/~fjhirsch/">Frederick J. Hirsch</a> + æ°ã®èšäº <a href="http://home.earthlink.net/~fjhirsch/Papers/wwwj/article.html"> +Introducing SSL and Certificates using SSLeay</a> ãåºã«ããŠããŸãã +æ°ã®èšäºã¯ <a href="http://www.ora.com/catalog/wjsum97/">Web Security: A Matter of +Trust</a>, World Wide Web Journal, Volume 2, Issue 3, Summer 1997 +ã«æ²èŒãããŸããã +è¯å®çãªæèŠã¯ <a href="mailto:hirsch@fjhirsch.com">Frederick Hirsch</a> æ° + (å
èšäºã®èè
) ãžå
šãŠã®èŠæ
㯠<a href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> ( +<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> ã®äœè
) ãžãé¡ãããŸãã +[蚳泚: èš³ã«ã€ããŠã¯ <a href="mailto:apache-docs@ml.apache.or.jp"> +Apache ããã¥ã¡ã³ã翻蚳ãããžã§ã¯ã</a> +ãžãé¡ãããŸãã]</p> +</div> +<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#cryptographictech">æå·åæè¡</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#certificates">蚌ææž</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#ssl">Secure Sockets Layer (SSL)</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#references">åèæç®</a></li> +</ul></div> +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="cryptographictech" id="cryptographictech">æå·åæè¡</a></h2> + +<p>SSL ãç解ããã«ã¯ãæå·ã¢ã«ãŽãªãºã ã +ã¡ãã»ãŒãžãã€ãžã§ã¹ãé¢æ°(å¥å: äžæ¹åé¢æ°ãããã·ã¥é¢æ°)ã +é»å眲åãªã©ãžã®ç解ãå¿
èŠã§ãã +ãããã®æè¡ã¯æ¬ãäžžããšå¿
èŠãªé¡ç®ã§ +(äŸãã° [<a href="#AC96">AC96</a>] ãåç
§)ã +ãã©ã€ãã·ãŒãä¿¡çšãèªèšŒãªã©ã®æè¡ã®åºç€ãšãªã£ãŠããŸãã</p> + +<h3><a name="cryptographicalgo" id="cryptographicalgo">æå·ã¢ã«ãŽãªãºã </a></h3> + + <p>äŸãã°ãã¢ãªã¹ãééã®ããã«éè¡ã«ã¡ãã»ãŒãžãéããããšããŸãã + å£åº§çªå·ãééã®éé¡ãå«ãŸããããã + ã¢ãªã¹ã¯ãã®ã¡ãã»ãŒãžãç§å¯ã«ããããšæããŸãã + 解決æ¹æ³ã®äžã€ã¯æå·ã¢ã«ãŽãªãºã ã䜿ã£ãŠãã¡ãã»ãŒãžã + èªãŸããã人以å€ã¯èªãããšãã§ããªãæå·åããã + 圢æ
ã«å€ããŠããŸãããšã§ãã + ãã®åœ¢æ
ã«ãªããšã + ã¡ãã»ãŒãžã¯ç§å¯ã®éµã«ãã£ãŠã®ã¿è§£éããããšãã§ããŸãã + éµãªãã§ã¯ãã¡ãã»ãŒãžã¯åœ¹ã«ç«ã¡ãŸããã + è¯ãæå·ã¢ã«ãŽãªãºã ã¯ã䟵å
¥è
ãå
ã®ããã¹ãã解èªããããšã + éåžžã«é£ãããããããåªåãå²ã«åããªããããŸãã</p> + + <p>æå·ã¢ã«ãŽãªãºã ã«ã¯ + åŸæ¥åãšå
¬ééµã®äºã€ã®çš®é¡ããããŸãã</p> + + <dl> + <dt>åŸæ¥åæå·</dt> + <dd>察称æå·ãšããŠãç¥ããã + éä¿¡è
ãšåä¿¡è
ãéµãå
±æããããšãå¿
èŠã§ãã + éµãšã¯ãã¡ãã»ãŒãžãæå·åããã埩å·ããã®ã«äœ¿ãããç§å¯ + ã®æ
å ±ã®ããšã§ãã + ããããã®éµãç§å¯ãªããéä¿¡è
ãšåä¿¡è
以å€ã¯èª°ãã¡ãã»ãŒãžãèª + ãããšãã§ããŸããã + ããããã¢ãªã¹ãšéè¡ãç§å¯ã®éµãç¥ã£ãŠãããªãã + 圌ãã¯ãäºãã«ç§å¯ã®ã¡ãã»ãŒãžãéãããšãã§ããã§ãããã + ãã ããäºåã«å
å¯ã«éµãéžã¶ãšããä»äºã¯åé¡ãå«ãã§ããŸãã</dd> + + <dt>å
¬ééµæå·</dt> + <dd>é察称æå·ãšããŠãç¥ããã + ã¡ãã»ãŒãžãæå·åããããšã®ã§ããäºã€ã®éµ + ã䜿çšããã¢ã«ãŽãªãºã ãå®çŸ©ããããšã§éµã®ããåãã®åé¡ã解決 + ããŸãã + ãããããéµãæå·åã«äœ¿ããããªãã + ããçæ¹ã®éµã§åŸ©å·ããªããã°ãããŸããã + ãã®æ¹åŒã«ãã£ãŠãäžã€ã®éµãå
¬è¡šããŠ(å
¬ééµ)ã + ããçæ¹ãç§å¯ã«ããŠãã(ç§å¯éµ)ã ãã§ã + å®å
šãªã¡ãã»ãŒãžãåãåãããšãã§ããŸãã</dd> + </dl> + + <p>誰ããæå·åãããã¡ãã»ãŒãžãå
¬ééµã«ãã£ãŠæå·å + ããããšãã§ããŸãããç§å¯éµã®æã¡äž»ã ãããããèªãããšã + ã§ããŸãã + ãã®æ¹æ³ã§ãéè¡ã®å
¬ééµã䜿ã£ãŠæå·åããããšã§ã + ã¢ãªã¹ã¯ç§å¯ã®ã¡ãã»ãŒãžãéãããšãã§ããŸãã + éè¡ã®ã¿ã埩å·ããããšãã§ããŸãã</p> + + +<h3><a name="messagedigests" id="messagedigests">ã¡ãã»ãŒãžãã€ãžã§ã¹ã</a></h3> + + <p>ã¢ãªã¹ã¯ã¡ãã»ãŒãžãç§å¯ã«ããããšãã§ããŸããã + 誰ããäŸãã°èªåã«ééããããã«ã¡ãã»ãŒãžãå€æŽãããã + å¥ã®ãã®ã«çœ®ãæããŠããŸããããããªããšããåé¡ããããŸãã + ã¢ãªã¹ã®ã¡ãã»ãŒãžã®ä¿¡çšãä¿èšŒããæ¹æ³ã®äžã€ã¯ã + ã¡ãã»ãŒãžã®ç°¡æœãªãã€ãžã§ã¹ããäœã£ãŠããããéè¡ã«éããšãããã®ã§ãã + ã¡ãã»ãŒãžãåãåããšéè¡ããã€ãžã§ã¹ããäœæãã + ã¢ãªã¹ãéã£ããã®ãšæ¯ã¹ãŸããããäžèŽãããªãã + åãåã£ãã¡ãã»ãŒãžã¯ç¡å·ã ãšããããšã«ãªããŸãã</p> + + <p>ãã®ãããªèŠçŽã¯<dfn>ã¡ãã»ãŒãžãã€ãžã§ã¹ã</dfn>ã + <em>äžæ¹è¡é¢æ°</em>ããŸãã¯<em>ããã·ã¥é¢æ°</em>ãšåŒã°ããŸãã + ã¡ãã»ãŒãžãã€ãžã§ã¹ãã¯é·ãå¯å€é·ã®ã¡ãã»ãŒãžãã + çãåºå®é·ã®è¡šçŸãäœãã®ã«äœ¿ãããŸãã + ãã€ãžã§ã¹ãã¢ã«ãŽãªãºã ã¯ã¡ãã»ãŒãžãã + äžæãªãã€ãžã§ã¹ããçæããããã«äœãããŠããŸãã + ã¡ãã»ãŒãžãã€ãžã§ã¹ãã¯ãã€ãžã§ã¹ãããå
ã®ã¡ãã»ãŒãžã + å€å®ããã®ããšãŠãé£ããããã«ã§ããŠããŸãã + ãŸããåãèŠçŽãäœæããäºã€ã®ã¡ãã»ãŒãžãæ¢ãã®ã¯äžå¯èœã§ãã + ãã£ãŠãåãèŠçŽã䜿ã£ãŠã¡ãã»ãŒãžã眮ãæãããšãã + å¯èœæ§ãæé€ããŠããŸãã</p> + +<p>ã¢ãªã¹ãžã®ããäžã€ã®åé¡ã¯ããã®ãã€ãžã§ã¹ããå®å
šã«éãæ¹æ³ãæ¢ãããšã§ãã +ãããã§ããã°ãã¡ãã»ãŒãžã®ä¿¡çšãä¿èšŒãããŸãã +äžã€ã®æ¹æ³ã¯ãã®ãã€ãžã§ã¹ãã«é»å眲åãå«ãããšã§ãã</p> + + +<h3><a name="digitalsignatures" id="digitalsignatures">é»å眲å</a></h3> +<p>ã¢ãªã¹ãéè¡ã«ã¡ãã»ãŒãžãéã£ããšããéè¡ã¯ã +䟵å
¥è
ã圌女ã«ãªãããŸããŠåœŒå¥³ã®å£åº§ãžã®ååŒãç³è«ããŠããªããã +ã¡ãã»ãŒãžãæ¬åœã«åœŒå¥³ããã®ãã®ã確å®ã«åãããªããã°ãããŸããã +ã¢ãªã¹ã«ãã£ãŠäœæãããã¡ãã»ãŒãžã«å«ãŸãã +<em>é»å眲å</em>ãããã§åœ¹ã«ç«ã¡ãŸãã</p> + +<p>é»å眲åã¯ã¡ãã»ãŒãžã®ãã€ãžã§ã¹ãããã®ä»ã®æ
å ±(åŠççªå·ãªã©)ã +éä¿¡è
ã®ç§å¯éµã§æå·åããããšã§äœãããŸãã +誰ããå
¬ééµã䜿ã£ãŠçœ²åã<em>埩å·</em>ããããšãã§ããŸããã +眲åè
ã®ã¿ãç§å¯éµãç¥ã£ãŠããŸãã +ããã¯ã圌ãã®ã¿ã眲åãããããšãæå³ããŸãã +ãã€ãžã§ã¹ããé»å眲åã«å«ãããšã¯ã +ãã®çœ²åããã®ã¡ãã»ãŒãžã®ã¿ã«æå¹ã§ããããšãæå³ããŸãã +ããã¯ã誰ããã€ãžã§ã¹ããå€ããŠçœ²åãããããšãã§ããªãããã +ã¡ãã»ãŒãžã®ä¿¡çšãä¿èšŒããŸãã</p> + +<p>䟵å
¥è
ã眲åãååããŠåŸæ¥ã«åå©çšããã®ãé²ããã +é»å眲åã«ã¯äžæãªåŠççªå·ãå«ãŸããŸãã +ããã¯ãã¢ãªã¹ããããªã¡ãã»ãŒãžã¯éã£ãŠããªããšèšãè©æ¬º +ããéè¡ãå®ããŸãã +圌女ã ãã眲åãããããã§ãã(åŠèªé²æ¢)</p> + +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="certificates" id="certificates">蚌ææž</a></h2> + +<p>ã¢ãªã¹ã¯ç§å¯ã®ã¡ãã»ãŒãžãéè¡ã«éãã +眲åãããŠãã¡ãã»ãŒãžã®ä¿¡çšãä¿èšŒããããšãã§ããããã«ãªããŸãããã +éä¿¡ããŠããçžæãæ¬åœã«éè¡ãªã®ã確ãããªããŠã¯ãããŸããã +ããã¯ã圌女ã䜿ãå
¬ééµãéè¡ã®ç§å¯éµãšå¯Ÿã«ãªã£ãŠãããã®ãã +圌女ã¯ç¢ºãããªããŠã¯ãããªããšããããšãæå³ããŸãã +åæ§ã«ãéè¡ã¯ã¡ãã»ãŒãžã®çœ²åãæ¬åœã«ã¢ãªã¹ã®çœ²åã確èªããå¿
èŠã +ãããŸãã</p> + +<p>ããäž¡è
ã«èº«å
ã蚌æããå
¬ééµã確èªãããŸãä¿¡é Œãããæ©é¢ã眲å +ãã蚌ææžãããã°ãäž¡è
ãšãéä¿¡çžæã«ã€ããŠæ£ããçžæã ãš +確信ããããšãã§ããŸãã +ãã®ãããªä¿¡é Œãããæ©é¢ã¯<em>èªèšŒå±</em> + (Certificate Authority ãŸã㯠CA) ãšåŒã°ãã +蚌ææž (certificate) ãèªèšŒ (authentication) ã«äœ¿ãããŸãã</p> + +<h3><a name="certificatecontents" id="certificatecontents">蚌ææžã®å
容</a></h3> + + <p>蚌ææžã¯å
¬ééµãšå人ããµãŒãããã®ä»ã®äž»äœã®å®åšã®èº«å
ã + é¢é£ä»ããŸãã + <a href="#table1">è¡š1</a>ã«ç€ºãããããã«èšŒæ察象ã®æ
å ±ã¯ + 身å
蚌æã®æ
å ±(èå¥å)ãšå
¬ééµãå«ãŸããŸãã + 蚌ææžã¯ãŸããèªèšŒå±ã®èº«å
蚌æãšçœ²åããããŠèšŒææžã®æå¹æéã + å«ã¿ãŸãã + ã·ãªã¢ã«ãã³ããŒãªã©ã®èªèšŒå±ã®ç®¡çäžã®æ
å ±ã + ãã®ä»ã®è¿œå ã®æ
å ±ãå«ãŸããŠãããããããŸããã</p> + + <h4><a name="table1" id="table1">è¡š1: 蚌ææžæ
å ±</a></h4> + + <table> + + <tr><th>蚌æ察象</th> + <td>èå¥åãå
¬ééµ</td></tr> + <tr><th>çºè¡è
</th> + <td>èå¥åãå
¬ééµ</td></tr> + <tr><th>æå¹æé</th> + <td>éå§æ¥ã倱å¹æ¥</td></tr> + <tr><th>管çæ
å ±</th> + <td>ããŒãžã§ã³ãã·ãªã¢ã«ãã³ããŒ</td></tr> + <tr><th>æ¡åŒµæ
å ±</th> + <td>åºæ¬çãªå¶çŽããããã¹ã±ãŒããã©ãã°ããã®ä»</td></tr> + </table> + + + <p>èå¥å(ãã£ã¹ãã£ã³ã°ã€ãã·ã¥ã»ããŒã )ã¯ç¹å®ã®ç¶æ³ã«ããã + 身å蚌æãæäŸããã®ã«äœ¿ãããŠããŸããäŸãã°ããã人㯠+ ç§çšãšäŒç€Ÿãšã§å¥ã
ã®èº«å蚌æãæã€ãããããŸããã + + èå¥å㯠X.509 æšæºèŠæ Œ [<a href="#X509">X509</a>] ã§å®çŸ©ãããŠããŸãã + X.509 æšæºèŠæ Œã¯ãé
ç®ãé
ç®åããããŠé
ç®ã®ç¥ç§°ãå®çŸ©ããŠããŸãã(<a href="#table2">è¡š + 2</a> åç
§)</p> + + <h4><a name="table2" id="table2">è¡š 2: èå¥åæ
å ±</a></h4> + + <table class="bordered"> + + <tr><th>èå¥åé
ç®</th> + <th>ç¥ç§°</th> + <th>説æ</th> + <th>äŸ</th></tr> + <tr><td>Common Name (ã³ã¢ã³ããŒã )</td> + <td>CN</td> + <td>èªèšŒãããåå<br /> + SSLæ¥ç¶ããURL</td> + <td>CN=www.example.com</td></tr> + <tr><td>Organization or Company (çµç¹å)</td> + <td>O</td> + <td>å£äœã®æ£åŒè±èªçµç¹å</td> + <td>O=Example Japan K.K.</td></tr> + <tr><td>Organizational Unit (éšéå)</td> + <td>OU</td> + <td>éšçœ²åãªã©</td> + <td>OU=Customer Service</td></tr> + <tr><td>City/Locality (åžåºçºæ)</td> + <td>L</td> + <td>æåšããŠãåžåºçºæ</td> + <td>L=Sapporo</td></tr> + <tr><td>State/Province (éœéåºç)</td> + <td>ST</td> + <td>æåšããŠãéœéåºç</td> + <td>ST=Hokkaido</td></tr> + <tr><td>Country(åœ)</td> + <td>C</td> + <td>æåšããŠããåœåã® ISO ã³ãŒã<br /> + æ¥æ¬ã®å Žå JP + </td> + <td>C=JP</td></tr> + </table> + + + <p>èªèšŒå±ã¯ã©ã®é
ç®ãçç¥å¯èœã§ã©ããå¿
é ãã®æ¹éãå®çŸ©ãã + ãããããŸãããé
ç®ã®å
容ã«ã€ããŠãèªèšŒå±ã蚌ææžã®ãŠãŒã¶ããã® + èŠä»¶ããããããããŸããã + äŸãã°ããããã¹ã±ãŒãã®ãã©ãŠã¶ã¯ãµãŒãã®èšŒææžã® + Common Name (ã³ã¢ã³ããŒã )ããµãŒãã®ãã¡ã€ã³åã® + <code>*.example.com</code> + ãšãããããªã¯ã€ã«ãã«ãŒãã®ãã¿ãŒã³ã«ãããããããš + ãèŠæ±ããŸãã</p> + + <p>ãã€ããªåœ¢åŒã®èšŒææžã¯ ASN.1 è¡šèšæ³ + [<a href="#X208">X208</a>] [<a href="#PKCS">PKCS</a>] 㧠+ å®çŸ©ãããŠããŸãã + ãã®è¡šèšæ³ã¯å
容ãã©ã®ããã«èšè¿°ããããå®çŸ©ãã + 笊å·åã®èŠå®ããã®æ
å ±ãã©ã®ããã«ãã€ããªåœ¢åŒã«å€æããããã + å®çŸ©ããŸãã + 蚌ææžã®ãã€ããªç¬Šå·å㯠Distinguished Encoding + Rules (DER) ã§å®çŸ©ãããããã¯ããäžè¬ç㪠Basic Encoding Rules + (BER) ã«åºã¥ããŠããŸãã + ãã€ããªåœ¢åŒãæ±ãããšã®ã§ããªãéä¿¡ã§ã¯ã + ãã€ããªåœ¢åŒã¯ Base64 笊å·å [<a href="#MIME">MIME</a>] 㧠+ ASCII 圢åŒã«å€æãããããšããããŸãã + ãã®ããã«ç¬Šå·åããã以äžã®äŸã«ç€ºãããããã«åºåãè¡ã« + æãŸãããã®ã¯ PEM 笊å·åããããšèšããŸãã + (PEM ã®åå㯠"Privacy Enhanced Mail" ã«ç±æ¥ããŸã)</p> + + <div class="example"><h3>PEM 笊å·åããã蚌ææžã®äŸ (example.crt)</h3><pre>-----BEGIN CERTIFICATE----- +MIIC7jCCAlegAwIBAgIBATANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCWFkx +FTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25ha2UgVG93bjEXMBUG +A1UEChMOU25ha2UgT2lsLCBMdGQxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhv +cml0eTEVMBMGA1UEAxMMU25ha2UgT2lsIENBMR4wHAYJKoZIhvcNAQkBFg9jYUBz +bmFrZW9pbC5kb20wHhcNOTgxMDIxMDg1ODM2WhcNOTkxMDIxMDg1ODM2WjCBpzEL +MAkGA1UEBhMCWFkxFTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25h +a2UgVG93bjEXMBUGA1UEChMOU25ha2UgT2lsLCBMdGQxFzAVBgNVBAsTDldlYnNl +cnZlciBUZWFtMRkwFwYDVQQDExB3d3cuc25ha2VvaWwuZG9tMR8wHQYJKoZIhvcN +AQkBFhB3d3dAc25ha2VvaWwuZG9tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB +gQDH9Ge/s2zcH+da+rPTx/DPRp3xGjHZ4GG6pCmvADIEtBtKBFAcZ64n+Dy7Np8b +vKR+yy5DGQiijsH1D/j8HlGE+q4TZ8OFk7BNBFazHxFbYI4OKMiCxdKzdif1yfaa +lWoANFlAzlSdbxeGVHoT0K+gT5w3UxwZKv2DLbCTzLZyPwIDAQABoyYwJDAPBgNV +HRMECDAGAQH/AgEAMBEGCWCGSAGG+EIBAQQEAwIAQDANBgkqhkiG9w0BAQQFAAOB +gQAZUIHAL4D09oE6Lv2k56Gp38OBDuILvwLg1v1KL8mQR+KFjghCrtpqaztZqcDt +2q2QoyulCgSzHbEGmi0EsdkPfg6mp0penssIFePYNI+/8u9HT4LuKMJX15hxBam7 +dUHzICxBVC1lnHyYGjDuAMhe396lYAn8bCld1/L4NMGBCQ== +-----END CERTIFICATE-----</pre></div> + + +<h3><a name="certificateauthorities" id="certificateauthorities">èªèšŒå±</a></h3> + + <p>ãŸã蚌ææžã®ç³è«ã®æ
å ±ã確èªããããšã§ã + èªèšŒå±ã¯ç§å¯éµã®æã¡äž»ã®èº«å
ãä¿èšŒããŸãã + äŸãã°ãã¢ãªã¹ãå人蚌ææžãç³è«ãããšãããšã + èªèšŒå±ã¯ã¢ãªã¹ã蚌ææžã®ç³è«ã䞻匵ããéãã® + 人ç©ã ãšããããšã確èªããªããŠã¯ãããŸããã</p> + + <h4><a name="certificatechains" id="certificatechains">蚌ææžéå±€æ§é </a></h4> + + <p>èªèšŒå±ã¯ä»ã®èªèšŒå±ãžã®èšŒææžãçºè¡ããããšãã§ããŸãã + æªç¥ã®èšŒææžã調ã¹ãæã«ãã¢ãªã¹ã¯ãã®èšŒææžã®çºè¡è
+ ã«èªä¿¡ãæãŠããŸã§ãçºè¡è
ã®èšŒææžã + ãã®äžäœéå±€ã®èªèšŒå±ããã©ã£ãŠèª¿ã¹ãå¿
èŠããããŸãã + ãæªè³ªãªã蚌ææžã®å±éºæ§ãæžããããã + 圌女ã¯éãããé£éã®çºè¡è
ã®ã¿ä¿¡é Œããããã« + 決ããããšãã§ããŸãã</p> + + + <h4><a name="rootlevelca" id="rootlevelca">æäžäœèªèšŒå±ã®äœæ</a></h4> + + <p>åã«è¿°ã¹ãããã«ãå
šãŠã®èšŒææžã«ã€ããŠã + æäžäœã®èªèšŒå±(CA)ãŸã§ããããã®çºè¡è
ã + 察象ã®èº«å
蚌æã®æå¹æ§ãæããã«ããå¿
èŠããããŸãã + åé¡ã¯ã誰ããã®æäžäœã®èªèšŒæ©é¢ã®èšŒææžãä¿èšŒããã®ãã + ãšããããšã§ãã + ãã®ãããªå Žåã«éãã蚌ææžã¯ãèªå·±çœ²åããããŸãã + ã€ãŸãã蚌ææžã®çºè¡è
ãšèšŒæ察象ãåããšããããšã«ãªããŸãã + ãã®çµæãèªå·±çœ²åããã蚌ææžãä¿¡çšããã«ã¯ + 现å¿ã®æ³šæãå¿
èŠã§ãã + æäžäœèªèšŒå±ãå
¬ééµãåºãå
¬è¡šããããšã§ã + ãã®éµãä¿¡é Œãããªã¹ã¯ãäœãããããšãã§ããŸãã + ãããä»äººããã®èªèšŒå±ã«ãªãããŸããæã«ããããé²èŠãã + ããããã§ãã + å€ãã®ãã©ãŠã¶ã¯æåãªèªèšŒå±ãä¿¡é Œããããã« + èšå®ãããŠããŸãã</p> + + <p><a href="http://www.thawte.com/">Thawte</a> + ã <a href="http://www.verisign.com/">VeriSign</a> + ã®ãããªå€ãã®äŒç€ŸãèªèšŒå±ãšããŠéèšããŸããã + ãã®ãããªäŒç€Ÿã¯ä»¥äžã®ãµãŒãã¹ãæäŸããŸã:</p> + + <ul> + <li>蚌ææžç³è«ã®ç¢ºèª</li> + <li>蚌ææžç³è«ã®åŠç</li> + <li>蚌ææžã®çºè¡ãšç®¡ç</li> + </ul> + + <p>èªåã§èªèšŒå±ãäœãããšãå¯èœã§ãã + ã€ã³ã¿ãŒãããç°å¢ã§ã¯å±éºã§ããã + å人ããµãŒãã®èº«å
蚌æãç°¡åã«è¡ããçµç¹ã® + ã€ã³ãã©ãããå
ã§ã¯åœ¹ã«ç«ã€ãããããŸããã</p> + + + <h4><a name="certificatemanagement" id="certificatemanagement">蚌ææžç®¡ç</a></h4> + + <p>èªèšŒå±ã®éèšã¯åŸ¹åºãã管çãæè¡ãéçšã®äœå¶ãå¿
èŠãšãã + 責任ã®ããä»äºã§ãã + èªèšŒå±ã¯èšŒææžãçºè¡ããã ãã§ãªãã + 管çãããªããã°ãªããŸããã + å
·äœçã«ã¯ã蚌ææžããã€ãŸã§æå¹ãã決å®ããæŽæ°ãã + ãŸãæ¢ã«çºè¡ãããã倱å¹ãã蚌ææžã®ãªã¹ã + (Certificate Revocation Lists ãŸã㯠CRL) + ã管çããªããã°ãããŸããã + äŸãã°ãã¢ãªã¹ãäŒç€Ÿãã瀟å¡ãšããŠèšŒææžãäžãããããšããŸãã + ãããŠãã¢ãªã¹ãäŒç€ŸãèŸãããšãã«ã¯èšŒææžãåãæ¶ããªããã° + ãããªããšããŸãã + 蚌ææžã¯æ¬¡ã
ãšäººã«æž¡ãããŠãããã®ãªã®ã§ã + 蚌ææžãã®ãã®ããããããåãæ¶ããããå€æããããšã¯ + äžå¯èœã§ãã + ãã£ãŠã蚌ææžã®æå¹æ§ã調ã¹ããšãã«ã¯ã + èªèšŒå±ã«é£çµ¡ã㊠CRL ãç
§åããå¿
èŠããããŸãã + æ®éãã®éçšã¯èªååãããŠãããã®ã§ã¯ãããŸããã</p> + + <div class="note"><h3>泚æ</h3> + <p>ããã©ã«ãã§ãã©ãŠã¶ã«èšå®ãããŠããªãèªèšŒå±ã䜿ã£ãå Žåã + èªèšŒå±ã®èšŒææžããã©ãŠã¶ã«èªã¿èŸŒãã§ã + ãã©ãŠã¶ããã®èªèšŒå±ã«ãã£ãŠçœ²åããããµãŒãã®èšŒææžã + æå¹åããå¿
èŠããããŸãã + äžåºŠèªã¿èŸŒãŸãããšããã®èªèšŒå±ã«ãã£ãŠçœ²åãããå
šãŠã® + 蚌ææžãåãå
¥ãããããå±éºã䌎ããŸãã</p> + </div> + + + +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="ssl" id="ssl">Secure Sockets Layer (SSL)</a></h2> + +<p>Secure Sockets Layer ãããã³ã«ã¯ä¿¡é Œæ§ã®ããã³ãã¯ã·ã§ã³åã® +ãããã¯ãŒã¯å±€ã®ãããã³ã«(äŸãã°ãTCP/IP)ãš +ã¢ããªã±ãŒã·ã§ã³å±€ã®ãããã³ã«(äŸãã°ãHTTP) +ã®éã«çœ®ãããšãã§ããŸãã +SSL ã¯ãçžäºèªèšŒã«ãã£ãŠãµãŒããšã¯ã©ã€ã¢ã³ãéã®å®å
šãªéä¿¡ãã +é»å眲åã«ãã£ãŠããŒã¿ã®å®å
šæ§ãã +ãããŠæå·åã«ãã£ãŠãã©ã€ãã·ãæäŸããŸãã</p> + +<p>SSL ãããã³ã«ã¯æå·åããã€ãžã§ã¹ããé»å眲åã«ã€ããŠã +æ§ã
ãªã¢ã«ãŽãªãºã ããµããŒãããããã«ã§ããŠããŸãã +ããããããšã§ãæ³ã茞åºã®èŠå¶ãèæ
®ã«å
¥ããŠããµãŒãã«åããã +ã¢ã«ãŽãªãºã ãéžã¶ããšãã§ãããŸããæ°ããã¢ã«ãŽãªãºã ã +å©çšããŠããããšãå¯èœã«ããŠããŸãã +ã¢ã«ãŽãªãºã ã®éžæã¯ãããã³ã«ã»ãã·ã§ã³éå§æã« +ãµãŒããšã¯ã©ã€ã¢ã³ãéã§åã決ããããŸãã</p> + +<h3><a name="table4" id="table4">è¡š4: SSL ãããã³ã«ã®ããŒãžã§ã³</a></h3> + + <table class="bordered"> + + <tr><th>ããŒãžã§ã³</th> + <th>åºå
ž</th> + <th>説æ</th> + <th>ãã©ãŠã¶ã®ãµããŒã</th></tr> + <tr><td>SSL v2.0</td> + <td>Vendor Standard (Netscape Corp. ãã) [<a href="#SSL2">SSL2</a>]</td> + <td>å®è£
ãçŸåããåããŠã® SSL ãããã³ã«</td> + <td>- NS Navigator 1.x/2.x<br /> + - MS IE 3.x<br /> + - Lynx/2.8+OpenSSL</td></tr> + <tr><td>SSL v3.0</td> + <td>Expired Internet Draft (Netscape Corp. ãã) [<a href="#SSL3">SSL3</a>]</td> + <td>ç¹å®ã®ã»ãã¥ãªãã£æ»æãé²ãããã®æ¹èšã + éRSA æå·ã®è¿œå ã蚌ææžéå±€æ§é ã®ãµããŒã</td> + <td>- NS Navigator 2.x/3.x/4.x<br /> + - MS IE 3.x/4.x<br /> + - Lynx/2.8+OpenSSL</td></tr> + <tr><td>TLS v1.0</td> + <td>Proposed Internet Standard (IETF ãã) [<a href="#TLS1">TLS1</a>]</td> + <td>MAC ã¬ã€ã€ã HMAC ãžæŽæ°ããããã¯æå·ã® block + paddingãã¡ãã»ãŒãžé åºã®æšæºåãèŠåæã®å
å®ãªã©ã®ãã + SSL 3.0 ãæ¹èšã</td> + <td>- Lynx/2.8+OpenSSL</td></tr> + </table> + + +<p><a href="#table4">è¡š4</a>ã«ç€ºããããšãããSSL ãããã³ã«ã«ã¯ +ããã€ãã®ããŒãžã§ã³ããããŸãã +è¡šã«ãæžãããŠããããã«ãSSL 3.0 ã®å©ç¹ã®äžã€ã¯ +蚌ææžéå±€æ§é ããµããŒãããããšã§ãã +ãã®æ©èœã«ãã£ãŠããµãŒãã¯èªåã®èšŒææžã«å ããŠã +çºè¡è
ã®èšŒææžããã©ãŠã¶ã«æž¡ãããšãã§ããŸãã +蚌ææžéå±€æ§é ã«ãã£ãŠã +ãã©ãŠã¶ã«çºè¡è
ã®èšŒææžãçŽæ¥ç»é²ãããŠããªããŠãã +éå±€ã®äžã«å«ãŸããŠããã°ã +ãã©ãŠã¶ã¯ãµãŒãã®èšŒææžãæå¹åããããšãã§ããŸãã +SSL 3.0 ã¯çŸåš Internet Engineering Task Force (IETF) +ã«ãã£ãŠéçºãããŠãã Transport Layer Security +[<a href="#TLS1">TLS</a>] ãããã³ã«æšæºèŠæ Œã®åºç€ãšãªã£ãŠããŸãã</p> + +<h3><a name="session" id="session">ã»ãã·ã§ã³ã®ç¢ºç«</a></h3> + + <p><a href="#figure1">å³1</a>ã§ç€ºãããããã«ã + ã»ãã·ã§ã³ã®ç¢ºç«ã¯ã¯ã©ã€ã¢ã³ããšãµãŒãéã® + ãã³ãã·ã§ãŒã¯ã·ãŒã¯ãšã³ã¹ã«ãã£ãŠè¡ãªãããŸãã + ãµãŒãã蚌ææžãæäŸããããã¯ã©ã€ã¢ã³ãã®èšŒææžããªã¯ãšã¹ãããã + ãšãããµãŒãã®èšå®ã«ããããã®ã·ãŒã¯ãšã³ã¹ã¯ç°ãªããã®ãšãªããŸãã + æå·æ
å ±ã®ç®¡çã®ããã«ãè¿œå ã®ãã³ãã·ã§ãŒã¯éçšãå¿
èŠã«ãªã + å ŽåããããŸããããã®èšäºã§ã¯ + ããããã·ããªãªãæçã«èª¬æããŸãã + å
šãŠã®å¯èœæ§ã«ã€ãã¯ãSSL ä»æ§æžãåç
§ããŠãã ããã</p> + + <div class="note"><h3>泚æ</h3> + <p>äžåºŠ SSL ã»ãã·ã§ã³ã確ç«ãããšãã»ãã·ã§ã³ãåå©çšããããšã§ã + ã»ãã·ã§ã³ãéå§ããããã®å€ãã®éçšãç¹°ãè¿ããšãã + ããã©ãŒãã³ã¹ã®æ倱ãé²ããŸãã + ãã®ããããµãŒãã¯å
šãŠã®ã»ãã·ã§ã³ã«äžæãªã»ãã·ã§ã³èå¥åã + å²ãåœãŠããµãŒãã«ãã£ãã·ã¥ããã¯ã©ã€ã¢ã³ãã¯æ¬¡åãã + (èå¥åããµãŒãã®ãã£ãã·ã¥ã§æéåãã«ãªããŸã§ã¯) + ãã³ãã·ã§ãŒã¯ãªãã§æ¥ç¶ããããšãã§ããŸãã</p> + </div> + + <p class="figure"> + <img src="../images/ssl_intro_fig1.gif" alt="" width="423" height="327" /><br /> + <a id="figure1" name="figure1"><dfn>å³1</dfn></a>: SSL + ãã³ãã·ã§ãŒã¯ã·ãŒã¯ãšã³ã¹æŠç¥</p> + + <p>ãµãŒããšã¯ã©ã€ã¢ã³ãã§äœ¿ããã + ãã³ãã·ã§ãŒã¯ã·ãŒã¯ãšã³ã¹ã®èŠçŽ ã以äžã«ç€ºããŸã:</p> + + <ol> + <li>ããŒã¿éä¿¡ã«äœ¿ãããæå·ã¹ã€ãŒãã®åã決ã</li> + <li>ã¯ã©ã€ã¢ã³ããšãµãŒãéã§ã®ã»ãã·ã§ã³éµã®ç¢ºç«ãšå
±æ</li> + <li>ãªãã·ã§ã³ãšããŠãã¯ã©ã€ã¢ã³ãã«å¯ŸãããµãŒãã®èªèšŒ</li> + <li>ãªãã·ã§ã³ãšããŠããµãŒãã«å¯Ÿããã¯ã©ã€ã¢ã³ãã®èªèšŒ</li> + </ol> + + <p>第äžã¹ãããã®æå·ã¹ã€ãŒãåã決ãã«ãã£ãŠã + ãµãŒããšã¯ã©ã€ã¢ã³ãã¯ããããã«ãã£ã + æå·ã¹ã€ãŒããéžã¶ããšãã§ããŸãã + SSL3.0 ãããã³ã«ã®ä»æ§æžã¯ 31 ã®æå·ã¹ã€ãŒããå®çŸ©ããŠããŸãã + æå·ã¹ã€ãŒãã¯ä»¥äžã®ã³ã³ããŒãã³ãã«ããå®çŸ©ãããŠããŸã:</p> + + <ul> + <li>éµã®äº€ææ段</li> + <li>ããŒã¿éä¿¡ã®æå·è¡</li> + <li>Message Authentication Code (MAC) äœæã®ããã® + ã¡ãã»ãŒãžãã€ãžã§ã¹ã</li> + </ul> + + <p>ãããã®äžã€ã®èŠçŽ ã¯ä»¥äžã®ã»ã¯ã·ã§ã³ã§èª¬æãããŠããŸãã</p> + + +<h3><a name="keyexchange" id="keyexchange">éµã®äº€ææ段</a></h3> + + <p>éµã®äº€ææ段ã¯ã¢ããªã±ãŒã·ã§ã³ã®ããŒã¿éä¿¡ã«äœ¿ããã + å
±æããã察称æå·éµãã©ã®ããã«ãã¯ã©ã€ã¢ã³ããšãµãŒã㧠+ åã決ããããå®çŸ©ããŸãã + SSL 2.0 㯠RSA éµäº€æãã䜿ããŸãããã + SSL 3.0 ã¯èšŒææžã䜿ããããšã㯠RSA éµäº€æã䜿ãã + 蚌ææžãç¡ããã¯ã©ã€ã¢ã³ããšãµãŒãã®äºåã®éä¿¡ãç¡ãå Žå㯠+ Diffie-Hellman éµäº€æã䜿ã + ãªã©æ§ã
ãªéµäº€æã¢ã«ãŽãªãºã ããµããŒãããŸãã</p> + + <p>éµã®äº€ææ¹æ³ã«ãããäžã€ã®éžæè¢ã¯é»å眲åã§ãã + é»å眲åã䜿ããã©ããããŸãã + ã©ã®çš®é¡ã®çœ²åã䜿ãããšããéžæããããŸãã + ç§å¯éµã§çœ²åããããšã§å
±æéµãçæãããæ
å ±äº€æããæã® + ãã³ã»ã€ã³ã»ã¶ã»ããã«æ»æãé²ãããšãã§ããŸãã + [<a href="#AC96">AC96</a>, p516]</p> + + +<h3><a name="ciphertransfer" id="ciphertransfer">ããŒã¿éä¿¡ã®æå·è¡</a></h3> + + <p>SSL ã¯ã»ãã·ã§ã³ã®ã¡ãã»ãŒãžã®æå·åã«åè¿°ãã + åŸæ¥åæå·(察称æå·)ãçšããŸãã + æå·åããªããšããéžæè¢ãå«ãä¹ã€ã®éžæè¢ããããŸã:</p> + + <ul> + <li>æå·åãªã</li> + <li>ã¹ããªãŒã æå· + <ul> + <li>40-bit éµã§ã® RC4</li> + <li>128-bit éµã§ã® RC4</li> + </ul></li> + <li>CBC ãããã¯æå· + <ul><li>40 bit éµã§ã® RC2</li> + <li>40 bit éµã§ã® DES</li> + <li>56 bit éµã§ã® DES</li> + <li>168 bit éµã§ã® Triple-DES</li> + <li>Idea (128 bit éµ)</li> + <li>Fortezza (96 bit éµ)</li> + </ul></li> + </ul> + + <p>ããã§ã® CBC ãšã¯æå·ãããã¯é£é (Cipher Block Chaining) + ã®ç¥ã§ãäžã€åã®æå·åãããæå·æã®äžéšã + ãããã¯ã®æå·åã«äœ¿ãããããšãæå³ããŸãã + DES ã¯ããŒã¿æå·åæšæºèŠæ Œ (Data Encryption Standard) + [<a href="#AC96">AC96</a>, ch12] ã®ç¥ã§ã + DES40 ã 3DES_EDE ãå«ãããã€ãã®çš®é¡ããããŸãã + Idea ã¯æé«ãªãã®ã®äžã€ã§ãæå·è¡çã«ã¯çŸåšããäžã§ + æã匷åãªãã®ã§ãã + RC2 㯠RSA DSI ã«ããç¬å çãªã¢ã«ãŽãªãºã ã§ãã + [<a href="#AC96">AC96</a>, + ch13]</p> + + +<h3><a name="digestfuntion" id="digestfuntion">ãã€ãžã§ã¹ãé¢æ°</a></h3> + + <p> + ãã€ãžã§ã¹ãé¢æ°ã®éžæã¯ã¬ã³ãŒããŠãããããã©ã®ããã«ãã€ãžã§ã¹ããçæããããã決å®ããŸãã + SSL ã¯ä»¥äžããµããŒãããŸã:</p> + + <ul> + <li>ãã€ãžã§ã¹ããªã</li> + <li>MD5 (128-bit ããã·ã¥)</li> + <li>Secure Hash Algorithm (SHA-1) (160-bit ããã·ã¥)</li> + </ul> + + <p>ã¡ãã»ãŒãžãã€ãžã§ã¹ã㯠Message Authentication Code (MAC) + ã®çæã«äœ¿ãããã¡ãã»ãŒãžãšå
±ã«æå·åãããã¡ãã»ãŒãžã®ä¿¡çšã + æäŸãããªãã¬ã€æ»æãé²ããŸãã</p> + + +<h3><a name="handshake" id="handshake">ãã³ãã·ã§ãŒã¯ã·ãŒã¯ãšã³ã¹ãããã³ã«</a></h3> + + <p>ãã³ãã·ã§ãŒã¯ã·ãŒã¯ãšã³ã¹ã¯äžã€ã®ãããã³ã«ã䜿ããŸã:</p> + + <ul> + <li><dfn>SSL ãã³ãã·ã§ãŒã¯ãããã³ã«</dfn>㯠+ ã¯ã©ã€ã¢ã³ããšãµãŒãéã§ã® SSL ã»ãã·ã§ã³ã®ç¢ºç«ã«äœ¿ãããŸãã</li> + <li><dfn>SSL æå·ä»æ§å€æŽãããã³ã«</dfn>㯠+ ã»ãã·ã§ã³ã§ã®æå·ã¹ã€ãŒãã®åã決ãã«äœ¿ãããŸãã</li> + <li><dfn>SSL èŠåãããã³ã«</dfn>㯠+ ã¯ã©ã€ã¢ã³ããµãŒãé㧠SSL ãšã©ãŒãäŒéããã®ã«äœ¿ãããŸãã</li> + </ul> + + <p>äžã€ã®ãããã³ã«ã¯ãã¢ããªã±ãŒã·ã§ã³ãããã³ã«ããŒã¿ãšãšãã«ã + <a href="#figure2">å³2</a>ã«ç€ºããšãã <dfn>SSL ã¬ã³ãŒããããã³ã«</dfn> + ã§ã«ãã»ã«åãããŸãã + ã«ãã»ã«åããããããã³ã«ã¯ããŒã¿ãæ€æ»ããªã + äžå±€ã®ãããã³ã«ã«ãã£ãŠããŒã¿ãšããŠäŒéãããŸãã + ã«ãã»ã«åããããããã³ã«ã¯äžå±€ã®ãããã³ã«ã«é¢ããŠäžåé¢ç¥ããŸããã</p> + + <p class="figure"> + <img src="../images/ssl_intro_fig2.gif" alt="" width="428" height="217" /><br /> + <a id="figure2" name="figure2"><dfn>å³2</dfn></a>: SSL ãããã³ã«ã¹ã¿ã㯠+ </p> + + <p> + ã¬ã³ãŒããããã³ã«ã«ãã SSL ã³ã³ãããŒã«ãããã³ã«ã®ã«ãã»ã«åã¯ã + ã¢ã¯ãã£ããªã»ãã·ã§ã³ã®äºåç®ã®éä¿¡ããã£ãå Žåã + ã³ã³ãããŒã«ãããã³ã«ãå®å
šã§ããããšãæå³ããŸãã + æ¢ã«ã»ãã·ã§ã³ãç¡ãå Žåã¯ãNull æå·ã¹ã€ãŒãã䜿ããã + æå·åã¯è¡ãªããããã»ãã·ã§ã³ã確ç«ãããŸã§ã¯ + ãã€ãžã§ã¹ããç¡ãç¶æ
ãšãªããŸãã</p> + + +<h3><a name="datatransfer" id="datatransfer">ããŒã¿éä¿¡</a></h3> + + <p><a href="#figure3">å³3</a>ã«ç€ºããã SSL ã¬ã³ãŒããããã³ã« + ã¯ã¯ã©ã€ã¢ã³ããšãµãŒãéã®ã¢ããªã±ãŒã·ã§ã³ã + SSL ã³ã³ãããŒã«ããŒã¿ã®éä¿¡ã«äœ¿ãããŸãã + ãã®ããŒã¿ã¯ããå°ãããŠãããã«åãããããã + ããã€ãã®é«çŽãããã³ã«ããŸãšããŠäžãŠããããšããŠéä¿¡ã + è¡ãªãããããšããããŸãã + ããŒã¿ãå§çž®ãããã€ãžã§ã¹ã眲åãæ·»ä»ããŠã + ãããã®ãŠããããæå·åããã®ã¡ãããŒã¹ãšãªã£ãŠãã + ä¿¡é Œæ§ã®ãããã©ã³ã¹ããŒããããã³ã«ãçšãããããããŸããã + (泚æ: çŸåšã¡ãžã£ãŒãª SLL å®è£
ã§å§çž®ããµããŒãããŠãããã®ã¯ãããŸãã)</p> + + <p class="figure"> + <img src="../images/ssl_intro_fig3.gif" alt="" width="423" height="323" /><br /> + <a id="figure3" name="figure3"><dfn>å³ 3</dfn></a>: SSL ã¬ã³ãŒããããã³ã« + </p> + + +<h3><a name="securehttp" id="securehttp">HTTP éä¿¡ã®å®å
šå</a></h3> + + <p>ãããã SSL ã®äœ¿ãæ¹ã¯ãã©ãŠã¶ãšãŠã§ããµãŒãéã® HTTP éä¿¡ + ã®å®å
šåã§ãã + ããã¯ãåŸæ¥ã®å®å
šã§ã¯ãªã HTTP ã®äœ¿çšãé€å€ãããã®ã§ã¯ãããŸããã + å®å
šåããããã®ã¯äž»ã« SSH äžã®æ®éã® HTTP ã§ãHTTPS ãšåŒã°ããŸãã + 倧ããªéãã¯ãURL ã¹ããŒã ã« <code>http</code> ã®ä»£ããã« <code>https</code> + ãçšãããµãŒããå¥ã®ããŒãã䜿ãããšã§ã (ããã©ã«ãã§ã¯443)ã + ããã䞻㫠<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> ã Apache ãŠã§ããµãŒãã«æäŸããæ©èœã§ãã</p> + +</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="references" id="references">åèæç®</a></h2> + +<dl> +<dt><a id="AC96" name="AC96">[AC96]</a></dt> +<dd>Bruce Schneier, <q>Applied Cryptography</q>, 2nd Edition, Wiley, +1996. See <a href="http://www.counterpane.com/">http://www.counterpane.com/</a> for various other materials by Bruce +Schneier.</dd> + +<dt><a id="X208" name="X208">[X208]</a></dt> +<dd>ITU-T Recommendation X.208, <q>Specification of Abstract Syntax Notation +One (ASN.1)</q>, 1988. See for instance <a href="http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-X.208-198811-I">http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-X.208-198811-I</a>. +</dd> + +<dt><a id="X509" name="X509">[X509]</a></dt> +<dd>ITU-T Recommendation X.509, <q>The Directory - Authentication +Framework</q>. See for instance <a href="http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-X.509">http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-X.509</a>. +</dd> + +<dt><a id="PKCS" name="PKCS">[PKCS]</a></dt> +<dd><q>Public Key Cryptography Standards (PKCS)</q>, +RSA Laboratories Technical Notes, See <a href="http://www.rsasecurity.com/rsalabs/pkcs/">http://www.rsasecurity.com/rsalabs/pkcs/</a>.</dd> + +<dt><a id="MIME" name="MIME">[MIME]</a></dt> +<dd>N. Freed, N. Borenstein, <q>Multipurpose Internet Mail Extensions +(MIME) Part One: Format of Internet Message Bodies</q>, RFC2045. +See for instance <a href="http://ietf.org/rfc/rfc2045.txt">http://ietf.org/rfc/rfc2045.txt</a>.</dd> + +<dt><a id="SSL2" name="SSL2">[SSL2]</a></dt> +<dd>Kipp E.B. Hickman, <q>The SSL Protocol</q>, 1995. See <a href="http://www.netscape.com/eng/security/SSL_2.html">http://www.netscape.com/eng/security/SSL_2.html</a>.</dd> + +<dt><a id="SSL3" name="SSL3">[SSL3]</a></dt> +<dd>Alan O. Freier, Philip Karlton, Paul C. Kocher, <q>The SSL Protocol +Version 3.0</q>, 1996. See <a href="http://www.netscape.com/eng/ssl3/draft302.txt">http://www.netscape.com/eng/ssl3/draft302.txt</a>.</dd> + +<dt><a id="TLS1" name="TLS1">[TLS1]</a></dt> +<dd>Tim Dierks, Christopher Allen, <q>The TLS Protocol Version 1.0</q>, +1999. See <a href="http://ietf.org/rfc/rfc2246.txt">http://ietf.org/rfc/rfc2246.txt</a>.</dd> +</dl> +</div></div> +<div class="bottomlang"> +<p><span>Available Languages: </span><a href="../en/ssl/ssl_intro.html" hreflang="en" rel="alternate" title="English"> en </a> | +<a href="../ja/ssl/ssl_intro.html" title="Japanese"> ja </a></p> +</div><div id="footer"> +<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> +<p class="menu"><a href="../mod/">ã¢ãžã¥ãŒã«</a> | <a href="../mod/directives.html">ãã£ã¬ã¯ãã£ã</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">çšèª</a> | <a href="../sitemap.html">ãµã€ãããã</a></p></div> +</body></html>
\ No newline at end of file |