diff options
Diffstat (limited to 'rubbos/app/apache2/manual/ssl')
-rw-r--r-- | rubbos/app/apache2/manual/ssl/index.html | 13 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/index.html.en | 59 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/index.html.ja.utf8 | 61 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/index.html.tr.utf8 | 59 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/ssl_compat.html | 5 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/ssl_compat.html.en | 233 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/ssl_faq.html | 5 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/ssl_faq.html.en | 1043 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/ssl_howto.html | 5 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/ssl_howto.html.en | 284 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/ssl_intro.html | 9 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/ssl_intro.html.en | 641 | ||||
-rw-r--r-- | rubbos/app/apache2/manual/ssl/ssl_intro.html.ja.utf8 | 695 |
13 files changed, 0 insertions, 3112 deletions
diff --git a/rubbos/app/apache2/manual/ssl/index.html b/rubbos/app/apache2/manual/ssl/index.html deleted file mode 100644 index d6ccf929..00000000 --- a/rubbos/app/apache2/manual/ssl/index.html +++ /dev/null @@ -1,13 +0,0 @@ -# GENERATED FROM XML -- DO NOT EDIT - -URI: index.html.en -Content-Language: en -Content-type: text/html; charset=ISO-8859-1 - -URI: index.html.ja.utf8 -Content-Language: ja -Content-type: text/html; charset=UTF-8 - -URI: index.html.tr.utf8 -Content-Language: tr -Content-type: text/html; charset=UTF-8 diff --git a/rubbos/app/apache2/manual/ssl/index.html.en b/rubbos/app/apache2/manual/ssl/index.html.en deleted file mode 100644 index 1577c57d..00000000 --- a/rubbos/app/apache2/manual/ssl/index.html.en +++ /dev/null @@ -1,59 +0,0 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!-- - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - This file is generated from xml source: DO NOT EDIT - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - --> -<title>Apache SSL/TLS Encryption - Apache HTTP Server</title> -<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> -<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> -<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /> -<link href="../images/favicon.ico" rel="shortcut icon" /></head> -<body id="manual-page"><div id="page-header"> -<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p> -<p class="apache">Apache HTTP Server Version 2.0</p> -<img alt="" src="../images/feather.gif" /></div> -<div class="up"><a href="../"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> -<div id="path"> -<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.0</a></div><div id="page-content"><div id="preamble"><h1>Apache SSL/TLS Encryption</h1> -<div class="toplang"> -<p><span>Available Languages: </span><a href="../en/ssl/" title="English"> en </a> | -<a href="../ja/ssl/" hreflang="ja" rel="alternate" title="Japanese"> ja </a> | -<a href="../tr/ssl/" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p> -</div> - -<p>The Apache HTTP Server module <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> -provides an interface to the <a href="http://www.openssl.org/">OpenSSL</a> library, which provides -Strong Encryption using the Secure Sockets Layer and Transport Layer -Security protocols. The module and this documentation are based on -Ralf S. Engelschall's mod_ssl project.</p> -</div> -<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#documentation">Documentation</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#mod-ssl">mod_ssl</a></li> -</ul></div> -<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="documentation" id="documentation">Documentation</a></h2> -<ul> -<li><a href="ssl_intro.html">Introduction</a></li> -<li><a href="ssl_compat.html">Compatibility</a></li> -<li><a href="ssl_howto.html">How-To</a></li> -<li><a href="ssl_faq.html">Frequently Asked Questions</a></li> -<li><a href="../glossary.html">Glossary</a></li> -</ul> -</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="mod-ssl" id="mod-ssl">mod_ssl</a></h2> -<p>Extensive documentation on the directives and environment variables -provided by this module is provided in the <a href="../mod/mod_ssl.html">mod_ssl reference documentation</a>. -</p> -</div></div> -<div class="bottomlang"> -<p><span>Available Languages: </span><a href="../en/ssl/" title="English"> en </a> | -<a href="../ja/ssl/" hreflang="ja" rel="alternate" title="Japanese"> ja </a> | -<a href="../tr/ssl/" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p> -</div><div id="footer"> -<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> -<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div> -</body></html>
\ No newline at end of file diff --git a/rubbos/app/apache2/manual/ssl/index.html.ja.utf8 b/rubbos/app/apache2/manual/ssl/index.html.ja.utf8 deleted file mode 100644 index f8d893b8..00000000 --- a/rubbos/app/apache2/manual/ssl/index.html.ja.utf8 +++ /dev/null @@ -1,61 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml" lang="ja" xml:lang="ja"><head><!-- - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - This file is generated from xml source: DO NOT EDIT - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - --> -<title>Apache ã® SSL/TLS æå·å - Apache HTTP ãµãŒã</title> -<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> -<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> -<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /> -<link href="../images/favicon.ico" rel="shortcut icon" /></head> -<body id="manual-page"><div id="page-header"> -<p class="menu"><a href="../mod/">ã¢ãžã¥ãŒã«</a> | <a href="../mod/directives.html">ãã£ã¬ã¯ãã£ã</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">çšèª</a> | <a href="../sitemap.html">ãµã€ãããã</a></p> -<p class="apache">Apache HTTP ãµãŒã ããŒãžã§ã³ 2.0</p> -<img alt="" src="../images/feather.gif" /></div> -<div class="up"><a href="../"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> -<div id="path"> -<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP ãµãŒã</a> > <a href="http://httpd.apache.org/docs/">ããã¥ã¡ã³ããŒã·ã§ã³</a> > <a href="../">ããŒãžã§ã³ 2.0</a></div><div id="page-content"><div id="preamble"><h1>Apache ã® SSL/TLS æå·å</h1> -<div class="toplang"> -<p><span>Available Languages: </span><a href="../en/ssl/" hreflang="en" rel="alternate" title="English"> en </a> | -<a href="../ja/ssl/" title="Japanese"> ja </a> | -<a href="../tr/ssl/" hreflang="tr" rel="alternate" title="TÃŒrkçe"> tr </a></p> -</div> - -<p>Apache HTTP ãµãŒãã¢ãžã¥ãŒã« <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> ã -<a href="http://www.openssl.org/">OpenSSL</a> -ã©ã€ãã©ãªãžã®ã€ã³ã¿ãŒãã§ãŒã¹ãæäŸããŠããŸããããã㯠-Secure Sockts Layer ãš Transport Layer Security -ãããã³ã«ãçšãã匷åãªæå·åãæäŸããŸãã -ãã®ã¢ãžã¥ãŒã«ããã®ææžã¯ Ralf S. Engelschall ã® mod_ssl -ãããžã§ã¯ãã«åºã¥ããŠããŸãã</p> -</div> -<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#documentation">Documentation</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#mod-ssl">mod_ssl</a></li> -</ul></div> -<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="documentation" id="documentation">Documentation</a></h2> -<ul> -<li><a href="ssl_intro.html">ã¯ããã«</a></li> -<li><a href="ssl_compat.html">äºææ§</a></li> -<li><a href="ssl_howto.html">How-To</a></li> -<li><a href="ssl_faq.html">ãããã質å</a></li> -<li><a href="../glossary.html">çšèª</a></li> -</ul> -</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="mod-ssl" id="mod-ssl">mod_ssl</a></h2> -<p>ãã®ã¢ãžã¥ãŒã«ã§æäŸããããã£ã¬ã¯ãã£ããç°å¢å€æ°ã«é¢ãã -詳ããææžã¯ã<a href="../mod/mod_ssl.html">mod_ssl -ãªãã¡ã¬ã³ã¹</a>ãã芧äžããã</p> -</div></div> -<div class="bottomlang"> -<p><span>Available Languages: </span><a href="../en/ssl/" hreflang="en" rel="alternate" title="English"> en </a> | -<a href="../ja/ssl/" title="Japanese"> ja </a> | -<a href="../tr/ssl/" hreflang="tr" rel="alternate" title="TÃŒrkçe"> tr </a></p> -</div><div id="footer"> -<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> -<p class="menu"><a href="../mod/">ã¢ãžã¥ãŒã«</a> | <a href="../mod/directives.html">ãã£ã¬ã¯ãã£ã</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">çšèª</a> | <a href="../sitemap.html">ãµã€ãããã</a></p></div> -</body></html>
\ No newline at end of file diff --git a/rubbos/app/apache2/manual/ssl/index.html.tr.utf8 b/rubbos/app/apache2/manual/ssl/index.html.tr.utf8 deleted file mode 100644 index 1f673957..00000000 --- a/rubbos/app/apache2/manual/ssl/index.html.tr.utf8 +++ /dev/null @@ -1,59 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml" lang="tr" xml:lang="tr"><head><!-- - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - This file is generated from xml source: DO NOT EDIT - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - --> -<title>Apache SSL/TLS Åifrelemesi - Apache HTTP Sunucusu</title> -<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> -<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> -<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /> -<link href="../images/favicon.ico" rel="shortcut icon" /></head> -<body id="manual-page"><div id="page-header"> -<p class="menu"><a href="../mod/">ModÃŒller</a> | <a href="../mod/directives.html">Yönergeler</a> | <a href="../faq/">SSS</a> | <a href="../glossary.html">Terimler</a> | <a href="../sitemap.html">Site Haritası</a></p> -<p class="apache">Apache HTTP Sunucusu SÃŒrÃŒm 2.0</p> -<img alt="" src="../images/feather.gif" /></div> -<div class="up"><a href="../"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> -<div id="path"> -<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Sunucusu</a> > <a href="http://httpd.apache.org/docs/">Belgeleme</a> > <a href="../">SÃŒrÃŒm 2.0</a></div><div id="page-content"><div id="preamble"><h1>Apache SSL/TLS Åifrelemesi</h1> -<div class="toplang"> -<p><span>Mevcut Diller: </span><a href="../en/ssl/" hreflang="en" rel="alternate" title="English"> en </a> | -<a href="../ja/ssl/" hreflang="ja" rel="alternate" title="Japanese"> ja </a> | -<a href="../tr/ssl/" title="TÃŒrkçe"> tr </a></p> -</div> - - <p>Apache HTTP Sunucusunun <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> modÃŒlÃŒ, GÃŒvenli Soketler - Katmanı (SSL) ve Aktarım Katmanı GÃŒvenliÄi (TLS) protokollerinin - kullanıldıÄı SaÄlam Åifreleme desteÄini saÄlayan <a href="http://www.openssl.org/">OpenSSL</a> kÃŒtÃŒphanesine bir arayÃŒz - içerir. Bu modÃŒl ve belgeler Ralf S. Engelschallâın mod_ssl projesine - dayanmaktadır.</p> -</div> -<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#documentation">Belgeler</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#mod-ssl"><code>mod_ssl</code> ModÃŒlÃŒ</a></li> -</ul></div> -<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="documentation" id="documentation">Belgeler</a></h2> - <ul> - <li><a href="ssl_intro.html">GiriÅ</a></li> - <li><a href="ssl_compat.html">Uyumluluk</a></li> - <li><a href="ssl_howto.html">NASIL</a></li> - <li><a href="ssl_faq.html">Sıkça Sorulan Sorular</a></li> - <li><a href="../glossary.html">Terimler</a></li> - </ul> -</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="mod-ssl" id="mod-ssl"><code>mod_ssl</code> ModÃŒlÃŒ</a></h2> - <p>Bu modÃŒlce saÄlanan yönergeler ve ortam deÄiÅkenleri - <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> baÅvuru kılavuzunda ayrıntılı olarak - açıklanmıÅtır.</p> -</div></div> -<div class="bottomlang"> -<p><span>Mevcut Diller: </span><a href="../en/ssl/" hreflang="en" rel="alternate" title="English"> en </a> | -<a href="../ja/ssl/" hreflang="ja" rel="alternate" title="Japanese"> ja </a> | -<a href="../tr/ssl/" title="TÃŒrkçe"> tr </a></p> -</div><div id="footer"> -<p class="apache">Copyright 2009 The Apache Software Foundation.<br /><a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a> altında lisanslıdır.</p> -<p class="menu"><a href="../mod/">ModÃŒller</a> | <a href="../mod/directives.html">Yönergeler</a> | <a href="../faq/">SSS</a> | <a href="../glossary.html">Terimler</a> | <a href="../sitemap.html">Site Haritası</a></p></div> -</body></html>
\ No newline at end of file diff --git a/rubbos/app/apache2/manual/ssl/ssl_compat.html b/rubbos/app/apache2/manual/ssl/ssl_compat.html deleted file mode 100644 index eb43a0be..00000000 --- a/rubbos/app/apache2/manual/ssl/ssl_compat.html +++ /dev/null @@ -1,5 +0,0 @@ -# GENERATED FROM XML -- DO NOT EDIT - -URI: ssl_compat.html.en -Content-Language: en -Content-type: text/html; charset=ISO-8859-1 diff --git a/rubbos/app/apache2/manual/ssl/ssl_compat.html.en b/rubbos/app/apache2/manual/ssl/ssl_compat.html.en deleted file mode 100644 index 9a0dbfcf..00000000 --- a/rubbos/app/apache2/manual/ssl/ssl_compat.html.en +++ /dev/null @@ -1,233 +0,0 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!-- - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - This file is generated from xml source: DO NOT EDIT - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - --> -<title>SSL/TLS Strong Encryption: Compatibility - Apache HTTP Server</title> -<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> -<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> -<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /> -<link href="../images/favicon.ico" rel="shortcut icon" /></head> -<body id="manual-page"><div id="page-header"> -<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p> -<p class="apache">Apache HTTP Server Version 2.0</p> -<img alt="" src="../images/feather.gif" /></div> -<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> -<div id="path"> -<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.0</a> > <a href="./">SSL/TLS</a></div><div id="page-content"><div id="preamble"><h1>SSL/TLS Strong Encryption: Compatibility</h1> -<div class="toplang"> -<p><span>Available Languages: </span><a href="../en/ssl/ssl_compat.html" title="English"> en </a></p> -</div> - -<blockquote> -<p>All PCs are compatible. But some of -them are more compatible than others.</p> -<p class="cite">-- <cite>Unknown</cite></p> -</blockquote> - -<p> -Here we talk about backward compatibility to other SSL solutions. As you -perhaps know, mod_ssl is not the only existing SSL solution for Apache. -Actually there are four additional major products available on the market: Ben -Laurie's freely available <a href="http://www.apache-ssl.org/">Apache-SSL</a> -(from where mod_ssl were originally derived in 1998), Red Hat's commercial <a href="http://www.redhat.com/products/product-details.phtml?id=rhsa">Secure Web -Server</a> (which is based on mod_ssl), Covalent's commercial <a href="http://raven.covalent.net/">Raven SSL Module</a> (also based on mod_ssl) -and finally C2Net's commercial product <a href="http://www.c2.net/products/stronghold/">Stronghold</a> (based on a -different evolution branch named Sioux up to Stronghold 2.x and based on -mod_ssl since Stronghold 3.x).</p> - -<p> -The idea in mod_ssl is mainly the following: because mod_ssl provides mostly a -superset of the functionality of all other solutions we can easily provide -backward compatibility for most of the cases. Actually there are three -compatibility areas we currently address: configuration directives, -environment variables and custom log functions.</p> -</div> -<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#configuration">Configuration Directives</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#variables">Environment Variables</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#customlog">Custom Log Functions</a></li> -</ul></div> -<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="configuration" id="configuration">Configuration Directives</a></h2> -<p>For backward compatibility to the configuration directives of other SSL -solutions we do an on-the-fly mapping: directives which have a direct -counterpart in mod_ssl are mapped silently while other directives lead to a -warning message in the logfiles. The currently implemented directive mapping -is listed in <a href="#table1">Table 1</a>. Currently full backward -compatibility is provided only for Apache-SSL 1.x and mod_ssl 2.0.x. -Compatibility to Sioux 1.x and Stronghold 2.x is only partial because of -special functionality in these interfaces which mod_ssl (still) doesn't -provide.</p> - - -<h3><a name="table1" id="table1">Table 1: Configuration Directive Mapping</a></h3> - -<table><tr class="header"><th>Old Directive</th><th>mod_ssl Directive</th><th>Comment</th></tr> -<tr class="header"><th colspan="3">Apache-SSL 1.x & mod_ssl 2.0.x compatibility:</th></tr> -<tr><td><code>SSLEnable</code></td><td><code>SSLEngine on</code></td><td>compactified</td></tr> -<tr class="odd"><td><code>SSLDisable</code></td><td><code>SSLEngine off</code></td><td>compactified</td></tr> -<tr><td><code>SSLLogFile</code> <em>file</em></td><td><code>SSLLog</code> <em>file</em></td><td>compactified</td></tr> -<tr class="odd"><td><code>SSLRequiredCiphers</code> <em>spec</em></td><td><code>SSLCipherSuite</code> <em>spec</em></td><td>renamed</td></tr> -<tr><td><code>SSLRequireCipher</code> <em>c1</em> ...</td><td><code>SSLRequire %{SSL_CIPHER} in {"</code><em>c1</em><code>", -...}</code></td><td>generalized</td></tr> -<tr class="odd"><td><code>SSLBanCipher</code> <em>c1</em> ...</td><td><code>SSLRequire not (%{SSL_CIPHER} in {"</code><em>c1</em><code>", -...})</code></td><td>generalized</td></tr> -<tr><td><code>SSLFakeBasicAuth</code></td><td><code>SSLOptions +FakeBasicAuth</code></td><td>merged</td></tr> -<tr class="odd"><td><code>SSLCacheServerPath</code> <em>dir</em></td><td>-</td><td>functionality removed</td></tr> -<tr><td><code>SSLCacheServerPort</code> <em>integer</em></td><td>-</td><td>functionality removed</td></tr> -<tr class="header"><th colspan="3">Apache-SSL 1.x compatibility:</th></tr> -<tr class="odd"><td><code>SSLExportClientCertificates</code></td><td><code>SSLOptions +ExportCertData</code></td><td>merged</td></tr> -<tr><td><code>SSLCacheServerRunDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> -<tr class="header"><th colspan="3">Sioux 1.x compatibility:</th></tr> -<tr class="odd"><td><code>SSL_CertFile</code> <em>file</em></td><td><code>SSLCertificateFile</code> <em>file</em></td><td>renamed</td></tr> -<tr><td><code>SSL_KeyFile</code> <em>file</em></td><td><code>SSLCertificateKeyFile</code> <em>file</em></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_CipherSuite</code> <em>arg</em></td><td><code>SSLCipherSuite</code> <em>arg</em></td><td>renamed</td></tr> -<tr><td><code>SSL_X509VerifyDir</code> <em>arg</em></td><td><code>SSLCACertificatePath</code> <em>arg</em></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_Log</code> <em>file</em></td><td><code>SSLLogFile</code> <em>file</em></td><td>renamed</td></tr> -<tr><td><code>SSL_Connect</code> <em>flag</em></td><td><code>SSLEngine</code> <em>flag</em></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_ClientAuth</code> <em>arg</em></td><td><code>SSLVerifyClient</code> <em>arg</em></td><td>renamed</td></tr> -<tr><td><code>SSL_X509VerifyDepth</code> <em>arg</em></td><td><code>SSLVerifyDepth</code> <em>arg</em></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_FetchKeyPhraseFrom</code> <em>arg</em></td><td>-</td><td>not directly mappable; use SSLPassPhraseDialog</td></tr> -<tr><td><code>SSL_SessionDir</code> <em>dir</em></td><td>-</td><td>not directly mappable; use SSLSessionCache</td></tr> -<tr class="odd"><td><code>SSL_Require</code> <em>expr</em></td><td>-</td><td>not directly mappable; use SSLRequire</td></tr> -<tr><td><code>SSL_CertFileType</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr> -<tr class="odd"><td><code>SSL_KeyFileType</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr> -<tr><td><code>SSL_X509VerifyPolicy</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr> -<tr class="odd"><td><code>SSL_LogX509Attributes</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr> -<tr class="header"><th colspan="3">Stronghold 2.x compatibility:</th></tr> -<tr><td><code>StrongholdAccelerator</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> -<tr class="odd"><td><code>StrongholdKey</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> -<tr><td><code>StrongholdLicenseFile</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> -<tr class="odd"><td><code>SSLFlag</code> <em>flag</em></td><td><code>SSLEngine</code> <em>flag</em></td><td>renamed</td></tr> -<tr><td><code>SSLSessionLockFile</code> <em>file</em></td><td><code>SSLMutex</code> <em>file</em></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSLCipherList</code> <em>spec</em></td><td><code>SSLCipherSuite</code> <em>spec</em></td><td>renamed</td></tr> -<tr><td><code>RequireSSL</code></td><td><code>SSLRequireSSL</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSLErrorFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr> -<tr><td><code>SSLRoot</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> -<tr class="odd"><td><code>SSL_CertificateLogDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> -<tr><td><code>AuthCertDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> -<tr class="odd"><td><code>SSL_Group</code> <em>name</em></td><td>-</td><td>functionality not supported</td></tr> -<tr><td><code>SSLProxyMachineCertPath</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> -<tr class="odd"><td><code>SSLProxyMachineCertFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr> -<tr><td><code>SSLProxyCACertificatePath</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> -<tr class="odd"><td><code>SSLProxyCACertificateFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr> -<tr><td><code>SSLProxyVerifyDepth</code> <em>number</em></td><td>-</td><td>functionality not supported</td></tr> -<tr class="odd"><td><code>SSLProxyCipherList</code> <em>spec</em></td><td>-</td><td>functionality not supported</td></tr> -</table> - -</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="variables" id="variables">Environment Variables</a></h2> -<p>When you use ``<code>SSLOptions +CompatEnvVars</code>'' additional environment -variables are generated. They all correspond to existing official mod_ssl -variables. The currently implemented variable derivation is listed in <a href="#table2">Table 2</a>.</p> - -<h3><a name="table2" id="table2">Table 2: Environment Variable Derivation</a></h3> - -<table><tr class="header"><th>Old Variable</th><th>mod_ssl Variable</th><th>Comment</th></tr> -<tr><td><code>SSL_PROTOCOL_VERSION</code></td><td><code>SSL_PROTOCOL</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSLEAY_VERSION</code></td><td><code>SSL_VERSION_LIBRARY</code></td><td>renamed</td></tr> -<tr><td><code>HTTPS_SECRETKEYSIZE</code></td><td><code>SSL_CIPHER_USEKEYSIZE</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>HTTPS_KEYSIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr> -<tr><td><code>HTTPS_CIPHER</code></td><td><code>SSL_CIPHER</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>HTTPS_EXPORT</code></td><td><code>SSL_CIPHER_EXPORT</code></td><td>renamed</td></tr> -<tr><td><code>SSL_SERVER_KEY_SIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_SERVER_CERTIFICATE</code></td><td><code>SSL_SERVER_CERT</code></td><td>renamed</td></tr> -<tr><td><code>SSL_SERVER_CERT_START</code></td><td><code>SSL_SERVER_V_START</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_SERVER_CERT_END</code></td><td><code>SSL_SERVER_V_END</code></td><td>renamed</td></tr> -<tr><td><code>SSL_SERVER_CERT_SERIAL</code></td><td><code>SSL_SERVER_M_SERIAL</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_SERVER_SIGNATURE_ALGORITHM</code></td><td><code>SSL_SERVER_A_SIG</code></td><td>renamed</td></tr> -<tr><td><code>SSL_SERVER_DN</code></td><td><code>SSL_SERVER_S_DN</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_SERVER_CN</code></td><td><code>SSL_SERVER_S_DN_CN</code></td><td>renamed</td></tr> -<tr><td><code>SSL_SERVER_EMAIL</code></td><td><code>SSL_SERVER_S_DN_Email</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_SERVER_O</code></td><td><code>SSL_SERVER_S_DN_O</code></td><td>renamed</td></tr> -<tr><td><code>SSL_SERVER_OU</code></td><td><code>SSL_SERVER_S_DN_OU</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_SERVER_C</code></td><td><code>SSL_SERVER_S_DN_C</code></td><td>renamed</td></tr> -<tr><td><code>SSL_SERVER_SP</code></td><td><code>SSL_SERVER_S_DN_SP</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_SERVER_L</code></td><td><code>SSL_SERVER_S_DN_L</code></td><td>renamed</td></tr> -<tr><td><code>SSL_SERVER_IDN</code></td><td><code>SSL_SERVER_I_DN</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_SERVER_ICN</code></td><td><code>SSL_SERVER_I_DN_CN</code></td><td>renamed</td></tr> -<tr><td><code>SSL_SERVER_IEMAIL</code></td><td><code>SSL_SERVER_I_DN_Email</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_SERVER_IO</code></td><td><code>SSL_SERVER_I_DN_O</code></td><td>renamed</td></tr> -<tr><td><code>SSL_SERVER_IOU</code></td><td><code>SSL_SERVER_I_DN_OU</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_SERVER_IC</code></td><td><code>SSL_SERVER_I_DN_C</code></td><td>renamed</td></tr> -<tr><td><code>SSL_SERVER_ISP</code></td><td><code>SSL_SERVER_I_DN_SP</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_SERVER_IL</code></td><td><code>SSL_SERVER_I_DN_L</code></td><td>renamed</td></tr> -<tr><td><code>SSL_CLIENT_CERTIFICATE</code></td><td><code>SSL_CLIENT_CERT</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_CLIENT_CERT_START</code></td><td><code>SSL_CLIENT_V_START</code></td><td>renamed</td></tr> -<tr><td><code>SSL_CLIENT_CERT_END</code></td><td><code>SSL_CLIENT_V_END</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_CLIENT_CERT_SERIAL</code></td><td><code>SSL_CLIENT_M_SERIAL</code></td><td>renamed</td></tr> -<tr><td><code>SSL_CLIENT_SIGNATURE_ALGORITHM</code></td><td><code>SSL_CLIENT_A_SIG</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_CLIENT_DN</code></td><td><code>SSL_CLIENT_S_DN</code></td><td>renamed</td></tr> -<tr><td><code>SSL_CLIENT_CN</code></td><td><code>SSL_CLIENT_S_DN_CN</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_CLIENT_EMAIL</code></td><td><code>SSL_CLIENT_S_DN_Email</code></td><td>renamed</td></tr> -<tr><td><code>SSL_CLIENT_O</code></td><td><code>SSL_CLIENT_S_DN_O</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_CLIENT_OU</code></td><td><code>SSL_CLIENT_S_DN_OU</code></td><td>renamed</td></tr> -<tr><td><code>SSL_CLIENT_C</code></td><td><code>SSL_CLIENT_S_DN_C</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_CLIENT_SP</code></td><td><code>SSL_CLIENT_S_DN_SP</code></td><td>renamed</td></tr> -<tr><td><code>SSL_CLIENT_L</code></td><td><code>SSL_CLIENT_S_DN_L</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_CLIENT_IDN</code></td><td><code>SSL_CLIENT_I_DN</code></td><td>renamed</td></tr> -<tr><td><code>SSL_CLIENT_ICN</code></td><td><code>SSL_CLIENT_I_DN_CN</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_CLIENT_IEMAIL</code></td><td><code>SSL_CLIENT_I_DN_Email</code></td><td>renamed</td></tr> -<tr><td><code>SSL_CLIENT_IO</code></td><td><code>SSL_CLIENT_I_DN_O</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_CLIENT_IOU</code></td><td><code>SSL_CLIENT_I_DN_OU</code></td><td>renamed</td></tr> -<tr><td><code>SSL_CLIENT_IC</code></td><td><code>SSL_CLIENT_I_DN_C</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_CLIENT_ISP</code></td><td><code>SSL_CLIENT_I_DN_SP</code></td><td>renamed</td></tr> -<tr><td><code>SSL_CLIENT_IL</code></td><td><code>SSL_CLIENT_I_DN_L</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_EXPORT</code></td><td><code>SSL_CIPHER_EXPORT</code></td><td>renamed</td></tr> -<tr><td><code>SSL_KEYSIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_SECKEYSIZE</code></td><td><code>SSL_CIPHER_USEKEYSIZE</code></td><td>renamed</td></tr> -<tr><td><code>SSL_SSLEAY_VERSION</code></td><td><code>SSL_VERSION_LIBRARY</code></td><td>renamed</td></tr> -<tr class="odd"><td><code>SSL_STRONG_CRYPTO</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr><td><code>SSL_SERVER_KEY_EXP</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr class="odd"><td><code>SSL_SERVER_KEY_ALGORITHM</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr><td><code>SSL_SERVER_KEY_SIZE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr class="odd"><td><code>SSL_SERVER_SESSIONDIR</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr><td><code>SSL_SERVER_CERTIFICATELOGDIR</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr class="odd"><td><code>SSL_SERVER_CERTFILE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr><td><code>SSL_SERVER_KEYFILE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr class="odd"><td><code>SSL_SERVER_KEYFILETYPE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr><td><code>SSL_CLIENT_KEY_EXP</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr class="odd"><td><code>SSL_CLIENT_KEY_ALGORITHM</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr><td><code>SSL_CLIENT_KEY_SIZE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -</table> - -</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="customlog" id="customlog">Custom Log Functions</a></h2> -<p> -When mod_ssl is built into Apache or at least loaded (under DSO situation) -additional functions exist for the <a href="../mod/mod_log_config.html#formats">Custom Log Format</a> of -<code class="module"><a href="../mod/mod_log_config.html">mod_log_config</a></code> as documented in the Reference -Chapter. Beside the ``<code>%{</code><em>varname</em><code>}x</code>'' -eXtension format function which can be used to expand any variables provided -by any module, an additional Cryptography -``<code>%{</code><em>name</em><code>}c</code>'' cryptography format function -exists for backward compatibility. The currently implemented function calls -are listed in <a href="#table3">Table 3</a>.</p> - -<h3><a name="table3" id="table3">Table 3: Custom Log Cryptography Function</a></h3> - -<table> - -<tr><th>Function Call</th><th>Description</th></tr> - -<tr><td><code>%...{version}c</code></td> <td>SSL protocol version</td></tr> -<tr><td><code>%...{cipher}c</code></td> <td>SSL cipher</td></tr> -<tr><td><code>%...{subjectdn}c</code></td> <td>Client Certificate Subject Distinguished Name</td></tr> -<tr><td><code>%...{issuerdn}c</code></td> <td>Client Certificate Issuer Distinguished Name</td></tr> -<tr><td><code>%...{errcode}c</code></td> <td>Certificate Verification Error (numerical)</td></tr> - -<tr><td><code>%...{errstr}c</code></td> <td>Certificate Verification Error (string)</td></tr> -</table> - -</div></div> -<div class="bottomlang"> -<p><span>Available Languages: </span><a href="../en/ssl/ssl_compat.html" title="English"> en </a></p> -</div><div id="footer"> -<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> -<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div> -</body></html>
\ No newline at end of file diff --git a/rubbos/app/apache2/manual/ssl/ssl_faq.html b/rubbos/app/apache2/manual/ssl/ssl_faq.html deleted file mode 100644 index ce1cf81d..00000000 --- a/rubbos/app/apache2/manual/ssl/ssl_faq.html +++ /dev/null @@ -1,5 +0,0 @@ -# GENERATED FROM XML -- DO NOT EDIT - -URI: ssl_faq.html.en -Content-Language: en -Content-type: text/html; charset=ISO-8859-1 diff --git a/rubbos/app/apache2/manual/ssl/ssl_faq.html.en b/rubbos/app/apache2/manual/ssl/ssl_faq.html.en deleted file mode 100644 index 16801dd6..00000000 --- a/rubbos/app/apache2/manual/ssl/ssl_faq.html.en +++ /dev/null @@ -1,1043 +0,0 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!-- - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - This file is generated from xml source: DO NOT EDIT - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - --> -<title>SSL/TLS Strong Encryption: FAQ - Apache HTTP Server</title> -<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> -<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> -<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /> -<link href="../images/favicon.ico" rel="shortcut icon" /></head> -<body id="manual-page"><div id="page-header"> -<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p> -<p class="apache">Apache HTTP Server Version 2.0</p> -<img alt="" src="../images/feather.gif" /></div> -<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> -<div id="path"> -<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.0</a> > <a href="./">SSL/TLS</a></div><div id="page-content"><div id="preamble"><h1>SSL/TLS Strong Encryption: FAQ</h1> -<div class="toplang"> -<p><span>Available Languages: </span><a href="../en/ssl/ssl_faq.html" title="English"> en </a></p> -</div> - -<blockquote> -<p>The wise man doesn't give the right answers, -he poses the right questions.</p> -<p class="cite">-- <cite>Claude Levi-Strauss</cite></p> - -</blockquote> -<p>This chapter is a collection of frequently asked questions (FAQ) and -corresponding answers following the popular USENET tradition. Most of these -questions occurred on the Newsgroup <code><a href="news:comp.infosystems.www.servers.unix">comp.infosystems.www.servers.unix</a></code> or the mod_ssl Support -Mailing List <code><a href="mailto:modssl-users@modssl.org">modssl-users@modssl.org</a></code>. They are collected at this place -to avoid answering the same questions over and over.</p> - -<p>Please read this chapter at least once when installing mod_ssl or at least -search for your problem here before submitting a problem report to the -author.</p> -</div> -<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#about">About The Module</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#installation">Installation</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#aboutconfig">Configuration</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#aboutcerts">Certificates</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#aboutssl">The SSL Protocol</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#support">mod_ssl Support</a></li> -</ul></div> -<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="about" id="about">About The Module</a></h2> -<ul> -<li><a href="#history">What is the history of mod_ssl?</a></li> -<li><a href="#wassenaar">mod_ssl and Wassenaar Arrangement?</a></li> -</ul> - -<h3><a name="history" id="history">What is the history of mod_ssl?</a></h3> -<p>The mod_ssl v1 package was initially created in April 1998 by <a href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> via porting <a href="mailto:ben@algroup.co.uk">Ben Laurie</a>'s <a href="http://www.apache-ssl.org/">Apache-SSL</a> 1.17 source patches for - Apache 1.2.6 to Apache 1.3b6. Because of conflicts with Ben - Laurie's development cycle it then was re-assembled from scratch for - Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL - 1.18. From this point on mod_ssl lived its own life as mod_ssl v2. The - first publicly released version was mod_ssl 2.0.0 from August 10th, - 1998. </p> - - <p>After US export restrictions on cryptographic software were - loosened, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> became part of the Apache HTTP - Server with the release of Apache httpd 2.</p> - - -<h3><a name="wassenaar" id="wassenaar">Is mod_ssl affected by the Wassenaar Arrangement?</a></h3> -<p>First, let us explain what <dfn>Wassenaar</dfn> and its <dfn>Arrangement on - Export Controls for Conventional Arms and Dual-Use Goods and - Technologies</dfn> is: This is a international regime, established in 1995, to - control trade in conventional arms and dual-use goods and technology. It - replaced the previous <dfn>CoCom</dfn> regime. Further details on - both the Arrangement and its signatories are available at <a href="http://www.wassenaar.org/">http://www.wassenaar.org/</a>.</p> - - <p>In short, the aim of the Wassenaar Arrangement is to prevent the build up - of military capabilities that threaten regional and international security - and stability. The Wassenaar Arrangement controls the export of - cryptography as a dual-use good, that is, something that has both military and - civilian applications. However, the Wassenaar Arrangement also provides an - exemption from export controls for mass-market software and free software.</p> - - <p>In the current Wassenaar <cite>List of Dual Use Goods and Technologies And - Munitions</cite>, under <q>GENERAL SOFTWARE NOTE (GSN)</q> it says - <q>The Lists do not control "software" which is either: 1. [...] 2. "in - the public domain".</q> And under <q>DEFINITIONS OF TERMS USED IN - THESE LISTS</q> we find <q>In the public - domain</q> defined as <q>"technology" or "software" which has been made - available without restrictions upon its further dissemination. Note: - Copyright restrictions do not remove "technology" or "software" from being - "in the public domain".</q></p> - - <p>So, both mod_ssl and OpenSSL are <q>in the public domain</q> for the purposes - of the Wassenaar Arrangement and its <q>List of Dual Use Goods and - Technologies And Munitions List</q>, and thus not affected by its provisions.</p> - - -</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="installation" id="installation">Installation</a></h2> -<ul> -<li><a href="#mutex">Why do I get permission errors related to -SSLMutex when I start Apache?</a></li> -<li><a href="#entropy">Why does mod_ssl stop with the error "Failed to -generate temporary 512 bit RSA private key" when I start Apache?</a></li> -</ul> - -<h3><a name="mutex" id="mutex">Why do I get permission errors related to - SSLMutex when I start Apache?</a></h3> - <p>Errors such as ``<code>mod_ssl: Child could not open - SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows) - [...] System: Permission denied (errno: 13)</code>'' are usually - caused by overly restrictive permissions on the <em>parent</em> directories. - Make sure that all parent directories (here <code>/opt</code>, - <code>/opt/apache</code> and <code>/opt/apache/logs</code>) have the x-bit - set for, at minimum, the UID under which Apache's children are running (see - the <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> directive).</p> - - -<h3><a name="entropy" id="entropy">Why does mod_ssl stop with the error - "Failed to generate temporary 512 bit RSA private key" when I start - Apache?</a></h3> - <p>Cryptographic software needs a source of unpredictable data - to work correctly. Many open source operating systems provide - a "randomness device" that serves this purpose (usually named - <code>/dev/random</code>). On other systems, applications have to - seed the OpenSSL Pseudo Random Number Generator (PRNG) manually with - appropriate data before generating keys or performing public key - encryption. As of version 0.9.5, the OpenSSL functions that need - randomness report an error if the PRNG has not been seeded with - at least 128 bits of randomness.</p> - <p>To prevent this error, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> has to provide - enough entropy to the PRNG to allow it to work correctly. This can - be done via the <code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code> - directive.</p> - -</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="aboutconfig" id="aboutconfig">Configuration</a></h2> -<ul> -<li><a href="#parallel">Is it possible to provide HTTP and HTTPS from -the same server?</a></li> -<li><a href="#ports">Which port does HTTPS use?</a></li> -<li><a href="#httpstest">How do I speak HTTPS manually for testing -purposes?</a></li> -<li><a href="#hang">Why does the connection hang when I connect to my -SSL-aware Apache server?</a></li> -<li><a href="#refused">Why do I get ``Connection Refused'' errors, when -trying to access my newly installed Apache+mod_ssl server via HTTPS?</a></li> -<li><a href="#envvars">Why are the <code>SSL_XXX</code> variables not -available to my CGI & SSI scripts?</a></li> -<li><a href="#relative">How can I switch between HTTP and HTTPS in -relative hyperlinks?</a></li> -</ul> - -<h3><a name="parallel" id="parallel">Is it possible to provide HTTP and HTTPS - from the same server?</a></h3> - <p>Yes. HTTP and HTTPS use different server ports (HTTP binds to - port 80, HTTPS to port 443), so there is no direct conflict between - them. You can either run two separate server instances bound to - these ports, or use Apache's elegant virtual hosting facility to - create two virtual servers, both served by the same instance of Apache - - one responding over HTTP to requests on port 80, and the other - responding over HTTPS to requests on port 443.</p> - - -<h3><a name="ports" id="ports">Which port does HTTPS use?</a></h3> -<p>You can run HTTPS on any port, but the standards specify port 443, which - is where any HTTPS compliant browser will look by default. You can force - your browser to look on a different port by specifying it in the URL. For - example, if your server is set up to serve pages over HTTPS on port 8080, - you can access them at <code>https://example.com:8080/</code></p> - - -<h3><a name="httpstest" id="httpstest">How do I speak HTTPS manually for testing purposes?</a></h3> - <p>While you usually just use</p> - - <div class="example"><p><code>$ telnet localhost 80<br /> - GET / HTTP/1.0</code></p></div> - - <p>for simple testing of Apache via HTTP, it's not so easy for - HTTPS because of the SSL protocol between TCP and HTTP. With the - help of OpenSSL's <code>s_client</code> command, however, you can - do a similar check via HTTPS:</p> - - <div class="example"><p><code>$ openssl s_client -connect localhost:443 -state -debug<br /> - GET / HTTP/1.0</code></p></div> - - <p>Before the actual HTTP response you will receive detailed - information about the SSL handshake. For a more general command - line client which directly understands both HTTP and HTTPS, can - perform GET and POST operations, can use a proxy, supports byte - ranges, etc. you should have a look at the nifty - <a href="http://curl.haxx.se/">cURL</a> tool. Using this, you can - check that Apache is responding correctly to requests via HTTP and - HTTPS as follows:</p> - - <div class="example"><p><code>$ curl http://localhost/<br /> - $ curl https://localhost/</code></p></div> - - -<h3><a name="hang" id="hang">Why does the connection hang when I connect - to my SSL-aware Apache server?</a></h3> - -<p>This can happen when you try to connect to a HTTPS server (or virtual - server) via HTTP (eg, using <code>http://example.com/</code> instead of - <code>https://example.com</code>). It can also happen when trying to - connect via HTTPS to a HTTP server (eg, using - <code>https://example.com/</code> on a server which doesn't support HTTPS, - or which supports it on a non-standard port). Make sure that you're - connecting to a (virtual) server that supports SSL.</p> - -<h3><a name="refused" id="refused">Why do I get ``Connection Refused'' messages, - when trying to access my newly installed Apache+mod_ssl server via HTTPS?</a></h3> -<p> - This error can be caused by an incorrect configuration. - Please make sure that your <code class="directive"><a href="../mod/mpm_common.html#listen">Listen</a></code> directives match your - <code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code> - directives. If all else fails, please start afresh, using the default - configuration provided by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.</p> - - -<h3><a name="envvars" id="envvars">Why are the <code>SSL_XXX</code> variables - not available to my CGI & SSI scripts?</a></h3> -<p>Please make sure you have ``<code>SSLOptions +StdEnvVars</code>'' - enabled for the context of your CGI/SSI requests.</p> - - -<h3><a name="relative" id="relative">How can I switch between HTTP and HTTPS in relative - hyperlinks?</a></h3> - -<p>Usually, to switch between HTTP and HTTPS, you have to use - fully-qualified hyperlinks (because you have to change the URL - scheme). Using <code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code> however, you can - manipulate relative hyperlinks, to achieve the same effect.</p> - <div class="example"><p><code> - RewriteEngine on<br /> - RewriteRule ^/(.*):SSL$ https://%{SERVER_NAME}/$1 [R,L]<br /> - RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [R,L] - </code></p></div> - - <p>This rewrite ruleset lets you use hyperlinks of the form - <code><a href="document.html:SSL"></code>, to switch to HTTPS - in a relative link. (Replace SSL with NOSSL to switch to HTTP.)</p> - -</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="aboutcerts" id="aboutcerts">Certificates</a></h2> -<ul> -<li><a href="#keyscerts">What are RSA Private Keys, CSRs and -Certificates?</a></li> -<li><a href="#startup">Is there a difference on startup between -a non-SSL-aware Apache and an SSL-aware Apache?</a></li> -<li><a href="#selfcert">How do I create a self-signed SSL -Certificate for testing purposes?</a></li> -<li><a href="#realcert">How do I create a real SSL Certificate?</a></li> -<li><a href="#ownca">How do I create and use my own Certificate -Authority (CA)?</a></li> -<li><a href="#passphrase">How can I change the pass-phrase on my private -key file?</a></li> -<li><a href="#removepassphrase">How can I get rid of the pass-phrase -dialog at Apache startup time?</a></li> -<li><a href="#verify">How do I verify that a private key matches its -Certificate?</a></li> -<li><a href="#badcert">Why do connections fail with an "alert bad -certificate" error?</a></li> -<li><a href="#keysize">Why does my 2048-bit private key not work?</a></li> -<li><a href="#hashsymlinks">Why is client authentication broken after -upgrading from SSLeay version 0.8 to 0.9?</a></li> -<li><a href="#pemder">How can I convert a certificate from PEM to DER -format?</a></li> -<li><a href="#verisign">Why can't I find the -<code>getca</code> or <code>getverisign</code> programs mentioned by -Verisign, for installing my Verisign certificate?</a></li> -<li><a href="#sgc">Can I use the Server Gated Cryptography (SGC) -facility (aka Verisign Global ID) with mod_ssl?</a></li> -<li><a href="#gid">Why do browsers complain that they cannot -verify my Verisign Global ID server certificate?</a></li> -</ul> - -<h3><a name="keyscerts" id="keyscerts">What are RSA Private Keys, CSRs and Certificates?</a></h3> -<p>An RSA private key file is a digital file that you can use to decrypt - messages sent to you. It has a public component which you distribute (via - your Certificate file) which allows people to encrypt those messages to - you.</p> - <p>A Certificate Signing Request (CSR) is a digital file which contains - your public key and your name. You send the CSR to a Certifying Authority - (CA), who will convert it into a real Certificate, by signing it.</p> - <p>A Certificate contains your - RSA public key, your name, the name of the CA, and is digitally signed by - the CA. Browsers that know the CA can verify the signature on that - Certificate, thereby obtaining your RSA public key. That enables them to - send messages which only you can decrypt.</p> - <p>See the <a href="ssl_intro.html">Introduction</a> chapter for a general - description of the SSL protocol.</p> - - -<h3><a name="startup" id="startup">Is there a difference on startup between - a non-SSL-aware Apache and an SSL-aware Apache?</a></h3> -<p>Yes. In general, starting Apache with - <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> built-in is just like starting Apache - without it. However, if you have a passphrase on your SSL private - key file, a startup dialog will pop up which asks you to enter the - pass phrase.</p> - - <p>Having to manually enter the passphrase when starting the server - can be problematic - for example, when starting the server from the - system boot scripts. In this case, you can follow the steps - <a href="#removepassphrase">below</a> to remove the passphrase from - your private key. Bear in mind that doing so brings additional security - risks - proceed with caution!</p> - - -<h3><a name="selfcert" id="selfcert">How do I create a self-signed SSL -Certificate for testing purposes?</a></h3> - <ol> - <li>Make sure OpenSSL is installed and in your <code>PATH</code>.<br /> - <br /> - </li> - <li>Run the following command, to create <code>server.key</code> and - <code>server.crt</code> files:<br /> - <code><strong>$ openssl req -new -x509 -nodes -out server.crt - -keyout server.key</strong></code><br /> - These can be used as follows in your <code>httpd.conf</code> - file: - <pre> - SSLCertificateFile /path/to/this/server.crt - SSLCertificateKeyFile /path/to/this/server.key - </pre> - </li> - <li>It is important that you are aware that this - <code>server.key</code> does <em>not</em> have any passphrase. - To add a passphrase to the key, you should run the following - command, and enter & verify the passphrase as requested.<br /> - <p><code><strong>$ openssl rsa -des3 -in server.key -out - server.key.new</strong></code><br /> - <code><strong>$ mv server.key.new server.key</strong></code><br /></p> - Please backup the <code>server.key</code> file, and the passphrase - you entered, in a secure location. - </li> - </ol> - - -<h3><a name="realcert" id="realcert">How do I create a real SSL Certificate?</a></h3> -<p>Here is a step-by-step description:</p> - <ol> - <li>Make sure OpenSSL is installed and in your <code>PATH</code>. - <br /> - <br /> - </li> - <li>Create a RSA private key for your Apache server - (will be Triple-DES encrypted and PEM formatted):<br /> - <br /> - <code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code><br /> - <br /> - Please backup this <code>server.key</code> file and the - pass-phrase you entered in a secure location. - You can see the details of this RSA private key by using the command:<br /> - - <br /> - <code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br /> - <br /> - If necessary, you can also create a decrypted PEM version (not - recommended) of this RSA private key with:<br /> - <br /> - <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br /> - <br /> - - </li> - <li>Create a Certificate Signing Request (CSR) with the server RSA private - key (output will be PEM formatted):<br /> - <br /> - <code><strong>$ openssl req -new -key server.key -out server.csr</strong></code><br /> - <br /> - Make sure you enter the FQDN ("Fully Qualified Domain Name") of the - server when OpenSSL prompts you for the "CommonName", i.e. when you - generate a CSR for a website which will be later accessed via - <code>https://www.foo.dom/</code>, enter "www.foo.dom" here. - You can see the details of this CSR by using<br /> - - <br /> - <code><strong>$ openssl req -noout -text -in server.csr</strong></code><br /> - <br /> - </li> - <li>You now have to send this Certificate Signing Request (CSR) to - a Certifying Authority (CA) to be signed. Once the CSR has been - signed, you will have a real Certificate, which can be used by - Apache. You can have a CSR signed by a commercial CA, or you can - create your own CA to sign it.<br /> - Commercial CAs usually ask you to post the CSR into a web form, - pay for the signing, and then send a signed Certificate, which - you can store in a server.crt file. For more information about - commercial CAs see the following locations:<br /> - <br /> - <ol> - <li> Verisign<br /> - <a href="http://digitalid.verisign.com/server/apacheNotice.htm"> - http://digitalid.verisign.com/server/apacheNotice.htm - </a> - </li> - <li> Thawte<br /> - <a href="http://www.thawte.com/">http://www.thawte.com/</a> - </li> - <li> CertiSign Certificadora Digital Ltda.<br /> - <a href="http://www.certisign.com.br"> - http://www.certisign.com.br - </a> - </li> - <li> IKS GmbH<br /> - <a href="http://www.iks-jena.de/leistungen/ca/"> - http://www.iks-jena.de/leistungen/ca/ - </a> - </li> - <li> Uptime Commerce Ltd.<br /> - <a href="http://www.uptimecommerce.com"> - http://www.uptimecommerce.com - </a> - </li> - <li> BelSign NV/SA<br /> - <a href="http://www.belsign.be"> - http://www.belsign.be - </a> - </li> - </ol> - - For details on how to create your own CA, and use this to sign - a CSR, see <a href="#ownca">below</a>.<br /> - - Once your CSR has been signed, you can see the details of the - Certificate as follows:<br /> - <br /> - <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br /> - - </li> - <li>You should now have two files: <code>server.key</code> and - <code>server.crt</code>. These can be used as follows in your - <code>httpd.conf</code> file: - <pre> - SSLCertificateFile /path/to/this/server.crt - SSLCertificateKeyFile /path/to/this/server.key - </pre> - The <code>server.csr</code> file is no longer needed. - </li> - - </ol> - - -<h3><a name="ownca" id="ownca">How do I create and use my own Certificate Authority (CA)?</a></h3> - <p>The short answer is to use the <code>CA.sh</code> or <code>CA.pl</code> - script provided by OpenSSL. Unless you have a good reason not to, - you should use these for preference. If you cannot, you can create a - self-signed Certificate as follows:</p> - - <ol> - <li>Create a RSA private key for your server - (will be Triple-DES encrypted and PEM formatted):<br /> - <br /> - <code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code><br /> - <br /> - Please backup this <code>host.key</code> file and the - pass-phrase you entered in a secure location. - You can see the details of this RSA private key by using the - command:<br /> - <code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br /> - <br /> - If necessary, you can also create a decrypted PEM version (not - recommended) of this RSA private key with:<br /> - <br /> - <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br /> - <br /> - </li> - <li>Create a self-signed Certificate (X509 structure) - with the RSA key you just created (output will be PEM formatted):<br /> - <br /> - <code><strong>$ openssl req -new -x509 -nodes -sha1 -days 365 - -key server.key -out server.crt</strong></code><br /> - <br /> - This signs the server CSR and results in a <code>server.crt</code> file.<br /> - You can see the details of this Certificate using:<br /> - <br /> - <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br /> - <br /> - </li> - </ol> - - -<h3><a name="passphrase" id="passphrase">How can I change the pass-phrase on my private key file?</a></h3> -<p>You simply have to read it with the old pass-phrase and write it again, - specifying the new pass-phrase. You can accomplish this with the following - commands:</p> - - - <p><code><strong>$ openssl rsa -des3 -in server.key -out server.key.new</strong></code><br /> - <code><strong>$ mv server.key.new server.key</strong></code><br /></p> - - <p>The first time you're asked for a PEM pass-phrase, you should - enter the old pass-phrase. After that, you'll be asked again to - enter a pass-phrase - this time, use the new pass-phrase. If you - are asked to verify the pass-phrase, you'll need to enter the new - pass-phrase a second time.</p> - - -<h3><a name="removepassphrase" id="removepassphrase">How can I get rid of the pass-phrase dialog at Apache startup time?</a></h3> -<p>The reason this dialog pops up at startup and every re-start - is that the RSA private key inside your server.key file is stored in - encrypted format for security reasons. The pass-phrase is needed to decrypt - this file, so it can be read and parsed. Removing the pass-phrase - removes a layer of security from your server - proceed with caution!</p> - <ol> - <li>Remove the encryption from the RSA private key (while - keeping a backup copy of the original file):<br /> - <br /> - <code><strong>$ cp server.key server.key.org</strong></code><br /> - <code><strong>$ openssl rsa -in server.key.org -out server.key</strong></code><br /> - - <br /> - </li> - <li>Make sure the server.key file is only readable by root:<br /> - <br /> - <code><strong>$ chmod 400 server.key</strong></code><br /> - <br /> - </li> - </ol> - - <p>Now <code>server.key</code> contains an unencrypted copy of the key. - If you point your server at this file, it will not prompt you for a - pass-phrase. HOWEVER, if anyone gets this key they will be able to - impersonate you on the net. PLEASE make sure that the permissions on this - file are such that only root or the web server user can read it - (preferably get your web server to start as root but run as another - user, and have the key readable only by root).</p> - - <p>As an alternative approach you can use the ``<code>SSLPassPhraseDialog - exec:/path/to/program</code>'' facility. Bear in mind that this is - neither more nor less secure, of course.</p> - - -<h3><a name="verify" id="verify">How do I verify that a private key matches its Certificate?</a></h3> -<p>A private key contains a series of numbers. Two of these numbers form - the "public key", the others are part of the "private key". The "public - key" bits are included when you generate a CSR, and subsequently form - part of the associated Certificate.</p> - <p>To check that the public key in your Certificate matches the public - portion of your private key, you simply need to compare these numbers. - To view the Certificate and the key run the commands:</p> - - <p><code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br /> - <code><strong>$ openssl rsa -noout -text -in server.key</strong></code></p> - - <p>The `modulus' and the `public exponent' portions in the key and the - Certificate must match. As the public exponent is usually 65537 - and it's difficult to visually check that the long modulus numbers - are the same, you can use the following approach:</p> - - <p><code><strong>$ openssl x509 -noout -modulus -in server.crt | openssl md5</strong></code><br /> - <code><strong>$ openssl rsa -noout -modulus -in server.key | openssl md5</strong></code></p> - - <p>This leaves you with two rather shorter numbers to compare. It is, - in theory, possible that these numbers may be the same, without the - modulus numbers being the same, but the chances of this are - overwhelmingly remote.</p> - <p>Should you wish to check to which key or certificate a particular - CSR belongs you can perform the same calculation on the CSR as - follows:</p> - - <p><code><strong>$ openssl req -noout -modulus -in server.csr | openssl md5</strong></code></p> - - -<h3><a name="badcert" id="badcert">Why do connections fail with an "alert -bad certificate" error?</a></h3> -<p>Errors such as <code>OpenSSL: error:14094412: SSL - routines:SSL3_READ_BYTES:sslv3 alert bad certificate</code> in the SSL - logfile, are usually caused by a browser which is unable to handle the server - certificate/private-key. For example, Netscape Navigator 3.x is - unable to handle RSA key lengths not equal to 1024 bits.</p> - - -<h3><a name="keysize" id="keysize">Why does my 2048-bit private key not work?</a></h3> -<p>The private key sizes for SSL must be either 512 or 1024 bits, for compatibility - with certain web browsers. A keysize of 1024 bits is recommended because - keys larger than 1024 bits are incompatible with some versions of Netscape - Navigator and Microsoft Internet Explorer, and with other browsers that - use RSA's BSAFE cryptography toolkit.</p> - - -<h3><a name="hashsymlinks" id="hashsymlinks">Why is client authentication broken after upgrading from -SSLeay version 0.8 to 0.9?</a></h3> -<p>The CA certificates under the path you configured with - <code>SSLCACertificatePath</code> are found by SSLeay through hash - symlinks. These hash values are generated by the `<code>openssl x509 -noout - -hash</code>' command. However, the algorithm used to calculate the hash for a - certificate changed between SSLeay 0.8 and 0.9. You will need to remove - all old hash symlinks and create new ones after upgrading. Use the - <code>Makefile</code> provided by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.</p> - - -<h3><a name="pemder" id="pemder">How can I convert a certificate from PEM to DER format?</a></h3> -<p>The default certificate format for SSLeay/OpenSSL is PEM, which is simply - Base64 encoded DER, with header and footer lines. For some applications - (e.g. Microsoft Internet Explorer) you need the certificate in plain DER - format. You can convert a PEM file <code>cert.pem</code> into the - corresponding DER file <code>cert.der</code> using the following command: - <code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code></p> - - -<h3><a name="verisign" id="verisign">Why can't I find the -<code>getca</code> or <code>getverisign</code> programs mentioned by -Verisign, for installing my Verisign certificate?</a></h3> -<p>Verisign has never provided specific instructions - for Apache+mod_ssl. The instructions provided are for C2Net's - Stronghold (a commercial Apache based server with SSL support).</p> - <p>To install your certificate, all you need to do is to save the - certificate to a file, and give the name of that file to the - <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatefile">SSLCertificateFile</a></code> directive. - You will also need to give it the key file. For more information, - see the <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatekeyfile">SSLCertificateKeyFile</a></code> - directive.</p> - - -<h3><a name="sgc" id="sgc">Can I use the Server Gated Cryptography (SGC) -facility (aka Verisign Global ID) with mod_ssl?</a></h3> -<p>Yes. <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> has included support for the SGC - facility since version 2.1. No special configuration is required - - just use the Global ID as your server certificate. The - <em>step up</em> of the clients is then automatically handled by - <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> at run-time.</p> - - -<h3><a name="gid" id="gid">Why do browsers complain that they cannot -verify my Verisign Global ID server certificate?</a></h3> -<p>Verisign uses an intermediate CA certificate between the root CA - certificate (which is installed in the browsers) and the server - certificate (which you installed on the server). You should have - received this additional CA certificate from Verisign. - If not, complain to them. Then, configure this certificate with the - <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatechainfile">SSLCertificateChainFile</a></code> - directive. This ensures that the intermediate CA certificate is - sent to the browser, filling the gap in the certificate chain.</p> - -</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="aboutssl" id="aboutssl">The SSL Protocol</a></h2> -<ul> -<li><a href="#random">Why do I get lots of random SSL protocol -errors under heavy server load?</a></li> -<li><a href="#load">Why does my webserver have a higher load, now -that it serves SSL encrypted traffic?</a></li> -<li><a href="#establishing">Why do HTTPS connections to my server -sometimes take up to 30 seconds to establish a connection?</a></li> -<li><a href="#ciphers">What SSL Ciphers are supported by mod_ssl?</a></li> -<li><a href="#adh">Why do I get ``no shared cipher'' errors, when -trying to use Anonymous Diffie-Hellman (ADH) ciphers?</a></li> -<li><a href="#sharedciphers">Why do I get a 'no shared ciphers' -error when connecting to my newly installed server?</a></li> -<li><a href="#vhosts">Why can't I use SSL with name-based/non-IP-based -virtual hosts?</a></li> -<li><a href="#vhosts2">Why is it not possible to use Name-Based Virtual -Hosting to identify different SSL virtual hosts?</a></li> -<li><a href="#comp">How do I get SSL compression working?</a></li> -<li><a href="#lockicon">When I use Basic Authentication over HTTPS -the lock icon in Netscape browsers stays unlocked when the dialog pops up. -Does this mean the username/password is being sent unencrypted?</a></li> -<li><a href="#msie">Why do I get I/O errors when connecting via -HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer -(MSIE)?</a></li> -<li><a href="#nn">Why do I get I/O errors, or the message "Netscape has -encountered bad data from the server", when connecting via -HTTPS to an Apache+mod_ssl server with Netscape Navigator?</a></li> -</ul> - -<h3><a name="random" id="random">Why do I get lots of random SSL protocol -errors under heavy server load?</a></h3> -<p>There can be a number of reasons for this, but the main one - is problems with the SSL session Cache specified by the - <code class="directive"><a href="../mod/mod_ssl.html#sslsessioncache">SSLSessionCache</a></code> directive. The DBM session - cache is the most likely source of the problem, so using the SHM session cache (or - no cache at all) may help.</p> - - -<h3><a name="load" id="load">Why does my webserver have a higher load, now -that it serves SSL encrypted traffic?</a></h3> -<p>SSL uses strong cryptographic encryption, which necessitates a lot of - number crunching. When you request a webpage via HTTPS, everything (even - the images) is encrypted before it is transferred. So increased HTTPS - traffic leads to load increases.</p> - - -<h3><a name="establishing" id="establishing">Why do HTTPS connections to my server -sometimes take up to 30 seconds to establish a connection?</a></h3> -<p>This is usually caused by a <code>/dev/random</code> device for - <code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code> which blocks the - read(2) call until enough entropy is available to service the - request. More information is available in the reference - manual for the <code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code> - directive.</p> - - -<h3><a name="ciphers" id="ciphers">What SSL Ciphers are supported by mod_ssl?</a></h3> -<p>Usually, any SSL ciphers supported by the version of OpenSSL in use, - are also supported by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>. Which ciphers are - available can depend on the way you built OpenSSL. Typically, at - least the following ciphers are supported:</p> - - <ol> - <li>RC4 with MD5</li> - <li>RC4 with MD5 (export version restricted to 40-bit key)</li> - <li>RC2 with MD5</li> - <li>RC2 with MD5 (export version restricted to 40-bit key)</li> - <li>IDEA with MD5</li> - <li>DES with MD5</li> - <li>Triple-DES with MD5</li> - </ol> - - <p>To determine the actual list of ciphers available, you should run - the following:</p> - <div class="example"><p><code>$ openssl ciphers -v</code></p></div> - - -<h3><a name="adh" id="adh">Why do I get ``no shared cipher'' errors, when -trying to use Anonymous Diffie-Hellman (ADH) ciphers?</a></h3> -<p>By default, OpenSSL does <em>not</em> allow ADH ciphers, for security - reasons. Please be sure you are aware of the potential side-effects - if you choose to enable these ciphers.</p> - <p>In order to use Anonymous Diffie-Hellman (ADH) ciphers, you must - build OpenSSL with ``<code>-DSSL_ALLOW_ADH</code>'', and then add - ``<code>ADH</code>'' into your <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code>.</p> - - -<h3><a name="sharedciphers" id="sharedciphers">Why do I get a 'no shared ciphers' -error when connecting to my newly installed server?</a></h3> -<p>Either you have made a mistake with your - <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code> - directive (compare it with the pre-configured example in - <code>httpd.conf-dist</code>) or you chose to use DSA/DH - algorithms instead of RSA when you generated your private key - and ignored or overlooked the warnings. If you have chosen - DSA/DH, then your server cannot communicate using RSA-based SSL - ciphers (at least until you configure an additional RSA-based - certificate/key pair). Modern browsers like NS or IE can only - communicate over SSL using RSA ciphers. The result is the - "no shared ciphers" error. To fix this, regenerate your server - certificate/key pair, using the RSA algorithm.</p> - - -<h3><a name="vhosts" id="vhosts">Why can't I use SSL with name-based/non-IP-based virtual hosts?</a></h3> -<p>The reason is very technical, and a somewhat "chicken and egg" problem. - The SSL protocol layer stays below the HTTP protocol layer and - encapsulates HTTP. When an SSL connection (HTTPS) is established - Apache/mod_ssl has to negotiate the SSL protocol parameters with the - client. For this, mod_ssl has to consult the configuration of the virtual - server (for instance it has to look for the cipher suite, the server - certificate, etc.). But in order to go to the correct virtual server - Apache has to know the <code>Host</code> HTTP header field. To do this, the - HTTP request header has to be read. This cannot be done before the SSL - handshake is finished, but the information is needed in order to - complete the SSL handshake phase. Bingo!</p> - - -<h3><a name="vhosts2" id="vhosts2">Why is it not possible to use Name-Based -Virtual Hosting to identify different SSL virtual hosts?</a></h3> - <p>Name-Based Virtual Hosting is a very popular method of identifying - different virtual hosts. It allows you to use the same IP address and - the same port number for many different sites. When people move on to - SSL, it seems natural to assume that the same method can be used to have - lots of different SSL virtual hosts on the same server.</p> - - <p>It comes as rather a shock to learn that it is impossible.</p> - - <p>The reason is that the SSL protocol is a separate layer which - encapsulates the HTTP protocol. So the SSL session is a separate - transaction, that takes place before the HTTP session has begun. - The server receives an SSL request on IP address X and port Y - (usually 443). Since the SSL request does not contain any Host: - field, the server has no way to decide which SSL virtual host to use. - Usually, it will just use the first one it finds, which matches the - port and IP address specified.</p> - - <p>You can, of course, use Name-Based Virtual Hosting to identify many - non-SSL virtual hosts (all on port 80, for example) and then - have a single SSL virtual host (on port 443). But if you do this, - you must make sure to put the non-SSL port number on the NameVirtualHost - directive, e.g.</p> - - <div class="example"><p><code> - NameVirtualHost 192.168.1.1:80 - </code></p></div> - - <p>Other workaround solutions include: </p> - - <p>Using separate IP addresses for different SSL hosts. - Using different port numbers for different SSL hosts.</p> - - -<h3><a name="comp" id="comp">How do I get SSL compression working?</a></h3> -<p>Although SSL compression negotiation was defined in the specification -of SSLv2 and TLS, it took until May 2004 for RFC 3749 to define DEFLATE as -a negotiable standard compression method. -</p> -<p>OpenSSL 0.9.8 started to support this by default when compiled with the -<code>zlib</code> option. If both the client and the server support compression, -it will be used. However, most clients still try to initially connect with an -SSLv2 Hello. As SSLv2 did not include an array of prefered compression algorithms -in its handshake, compression cannot be negotiated with these clients. -If the client disables support for SSLv2, either an SSLv3 or TLS Hello -may be sent, depending on which SSL library is used, and compression may -be set up. You can verify whether clients make use of SSL compression by -logging the <code>%{SSL_COMPRESS_METHOD}x</code> variable. -</p> - - -<h3><a name="lockicon" id="lockicon">When I use Basic Authentication over HTTPS -the lock icon in Netscape browsers stays unlocked when the dialog pops up. -Does this mean the username/password is being sent unencrypted?</a></h3> -<p>No, the username/password is transmitted encrypted. The icon in - Netscape browsers is not actually synchronized with the SSL/TLS layer. - It only toggles to the locked state when the first part of the actual - webpage data is transferred, which may confuse people. The Basic - Authentication facility is part of the HTTP layer, which is above - the SSL/TLS layer in HTTPS. Before any HTTP data communication takes - place in HTTPS, the SSL/TLS layer has already completed its handshake - phase, and switched to encrypted communication. So don't be - confused by this icon.</p> - - -<h3><a name="msie" id="msie">Why do I get I/O errors when connecting via -HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer (MSIE)?</a></h3> -<p>The first reason is that the SSL implementation in some MSIE versions has - some subtle bugs related to the HTTP keep-alive facility and the SSL close - notify alerts on socket connection close. Additionally the interaction - between SSL and HTTP/1.1 features are problematic in some MSIE versions. - You can work around these problems by forcing Apache not to use HTTP/1.1, - keep-alive connections or send the SSL close notify messages to MSIE clients. - This can be done by using the following directive in your SSL-aware - virtual host section:</p> - <div class="example"><p><code> - SetEnvIf User-Agent ".*MSIE.*" \<br /> - nokeepalive ssl-unclean-shutdown \<br /> - downgrade-1.0 force-response-1.0 - </code></p></div> - <p>Further, some MSIE versions have problems with particular ciphers. - Unfortunately, it is not possible to implement a MSIE-specific - workaround for this, because the ciphers are needed as early as the - SSL handshake phase. So a MSIE-specific - <code class="directive"><a href="../mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> won't solve these - problems. Instead, you will have to make more drastic - adjustments to the global parameters. Before you decide to do - this, make sure your clients really have problems. If not, do not - make these changes - they will affect <em>all</em> your clients, MSIE - or otherwise.</p> - - <p>The next problem is that 56bit export versions of MSIE 5.x - browsers have a broken SSLv3 implementation, which interacts badly - with OpenSSL versions greater than 0.9.4. You can accept this and - require your clients to upgrade their browsers, you can downgrade to - OpenSSL 0.9.4 (not advised), or you can work around this, accepting - that your workaround will affect other browsers too:</p> - <div class="example"><p><code>SSLProtocol all -SSLv3</code></p></div> - <p>will completely disables the SSLv3 protocol and allow those - browsers to work. A better workaround is to disable only those - ciphers which cause trouble.</p> - <div class="example"><p><code>SSLCipherSuite - ALL:!ADH:<strong>!EXPORT56</strong>:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code> - </p></div> - - <p>This also allows the broken MSIE versions to work, but only removes the - newer 56bit TLS ciphers.</p> - - <p>Another problem with MSIE 5.x clients is that they refuse to connect to - URLs of the form <code>https://12.34.56.78/</code> (where IP-addresses are used - instead of the hostname), if the server is using the Server Gated - Cryptography (SGC) facility. This can only be avoided by using the fully - qualified domain name (FQDN) of the website in hyperlinks instead, because - MSIE 5.x has an error in the way it handles the SGC negotiation.</p> - - <p>And finally there are versions of MSIE which seem to require that - an SSL session can be reused (a totally non standard-conforming - behaviour, of course). Connecting with those MSIE versions only work - if a SSL session cache is used. So, as a work-around, make sure you - are using a session cache (see the <code class="directive"><a href="../mod/mod_ssl.html#sslsessioncache">SSLSessionCache</a></code> directive).</p> - - -<h3><a name="nn" id="nn">Why do I get I/O errors, or the message "Netscape has -encountered bad data from the server", when connecting via -HTTPS to an Apache+mod_ssl server with Netscape Navigator?</a></h3> -<p> - This usually occurs when you have created a new server certificate for - a given domain, but had previously told your browser to always accept - the old server certificate. Once you clear the entry for the old - certificate from your browser, everything should be fine. Netscape's SSL - implementation is correct, so when you encounter I/O errors with Netscape - Navigator it is usually caused by the configured certificates.</p> - -</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="support" id="support">mod_ssl Support</a></h2> -<ul> -<li><a href="#resources">What information resources are available in -case of mod_ssl problems?</a></li> -<li><a href="#contact">What support contacts are available in case of -mod_ssl problems?</a></li> -<li><a href="#reportdetails">What information should I -provide when writing a bug report?</a></li> -<li><a href="#coredumphelp">I had a core dump, can you help me?</a></li> -<li><a href="#backtrace">How do I get a backtrace, to help find the reason -for my core dump?</a></li> -</ul> - -<h3><a name="resources" id="resources">What information resources are available in case of mod_ssl problems?</a></h3> -<p>The following information resources are available. - In case of problems you should search here first.</p> - - <dl> - <dt>Answers in the User Manual's F.A.Q. List (this)</dt> - <dd><a href="http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html"> - http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html</a><br /> - First check the F.A.Q. (this text). If your problem is a common - one, it may have been answered several times before, and been included - in this doc. - </dd> - <dt>Postings from the modssl-users Support Mailing List - <a href="http://www.modssl.org/support/">http://www.modssl.org/support/</a></dt> - <dd>Search for your problem in the archives of the modssl-users mailing list. - You're probably not the first person to have had this problem! - </dd> - </dl> - - -<h3><a name="contact" id="contact">What support contacts are available in case -of mod_ssl problems?</a></h3> - <p>The following lists all support possibilities for mod_ssl, in order of - preference. Please go through these possibilities - <em>in this order</em> - don't just pick the one you like the look of. </p> - <ol> - <li><em>Send a Problem Report to the modssl-users Support Mailing List</em><br /> - <a href="mailto:modssl-users@modssl.org"> - modssl-users@modssl.org</a><br /> - This is the preferred way of submitting your problem report, because this way, - others can see the problem, and learn from any answers. You must subscribe to - the list first, but you can then easily discuss your problem with both the - author and the whole mod_ssl user community. - </li> - - <li><em>Send a Problem Report to the Apache httpd Users Support Mailing List</em><br /> - <a href="mailto:users@httpd.apache.org"> - users@httpd.apache.org</a><br /> - This is the second way of submitting your problem report. Again, you must - subscribe to the list first, but you can then easily discuss your problem - with the whole Apache httpd user community. - </li> - - <li><em>Write a Problem Report in the Bug Database</em><br /> - <a href="http://httpd.apache.org/bug_report.html"> - http://httpd.apache.org/bug_report.html</a><br /> - This is the last way of submitting your problem report. You should only - do this if you've already posted to the mailing lists, and had no success. - Please follow the instructions on the above page <em>carefully</em>. - </li> - </ol> - - -<h3><a name="reportdetails" id="reportdetails">What information should I -provide when writing a bug report?</a></h3> -<p>You should always provide at least the following information:</p> - - <dl> - <dt>Apache and OpenSSL version information</dt> - <dd>The Apache version can be determined - by running <code>httpd -v</code>. The OpenSSL version can be - determined by running <code>openssl version</code>. Alternatively, if - you have Lynx installed, you can run the command <code>lynx -mime_header - http://localhost/ | grep Server</code> to gather this information in a - single step. - </dd> - - <dt>The details on how you built and installed Apache+mod_ssl+OpenSSL</dt> - <dd>For this you can provide a logfile of your terminal session which shows - the configuration and install steps. If this is not possible, you - should at least provide the <code class="program"><a href="../programs/configure.html">configure</a></code> command line you used. - </dd> - - <dt>In case of core dumps please include a Backtrace</dt> - <dd>If your Apache+mod_ssl+OpenSSL dumps its core, please attach - a stack-frame ``backtrace'' (see <a href="#backtrace">below</a> - for information on how to get this). This information is required - in order to find a reason for your core dump. - </dd> - - <dt>A detailed description of your problem</dt> - <dd>Don't laugh, we really mean it! Many problem reports don't - include a description of what the actual problem is. Without this, - it's very difficult for anyone to help you. So, it's in your own - interest (you want the problem be solved, don't you?) to include as - much detail as possible, please. Of course, you should still include - all the essentials above too. - </dd> - </dl> - - -<h3><a name="coredumphelp" id="coredumphelp">I had a core dump, can you help me?</a></h3> -<p>In general no, at least not unless you provide more details about the code - location where Apache dumped core. What is usually always required in - order to help you is a backtrace (see next question). Without this - information it is mostly impossible to find the problem and help you in - fixing it.</p> - - -<h3><a name="backtrace" id="backtrace">How do I get a backtrace, to help find -the reason for my core dump?</a></h3> -<p>Following are the steps you will need to complete, to get a backtrace:</p> - <ol> - <li>Make sure you have debugging symbols available, at least - in Apache. On platforms where you use GCC/GDB, you will have to build - Apache+mod_ssl with ``<code>OPTIM="-g -ggdb3"</code>'' to get this. On - other platforms at least ``<code>OPTIM="-g"</code>'' is needed. - </li> - - <li>Start the server and try to reproduce the core-dump. For this you may - want to use a directive like ``<code>CoreDumpDirectory /tmp</code>'' to - make sure that the core-dump file can be written. This should result - in a <code>/tmp/core</code> or <code>/tmp/httpd.core</code> file. If you - don't get one of these, try running your server under a non-root UID. - Many modern kernels do not allow a process to dump core after it has - done a <code>setuid()</code> (unless it does an <code>exec()</code>) for - security reasons (there can be privileged information left over in - memory). If necessary, you can run <code>/path/to/httpd -X</code> - manually to force Apache to not fork. - </li> - - <li>Analyze the core-dump. For this, run <code>gdb /path/to/httpd - /tmp/httpd.core</code> or a similar command. In GDB, all you - have to do then is to enter <code>bt</code>, and voila, you get the - backtrace. For other debuggers consult your local debugger manual. - </li> - </ol> - -</div></div> -<div class="bottomlang"> -<p><span>Available Languages: </span><a href="../en/ssl/ssl_faq.html" title="English"> en </a></p> -</div><div id="footer"> -<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> -<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div> -</body></html>
\ No newline at end of file diff --git a/rubbos/app/apache2/manual/ssl/ssl_howto.html b/rubbos/app/apache2/manual/ssl/ssl_howto.html deleted file mode 100644 index 9f06e018..00000000 --- a/rubbos/app/apache2/manual/ssl/ssl_howto.html +++ /dev/null @@ -1,5 +0,0 @@ -# GENERATED FROM XML -- DO NOT EDIT - -URI: ssl_howto.html.en -Content-Language: en -Content-type: text/html; charset=ISO-8859-1 diff --git a/rubbos/app/apache2/manual/ssl/ssl_howto.html.en b/rubbos/app/apache2/manual/ssl/ssl_howto.html.en deleted file mode 100644 index f09492d6..00000000 --- a/rubbos/app/apache2/manual/ssl/ssl_howto.html.en +++ /dev/null @@ -1,284 +0,0 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!-- - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - This file is generated from xml source: DO NOT EDIT - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - --> -<title>SSL/TLS Strong Encryption: How-To - Apache HTTP Server</title> -<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> -<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> -<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /> -<link href="../images/favicon.ico" rel="shortcut icon" /></head> -<body id="manual-page"><div id="page-header"> -<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p> -<p class="apache">Apache HTTP Server Version 2.0</p> -<img alt="" src="../images/feather.gif" /></div> -<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> -<div id="path"> -<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.0</a> > <a href="./">SSL/TLS</a></div><div id="page-content"><div id="preamble"><h1>SSL/TLS Strong Encryption: How-To</h1> -<div class="toplang"> -<p><span>Available Languages: </span><a href="../en/ssl/ssl_howto.html" title="English"> en </a></p> -</div> - -<blockquote> -<p>The solution of this problem is trivial -and is left as an exercise for the reader.</p> - -<p class="cite">-- <cite>Standard textbook cookie</cite></p> -</blockquote> - -<p>How to solve particular security constraints for an SSL-aware -webserver is not always obvious because of the coherences between SSL, -HTTP and Apache's way of processing requests. This chapter gives -instructions on how to solve such typical situations. Treat it as a first -step to find out the final solution, but always try to understand the -stuff before you use it. Nothing is worse than using a security solution -without knowing its restrictions and coherences.</p> -</div> -<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#ciphersuites">Cipher Suites and Enforced Strong Security</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#accesscontrol">Client Authentication and Access Control</a></li> -</ul></div> -<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="ciphersuites" id="ciphersuites">Cipher Suites and Enforced Strong Security</a></h2> - -<ul> -<li><a href="#realssl">SSLv2 only server</a></li> -<li><a href="#onlystrong">strong encryption only server</a></li> -<li><a href="#upgradeenc">server gated cryptography</a></li> -<li><a href="#strongurl">stronger per-directory requirements</a></li> -</ul> - -<h3><a name="realssl" id="realssl">How can I create a real SSLv2-only server?</a></h3> - - <p>The following creates an SSL server which speaks only the SSLv2 protocol and - its ciphers.</p> - - <div class="example"><h3>httpd.conf</h3><p><code> - SSLProtocol -all +SSLv2<br /> - SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP<br /> - </code></p></div> - - -<h3><a name="onlystrong" id="onlystrong">How can I create an SSL server which accepts strong encryption -only?</a></h3> - - <p>The following enables only the seven strongest ciphers:</p> - <div class="example"><h3>httpd.conf</h3><p><code> - SSLProtocol all<br /> - SSLCipherSuite HIGH:MEDIUM<br /> - </code></p></div> - - -<h3><a name="upgradeenc" id="upgradeenc">How can I create an SSL server which accepts strong encryption -only, but allows export browsers to upgrade to stronger encryption?</a></h3> - - <p>This facility is called Server Gated Cryptography (SGC) and details - you can find in the <code>README.GlobalID</code> document in the - mod_ssl distribution. In short: The server has a Global ID server - certificate, signed by a special CA certificate from Verisign which - enables strong encryption in export browsers. This works as following: - The browser connects with an export cipher, the server sends its Global - ID certificate, the browser verifies it and subsequently upgrades the - cipher suite before any HTTP communication takes place. The question - now is: How can we allow this upgrade, but enforce strong encryption. - Or in other words: Browser either have to initially connect with - strong encryption or have to upgrade to strong encryption, but are - not allowed to keep the export ciphers. The following does the trick:</p> - <div class="example"><h3>httpd.conf</h3><p><code> - # allow all ciphers for the initial handshake,<br /> - # so export browsers can upgrade via SGC facility<br /> - SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br /> - <br /> - <Directory /usr/local/apache2/htdocs><br /> - # but finally deny all browsers which haven't upgraded<br /> - SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128<br /> - </Directory> - </code></p></div> - - -<h3><a name="strongurl" id="strongurl">How can I create an SSL server which accepts all types of ciphers -in general, but requires a strong ciphers for access to a particular -URL?</a></h3> - - <p>Obviously you cannot just use a server-wide <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code> which restricts the - ciphers to the strong variants. But mod_ssl allows you to reconfigure - the cipher suite in per-directory context and automatically forces - a renegotiation of the SSL parameters to meet the new configuration. - So, the solution is:</p> - <div class="example"><p><code> - # be liberal in general<br /> - SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br /> - <br /> - <Location /strong/area><br /> - # but https://hostname/strong/area/ and below<br /> - # requires strong ciphers<br /> - SSLCipherSuite HIGH:MEDIUM<br /> - </Location> - </code></p></div> - -</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="accesscontrol" id="accesscontrol">Client Authentication and Access Control</a></h2> - -<ul> -<li><a href="#allclients">simple certificate-based client authentication</a></li> -<li><a href="#arbitraryclients">selective certificate-based client authentication</a></li> -<li><a href="#certauthenticate">particular certificate-based client authentication</a></li> -<li><a href="#intranet">intranet vs. internet authentication</a></li> -</ul> - -<h3><a name="allclients" id="allclients">How can I authenticate clients based on certificates when I know -all my clients?</a></h3> - - <p>When you know your user community (i.e. a closed user group - situation), as it's the case for instance in an Intranet, you can - use plain certificate authentication. All you have to do is to - create client certificates signed by your own CA certificate - <code>ca.crt</code> and then verify the clients against this - certificate.</p> - <div class="example"><h3>httpd.conf</h3><p><code> - # require a client certificate which has to be directly<br /> - # signed by our CA certificate in ca.crt<br /> - SSLVerifyClient require<br /> - SSLVerifyDepth 1<br /> - SSLCACertificateFile conf/ssl.crt/ca.crt - </code></p></div> - - -<h3><a name="arbitraryclients" id="arbitraryclients">How can I authenticate my clients for a particular URL based on -certificates but still allow arbitrary clients to access the remaining -parts of the server?</a></h3> - - <p>For this we again use the per-directory reconfiguration feature - of <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>:</p> - - <div class="example"><h3>httpd.conf</h3><p><code> - SSLVerifyClient none<br /> - SSLCACertificateFile conf/ssl.crt/ca.crt<br /> - <br /> - <Location /secure/area><br /> - SSLVerifyClient require<br /> - SSLVerifyDepth 1<br /> - </Location><br /> - </code></p></div> - - -<h3><a name="certauthenticate" id="certauthenticate">How can I authenticate only particular clients for a some URLs based -on certificates but still allow arbitrary clients to access the remaining -parts of the server?</a></h3> - - <p>The key is to check for various ingredients of the client certificate. - Usually this means to check the whole or part of the Distinguished - Name (DN) of the Subject. For this two methods exists: The <code class="module"><a href="../mod/mod_auth.html">mod_auth</a></code> based variant and the <code class="directive"><a href="../mod/mod_ssl.html#sslrequire">SSLRequire</a></code> variant. The first method is - good when the clients are of totally different type, i.e. when their - DNs have no common fields (usually the organisation, etc.). In this - case you've to establish a password database containing <em>all</em> - clients. The second method is better when your clients are all part of - a common hierarchy which is encoded into the DN. Then you can match - them more easily.</p> - - <p>The first method:</p> - <div class="example"><h3>httpd.conf</h3><pre> -SSLVerifyClient none -<Directory /usr/local/apache2/htdocs/secure/area> - -SSLVerifyClient require -SSLVerifyDepth 5 -SSLCACertificateFile conf/ssl.crt/ca.crt -SSLCACertificatePath conf/ssl.crt -SSLOptions +FakeBasicAuth -SSLRequireSSL -AuthName "Snake Oil Authentication" -AuthType Basic -AuthUserFile /usr/local/apache2/conf/httpd.passwd -require valid-user -</Directory></pre></div> - - <p>The password used in this example is the DES encrypted string "password". - See the <code class="directive"><a href="../mod/mod_ssl.html#ssloptions">SSLOptions</a></code> docs for more - information.</p> - - <div class="example"><h3>httpd.passwd</h3><pre> -/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA -/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA -/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA</pre></div> - - <p>The second method:</p> - - <div class="example"><h3>httpd.conf</h3><pre> -SSLVerifyClient none -<Directory /usr/local/apache2/htdocs/secure/area> - - SSLVerifyClient require - SSLVerifyDepth 5 - SSLCACertificateFile conf/ssl.crt/ca.crt - SSLCACertificatePath conf/ssl.crt - SSLOptions +FakeBasicAuth - SSLRequireSSL - SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ - and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} -</Directory></pre></div> - - -<h3><a name="intranet" id="intranet">How can I require HTTPS with strong ciphers and either basic -authentication or client certificates for access to a subarea on the -Intranet website for clients coming from the Internet but still allow -plain HTTP access for clients on the Intranet?</a></h3> - - <p>Let us assume the Intranet can be distinguished through the IP - network 192.168.1.0/24 and the subarea on the Intranet website has - the URL <code>/subarea</code>. Then configure the following outside - your HTTPS virtual host (so it applies to both HTTPS and HTTP):</p> - - <div class="example"><h3>httpd.conf</h3><pre> -SSLCACertificateFile conf/ssl.crt/company-ca.crt - -<Directory /usr/local/apache2/htdocs> -# Outside the subarea only Intranet access is granted -Order deny,allow -Deny from all -Allow from 192.168.1.0/24 -</Directory> - -<Directory /usr/local/apache2/htdocs/subarea> -# Inside the subarea any Intranet access is allowed -# but from the Internet only HTTPS + Strong-Cipher + Password -# or the alternative HTTPS + Strong-Cipher + Client-Certificate - -# If HTTPS is used, make sure a strong cipher is used. -# Additionally allow client certs as alternative to basic auth. -SSLVerifyClient optional -SSLVerifyDepth 1 -SSLOptions +FakeBasicAuth +StrictRequire -SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 - -# Force clients from the Internet to use HTTPS -RewriteEngine on -RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$ -RewriteCond %{HTTPS} !=on -RewriteRule .* - [F] - -# Allow Network Access and/or Basic Auth -Satisfy any - -# Network Access Control -Order deny,allow -Deny from all -Allow 192.168.1.0/24 - -# HTTP Basic Authentication -AuthType basic -AuthName "Protected Intranet Area" -AuthUserFile conf/protected.passwd -Require valid-user -</Directory></pre></div> - -</div></div> -<div class="bottomlang"> -<p><span>Available Languages: </span><a href="../en/ssl/ssl_howto.html" title="English"> en </a></p> -</div><div id="footer"> -<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> -<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div> -</body></html>
\ No newline at end of file diff --git a/rubbos/app/apache2/manual/ssl/ssl_intro.html b/rubbos/app/apache2/manual/ssl/ssl_intro.html deleted file mode 100644 index 0163b215..00000000 --- a/rubbos/app/apache2/manual/ssl/ssl_intro.html +++ /dev/null @@ -1,9 +0,0 @@ -# GENERATED FROM XML -- DO NOT EDIT - -URI: ssl_intro.html.en -Content-Language: en -Content-type: text/html; charset=ISO-8859-1 - -URI: ssl_intro.html.ja.utf8 -Content-Language: ja -Content-type: text/html; charset=UTF-8 diff --git a/rubbos/app/apache2/manual/ssl/ssl_intro.html.en b/rubbos/app/apache2/manual/ssl/ssl_intro.html.en deleted file mode 100644 index c3079d4e..00000000 --- a/rubbos/app/apache2/manual/ssl/ssl_intro.html.en +++ /dev/null @@ -1,641 +0,0 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!-- - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - This file is generated from xml source: DO NOT EDIT - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - --> -<title>SSL/TLS Strong Encryption: An Introduction - Apache HTTP Server</title> -<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> -<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> -<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /> -<link href="../images/favicon.ico" rel="shortcut icon" /></head> -<body id="manual-page"><div id="page-header"> -<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p> -<p class="apache">Apache HTTP Server Version 2.0</p> -<img alt="" src="../images/feather.gif" /></div> -<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> -<div id="path"> -<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.0</a> > <a href="./">SSL/TLS</a></div><div id="page-content"><div id="preamble"><h1>SSL/TLS Strong Encryption: An Introduction</h1> -<div class="toplang"> -<p><span>Available Languages: </span><a href="../en/ssl/ssl_intro.html" title="English"> en </a> | -<a href="../ja/ssl/ssl_intro.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a></p> -</div> - -<blockquote> -<p>The nice thing about standards is that there are so many to choose -from. And if you really don't like all the standards you just have to -wait another year until the one arises you are looking for.</p> - -<p class="cite">-- <cite>A. Tanenbaum</cite>, "Introduction to -Computer Networks"</p> -</blockquote> - -<p>As an introduction this chapter is aimed at readers who are familiar -with the Web, HTTP, and Apache, but are not security experts. It is not -intended to be a definitive guide to the SSL protocol, nor does it discuss -specific techniques for managing certificates in an organization, or the -important legal issues of patents and import and export restrictions. -Rather, it is intended to provide a common background to mod_ssl users by -pulling together various concepts, definitions, and examples as a starting -point for further exploration.</p> - -<p>The presented content is mainly derived, with permission by the author, -from the article <a href="http://home.earthlink.net/~fjhirsch/Papers/wwwj/article.html">Introducing -SSL and Certificates using SSLeay</a> from <a href="http://home.earthlink.net/~fjhirsch/">Frederick J. Hirsch</a>, of The -Open Group Research Institute, which was published in <a href="http://www.ora.com/catalog/wjsum97/">Web Security: A Matter of -Trust</a>, World Wide Web Journal, Volume 2, Issue 3, Summer 1997. -Please send any positive feedback to <a href="mailto:hirsch@fjhirsch.com">Frederick Hirsch</a> (the original -article author) and all negative feedback to <a href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> (the -<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> author).</p> -</div> -<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#cryptographictech">Cryptographic Techniques</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#certificates">Certificates</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#ssl">Secure Sockets Layer (SSL)</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#references">References</a></li> -</ul></div> -<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="cryptographictech" id="cryptographictech">Cryptographic Techniques</a></h2> - -<p>Understanding SSL requires an understanding of cryptographic -algorithms, message digest functions (aka. one-way or hash functions), and -digital signatures. These techniques are the subject of entire books (see -for instance [<a href="#AC96">AC96</a>]) and provide the basis for privacy, -integrity, and authentication.</p> - -<h3><a name="cryptographicalgo" id="cryptographicalgo">Cryptographic Algorithms</a></h3> - - <p>Suppose Alice wants to send a message to her bank to transfer some - money. Alice would like the message to be private, since it will - include information such as her account number and transfer amount. One - solution is to use a cryptographic algorithm, a technique that would - transform her message into an encrypted form, unreadable except by - those it is intended for. Once in this form, the message may only be - interpreted through the use of a secret key. Without the key the - message is useless: good cryptographic algorithms make it so difficult - for intruders to decode the original text that it isn't worth their - effort.</p> - - <p>There are two categories of cryptographic algorithms: conventional - and public key.</p> - - <dl> - <dt>Conventional cryptography</dt> - <dd>also known as symmetric cryptography, requires the sender and - receiver to share a key: a secret piece of information that may be - used to encrypt or decrypt a message. If this key is secret, then - nobody other than the sender or receiver may read the message. If - Alice and the bank know a secret key, then they may send each other - private messages. The task of privately choosing a key before - communicating, however, can be problematic.</dd> - - <dt>Public key cryptography</dt> - <dd>also known as asymmetric cryptography, solves the key exchange - problem by defining an algorithm which uses two keys, each of which - may be used to encrypt a message. If one key is used to encrypt a - message then the other must be used to decrypt it. This makes it - possible to receive secure messages by simply publishing one key - (the public key) and keeping the other secret (the private key).</dd> - </dl> - - <p>Anyone may encrypt a message using the public key, but only the - owner of the private key will be able to read it. In this way, Alice - may send private messages to the owner of a key-pair (the bank), by - encrypting it using their public key. Only the bank will be able to - decrypt it.</p> - - -<h3><a name="messagedigests" id="messagedigests">Message Digests</a></h3> - - <p>Although Alice may encrypt her message to make it private, there - is still a concern that someone might modify her original message or - substitute it with a different one, in order to transfer the money - to themselves, for instance. One way of guaranteeing the integrity - of Alice's message is to create a concise summary of her message and - send this to the bank as well. Upon receipt of the message, the bank - creates its own summary and compares it with the one Alice sent. If - they agree then the message was received intact.</p> - - <p>A summary such as this is called a <dfn>message digest</dfn>, <em>one-way -function</em> or <em>hash function</em>. Message digests are used to create -short, fixed-length representations of longer, variable-length messages. -Digest algorithms are designed to produce unique digests for different -messages. Message digests are designed to make it too difficult to determine -the message from the digest, and also impossible to find two different -messages which create the same digest -- thus eliminating the possibility of -substituting one message for another while maintaining the same digest.</p> -<p>Another challenge that Alice faces is finding a way to send the digest to the -bank securely; when this is achieved, the integrity of the associated message -is assured. One way to do this is to include the digest in a digital -signature.</p> - - -<h3><a name="digitalsignatures" id="digitalsignatures">Digital Signatures</a></h3> -<p>When Alice sends a message to the bank, the bank needs to ensure that the -message is really from her, so an intruder does not request a transaction -involving her account. A <em>digital signature</em>, created by Alice and -included with the message, serves this purpose.</p> - -<p>Digital signatures are created by encrypting a digest of the message, -and other information (such as a sequence number) with the sender's -private key. Though anyone may <em>decrypt</em> the signature using the public -key, only the signer knows the private key. This means that only they may -have signed it. Including the digest in the signature means the signature is -only good for that message; it also ensures the integrity of the message since -no one can change the digest and still sign it.</p> -<p>To guard against interception and reuse of the signature by an intruder at a -later date, the signature contains a unique sequence number. This protects -the bank from a fraudulent claim from Alice that she did not send the message --- only she could have signed it (non-repudiation).</p> - -</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="certificates" id="certificates">Certificates</a></h2> - -<p>Although Alice could have sent a private message to the bank, signed -it, and ensured the integrity of the message, she still needs to be sure -that she is really communicating with the bank. This means that she needs -to be sure that the public key she is using corresponds to the bank's -private key. Similarly, the bank also needs to verify that the message -signature really corresponds to Alice's signature.</p> - -<p>If each party has a certificate which validates the other's identity, -confirms the public key, and is signed by a trusted agency, then they both -will be assured that they are communicating with whom they think they are. -Such a trusted agency is called a <em>Certificate Authority</em>, and -certificates are used for authentication.</p> - -<h3><a name="certificatecontents" id="certificatecontents">Certificate Contents</a></h3> - - <p>A certificate associates a public key with the real identity of - an individual, server, or other entity, known as the subject. As - shown in <a href="#table1">Table 1</a>, information about the subject - includes identifying information (the distinguished name), and the - public key. It also includes the identification and signature of the - Certificate Authority that issued the certificate, and the period of - time during which the certificate is valid. It may have additional - information (or extensions) as well as administrative information - for the Certificate Authority's use, such as a serial number.</p> - - <h4><a name="table1" id="table1">Table 1: Certificate Information</a></h4> - - <table> - - <tr><th>Subject</th> - <td>Distinguished Name, Public Key</td></tr> - <tr><th>Issuer</th> - <td>Distinguished Name, Signature</td></tr> - <tr><th>Period of Validity</th> - <td>Not Before Date, Not After Date</td></tr> - <tr><th>Administrative Information</th> - <td>Version, Serial Number</td></tr> - <tr><th>Extended Information</th> - <td>Basic Constraints, Netscape Flags, etc.</td></tr> - </table> - - - <p>A distinguished name is used to provide an identity in a specific - context -- for instance, an individual might have a personal - certificate as well as one for their identity as an employee. - Distinguished names are defined by the X.509 standard [<a href="#X509">X509</a>], which defines the fields, field names, and - abbreviations used to refer to the fields (see <a href="#table2">Table - 2</a>).</p> - - <h4><a name="table2" id="table2">Table 2: Distinguished Name Information</a></h4> - - <table class="bordered"> - - <tr><th>DN Field</th> - <th>Abbrev.</th> - <th>Description</th> - <th>Example</th></tr> - <tr><td>Common Name</td> - <td>CN</td> - <td>Name being certified</td> - <td>CN=Joe Average</td></tr> - <tr><td>Organization or Company</td> - <td>O</td> - <td>Name is associated with this<br />organization</td> - <td>O=Snake Oil, Ltd.</td></tr> - <tr><td>Organizational Unit</td> - <td>OU</td> - <td>Name is associated with this <br />organization unit, such - as a department</td> - <td>OU=Research Institute</td></tr> - <tr><td>City/Locality</td> - <td>L</td> - <td>Name is located in this City</td> - <td>L=Snake City</td></tr> - <tr><td>State/Province</td> - <td>ST</td> - <td>Name is located in this State/Province</td> - <td>ST=Desert</td></tr> - <tr><td>Country</td> - <td>C</td> - <td>Name is located in this Country (ISO code)</td> - <td>C=XZ</td></tr> - </table> - - - <p>A Certificate Authority may define a policy specifying which - distinguished field names are optional, and which are required. It - may also place requirements upon the field contents, as may users of - certificates. As an example, a Netscape browser requires that the - Common Name for a certificate representing a server has a name which - matches a wildcard pattern for the domain name of that server, such - as <code>*.snakeoil.com</code>.</p> - - <p>The binary format of a certificate is defined using the ASN.1 - notation [<a href="#X208">X208</a>] [<a href="#PKCS">PKCS</a>]. This - notation defines how to specify the contents, and encoding rules - define how this information is translated into binary form. The binary - encoding of the certificate is defined using Distinguished Encoding - Rules (DER), which are based on the more general Basic Encoding Rules - (BER). For those transmissions which cannot handle binary, the binary - form may be translated into an ASCII form by using Base64 encoding - [<a href="#MIME">MIME</a>]. This encoded version is called PEM encoded - (the name comes from "Privacy Enhanced Mail"), when placed between - begin and end delimiter lines as illustrated in the following - example.</p> - - <div class="example"><h3>Example of a PEM-encoded certificate (snakeoil.crt)</h3><pre>-----BEGIN CERTIFICATE----- -MIIC7jCCAlegAwIBAgIBATANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCWFkx -FTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25ha2UgVG93bjEXMBUG -A1UEChMOU25ha2UgT2lsLCBMdGQxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhv -cml0eTEVMBMGA1UEAxMMU25ha2UgT2lsIENBMR4wHAYJKoZIhvcNAQkBFg9jYUBz -bmFrZW9pbC5kb20wHhcNOTgxMDIxMDg1ODM2WhcNOTkxMDIxMDg1ODM2WjCBpzEL -MAkGA1UEBhMCWFkxFTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25h -a2UgVG93bjEXMBUGA1UEChMOU25ha2UgT2lsLCBMdGQxFzAVBgNVBAsTDldlYnNl -cnZlciBUZWFtMRkwFwYDVQQDExB3d3cuc25ha2VvaWwuZG9tMR8wHQYJKoZIhvcN -AQkBFhB3d3dAc25ha2VvaWwuZG9tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB -gQDH9Ge/s2zcH+da+rPTx/DPRp3xGjHZ4GG6pCmvADIEtBtKBFAcZ64n+Dy7Np8b -vKR+yy5DGQiijsH1D/j8HlGE+q4TZ8OFk7BNBFazHxFbYI4OKMiCxdKzdif1yfaa -lWoANFlAzlSdbxeGVHoT0K+gT5w3UxwZKv2DLbCTzLZyPwIDAQABoyYwJDAPBgNV -HRMECDAGAQH/AgEAMBEGCWCGSAGG+EIBAQQEAwIAQDANBgkqhkiG9w0BAQQFAAOB -gQAZUIHAL4D09oE6Lv2k56Gp38OBDuILvwLg1v1KL8mQR+KFjghCrtpqaztZqcDt -2q2QoyulCgSzHbEGmi0EsdkPfg6mp0penssIFePYNI+/8u9HT4LuKMJX15hxBam7 -dUHzICxBVC1lnHyYGjDuAMhe396lYAn8bCld1/L4NMGBCQ== ------END CERTIFICATE-----</pre></div> - - -<h3><a name="certificateauthorities" id="certificateauthorities">Certificate Authorities</a></h3> - - <p>By first verifying the information in a certificate request - before granting the certificate, the Certificate Authority assures - the identity of the private key owner of a key-pair. For instance, - if Alice requests a personal certificate, the Certificate Authority - must first make sure that Alice really is the person the certificate - request claims.</p> - - <h4><a name="certificatechains" id="certificatechains">Certificate Chains</a></h4> - - <p>A Certificate Authority may also issue a certificate for - another Certificate Authority. When examining a certificate, - Alice may need to examine the certificate of the issuer, for each - parent Certificate Authority, until reaching one which she has - confidence in. She may decide to trust only certificates with a - limited chain of issuers, to reduce her risk of a "bad" certificate - in the chain.</p> - - - <h4><a name="rootlevelca" id="rootlevelca">Creating a Root-Level CA</a></h4> - - <p>As noted earlier, each certificate requires an issuer to assert - the validity of the identity of the certificate subject, up to - the top-level Certificate Authority (CA). This presents a problem: - Since this is who vouches for the certificate of the top-level - authority, which has no issuer? In this unique case, the - certificate is "self-signed", so the issuer of the certificate is - the same as the subject. As a result, one must exercise extra care - in trusting a self-signed certificate. The wide publication of a - public key by the root authority reduces the risk in trusting this - key -- it would be obvious if someone else publicized a key - claiming to be the authority. Browsers are preconfigured to trust - well-known certificate authorities.</p> - - <p>A number of companies, such as <a href="http://www.thawte.com/">Thawte</a> and <a href="http://www.verisign.com/">VeriSign</a> - have established themselves as Certificate Authorities. These - companies provide the following services:</p> - - <ul> - <li>Verifying certificate requests</li> - <li>Processing certificate requests</li> - <li>Issuing and managing certificates</li> - </ul> - - <p>It is also possible to create your own Certificate Authority. - Although risky in the Internet environment, it may be useful - within an Intranet where the organization can easily verify the - identities of individuals and servers.</p> - - - <h4><a name="certificatemanagement" id="certificatemanagement">Certificate Management</a></h4> - - <p>Establishing a Certificate Authority is a responsibility which - requires a solid administrative, technical, and management - framework. Certificate Authorities not only issue certificates, - they also manage them -- that is, they determine how long - certificates are valid, they renew them, and they keep lists of - certificates that have already been issued but are no longer valid - (Certificate Revocation Lists, or CRLs). Say Alice is entitled to - a certificate as an employee of a company. Say too, that the - certificate needs to be revoked when Alice leaves the company. Since - certificates are objects that get passed around, it is impossible - to tell from the certificate alone that it has been revoked. When - examining certificates for validity, therefore, it is necessary to - contact the issuing Certificate Authority to check CRLs -- this - is not usually an automated part of the process.</p> - - <div class="note"><h3>Note</h3> - <p>If you use a Certificate Authority that is not configured into - browsers by default, it is necessary to load the Certificate - Authority certificate into the browser, enabling the browser to - validate server certificates signed by that Certificate Authority. - Doing so may be dangerous, since once loaded, the browser will - accept all certificates signed by that Certificate Authority.</p> - </div> - - - -</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="ssl" id="ssl">Secure Sockets Layer (SSL)</a></h2> - -<p>The Secure Sockets Layer protocol is a protocol layer which may be -placed between a reliable connection-oriented network layer protocol -(e.g. TCP/IP) and the application protocol layer (e.g. HTTP). SSL provides -for secure communication between client and server by allowing mutual -authentication, the use of digital signatures for integrity, and encryption -for privacy.</p> - -<p>The protocol is designed to support a range of choices for specific -algorithms used for cryptography, digests, and signatures. This allows -algorithm selection for specific servers to be made based on legal, export -or other concerns, and also enables the protocol to take advantage of new -algorithms. Choices are negotiated between client and server at the start -of establishing a protocol session.</p> - -<h3><a name="table4" id="table4">Table 4: Versions of the SSL protocol</a></h3> - - <table class="bordered"> - - <tr><th>Version</th> - <th>Source</th> - <th>Description</th> - <th>Browser Support</th></tr> - <tr><td>SSL v2.0</td> - <td>Vendor Standard (from Netscape Corp.) [<a href="#SSL2">SSL2</a>]</td> - <td>First SSL protocol for which implementations exists</td> - <td>- NS Navigator 1.x/2.x<br /> - - MS IE 3.x<br /> - - Lynx/2.8+OpenSSL</td></tr> - <tr><td>SSL v3.0</td> - <td>Expired Internet Draft (from Netscape Corp.) [<a href="#SSL3">SSL3</a>]</td> - <td>Revisions to prevent specific security attacks, add non-RSA - ciphers, and support for certificate chains</td> - <td>- NS Navigator 2.x/3.x/4.x<br /> - - MS IE 3.x/4.x<br /> - - Lynx/2.8+OpenSSL</td></tr> - <tr><td>TLS v1.0</td> - <td>Proposed Internet Standard (from IETF) [<a href="#TLS1">TLS1</a>]</td> - <td>Revision of SSL 3.0 to update the MAC layer to HMAC, add block - padding for block ciphers, message order standardization and more - alert messages.</td> - <td>- Lynx/2.8+OpenSSL</td></tr> - </table> - - -<p>There are a number of versions of the SSL protocol, as shown in -<a href="#table4">Table 4</a>. As noted there, one of the benefits in -SSL 3.0 is that it adds support of certificate chain loading. This feature -allows a server to pass a server certificate along with issuer certificates -to the browser. Chain loading also permits the browser to validate the -server certificate, even if Certificate Authority certificates are not -installed for the intermediate issuers, since they are included in the -certificate chain. SSL 3.0 is the basis for the Transport Layer Security -[<a href="#TLS1">TLS</a>] protocol standard, currently in development by -the Internet Engineering Task Force (IETF).</p> - -<h3><a name="session" id="session">Session Establishment</a></h3> - - <p>The SSL session is established by following a handshake sequence - between client and server, as shown in <a href="#figure1">Figure 1</a>. This sequence may vary, depending on whether the server - is configured to provide a server certificate or request a client - certificate. Though cases exist where additional handshake steps - are required for management of cipher information, this article - summarizes one common scenario: see the SSL specification for the full - range of possibilities.</p> - - <div class="note"><h3>Note</h3> - <p>Once an SSL session has been established it may be reused, thus - avoiding the performance penalty of repeating the many steps needed - to start a session. For this the server assigns each SSL session a - unique session identifier which is cached in the server and which the - client can use on forthcoming connections to reduce the handshake - (until the session identifer expires in the cache of the server).</p> - </div> - - <p class="figure"> - <img src="../images/ssl_intro_fig1.gif" alt="" width="423" height="327" /><br /> - <a id="figure1" name="figure1"><dfn>Figure 1</dfn></a>: Simplified SSL - Handshake Sequence</p> - - <p>The elements of the handshake sequence, as used by the client and - server, are listed below:</p> - - <ol> - <li>Negotiate the Cipher Suite to be used during data transfer</li> - <li>Establish and share a session key between client and server</li> - <li>Optionally authenticate the server to the client</li> - <li>Optionally authenticate the client to the server</li> - </ol> - - <p>The first step, Cipher Suite Negotiation, allows the client and - server to choose a Cipher Suite supportable by both of them. The SSL3.0 - protocol specification defines 31 Cipher Suites. A Cipher Suite is - defined by the following components:</p> - - <ul> - <li>Key Exchange Method</li> - <li>Cipher for Data Transfer</li> - <li>Message Digest for creating the Message Authentication Code (MAC)</li> - </ul> - - <p>These three elements are described in the sections that follow.</p> - - -<h3><a name="keyexchange" id="keyexchange">Key Exchange Method</a></h3> - - <p>The key exchange method defines how the shared secret symmetric - cryptography key used for application data transfer will be agreed - upon by client and server. SSL 2.0 uses RSA key exchange only, while - SSL 3.0 supports a choice of key exchange algorithms including the - RSA key exchange when certificates are used, and Diffie-Hellman key - exchange for exchanging keys without certificates and without prior - communication between client and server.</p> - - <p>One variable in the choice of key exchange methods is digital - signatures -- whether or not to use them, and if so, what kind of - signatures to use. Signing with a private key provides assurance - against a man-in-the-middle-attack during the information exchange - used in generating the shared key [<a href="#AC96">AC96</a>, p516].</p> - - -<h3><a name="ciphertransfer" id="ciphertransfer">Cipher for Data Transfer</a></h3> - - <p>SSL uses the conventional cryptography algorithm (symmetric - cryptography) described earlier for encrypting messages in a session. - There are nine choices, including the choice to perform no - encryption:</p> - - <ul> - <li>No encryption</li> - <li>Stream Ciphers - <ul> - <li>RC4 with 40-bit keys</li> - <li>RC4 with 128-bit keys</li> - </ul></li> - <li>CBC Block Ciphers - <ul><li>RC2 with 40 bit key</li> - <li>DES with 40 bit key</li> - <li>DES with 56 bit key</li> - <li>Triple-DES with 168 bit key</li> - <li>Idea (128 bit key)</li> - <li>Fortezza (96 bit key)</li> - </ul></li> - </ul> - - <p>Here "CBC" refers to Cipher Block Chaining, which means that a - portion of the previously encrypted cipher text is used in the - encryption of the current block. "DES" refers to the Data Encryption - Standard [<a href="#AC96">AC96</a>, ch12], which has a number of - variants (including DES40 and 3DES_EDE). "Idea" is one of the best - and cryptographically strongest available algorithms, and "RC2" is - a proprietary algorithm from RSA DSI [<a href="#AC96">AC96</a>, - ch13].</p> - - -<h3><a name="digestfuntion" id="digestfuntion">Digest Function</a></h3> - - <p>The choice of digest function determines how a digest is created - from a record unit. SSL supports the following:</p> - - <ul> - <li>No digest (Null choice)</li> - <li>MD5, a 128-bit hash</li> - <li>Secure Hash Algorithm (SHA-1), a 160-bit hash</li> - </ul> - - <p>The message digest is used to create a Message Authentication Code - (MAC) which is encrypted with the message to provide integrity and to - prevent against replay attacks.</p> - - -<h3><a name="handshake" id="handshake">Handshake Sequence Protocol</a></h3> - - <p>The handshake sequence uses three protocols:</p> - - <ul> - <li>The <dfn>SSL Handshake Protocol</dfn> - for performing the client and server SSL session establishment.</li> - <li>The <dfn>SSL Change Cipher Spec Protocol</dfn> for actually - establishing agreement on the Cipher Suite for the session.</li> - <li>The <dfn>SSL Alert Protocol</dfn> for conveying SSL error - messages between client and server.</li> - </ul> - - <p>These protocols, as well as application protocol data, are - encapsulated in the <dfn>SSL Record Protocol</dfn>, as shown in - <a href="#figure2">Figure 2</a>. An encapsulated protocol is - transferred as data by the lower layer protocol, which does not - examine the data. The encapsulated protocol has no knowledge of the - underlying protocol.</p> - - <p class="figure"> - <img src="../images/ssl_intro_fig2.gif" alt="" width="428" height="217" /><br /> - <a id="figure2" name="figure2"><dfn>Figure 2</dfn></a>: SSL Protocol Stack - </p> - - <p>The encapsulation of SSL control protocols by the record protocol - means that if an active session is renegotiated the control protocols - will be transmitted securely. If there were no session before, then - the Null cipher suite is used, which means there is no encryption and - messages have no integrity digests until the session has been - established.</p> - - -<h3><a name="datatransfer" id="datatransfer">Data Transfer</a></h3> - - <p>The SSL Record Protocol, shown in <a href="#figure3">Figure 3</a>, - is used to transfer application and SSL Control data between the - client and server, possibly fragmenting this data into smaller units, - or combining multiple higher level protocol data messages into single - units. It may compress, attach digest signatures, and encrypt these - units before transmitting them using the underlying reliable transport - protocol (Note: currently all major SSL implementations lack support - for compression).</p> - - <p class="figure"> - <img src="../images/ssl_intro_fig3.gif" alt="" width="423" height="323" /><br /> - <a id="figure3" name="figure3"><dfn>Figure 3</dfn></a>: SSL Record Protocol - </p> - - -<h3><a name="securehttp" id="securehttp">Securing HTTP Communication</a></h3> - - <p>One common use of SSL is to secure Web HTTP communication between - a browser and a webserver. This case does not preclude the use of - non-secured HTTP. The secure version is mainly plain HTTP over SSL - (named HTTPS), but with one major difference: it uses the URL scheme - <code>https</code> rather than <code>http</code> and a different - server port (by default 443). This mainly is what <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> provides to you for the Apache webserver...</p> - -</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="references" id="references">References</a></h2> - -<dl> -<dt><a id="AC96" name="AC96">[AC96]</a></dt> -<dd>Bruce Schneier, <q>Applied Cryptography</q>, 2nd Edition, Wiley, -1996. See <a href="http://www.counterpane.com/">http://www.counterpane.com/</a> for various other materials by Bruce -Schneier.</dd> - -<dt><a id="X208" name="X208">[X208]</a></dt> -<dd>ITU-T Recommendation X.208, <q>Specification of Abstract Syntax Notation -One (ASN.1)</q>, 1988. See for instance <a href="http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-X.208-198811-I">http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-X.208-198811-I</a>. -</dd> - -<dt><a id="X509" name="X509">[X509]</a></dt> -<dd>ITU-T Recommendation X.509, <q>The Directory - Authentication -Framework</q>. See for instance <a href="http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-X.509">http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-X.509</a>. -</dd> - -<dt><a id="PKCS" name="PKCS">[PKCS]</a></dt> -<dd><q>Public Key Cryptography Standards (PKCS)</q>, -RSA Laboratories Technical Notes, See <a href="http://www.rsasecurity.com/rsalabs/pkcs/">http://www.rsasecurity.com/rsalabs/pkcs/</a>.</dd> - -<dt><a id="MIME" name="MIME">[MIME]</a></dt> -<dd>N. Freed, N. Borenstein, <q>Multipurpose Internet Mail Extensions -(MIME) Part One: Format of Internet Message Bodies</q>, RFC2045. -See for instance <a href="http://ietf.org/rfc/rfc2045.txt">http://ietf.org/rfc/rfc2045.txt</a>.</dd> - -<dt><a id="SSL2" name="SSL2">[SSL2]</a></dt> -<dd>Kipp E.B. Hickman, <q>The SSL Protocol</q>, 1995. See <a href="http://www.netscape.com/eng/security/SSL_2.html">http://www.netscape.com/eng/security/SSL_2.html</a>.</dd> - -<dt><a id="SSL3" name="SSL3">[SSL3]</a></dt> -<dd>Alan O. Freier, Philip Karlton, Paul C. Kocher, <q>The SSL Protocol -Version 3.0</q>, 1996. See <a href="http://www.netscape.com/eng/ssl3/draft302.txt">http://www.netscape.com/eng/ssl3/draft302.txt</a>.</dd> - -<dt><a id="TLS1" name="TLS1">[TLS1]</a></dt> -<dd>Tim Dierks, Christopher Allen, <q>The TLS Protocol Version 1.0</q>, -1999. See <a href="http://ietf.org/rfc/rfc2246.txt">http://ietf.org/rfc/rfc2246.txt</a>.</dd> -</dl> -</div></div> -<div class="bottomlang"> -<p><span>Available Languages: </span><a href="../en/ssl/ssl_intro.html" title="English"> en </a> | -<a href="../ja/ssl/ssl_intro.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a></p> -</div><div id="footer"> -<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> -<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div> -</body></html>
\ No newline at end of file diff --git a/rubbos/app/apache2/manual/ssl/ssl_intro.html.ja.utf8 b/rubbos/app/apache2/manual/ssl/ssl_intro.html.ja.utf8 deleted file mode 100644 index eb497b47..00000000 --- a/rubbos/app/apache2/manual/ssl/ssl_intro.html.ja.utf8 +++ /dev/null @@ -1,695 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml" lang="ja" xml:lang="ja"><head><!-- - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - This file is generated from xml source: DO NOT EDIT - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - --> -<title>SSL/TLS æå·å: ã¯ããã« - Apache HTTP ãµãŒã</title> -<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> -<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> -<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /> -<link href="../images/favicon.ico" rel="shortcut icon" /></head> -<body id="manual-page"><div id="page-header"> -<p class="menu"><a href="../mod/">ã¢ãžã¥ãŒã«</a> | <a href="../mod/directives.html">ãã£ã¬ã¯ãã£ã</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">çšèª</a> | <a href="../sitemap.html">ãµã€ãããã</a></p> -<p class="apache">Apache HTTP ãµãŒã ããŒãžã§ã³ 2.0</p> -<img alt="" src="../images/feather.gif" /></div> -<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> -<div id="path"> -<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP ãµãŒã</a> > <a href="http://httpd.apache.org/docs/">ããã¥ã¡ã³ããŒã·ã§ã³</a> > <a href="../">ããŒãžã§ã³ 2.0</a> > <a href="./">SSL/TLS</a></div><div id="page-content"><div id="preamble"><h1>SSL/TLS æå·å: ã¯ããã«</h1> -<div class="toplang"> -<p><span>Available Languages: </span><a href="../en/ssl/ssl_intro.html" hreflang="en" rel="alternate" title="English"> en </a> | -<a href="../ja/ssl/ssl_intro.html" title="Japanese"> ja </a></p> -</div> - -<blockquote> -<p>æšæºèŠæ Œã®è¯ãæã¯ãããããã®èŠæ Œããéžã¹ããšããããšã ã -ãããŠãããæ¬åœã«ã©ã®èŠæ Œãæ°ã«å
¥ããªããã°ã -äžå¹ŽåŸ
ã€ã ãã§æ¢ããŠããèŠæ ŒãçŸããã</p> - -<p class="cite">-- <cite>A. Tanenbaum</cite>, "Introduction to -Computer Networks"</p> -</blockquote> - -<p> -å
¥éãšããããšã§ããã®ç« 㯠WebãHTTPãApache ã«éããŠãã -èªè
åãã§ãããã»ãã¥ãªãã£å°é家åãã§ã¯ãããŸããã -SSL ãããã³ã«ã®æ±ºå®çãªæåŒãã§ããã€ããã¯ãããŸããã -ãŸããçµç¹å
ã®èªèšŒç®¡çã®ããã®ç¹å®ã®ãã¯ããã¯ãã -ç¹èš±ã茞åºèŠå¶ãªã©ã®éèŠãªæ³çãªåé¡ã«ã€ããŠãæ±ããŸããã -ããããæŽãªãç 究ãžã®åºçºç¹ãšããŠè²ã
ãªæŠå¿µãå®çŸ©ãäŸã䞊ã¹ãããšã§ - mod_ssl ã®ãŠãŒã¶ã«åºç€ç¥èãæäŸããäºãç®çãšããŠããŸãã</p> - -<p>ããã«ç€ºãããå
容ã¯äž»ã«ãåèè
ã®èš±å¯ã®äž -The Open Group Research Institute ã® <a href="http://home.earthlink.net/~fjhirsch/">Frederick J. Hirsch</a> - æ°ã®èšäº <a href="http://home.earthlink.net/~fjhirsch/Papers/wwwj/article.html"> -Introducing SSL and Certificates using SSLeay</a> ãåºã«ããŠããŸãã -æ°ã®èšäºã¯ <a href="http://www.ora.com/catalog/wjsum97/">Web Security: A Matter of -Trust</a>, World Wide Web Journal, Volume 2, Issue 3, Summer 1997 -ã«æ²èŒãããŸããã -è¯å®çãªæèŠã¯ <a href="mailto:hirsch@fjhirsch.com">Frederick Hirsch</a> æ° - (å
èšäºã®èè
) ãžå
šãŠã®èŠæ
㯠<a href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> ( -<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> ã®äœè
) ãžãé¡ãããŸãã -[蚳泚: èš³ã«ã€ããŠã¯ <a href="mailto:apache-docs@ml.apache.or.jp"> -Apache ããã¥ã¡ã³ã翻蚳ãããžã§ã¯ã</a> -ãžãé¡ãããŸãã]</p> -</div> -<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#cryptographictech">æå·åæè¡</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#certificates">蚌ææž</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#ssl">Secure Sockets Layer (SSL)</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#references">åèæç®</a></li> -</ul></div> -<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="cryptographictech" id="cryptographictech">æå·åæè¡</a></h2> - -<p>SSL ãç解ããã«ã¯ãæå·ã¢ã«ãŽãªãºã ã -ã¡ãã»ãŒãžãã€ãžã§ã¹ãé¢æ°(å¥å: äžæ¹åé¢æ°ãããã·ã¥é¢æ°)ã -é»å眲åãªã©ãžã®ç解ãå¿
èŠã§ãã -ãããã®æè¡ã¯æ¬ãäžžããšå¿
èŠãªé¡ç®ã§ -(äŸãã° [<a href="#AC96">AC96</a>] ãåç
§)ã -ãã©ã€ãã·ãŒãä¿¡çšãèªèšŒãªã©ã®æè¡ã®åºç€ãšãªã£ãŠããŸãã</p> - -<h3><a name="cryptographicalgo" id="cryptographicalgo">æå·ã¢ã«ãŽãªãºã </a></h3> - - <p>äŸãã°ãã¢ãªã¹ãééã®ããã«éè¡ã«ã¡ãã»ãŒãžãéããããšããŸãã - å£åº§çªå·ãééã®éé¡ãå«ãŸããããã - ã¢ãªã¹ã¯ãã®ã¡ãã»ãŒãžãç§å¯ã«ããããšæããŸãã - 解決æ¹æ³ã®äžã€ã¯æå·ã¢ã«ãŽãªãºã ã䜿ã£ãŠãã¡ãã»ãŒãžã - èªãŸããã人以å€ã¯èªãããšãã§ããªãæå·åããã - 圢æ
ã«å€ããŠããŸãããšã§ãã - ãã®åœ¢æ
ã«ãªããšã - ã¡ãã»ãŒãžã¯ç§å¯ã®éµã«ãã£ãŠã®ã¿è§£éããããšãã§ããŸãã - éµãªãã§ã¯ãã¡ãã»ãŒãžã¯åœ¹ã«ç«ã¡ãŸããã - è¯ãæå·ã¢ã«ãŽãªãºã ã¯ã䟵å
¥è
ãå
ã®ããã¹ãã解èªããããšã - éåžžã«é£ãããããããåªåãå²ã«åããªããããŸãã</p> - - <p>æå·ã¢ã«ãŽãªãºã ã«ã¯ - åŸæ¥åãšå
¬ééµã®äºã€ã®çš®é¡ããããŸãã</p> - - <dl> - <dt>åŸæ¥åæå·</dt> - <dd>察称æå·ãšããŠãç¥ããã - éä¿¡è
ãšåä¿¡è
ãéµãå
±æããããšãå¿
èŠã§ãã - éµãšã¯ãã¡ãã»ãŒãžãæå·åããã埩å·ããã®ã«äœ¿ãããç§å¯ - ã®æ
å ±ã®ããšã§ãã - ããããã®éµãç§å¯ãªããéä¿¡è
ãšåä¿¡è
以å€ã¯èª°ãã¡ãã»ãŒãžãèª - ãããšãã§ããŸããã - ããããã¢ãªã¹ãšéè¡ãç§å¯ã®éµãç¥ã£ãŠãããªãã - 圌ãã¯ãäºãã«ç§å¯ã®ã¡ãã»ãŒãžãéãããšãã§ããã§ãããã - ãã ããäºåã«å
å¯ã«éµãéžã¶ãšããä»äºã¯åé¡ãå«ãã§ããŸãã</dd> - - <dt>å
¬ééµæå·</dt> - <dd>é察称æå·ãšããŠãç¥ããã - ã¡ãã»ãŒãžãæå·åããããšã®ã§ããäºã€ã®éµ - ã䜿çšããã¢ã«ãŽãªãºã ãå®çŸ©ããããšã§éµã®ããåãã®åé¡ã解決 - ããŸãã - ãããããéµãæå·åã«äœ¿ããããªãã - ããçæ¹ã®éµã§åŸ©å·ããªããã°ãããŸããã - ãã®æ¹åŒã«ãã£ãŠãäžã€ã®éµãå
¬è¡šããŠ(å
¬ééµ)ã - ããçæ¹ãç§å¯ã«ããŠãã(ç§å¯éµ)ã ãã§ã - å®å
šãªã¡ãã»ãŒãžãåãåãããšãã§ããŸãã</dd> - </dl> - - <p>誰ããæå·åãããã¡ãã»ãŒãžãå
¬ééµã«ãã£ãŠæå·å - ããããšãã§ããŸãããç§å¯éµã®æã¡äž»ã ãããããèªãããšã - ã§ããŸãã - ãã®æ¹æ³ã§ãéè¡ã®å
¬ééµã䜿ã£ãŠæå·åããããšã§ã - ã¢ãªã¹ã¯ç§å¯ã®ã¡ãã»ãŒãžãéãããšãã§ããŸãã - éè¡ã®ã¿ã埩å·ããããšãã§ããŸãã</p> - - -<h3><a name="messagedigests" id="messagedigests">ã¡ãã»ãŒãžãã€ãžã§ã¹ã</a></h3> - - <p>ã¢ãªã¹ã¯ã¡ãã»ãŒãžãç§å¯ã«ããããšãã§ããŸããã - 誰ããäŸãã°èªåã«ééããããã«ã¡ãã»ãŒãžãå€æŽãããã - å¥ã®ãã®ã«çœ®ãæããŠããŸããããããªããšããåé¡ããããŸãã - ã¢ãªã¹ã®ã¡ãã»ãŒãžã®ä¿¡çšãä¿èšŒããæ¹æ³ã®äžã€ã¯ã - ã¡ãã»ãŒãžã®ç°¡æœãªãã€ãžã§ã¹ããäœã£ãŠããããéè¡ã«éããšãããã®ã§ãã - ã¡ãã»ãŒãžãåãåããšéè¡ããã€ãžã§ã¹ããäœæãã - ã¢ãªã¹ãéã£ããã®ãšæ¯ã¹ãŸããããäžèŽãããªãã - åãåã£ãã¡ãã»ãŒãžã¯ç¡å·ã ãšããããšã«ãªããŸãã</p> - - <p>ãã®ãããªèŠçŽã¯<dfn>ã¡ãã»ãŒãžãã€ãžã§ã¹ã</dfn>ã - <em>äžæ¹è¡é¢æ°</em>ããŸãã¯<em>ããã·ã¥é¢æ°</em>ãšåŒã°ããŸãã - ã¡ãã»ãŒãžãã€ãžã§ã¹ãã¯é·ãå¯å€é·ã®ã¡ãã»ãŒãžãã - çãåºå®é·ã®è¡šçŸãäœãã®ã«äœ¿ãããŸãã - ãã€ãžã§ã¹ãã¢ã«ãŽãªãºã ã¯ã¡ãã»ãŒãžãã - äžæãªãã€ãžã§ã¹ããçæããããã«äœãããŠããŸãã - ã¡ãã»ãŒãžãã€ãžã§ã¹ãã¯ãã€ãžã§ã¹ãããå
ã®ã¡ãã»ãŒãžã - å€å®ããã®ããšãŠãé£ããããã«ã§ããŠããŸãã - ãŸããåãèŠçŽãäœæããäºã€ã®ã¡ãã»ãŒãžãæ¢ãã®ã¯äžå¯èœã§ãã - ãã£ãŠãåãèŠçŽã䜿ã£ãŠã¡ãã»ãŒãžã眮ãæãããšãã - å¯èœæ§ãæé€ããŠããŸãã</p> - -<p>ã¢ãªã¹ãžã®ããäžã€ã®åé¡ã¯ããã®ãã€ãžã§ã¹ããå®å
šã«éãæ¹æ³ãæ¢ãããšã§ãã -ãããã§ããã°ãã¡ãã»ãŒãžã®ä¿¡çšãä¿èšŒãããŸãã -äžã€ã®æ¹æ³ã¯ãã®ãã€ãžã§ã¹ãã«é»å眲åãå«ãããšã§ãã</p> - - -<h3><a name="digitalsignatures" id="digitalsignatures">é»å眲å</a></h3> -<p>ã¢ãªã¹ãéè¡ã«ã¡ãã»ãŒãžãéã£ããšããéè¡ã¯ã -䟵å
¥è
ã圌女ã«ãªãããŸããŠåœŒå¥³ã®å£åº§ãžã®ååŒãç³è«ããŠããªããã -ã¡ãã»ãŒãžãæ¬åœã«åœŒå¥³ããã®ãã®ã確å®ã«åãããªããã°ãããŸããã -ã¢ãªã¹ã«ãã£ãŠäœæãããã¡ãã»ãŒãžã«å«ãŸãã -<em>é»å眲å</em>ãããã§åœ¹ã«ç«ã¡ãŸãã</p> - -<p>é»å眲åã¯ã¡ãã»ãŒãžã®ãã€ãžã§ã¹ãããã®ä»ã®æ
å ±(åŠççªå·ãªã©)ã -éä¿¡è
ã®ç§å¯éµã§æå·åããããšã§äœãããŸãã -誰ããå
¬ééµã䜿ã£ãŠçœ²åã<em>埩å·</em>ããããšãã§ããŸããã -眲åè
ã®ã¿ãç§å¯éµãç¥ã£ãŠããŸãã -ããã¯ã圌ãã®ã¿ã眲åãããããšãæå³ããŸãã -ãã€ãžã§ã¹ããé»å眲åã«å«ãããšã¯ã -ãã®çœ²åããã®ã¡ãã»ãŒãžã®ã¿ã«æå¹ã§ããããšãæå³ããŸãã -ããã¯ã誰ããã€ãžã§ã¹ããå€ããŠçœ²åãããããšãã§ããªãããã -ã¡ãã»ãŒãžã®ä¿¡çšãä¿èšŒããŸãã</p> - -<p>䟵å
¥è
ã眲åãååããŠåŸæ¥ã«åå©çšããã®ãé²ããã -é»å眲åã«ã¯äžæãªåŠççªå·ãå«ãŸããŸãã -ããã¯ãã¢ãªã¹ããããªã¡ãã»ãŒãžã¯éã£ãŠããªããšèšãè©æ¬º -ããéè¡ãå®ããŸãã -圌女ã ãã眲åãããããã§ãã(åŠèªé²æ¢)</p> - -</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="certificates" id="certificates">蚌ææž</a></h2> - -<p>ã¢ãªã¹ã¯ç§å¯ã®ã¡ãã»ãŒãžãéè¡ã«éãã -眲åãããŠãã¡ãã»ãŒãžã®ä¿¡çšãä¿èšŒããããšãã§ããããã«ãªããŸãããã -éä¿¡ããŠããçžæãæ¬åœã«éè¡ãªã®ã確ãããªããŠã¯ãããŸããã -ããã¯ã圌女ã䜿ãå
¬ééµãéè¡ã®ç§å¯éµãšå¯Ÿã«ãªã£ãŠãããã®ãã -圌女ã¯ç¢ºãããªããŠã¯ãããªããšããããšãæå³ããŸãã -åæ§ã«ãéè¡ã¯ã¡ãã»ãŒãžã®çœ²åãæ¬åœã«ã¢ãªã¹ã®çœ²åã確èªããå¿
èŠã -ãããŸãã</p> - -<p>ããäž¡è
ã«èº«å
ã蚌æããå
¬ééµã確èªãããŸãä¿¡é Œãããæ©é¢ã眲å -ãã蚌ææžãããã°ãäž¡è
ãšãéä¿¡çžæã«ã€ããŠæ£ããçžæã ãš -確信ããããšãã§ããŸãã -ãã®ãããªä¿¡é Œãããæ©é¢ã¯<em>èªèšŒå±</em> - (Certificate Authority ãŸã㯠CA) ãšåŒã°ãã -蚌ææž (certificate) ãèªèšŒ (authentication) ã«äœ¿ãããŸãã</p> - -<h3><a name="certificatecontents" id="certificatecontents">蚌ææžã®å
容</a></h3> - - <p>蚌ææžã¯å
¬ééµãšå人ããµãŒãããã®ä»ã®äž»äœã®å®åšã®èº«å
ã - é¢é£ä»ããŸãã - <a href="#table1">è¡š1</a>ã«ç€ºãããããã«èšŒæ察象ã®æ
å ±ã¯ - 身å
蚌æã®æ
å ±(èå¥å)ãšå
¬ééµãå«ãŸããŸãã - 蚌ææžã¯ãŸããèªèšŒå±ã®èº«å
蚌æãšçœ²åããããŠèšŒææžã®æå¹æéã - å«ã¿ãŸãã - ã·ãªã¢ã«ãã³ããŒãªã©ã®èªèšŒå±ã®ç®¡çäžã®æ
å ±ã - ãã®ä»ã®è¿œå ã®æ
å ±ãå«ãŸããŠãããããããŸããã</p> - - <h4><a name="table1" id="table1">è¡š1: 蚌ææžæ
å ±</a></h4> - - <table> - - <tr><th>蚌æ察象</th> - <td>èå¥åãå
¬ééµ</td></tr> - <tr><th>çºè¡è
</th> - <td>èå¥åãå
¬ééµ</td></tr> - <tr><th>æå¹æé</th> - <td>éå§æ¥ã倱å¹æ¥</td></tr> - <tr><th>管çæ
å ±</th> - <td>ããŒãžã§ã³ãã·ãªã¢ã«ãã³ããŒ</td></tr> - <tr><th>æ¡åŒµæ
å ±</th> - <td>åºæ¬çãªå¶çŽããããã¹ã±ãŒããã©ãã°ããã®ä»</td></tr> - </table> - - - <p>èå¥å(ãã£ã¹ãã£ã³ã°ã€ãã·ã¥ã»ããŒã )ã¯ç¹å®ã®ç¶æ³ã«ããã - 身å蚌æãæäŸããã®ã«äœ¿ãããŠããŸããäŸãã°ããã人㯠- ç§çšãšäŒç€Ÿãšã§å¥ã
ã®èº«å蚌æãæã€ãããããŸããã - - èå¥å㯠X.509 æšæºèŠæ Œ [<a href="#X509">X509</a>] ã§å®çŸ©ãããŠããŸãã - X.509 æšæºèŠæ Œã¯ãé
ç®ãé
ç®åããããŠé
ç®ã®ç¥ç§°ãå®çŸ©ããŠããŸãã(<a href="#table2">è¡š - 2</a> åç
§)</p> - - <h4><a name="table2" id="table2">è¡š 2: èå¥åæ
å ±</a></h4> - - <table class="bordered"> - - <tr><th>èå¥åé
ç®</th> - <th>ç¥ç§°</th> - <th>説æ</th> - <th>äŸ</th></tr> - <tr><td>Common Name (ã³ã¢ã³ããŒã )</td> - <td>CN</td> - <td>èªèšŒãããåå<br /> - SSLæ¥ç¶ããURL</td> - <td>CN=www.example.com</td></tr> - <tr><td>Organization or Company (çµç¹å)</td> - <td>O</td> - <td>å£äœã®æ£åŒè±èªçµç¹å</td> - <td>O=Example Japan K.K.</td></tr> - <tr><td>Organizational Unit (éšéå)</td> - <td>OU</td> - <td>éšçœ²åãªã©</td> - <td>OU=Customer Service</td></tr> - <tr><td>City/Locality (åžåºçºæ)</td> - <td>L</td> - <td>æåšããŠãåžåºçºæ</td> - <td>L=Sapporo</td></tr> - <tr><td>State/Province (éœéåºç)</td> - <td>ST</td> - <td>æåšããŠãéœéåºç</td> - <td>ST=Hokkaido</td></tr> - <tr><td>Country(åœ)</td> - <td>C</td> - <td>æåšããŠããåœåã® ISO ã³ãŒã<br /> - æ¥æ¬ã®å Žå JP - </td> - <td>C=JP</td></tr> - </table> - - - <p>èªèšŒå±ã¯ã©ã®é
ç®ãçç¥å¯èœã§ã©ããå¿
é ãã®æ¹éãå®çŸ©ãã - ãããããŸãããé
ç®ã®å
容ã«ã€ããŠãèªèšŒå±ã蚌ææžã®ãŠãŒã¶ããã® - èŠä»¶ããããããããŸããã - äŸãã°ããããã¹ã±ãŒãã®ãã©ãŠã¶ã¯ãµãŒãã®èšŒææžã® - Common Name (ã³ã¢ã³ããŒã )ããµãŒãã®ãã¡ã€ã³åã® - <code>*.example.com</code> - ãšãããããªã¯ã€ã«ãã«ãŒãã®ãã¿ãŒã³ã«ãããããããš - ãèŠæ±ããŸãã</p> - - <p>ãã€ããªåœ¢åŒã®èšŒææžã¯ ASN.1 è¡šèšæ³ - [<a href="#X208">X208</a>] [<a href="#PKCS">PKCS</a>] 㧠- å®çŸ©ãããŠããŸãã - ãã®è¡šèšæ³ã¯å
容ãã©ã®ããã«èšè¿°ããããå®çŸ©ãã - 笊å·åã®èŠå®ããã®æ
å ±ãã©ã®ããã«ãã€ããªåœ¢åŒã«å€æããããã - å®çŸ©ããŸãã - 蚌ææžã®ãã€ããªç¬Šå·å㯠Distinguished Encoding - Rules (DER) ã§å®çŸ©ãããããã¯ããäžè¬ç㪠Basic Encoding Rules - (BER) ã«åºã¥ããŠããŸãã - ãã€ããªåœ¢åŒãæ±ãããšã®ã§ããªãéä¿¡ã§ã¯ã - ãã€ããªåœ¢åŒã¯ Base64 笊å·å [<a href="#MIME">MIME</a>] 㧠- ASCII 圢åŒã«å€æãããããšããããŸãã - ãã®ããã«ç¬Šå·åããã以äžã®äŸã«ç€ºãããããã«åºåãè¡ã« - æãŸãããã®ã¯ PEM 笊å·åããããšèšããŸãã - (PEM ã®åå㯠"Privacy Enhanced Mail" ã«ç±æ¥ããŸã)</p> - - <div class="example"><h3>PEM 笊å·åããã蚌ææžã®äŸ (example.crt)</h3><pre>-----BEGIN CERTIFICATE----- -MIIC7jCCAlegAwIBAgIBATANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCWFkx -FTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25ha2UgVG93bjEXMBUG -A1UEChMOU25ha2UgT2lsLCBMdGQxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhv -cml0eTEVMBMGA1UEAxMMU25ha2UgT2lsIENBMR4wHAYJKoZIhvcNAQkBFg9jYUBz -bmFrZW9pbC5kb20wHhcNOTgxMDIxMDg1ODM2WhcNOTkxMDIxMDg1ODM2WjCBpzEL -MAkGA1UEBhMCWFkxFTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25h -a2UgVG93bjEXMBUGA1UEChMOU25ha2UgT2lsLCBMdGQxFzAVBgNVBAsTDldlYnNl -cnZlciBUZWFtMRkwFwYDVQQDExB3d3cuc25ha2VvaWwuZG9tMR8wHQYJKoZIhvcN -AQkBFhB3d3dAc25ha2VvaWwuZG9tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB -gQDH9Ge/s2zcH+da+rPTx/DPRp3xGjHZ4GG6pCmvADIEtBtKBFAcZ64n+Dy7Np8b -vKR+yy5DGQiijsH1D/j8HlGE+q4TZ8OFk7BNBFazHxFbYI4OKMiCxdKzdif1yfaa -lWoANFlAzlSdbxeGVHoT0K+gT5w3UxwZKv2DLbCTzLZyPwIDAQABoyYwJDAPBgNV -HRMECDAGAQH/AgEAMBEGCWCGSAGG+EIBAQQEAwIAQDANBgkqhkiG9w0BAQQFAAOB -gQAZUIHAL4D09oE6Lv2k56Gp38OBDuILvwLg1v1KL8mQR+KFjghCrtpqaztZqcDt -2q2QoyulCgSzHbEGmi0EsdkPfg6mp0penssIFePYNI+/8u9HT4LuKMJX15hxBam7 -dUHzICxBVC1lnHyYGjDuAMhe396lYAn8bCld1/L4NMGBCQ== ------END CERTIFICATE-----</pre></div> - - -<h3><a name="certificateauthorities" id="certificateauthorities">èªèšŒå±</a></h3> - - <p>ãŸã蚌ææžã®ç³è«ã®æ
å ±ã確èªããããšã§ã - èªèšŒå±ã¯ç§å¯éµã®æã¡äž»ã®èº«å
ãä¿èšŒããŸãã - äŸãã°ãã¢ãªã¹ãå人蚌ææžãç³è«ãããšãããšã - èªèšŒå±ã¯ã¢ãªã¹ã蚌ææžã®ç³è«ã䞻匵ããéãã® - 人ç©ã ãšããããšã確èªããªããŠã¯ãããŸããã</p> - - <h4><a name="certificatechains" id="certificatechains">蚌ææžéå±€æ§é </a></h4> - - <p>èªèšŒå±ã¯ä»ã®èªèšŒå±ãžã®èšŒææžãçºè¡ããããšãã§ããŸãã - æªç¥ã®èšŒææžã調ã¹ãæã«ãã¢ãªã¹ã¯ãã®èšŒææžã®çºè¡è
- ã«èªä¿¡ãæãŠããŸã§ãçºè¡è
ã®èšŒææžã - ãã®äžäœéå±€ã®èªèšŒå±ããã©ã£ãŠèª¿ã¹ãå¿
èŠããããŸãã - ãæªè³ªãªã蚌ææžã®å±éºæ§ãæžããããã - 圌女ã¯éãããé£éã®çºè¡è
ã®ã¿ä¿¡é Œããããã« - 決ããããšãã§ããŸãã</p> - - - <h4><a name="rootlevelca" id="rootlevelca">æäžäœèªèšŒå±ã®äœæ</a></h4> - - <p>åã«è¿°ã¹ãããã«ãå
šãŠã®èšŒææžã«ã€ããŠã - æäžäœã®èªèšŒå±(CA)ãŸã§ããããã®çºè¡è
ã - 察象ã®èº«å
蚌æã®æå¹æ§ãæããã«ããå¿
èŠããããŸãã - åé¡ã¯ã誰ããã®æäžäœã®èªèšŒæ©é¢ã®èšŒææžãä¿èšŒããã®ãã - ãšããããšã§ãã - ãã®ãããªå Žåã«éãã蚌ææžã¯ãèªå·±çœ²åããããŸãã - ã€ãŸãã蚌ææžã®çºè¡è
ãšèšŒæ察象ãåããšããããšã«ãªããŸãã - ãã®çµæãèªå·±çœ²åããã蚌ææžãä¿¡çšããã«ã¯ - 现å¿ã®æ³šæãå¿
èŠã§ãã - æäžäœèªèšŒå±ãå
¬ééµãåºãå
¬è¡šããããšã§ã - ãã®éµãä¿¡é Œãããªã¹ã¯ãäœãããããšãã§ããŸãã - ãããä»äººããã®èªèšŒå±ã«ãªãããŸããæã«ããããé²èŠãã - ããããã§ãã - å€ãã®ãã©ãŠã¶ã¯æåãªèªèšŒå±ãä¿¡é Œããããã« - èšå®ãããŠããŸãã</p> - - <p><a href="http://www.thawte.com/">Thawte</a> - ã <a href="http://www.verisign.com/">VeriSign</a> - ã®ãããªå€ãã®äŒç€ŸãèªèšŒå±ãšããŠéèšããŸããã - ãã®ãããªäŒç€Ÿã¯ä»¥äžã®ãµãŒãã¹ãæäŸããŸã:</p> - - <ul> - <li>蚌ææžç³è«ã®ç¢ºèª</li> - <li>蚌ææžç³è«ã®åŠç</li> - <li>蚌ææžã®çºè¡ãšç®¡ç</li> - </ul> - - <p>èªåã§èªèšŒå±ãäœãããšãå¯èœã§ãã - ã€ã³ã¿ãŒãããç°å¢ã§ã¯å±éºã§ããã - å人ããµãŒãã®èº«å
蚌æãç°¡åã«è¡ããçµç¹ã® - ã€ã³ãã©ãããå
ã§ã¯åœ¹ã«ç«ã€ãããããŸããã</p> - - - <h4><a name="certificatemanagement" id="certificatemanagement">蚌ææžç®¡ç</a></h4> - - <p>èªèšŒå±ã®éèšã¯åŸ¹åºãã管çãæè¡ãéçšã®äœå¶ãå¿
èŠãšãã - 責任ã®ããä»äºã§ãã - èªèšŒå±ã¯èšŒææžãçºè¡ããã ãã§ãªãã - 管çãããªããã°ãªããŸããã - å
·äœçã«ã¯ã蚌ææžããã€ãŸã§æå¹ãã決å®ããæŽæ°ãã - ãŸãæ¢ã«çºè¡ãããã倱å¹ãã蚌ææžã®ãªã¹ã - (Certificate Revocation Lists ãŸã㯠CRL) - ã管çããªããã°ãããŸããã - äŸãã°ãã¢ãªã¹ãäŒç€Ÿãã瀟å¡ãšããŠèšŒææžãäžãããããšããŸãã - ãããŠãã¢ãªã¹ãäŒç€ŸãèŸãããšãã«ã¯èšŒææžãåãæ¶ããªããã° - ãããªããšããŸãã - 蚌ææžã¯æ¬¡ã
ãšäººã«æž¡ãããŠãããã®ãªã®ã§ã - 蚌ææžãã®ãã®ããããããåãæ¶ããããå€æããããšã¯ - äžå¯èœã§ãã - ãã£ãŠã蚌ææžã®æå¹æ§ã調ã¹ããšãã«ã¯ã - èªèšŒå±ã«é£çµ¡ã㊠CRL ãç
§åããå¿
èŠããããŸãã - æ®éãã®éçšã¯èªååãããŠãããã®ã§ã¯ãããŸããã</p> - - <div class="note"><h3>泚æ</h3> - <p>ããã©ã«ãã§ãã©ãŠã¶ã«èšå®ãããŠããªãèªèšŒå±ã䜿ã£ãå Žåã - èªèšŒå±ã®èšŒææžããã©ãŠã¶ã«èªã¿èŸŒãã§ã - ãã©ãŠã¶ããã®èªèšŒå±ã«ãã£ãŠçœ²åããããµãŒãã®èšŒææžã - æå¹åããå¿
èŠããããŸãã - äžåºŠèªã¿èŸŒãŸãããšããã®èªèšŒå±ã«ãã£ãŠçœ²åãããå
šãŠã® - 蚌ææžãåãå
¥ãããããå±éºã䌎ããŸãã</p> - </div> - - - -</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="ssl" id="ssl">Secure Sockets Layer (SSL)</a></h2> - -<p>Secure Sockets Layer ãããã³ã«ã¯ä¿¡é Œæ§ã®ããã³ãã¯ã·ã§ã³åã® -ãããã¯ãŒã¯å±€ã®ãããã³ã«(äŸãã°ãTCP/IP)ãš -ã¢ããªã±ãŒã·ã§ã³å±€ã®ãããã³ã«(äŸãã°ãHTTP) -ã®éã«çœ®ãããšãã§ããŸãã -SSL ã¯ãçžäºèªèšŒã«ãã£ãŠãµãŒããšã¯ã©ã€ã¢ã³ãéã®å®å
šãªéä¿¡ãã -é»å眲åã«ãã£ãŠããŒã¿ã®å®å
šæ§ãã -ãããŠæå·åã«ãã£ãŠãã©ã€ãã·ãæäŸããŸãã</p> - -<p>SSL ãããã³ã«ã¯æå·åããã€ãžã§ã¹ããé»å眲åã«ã€ããŠã -æ§ã
ãªã¢ã«ãŽãªãºã ããµããŒãããããã«ã§ããŠããŸãã -ããããããšã§ãæ³ã茞åºã®èŠå¶ãèæ
®ã«å
¥ããŠããµãŒãã«åããã -ã¢ã«ãŽãªãºã ãéžã¶ããšãã§ãããŸããæ°ããã¢ã«ãŽãªãºã ã -å©çšããŠããããšãå¯èœã«ããŠããŸãã -ã¢ã«ãŽãªãºã ã®éžæã¯ãããã³ã«ã»ãã·ã§ã³éå§æã« -ãµãŒããšã¯ã©ã€ã¢ã³ãéã§åã決ããããŸãã</p> - -<h3><a name="table4" id="table4">è¡š4: SSL ãããã³ã«ã®ããŒãžã§ã³</a></h3> - - <table class="bordered"> - - <tr><th>ããŒãžã§ã³</th> - <th>åºå
ž</th> - <th>説æ</th> - <th>ãã©ãŠã¶ã®ãµããŒã</th></tr> - <tr><td>SSL v2.0</td> - <td>Vendor Standard (Netscape Corp. ãã) [<a href="#SSL2">SSL2</a>]</td> - <td>å®è£
ãçŸåããåããŠã® SSL ãããã³ã«</td> - <td>- NS Navigator 1.x/2.x<br /> - - MS IE 3.x<br /> - - Lynx/2.8+OpenSSL</td></tr> - <tr><td>SSL v3.0</td> - <td>Expired Internet Draft (Netscape Corp. ãã) [<a href="#SSL3">SSL3</a>]</td> - <td>ç¹å®ã®ã»ãã¥ãªãã£æ»æãé²ãããã®æ¹èšã - éRSA æå·ã®è¿œå ã蚌ææžéå±€æ§é ã®ãµããŒã</td> - <td>- NS Navigator 2.x/3.x/4.x<br /> - - MS IE 3.x/4.x<br /> - - Lynx/2.8+OpenSSL</td></tr> - <tr><td>TLS v1.0</td> - <td>Proposed Internet Standard (IETF ãã) [<a href="#TLS1">TLS1</a>]</td> - <td>MAC ã¬ã€ã€ã HMAC ãžæŽæ°ããããã¯æå·ã® block - paddingãã¡ãã»ãŒãžé åºã®æšæºåãèŠåæã®å
å®ãªã©ã®ãã - SSL 3.0 ãæ¹èšã</td> - <td>- Lynx/2.8+OpenSSL</td></tr> - </table> - - -<p><a href="#table4">è¡š4</a>ã«ç€ºããããšãããSSL ãããã³ã«ã«ã¯ -ããã€ãã®ããŒãžã§ã³ããããŸãã -è¡šã«ãæžãããŠããããã«ãSSL 3.0 ã®å©ç¹ã®äžã€ã¯ -蚌ææžéå±€æ§é ããµããŒãããããšã§ãã -ãã®æ©èœã«ãã£ãŠããµãŒãã¯èªåã®èšŒææžã«å ããŠã -çºè¡è
ã®èšŒææžããã©ãŠã¶ã«æž¡ãããšãã§ããŸãã -蚌ææžéå±€æ§é ã«ãã£ãŠã -ãã©ãŠã¶ã«çºè¡è
ã®èšŒææžãçŽæ¥ç»é²ãããŠããªããŠãã -éå±€ã®äžã«å«ãŸããŠããã°ã -ãã©ãŠã¶ã¯ãµãŒãã®èšŒææžãæå¹åããããšãã§ããŸãã -SSL 3.0 ã¯çŸåš Internet Engineering Task Force (IETF) -ã«ãã£ãŠéçºãããŠãã Transport Layer Security -[<a href="#TLS1">TLS</a>] ãããã³ã«æšæºèŠæ Œã®åºç€ãšãªã£ãŠããŸãã</p> - -<h3><a name="session" id="session">ã»ãã·ã§ã³ã®ç¢ºç«</a></h3> - - <p><a href="#figure1">å³1</a>ã§ç€ºãããããã«ã - ã»ãã·ã§ã³ã®ç¢ºç«ã¯ã¯ã©ã€ã¢ã³ããšãµãŒãéã® - ãã³ãã·ã§ãŒã¯ã·ãŒã¯ãšã³ã¹ã«ãã£ãŠè¡ãªãããŸãã - ãµãŒãã蚌ææžãæäŸããããã¯ã©ã€ã¢ã³ãã®èšŒææžããªã¯ãšã¹ãããã - ãšãããµãŒãã®èšå®ã«ããããã®ã·ãŒã¯ãšã³ã¹ã¯ç°ãªããã®ãšãªããŸãã - æå·æ
å ±ã®ç®¡çã®ããã«ãè¿œå ã®ãã³ãã·ã§ãŒã¯éçšãå¿
èŠã«ãªã - å ŽåããããŸããããã®èšäºã§ã¯ - ããããã·ããªãªãæçã«èª¬æããŸãã - å
šãŠã®å¯èœæ§ã«ã€ãã¯ãSSL ä»æ§æžãåç
§ããŠãã ããã</p> - - <div class="note"><h3>泚æ</h3> - <p>äžåºŠ SSL ã»ãã·ã§ã³ã確ç«ãããšãã»ãã·ã§ã³ãåå©çšããããšã§ã - ã»ãã·ã§ã³ãéå§ããããã®å€ãã®éçšãç¹°ãè¿ããšãã - ããã©ãŒãã³ã¹ã®æ倱ãé²ããŸãã - ãã®ããããµãŒãã¯å
šãŠã®ã»ãã·ã§ã³ã«äžæãªã»ãã·ã§ã³èå¥åã - å²ãåœãŠããµãŒãã«ãã£ãã·ã¥ããã¯ã©ã€ã¢ã³ãã¯æ¬¡åãã - (èå¥åããµãŒãã®ãã£ãã·ã¥ã§æéåãã«ãªããŸã§ã¯) - ãã³ãã·ã§ãŒã¯ãªãã§æ¥ç¶ããããšãã§ããŸãã</p> - </div> - - <p class="figure"> - <img src="../images/ssl_intro_fig1.gif" alt="" width="423" height="327" /><br /> - <a id="figure1" name="figure1"><dfn>å³1</dfn></a>: SSL - ãã³ãã·ã§ãŒã¯ã·ãŒã¯ãšã³ã¹æŠç¥</p> - - <p>ãµãŒããšã¯ã©ã€ã¢ã³ãã§äœ¿ããã - ãã³ãã·ã§ãŒã¯ã·ãŒã¯ãšã³ã¹ã®èŠçŽ ã以äžã«ç€ºããŸã:</p> - - <ol> - <li>ããŒã¿éä¿¡ã«äœ¿ãããæå·ã¹ã€ãŒãã®åã決ã</li> - <li>ã¯ã©ã€ã¢ã³ããšãµãŒãéã§ã®ã»ãã·ã§ã³éµã®ç¢ºç«ãšå
±æ</li> - <li>ãªãã·ã§ã³ãšããŠãã¯ã©ã€ã¢ã³ãã«å¯ŸãããµãŒãã®èªèšŒ</li> - <li>ãªãã·ã§ã³ãšããŠããµãŒãã«å¯Ÿããã¯ã©ã€ã¢ã³ãã®èªèšŒ</li> - </ol> - - <p>第äžã¹ãããã®æå·ã¹ã€ãŒãåã決ãã«ãã£ãŠã - ãµãŒããšã¯ã©ã€ã¢ã³ãã¯ããããã«ãã£ã - æå·ã¹ã€ãŒããéžã¶ããšãã§ããŸãã - SSL3.0 ãããã³ã«ã®ä»æ§æžã¯ 31 ã®æå·ã¹ã€ãŒããå®çŸ©ããŠããŸãã - æå·ã¹ã€ãŒãã¯ä»¥äžã®ã³ã³ããŒãã³ãã«ããå®çŸ©ãããŠããŸã:</p> - - <ul> - <li>éµã®äº€ææ段</li> - <li>ããŒã¿éä¿¡ã®æå·è¡</li> - <li>Message Authentication Code (MAC) äœæã®ããã® - ã¡ãã»ãŒãžãã€ãžã§ã¹ã</li> - </ul> - - <p>ãããã®äžã€ã®èŠçŽ ã¯ä»¥äžã®ã»ã¯ã·ã§ã³ã§èª¬æãããŠããŸãã</p> - - -<h3><a name="keyexchange" id="keyexchange">éµã®äº€ææ段</a></h3> - - <p>éµã®äº€ææ段ã¯ã¢ããªã±ãŒã·ã§ã³ã®ããŒã¿éä¿¡ã«äœ¿ããã - å
±æããã察称æå·éµãã©ã®ããã«ãã¯ã©ã€ã¢ã³ããšãµãŒã㧠- åã決ããããå®çŸ©ããŸãã - SSL 2.0 㯠RSA éµäº€æãã䜿ããŸãããã - SSL 3.0 ã¯èšŒææžã䜿ããããšã㯠RSA éµäº€æã䜿ãã - 蚌ææžãç¡ããã¯ã©ã€ã¢ã³ããšãµãŒãã®äºåã®éä¿¡ãç¡ãå Žå㯠- Diffie-Hellman éµäº€æã䜿ã - ãªã©æ§ã
ãªéµäº€æã¢ã«ãŽãªãºã ããµããŒãããŸãã</p> - - <p>éµã®äº€ææ¹æ³ã«ãããäžã€ã®éžæè¢ã¯é»å眲åã§ãã - é»å眲åã䜿ããã©ããããŸãã - ã©ã®çš®é¡ã®çœ²åã䜿ãããšããéžæããããŸãã - ç§å¯éµã§çœ²åããããšã§å
±æéµãçæãããæ
å ±äº€æããæã® - ãã³ã»ã€ã³ã»ã¶ã»ããã«æ»æãé²ãããšãã§ããŸãã - [<a href="#AC96">AC96</a>, p516]</p> - - -<h3><a name="ciphertransfer" id="ciphertransfer">ããŒã¿éä¿¡ã®æå·è¡</a></h3> - - <p>SSL ã¯ã»ãã·ã§ã³ã®ã¡ãã»ãŒãžã®æå·åã«åè¿°ãã - åŸæ¥åæå·(察称æå·)ãçšããŸãã - æå·åããªããšããéžæè¢ãå«ãä¹ã€ã®éžæè¢ããããŸã:</p> - - <ul> - <li>æå·åãªã</li> - <li>ã¹ããªãŒã æå· - <ul> - <li>40-bit éµã§ã® RC4</li> - <li>128-bit éµã§ã® RC4</li> - </ul></li> - <li>CBC ãããã¯æå· - <ul><li>40 bit éµã§ã® RC2</li> - <li>40 bit éµã§ã® DES</li> - <li>56 bit éµã§ã® DES</li> - <li>168 bit éµã§ã® Triple-DES</li> - <li>Idea (128 bit éµ)</li> - <li>Fortezza (96 bit éµ)</li> - </ul></li> - </ul> - - <p>ããã§ã® CBC ãšã¯æå·ãããã¯é£é (Cipher Block Chaining) - ã®ç¥ã§ãäžã€åã®æå·åãããæå·æã®äžéšã - ãããã¯ã®æå·åã«äœ¿ãããããšãæå³ããŸãã - DES ã¯ããŒã¿æå·åæšæºèŠæ Œ (Data Encryption Standard) - [<a href="#AC96">AC96</a>, ch12] ã®ç¥ã§ã - DES40 ã 3DES_EDE ãå«ãããã€ãã®çš®é¡ããããŸãã - Idea ã¯æé«ãªãã®ã®äžã€ã§ãæå·è¡çã«ã¯çŸåšããäžã§ - æã匷åãªãã®ã§ãã - RC2 㯠RSA DSI ã«ããç¬å çãªã¢ã«ãŽãªãºã ã§ãã - [<a href="#AC96">AC96</a>, - ch13]</p> - - -<h3><a name="digestfuntion" id="digestfuntion">ãã€ãžã§ã¹ãé¢æ°</a></h3> - - <p> - ãã€ãžã§ã¹ãé¢æ°ã®éžæã¯ã¬ã³ãŒããŠãããããã©ã®ããã«ãã€ãžã§ã¹ããçæããããã決å®ããŸãã - SSL ã¯ä»¥äžããµããŒãããŸã:</p> - - <ul> - <li>ãã€ãžã§ã¹ããªã</li> - <li>MD5 (128-bit ããã·ã¥)</li> - <li>Secure Hash Algorithm (SHA-1) (160-bit ããã·ã¥)</li> - </ul> - - <p>ã¡ãã»ãŒãžãã€ãžã§ã¹ã㯠Message Authentication Code (MAC) - ã®çæã«äœ¿ãããã¡ãã»ãŒãžãšå
±ã«æå·åãããã¡ãã»ãŒãžã®ä¿¡çšã - æäŸãããªãã¬ã€æ»æãé²ããŸãã</p> - - -<h3><a name="handshake" id="handshake">ãã³ãã·ã§ãŒã¯ã·ãŒã¯ãšã³ã¹ãããã³ã«</a></h3> - - <p>ãã³ãã·ã§ãŒã¯ã·ãŒã¯ãšã³ã¹ã¯äžã€ã®ãããã³ã«ã䜿ããŸã:</p> - - <ul> - <li><dfn>SSL ãã³ãã·ã§ãŒã¯ãããã³ã«</dfn>㯠- ã¯ã©ã€ã¢ã³ããšãµãŒãéã§ã® SSL ã»ãã·ã§ã³ã®ç¢ºç«ã«äœ¿ãããŸãã</li> - <li><dfn>SSL æå·ä»æ§å€æŽãããã³ã«</dfn>㯠- ã»ãã·ã§ã³ã§ã®æå·ã¹ã€ãŒãã®åã決ãã«äœ¿ãããŸãã</li> - <li><dfn>SSL èŠåãããã³ã«</dfn>㯠- ã¯ã©ã€ã¢ã³ããµãŒãé㧠SSL ãšã©ãŒãäŒéããã®ã«äœ¿ãããŸãã</li> - </ul> - - <p>äžã€ã®ãããã³ã«ã¯ãã¢ããªã±ãŒã·ã§ã³ãããã³ã«ããŒã¿ãšãšãã«ã - <a href="#figure2">å³2</a>ã«ç€ºããšãã <dfn>SSL ã¬ã³ãŒããããã³ã«</dfn> - ã§ã«ãã»ã«åãããŸãã - ã«ãã»ã«åããããããã³ã«ã¯ããŒã¿ãæ€æ»ããªã - äžå±€ã®ãããã³ã«ã«ãã£ãŠããŒã¿ãšããŠäŒéãããŸãã - ã«ãã»ã«åããããããã³ã«ã¯äžå±€ã®ãããã³ã«ã«é¢ããŠäžåé¢ç¥ããŸããã</p> - - <p class="figure"> - <img src="../images/ssl_intro_fig2.gif" alt="" width="428" height="217" /><br /> - <a id="figure2" name="figure2"><dfn>å³2</dfn></a>: SSL ãããã³ã«ã¹ã¿ã㯠- </p> - - <p> - ã¬ã³ãŒããããã³ã«ã«ãã SSL ã³ã³ãããŒã«ãããã³ã«ã®ã«ãã»ã«åã¯ã - ã¢ã¯ãã£ããªã»ãã·ã§ã³ã®äºåç®ã®éä¿¡ããã£ãå Žåã - ã³ã³ãããŒã«ãããã³ã«ãå®å
šã§ããããšãæå³ããŸãã - æ¢ã«ã»ãã·ã§ã³ãç¡ãå Žåã¯ãNull æå·ã¹ã€ãŒãã䜿ããã - æå·åã¯è¡ãªããããã»ãã·ã§ã³ã確ç«ãããŸã§ã¯ - ãã€ãžã§ã¹ããç¡ãç¶æ
ãšãªããŸãã</p> - - -<h3><a name="datatransfer" id="datatransfer">ããŒã¿éä¿¡</a></h3> - - <p><a href="#figure3">å³3</a>ã«ç€ºããã SSL ã¬ã³ãŒããããã³ã« - ã¯ã¯ã©ã€ã¢ã³ããšãµãŒãéã®ã¢ããªã±ãŒã·ã§ã³ã - SSL ã³ã³ãããŒã«ããŒã¿ã®éä¿¡ã«äœ¿ãããŸãã - ãã®ããŒã¿ã¯ããå°ãããŠãããã«åãããããã - ããã€ãã®é«çŽãããã³ã«ããŸãšããŠäžãŠããããšããŠéä¿¡ã - è¡ãªãããããšããããŸãã - ããŒã¿ãå§çž®ãããã€ãžã§ã¹ã眲åãæ·»ä»ããŠã - ãããã®ãŠããããæå·åããã®ã¡ãããŒã¹ãšãªã£ãŠãã - ä¿¡é Œæ§ã®ãããã©ã³ã¹ããŒããããã³ã«ãçšãããããããŸããã - (泚æ: çŸåšã¡ãžã£ãŒãª SLL å®è£
ã§å§çž®ããµããŒãããŠãããã®ã¯ãããŸãã)</p> - - <p class="figure"> - <img src="../images/ssl_intro_fig3.gif" alt="" width="423" height="323" /><br /> - <a id="figure3" name="figure3"><dfn>å³ 3</dfn></a>: SSL ã¬ã³ãŒããããã³ã« - </p> - - -<h3><a name="securehttp" id="securehttp">HTTP éä¿¡ã®å®å
šå</a></h3> - - <p>ãããã SSL ã®äœ¿ãæ¹ã¯ãã©ãŠã¶ãšãŠã§ããµãŒãéã® HTTP éä¿¡ - ã®å®å
šåã§ãã - ããã¯ãåŸæ¥ã®å®å
šã§ã¯ãªã HTTP ã®äœ¿çšãé€å€ãããã®ã§ã¯ãããŸããã - å®å
šåããããã®ã¯äž»ã« SSH äžã®æ®éã® HTTP ã§ãHTTPS ãšåŒã°ããŸãã - 倧ããªéãã¯ãURL ã¹ããŒã ã« <code>http</code> ã®ä»£ããã« <code>https</code> - ãçšãããµãŒããå¥ã®ããŒãã䜿ãããšã§ã (ããã©ã«ãã§ã¯443)ã - ããã䞻㫠<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> ã Apache ãŠã§ããµãŒãã«æäŸããæ©èœã§ãã</p> - -</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="section"> -<h2><a name="references" id="references">åèæç®</a></h2> - -<dl> -<dt><a id="AC96" name="AC96">[AC96]</a></dt> -<dd>Bruce Schneier, <q>Applied Cryptography</q>, 2nd Edition, Wiley, -1996. See <a href="http://www.counterpane.com/">http://www.counterpane.com/</a> for various other materials by Bruce -Schneier.</dd> - -<dt><a id="X208" name="X208">[X208]</a></dt> -<dd>ITU-T Recommendation X.208, <q>Specification of Abstract Syntax Notation -One (ASN.1)</q>, 1988. See for instance <a href="http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-X.208-198811-I">http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-X.208-198811-I</a>. -</dd> - -<dt><a id="X509" name="X509">[X509]</a></dt> -<dd>ITU-T Recommendation X.509, <q>The Directory - Authentication -Framework</q>. See for instance <a href="http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-X.509">http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-X.509</a>. -</dd> - -<dt><a id="PKCS" name="PKCS">[PKCS]</a></dt> -<dd><q>Public Key Cryptography Standards (PKCS)</q>, -RSA Laboratories Technical Notes, See <a href="http://www.rsasecurity.com/rsalabs/pkcs/">http://www.rsasecurity.com/rsalabs/pkcs/</a>.</dd> - -<dt><a id="MIME" name="MIME">[MIME]</a></dt> -<dd>N. Freed, N. Borenstein, <q>Multipurpose Internet Mail Extensions -(MIME) Part One: Format of Internet Message Bodies</q>, RFC2045. -See for instance <a href="http://ietf.org/rfc/rfc2045.txt">http://ietf.org/rfc/rfc2045.txt</a>.</dd> - -<dt><a id="SSL2" name="SSL2">[SSL2]</a></dt> -<dd>Kipp E.B. Hickman, <q>The SSL Protocol</q>, 1995. See <a href="http://www.netscape.com/eng/security/SSL_2.html">http://www.netscape.com/eng/security/SSL_2.html</a>.</dd> - -<dt><a id="SSL3" name="SSL3">[SSL3]</a></dt> -<dd>Alan O. Freier, Philip Karlton, Paul C. Kocher, <q>The SSL Protocol -Version 3.0</q>, 1996. See <a href="http://www.netscape.com/eng/ssl3/draft302.txt">http://www.netscape.com/eng/ssl3/draft302.txt</a>.</dd> - -<dt><a id="TLS1" name="TLS1">[TLS1]</a></dt> -<dd>Tim Dierks, Christopher Allen, <q>The TLS Protocol Version 1.0</q>, -1999. See <a href="http://ietf.org/rfc/rfc2246.txt">http://ietf.org/rfc/rfc2246.txt</a>.</dd> -</dl> -</div></div> -<div class="bottomlang"> -<p><span>Available Languages: </span><a href="../en/ssl/ssl_intro.html" hreflang="en" rel="alternate" title="English"> en </a> | -<a href="../ja/ssl/ssl_intro.html" title="Japanese"> ja </a></p> -</div><div id="footer"> -<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> -<p class="menu"><a href="../mod/">ã¢ãžã¥ãŒã«</a> | <a href="../mod/directives.html">ãã£ã¬ã¯ãã£ã</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">çšèª</a> | <a href="../sitemap.html">ãµã€ãããã</a></p></div> -</body></html>
\ No newline at end of file |