summaryrefslogtreecommitdiffstats
path: root/rubbos/app/apache2/manual/ssl/ssl_faq.html.en
blob: 16801dd6882acb0bbebedc75550ba1c7c3c0c5b9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
              This file is generated from xml source: DO NOT EDIT
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      -->
<title>SSL/TLS Strong Encryption: FAQ - Apache HTTP Server</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body id="manual-page"><div id="page-header">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.0</p>
<img alt="" src="../images/feather.gif" /></div>
<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.0</a> &gt; <a href="./">SSL/TLS</a></div><div id="page-content"><div id="preamble"><h1>SSL/TLS Strong Encryption: FAQ</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="../en/ssl/ssl_faq.html" title="English">&nbsp;en&nbsp;</a></p>
</div>

<blockquote>
<p>The wise man doesn't give the right answers,
he poses the right questions.</p>
<p class="cite">-- <cite>Claude Levi-Strauss</cite></p>

</blockquote>
<p>This chapter is a collection of frequently asked questions (FAQ) and
corresponding answers following the popular USENET tradition. Most of these
questions occurred on the Newsgroup <code><a href="news:comp.infosystems.www.servers.unix">comp.infosystems.www.servers.unix</a></code> or the mod_ssl Support
Mailing List <code><a href="mailto:modssl-users@modssl.org">modssl-users@modssl.org</a></code>. They are collected at this place
to avoid answering the same questions over and over.</p>

<p>Please read this chapter at least once when installing mod_ssl or at least
search for your problem here before submitting a problem report to the
author.</p>
</div>
<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#about">About The Module</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#installation">Installation</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#aboutconfig">Configuration</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#aboutcerts">Certificates</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#aboutssl">The SSL Protocol</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#support">mod_ssl Support</a></li>
</ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="about" id="about">About The Module</a></h2>
<ul>
<li><a href="#history">What is the history of mod_ssl?</a></li>
<li><a href="#wassenaar">mod_ssl and Wassenaar Arrangement?</a></li>
</ul>

<h3><a name="history" id="history">What is the history of mod_ssl?</a></h3>
<p>The mod_ssl v1 package was initially created in April 1998 by <a href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> via porting <a href="mailto:ben@algroup.co.uk">Ben Laurie</a>'s <a href="http://www.apache-ssl.org/">Apache-SSL</a> 1.17 source patches for
    Apache 1.2.6 to Apache 1.3b6. Because of conflicts with Ben
    Laurie's development cycle it then was re-assembled from scratch for
    Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL
    1.18. From this point on mod_ssl lived its own life as mod_ssl v2. The
    first publicly released version was mod_ssl 2.0.0 from August 10th,
    1998. </p>
    
    <p>After US export restrictions on cryptographic software were
    loosened, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> became part of the Apache HTTP
    Server with the release of Apache httpd 2.</p>


<h3><a name="wassenaar" id="wassenaar">Is mod_ssl affected by the Wassenaar Arrangement?</a></h3>
<p>First, let us explain what <dfn>Wassenaar</dfn> and its <dfn>Arrangement on
    Export Controls for Conventional Arms and Dual-Use Goods and
    Technologies</dfn> is: This is a international regime, established in 1995, to
    control trade in conventional arms and dual-use goods and technology. It
    replaced the previous <dfn>CoCom</dfn> regime. Further details on 
    both the Arrangement and its signatories are available at <a href="http://www.wassenaar.org/">http://www.wassenaar.org/</a>.</p>

    <p>In short, the aim of the Wassenaar Arrangement is to prevent the build up
    of military capabilities that threaten regional and international security
    and stability. The Wassenaar Arrangement controls the export of
    cryptography as a dual-use good, that is, something that has both military and
    civilian applications. However, the Wassenaar Arrangement also provides an
    exemption from export controls for mass-market software and free software.</p>
    
    <p>In the current Wassenaar <cite>List of Dual Use Goods and Technologies And
    Munitions</cite>, under <q>GENERAL SOFTWARE NOTE (GSN)</q> it says
    <q>The Lists do not control "software" which is either: 1. [...] 2. "in
    the public domain".</q> And under <q>DEFINITIONS OF TERMS USED IN
    THESE LISTS</q> we find <q>In the public
    domain</q> defined as <q>"technology" or "software" which has been made
    available without restrictions upon its further dissemination. Note:
    Copyright restrictions do not remove "technology" or "software" from being
    "in the public domain".</q></p>
    
    <p>So, both mod_ssl and OpenSSL are <q>in the public domain</q> for the purposes
    of the Wassenaar Arrangement and its <q>List of Dual Use Goods and
    Technologies And Munitions List</q>, and thus not affected by its provisions.</p>


</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="installation" id="installation">Installation</a></h2>
<ul>
<li><a href="#mutex">Why do I get permission errors related to 
SSLMutex when I start Apache?</a></li>
<li><a href="#entropy">Why does mod_ssl stop with the error "Failed to 
generate temporary 512 bit RSA private key" when I start Apache?</a></li>
</ul>

<h3><a name="mutex" id="mutex">Why do I get permission errors related to 
	SSLMutex when I start Apache?</a></h3>
    <p>Errors such as ``<code>mod_ssl: Child could not open
    SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows)
    [...] System: Permission denied (errno: 13)</code>'' are usually
    caused by overly restrictive permissions on the <em>parent</em> directories.
    Make sure that all parent directories (here <code>/opt</code>,
    <code>/opt/apache</code> and <code>/opt/apache/logs</code>) have the x-bit
    set for, at minimum, the UID under which Apache's children are running (see
    the <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> directive).</p>


<h3><a name="entropy" id="entropy">Why does mod_ssl stop with the error
	"Failed to generate temporary 512 bit RSA private key" when I start 
	Apache?</a></h3>
    <p>Cryptographic software needs a source of unpredictable data
    to work correctly. Many open source operating systems provide
    a "randomness device" that serves this purpose (usually named
    <code>/dev/random</code>). On other systems, applications have to
    seed the OpenSSL Pseudo Random Number Generator (PRNG) manually with
    appropriate data before generating keys or performing public key
    encryption. As of version 0.9.5, the OpenSSL functions that need
    randomness report an error if the PRNG has not been seeded with
    at least 128 bits of randomness.</p>
    <p>To prevent this error, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> has to provide 
    enough entropy to the PRNG to allow it to work correctly. This can 
    be done via the <code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code> 
    directive.</p>

</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="aboutconfig" id="aboutconfig">Configuration</a></h2>
<ul>
<li><a href="#parallel">Is it possible to provide HTTP and HTTPS from 
the same server?</a></li>
<li><a href="#ports">Which port does HTTPS use?</a></li>
<li><a href="#httpstest">How do I speak HTTPS manually for testing 
purposes?</a></li>
<li><a href="#hang">Why does the connection hang when I connect to my 
SSL-aware Apache server?</a></li>
<li><a href="#refused">Why do I get ``Connection Refused'' errors, when 
trying to access my newly installed Apache+mod_ssl server via HTTPS?</a></li>
<li><a href="#envvars">Why are the <code>SSL_XXX</code> variables not
available to my CGI &amp; SSI scripts?</a></li>
<li><a href="#relative">How can I switch between HTTP and HTTPS in 
relative hyperlinks?</a></li>
</ul>

<h3><a name="parallel" id="parallel">Is it possible to provide HTTP and HTTPS 
	from the same server?</a></h3>
    <p>Yes. HTTP and HTTPS use different server ports (HTTP binds to 
    port 80, HTTPS to port 443), so there is no direct conflict between 
    them. You can either run two separate server instances bound to 
    these ports, or use Apache's elegant virtual hosting facility to 
    create two virtual servers, both served by the same instance of Apache 
    - one responding over HTTP to requests on port 80, and the other 
    responding over HTTPS to requests on port 443.</p>


<h3><a name="ports" id="ports">Which port does HTTPS use?</a></h3>
<p>You can run HTTPS on any port, but the standards specify port 443, which
    is where any HTTPS compliant browser will look by default. You can force
    your browser to look on a different port by specifying it in the URL. For
    example, if your server is set up to serve pages over HTTPS on port 8080,
    you can access them at <code>https://example.com:8080/</code></p>


<h3><a name="httpstest" id="httpstest">How do I speak HTTPS manually for testing purposes?</a></h3>
 <p>While you usually just use</p>
    
    <div class="example"><p><code>$ telnet localhost 80<br />
    GET / HTTP/1.0</code></p></div>

    <p>for simple testing of Apache via HTTP, it's not so easy for
    HTTPS because of the SSL protocol between TCP and HTTP. With the
    help of OpenSSL's <code>s_client</code> command, however, you can 
    do a similar check via HTTPS:</p>
    
    <div class="example"><p><code>$ openssl s_client -connect localhost:443 -state -debug<br />
    GET / HTTP/1.0</code></p></div>

    <p>Before the actual HTTP response you will receive detailed
    information about the SSL handshake. For a more general command
    line client which directly understands both HTTP and HTTPS, can
    perform GET and POST operations, can use a proxy, supports byte
    ranges, etc. you should have a look at the nifty
    <a href="http://curl.haxx.se/">cURL</a> tool. Using this, you can
    check that Apache is responding correctly to requests via HTTP and
    HTTPS as follows:</p>

    <div class="example"><p><code>$ curl http://localhost/<br />
    $ curl https://localhost/</code></p></div>


<h3><a name="hang" id="hang">Why does the connection hang when I connect 
    to my SSL-aware Apache server?</a></h3>

<p>This can happen when you try to connect to a HTTPS server (or virtual
    server) via HTTP (eg, using <code>http://example.com/</code> instead of
    <code>https://example.com</code>). It can also happen when trying to
    connect via HTTPS to a HTTP server (eg, using
    <code>https://example.com/</code> on a server which doesn't support HTTPS,
    or which supports it on a non-standard port). Make sure that you're
    connecting to a (virtual) server that supports SSL.</p>

<h3><a name="refused" id="refused">Why do I get ``Connection Refused'' messages, 
    when trying to access my newly installed Apache+mod_ssl server via HTTPS?</a></h3>
<p>
    This error can be caused by an incorrect configuration.
    Please make sure that your <code class="directive"><a href="../mod/mpm_common.html#listen">Listen</a></code> directives match your 
    <code class="directive"><a href="../mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code>
    directives. If all else fails, please start afresh, using the default 
    configuration provided by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.</p>


<h3><a name="envvars" id="envvars">Why are the <code>SSL_XXX</code> variables 
    not available to my CGI &amp; SSI scripts?</a></h3>
<p>Please make sure you have ``<code>SSLOptions +StdEnvVars</code>''
    enabled for the context of your CGI/SSI requests.</p>


<h3><a name="relative" id="relative">How can I switch between HTTP and HTTPS in relative 
    hyperlinks?</a></h3>

<p>Usually, to switch between HTTP and HTTPS, you have to use 
    fully-qualified hyperlinks (because you have to change the URL 
    scheme).  Using <code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code> however, you can 
    manipulate relative hyperlinks, to achieve the same effect.</p>
    <div class="example"><p><code>
    RewriteEngine on<br />
    RewriteRule   ^/(.*):SSL$   https://%{SERVER_NAME}/$1 [R,L]<br />
    RewriteRule   ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1  [R,L]
    </code></p></div>

    <p>This rewrite ruleset lets you use hyperlinks of the form
    <code>&lt;a href="document.html:SSL"&gt;</code>, to switch to HTTPS
    in a relative link. (Replace SSL with NOSSL to switch to HTTP.)</p>

</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="aboutcerts" id="aboutcerts">Certificates</a></h2>
<ul>
<li><a href="#keyscerts">What are RSA Private Keys, CSRs and 
Certificates?</a></li>
<li><a href="#startup">Is there a difference on startup between
a non-SSL-aware Apache and an SSL-aware Apache?</a></li>
<li><a href="#selfcert">How do I create a self-signed SSL 
Certificate for testing purposes?</a></li>
<li><a href="#realcert">How do I create a real SSL Certificate?</a></li>
<li><a href="#ownca">How do I create and use my own Certificate 
Authority (CA)?</a></li>
<li><a href="#passphrase">How can I change the pass-phrase on my private 
key file?</a></li>
<li><a href="#removepassphrase">How can I get rid of the pass-phrase 
dialog at Apache startup time?</a></li>
<li><a href="#verify">How do I verify that a private key matches its 
Certificate?</a></li>
<li><a href="#badcert">Why do connections fail with an "alert bad 
certificate" error?</a></li>
<li><a href="#keysize">Why does my 2048-bit private key not work?</a></li>
<li><a href="#hashsymlinks">Why is client authentication broken after 
upgrading from SSLeay version 0.8 to 0.9?</a></li>
<li><a href="#pemder">How can I convert a certificate from PEM to DER 
format?</a></li>
<li><a href="#verisign">Why can't I find the
<code>getca</code> or <code>getverisign</code> programs mentioned by
Verisign, for installing my Verisign certificate?</a></li>
<li><a href="#sgc">Can I use the Server Gated Cryptography (SGC)
facility (aka Verisign Global ID) with mod_ssl?</a></li>
<li><a href="#gid">Why do browsers complain that they cannot
verify my Verisign Global ID server certificate?</a></li>
</ul>

<h3><a name="keyscerts" id="keyscerts">What are RSA Private Keys, CSRs and Certificates?</a></h3>
<p>An RSA private key file is a digital file that you can use to decrypt
    messages sent to you. It has a public component which you distribute (via
    your Certificate file) which allows people to encrypt those messages to
    you.</p>
    <p>A Certificate Signing Request (CSR) is a digital file which contains
    your public key and your name. You send the CSR to a Certifying Authority
    (CA), who will convert it into a real Certificate, by signing it.</p> 
    <p>A Certificate contains your
    RSA public key, your name, the name of the CA, and is digitally signed by
    the CA. Browsers that know the CA can verify the signature on that
    Certificate, thereby obtaining your RSA public key. That enables them to
    send messages which only you can decrypt.</p>
    <p>See the <a href="ssl_intro.html">Introduction</a> chapter for a general
    description of the SSL protocol.</p>


<h3><a name="startup" id="startup">Is there a difference on startup between 
    a non-SSL-aware Apache and an SSL-aware Apache?</a></h3>
<p>Yes. In general, starting Apache with 
    <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> built-in is just like starting Apache 
    without it. However, if you have a passphrase on your SSL private 
    key file, a startup dialog will pop up which asks you to enter the 
    pass phrase.</p>
    
    <p>Having to manually enter the passphrase when starting the server 
    can be problematic - for example, when starting the server from the 
    system boot scripts. In this case, you can follow the steps
    <a href="#removepassphrase">below</a> to remove the passphrase from
    your private key. Bear in mind that doing so brings additional security
    risks - proceed with caution!</p>


<h3><a name="selfcert" id="selfcert">How do I create a self-signed SSL 
Certificate for testing purposes?</a></h3>
    <ol>
    <li>Make sure OpenSSL is installed and in your <code>PATH</code>.<br />
    <br />
    </li>
    <li>Run the following command, to create <code>server.key</code> and
        <code>server.crt</code> files:<br />
	<code><strong>$ openssl req -new -x509 -nodes -out server.crt 
			-keyout server.key</strong></code><br />
	These can be used as follows in your <code>httpd.conf</code> 
	file:
        <pre>
             SSLCertificateFile    /path/to/this/server.crt
             SSLCertificateKeyFile /path/to/this/server.key
	</pre>
    </li>
    <li>It is important that you are aware that this 
	<code>server.key</code> does <em>not</em> have any passphrase.
	To add a passphrase to the key, you should run the following 
	command, and enter &amp; verify the passphrase as requested.<br />
	<p><code><strong>$ openssl rsa -des3 -in server.key -out 
	server.key.new</strong></code><br />
	<code><strong>$ mv server.key.new server.key</strong></code><br /></p>
	Please backup the <code>server.key</code> file, and the passphrase 
	you entered, in a secure location.
    </li>
    </ol>


<h3><a name="realcert" id="realcert">How do I create a real SSL Certificate?</a></h3>
<p>Here is a step-by-step description:</p>
    <ol>
    <li>Make sure OpenSSL is installed and in your <code>PATH</code>.
    <br />
    <br />
    </li>
    <li>Create a RSA private key for your Apache server
       (will be Triple-DES encrypted and PEM formatted):<br />
       <br />
       <code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code><br />
       <br />
       Please backup this <code>server.key</code> file and the
       pass-phrase you entered in a secure location.
       You can see the details of this RSA private key by using the command:<br />

       <br />
       <code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br />
       <br />
       If necessary, you can also create a decrypted PEM version (not 
       recommended) of this RSA private key with:<br />
       <br />
       <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br />
       <br />

    </li>
    <li>Create a Certificate Signing Request (CSR) with the server RSA private
       key (output will be PEM formatted):<br />
       <br />
       <code><strong>$ openssl req -new -key server.key -out server.csr</strong></code><br />
       <br />
       Make sure you enter the FQDN ("Fully Qualified Domain Name") of the
       server when OpenSSL prompts you for the "CommonName", i.e. when you
       generate a CSR for a website which will be later accessed via
       <code>https://www.foo.dom/</code>, enter "www.foo.dom" here.
       You can see the details of this CSR by using<br />

       <br />
       <code><strong>$ openssl req -noout -text -in server.csr</strong></code><br />
       <br />
    </li>
    <li>You now have to send this Certificate Signing Request (CSR) to
       a Certifying Authority (CA) to be signed. Once the CSR has been 
       signed, you will have a real Certificate, which can be used by
       Apache. You can have a CSR signed by a commercial CA, or you can 
       create your own CA to sign it.<br />
       Commercial CAs usually ask you to post the CSR into a web form, 
       pay for the signing, and then send a signed Certificate, which 
       you can store in a server.crt file. For more information about 
       commercial CAs see the following locations:<br />
       <br />
       <ol>
       <li>  Verisign<br />
             <a href="http://digitalid.verisign.com/server/apacheNotice.htm">
             http://digitalid.verisign.com/server/apacheNotice.htm
             </a>
       </li>
       <li>  Thawte<br />
         <a href="http://www.thawte.com/">http://www.thawte.com/</a>
       </li>
       <li>  CertiSign Certificadora Digital Ltda.<br />
             <a href="http://www.certisign.com.br">
             http://www.certisign.com.br
             </a>
       </li>
       <li>  IKS GmbH<br />
             <a href="http://www.iks-jena.de/leistungen/ca/">
             http://www.iks-jena.de/leistungen/ca/
             </a>
       </li>
       <li>  Uptime Commerce Ltd.<br />
             <a href="http://www.uptimecommerce.com">
             http://www.uptimecommerce.com
             </a>
       </li>
       <li>  BelSign NV/SA<br />
             <a href="http://www.belsign.be">
             http://www.belsign.be
             </a>
       </li>
       </ol>

       For details on how to create your own CA, and use this to sign
       a CSR, see <a href="#ownca">below</a>.<br />
       
       Once your CSR has been signed, you can see the details of the 
       Certificate as follows:<br />
       <br />
       <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br />

    </li>
    <li>You should now have two files: <code>server.key</code> and
    <code>server.crt</code>. These can be used as follows in your
    <code>httpd.conf</code> file:
       <pre>
       SSLCertificateFile    /path/to/this/server.crt
       SSLCertificateKeyFile /path/to/this/server.key
       </pre>
       The <code>server.csr</code> file is no longer needed.
    </li>

    </ol>


<h3><a name="ownca" id="ownca">How do I create and use my own Certificate Authority (CA)?</a></h3>
    <p>The short answer is to use the <code>CA.sh</code> or <code>CA.pl</code>
    script provided by OpenSSL. Unless you have a good reason not to, 
    you should use these for preference. If you cannot, you can create a
    self-signed Certificate as follows:</p>
    
    <ol>
    <li>Create a RSA private key for your server
       (will be Triple-DES encrypted and PEM formatted):<br />
       <br />
       <code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code><br />
       <br />
       Please backup this <code>host.key</code> file and the
       pass-phrase you entered in a secure location.
       You can see the details of this RSA private key by using the 
       command:<br />
       <code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br />
       <br />
       If necessary, you can also create a decrypted PEM version (not 
       recommended) of this RSA private key with:<br />
       <br />
       <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br />
       <br />
    </li>
    <li>Create a self-signed Certificate (X509 structure)
       with the RSA key you just created (output will be PEM formatted):<br />
       <br />
       <code><strong>$ openssl req -new -x509 -nodes -sha1 -days 365 
		       -key server.key -out server.crt</strong></code><br />
       <br />
       This signs the server CSR and results in a <code>server.crt</code> file.<br />
       You can see the details of this Certificate using:<br />
       <br />
       <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br />
       <br />
    </li>
    </ol>


<h3><a name="passphrase" id="passphrase">How can I change the pass-phrase on my private key file?</a></h3>
<p>You simply have to read it with the old pass-phrase and write it again,
    specifying the new pass-phrase. You can accomplish this with the following
    commands:</p>

    
    <p><code><strong>$ openssl rsa -des3 -in server.key -out server.key.new</strong></code><br />
    <code><strong>$ mv server.key.new server.key</strong></code><br /></p>
    
    <p>The first time you're asked for a PEM pass-phrase, you should
    enter the old pass-phrase. After that, you'll be asked again to 
    enter a pass-phrase - this time, use the new pass-phrase. If you
    are asked to verify the pass-phrase, you'll need to enter the new 
    pass-phrase a second time.</p>


<h3><a name="removepassphrase" id="removepassphrase">How can I get rid of the pass-phrase dialog at Apache startup time?</a></h3>
<p>The reason this dialog pops up at startup and every re-start
    is that the RSA private key inside your server.key file is stored in
    encrypted format for security reasons. The pass-phrase is needed to decrypt
    this file, so it can be read and parsed. Removing the pass-phrase 
    removes a layer of security from your server - proceed with caution!</p>
    <ol>
    <li>Remove the encryption from the RSA private key (while
       keeping a backup copy of the original file):<br />
       <br />
       <code><strong>$ cp server.key server.key.org</strong></code><br />
       <code><strong>$ openssl rsa -in server.key.org -out server.key</strong></code><br />

       <br />
    </li>
    <li>Make sure the server.key file is only readable by root:<br />
       <br />
       <code><strong>$ chmod 400 server.key</strong></code><br />
       <br />
    </li>
    </ol>

    <p>Now <code>server.key</code> contains an unencrypted copy of the key.
    If you point your server at this file, it will not prompt you for a
    pass-phrase. HOWEVER, if anyone gets this key they will be able to
    impersonate you on the net. PLEASE make sure that the permissions on this
    file are such that only root or the web server user can read it
    (preferably get your web server to start as root but run as another
    user, and have the key readable only by root).</p>
    
    <p>As an alternative approach you can use the ``<code>SSLPassPhraseDialog
    exec:/path/to/program</code>'' facility. Bear in mind that this is
    neither more nor less secure, of course.</p>


<h3><a name="verify" id="verify">How do I verify that a private key matches its Certificate?</a></h3>
<p>A private key contains a series of numbers. Two of these numbers form
    the "public key", the others are part of the "private key". The "public
    key" bits are included when you generate a CSR, and subsequently form
    part of the associated Certificate.</p>
    <p>To check that the public key in your Certificate matches the public
    portion of your private key, you simply need to compare these numbers. 
    To view the Certificate and the key run the commands:</p>
    
    <p><code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br />
    <code><strong>$ openssl rsa -noout -text -in server.key</strong></code></p>
    
    <p>The `modulus' and the `public exponent' portions in the key and the
    Certificate must match. As the public exponent is usually 65537
    and it's difficult to visually check that the long modulus numbers
    are the same, you can use the following approach:</p>
    
    <p><code><strong>$ openssl x509 -noout -modulus -in server.crt | openssl md5</strong></code><br />
    <code><strong>$ openssl rsa -noout -modulus -in server.key | openssl md5</strong></code></p>
    
    <p>This leaves you with two rather shorter numbers to compare. It is,
    in theory, possible that these numbers may be the same, without the 
    modulus numbers being the same, but the chances of this are 
    overwhelmingly remote.</p>
    <p>Should you wish to check to which key or certificate a particular 
    CSR belongs you can perform the same calculation on the CSR as 
    follows:</p>
    
    <p><code><strong>$ openssl req -noout -modulus -in server.csr | openssl md5</strong></code></p>


<h3><a name="badcert" id="badcert">Why do connections fail with an "alert 
bad certificate" error?</a></h3>
<p>Errors such as <code>OpenSSL: error:14094412: SSL
    routines:SSL3_READ_BYTES:sslv3 alert bad certificate</code> in the SSL
    logfile, are usually caused by a browser which is unable to handle the server
    certificate/private-key. For example, Netscape Navigator 3.x is 
    unable to handle RSA key lengths not equal to 1024 bits.</p>


<h3><a name="keysize" id="keysize">Why does my 2048-bit private key not work?</a></h3>
<p>The private key sizes for SSL must be either 512 or 1024 bits, for compatibility
    with certain web browsers. A keysize of 1024 bits is recommended because
    keys larger than 1024 bits are incompatible with some versions of Netscape
    Navigator and Microsoft Internet Explorer, and with other browsers that
    use RSA's BSAFE cryptography toolkit.</p>


<h3><a name="hashsymlinks" id="hashsymlinks">Why is client authentication broken after upgrading from
SSLeay version 0.8 to 0.9?</a></h3>
<p>The CA certificates under the path you configured with
    <code>SSLCACertificatePath</code> are found by SSLeay through hash
    symlinks. These hash values are generated by the `<code>openssl x509 -noout
    -hash</code>' command. However, the algorithm used to calculate the hash for a
    certificate changed between SSLeay 0.8 and 0.9. You will need to remove
    all old hash symlinks and create new ones after upgrading. Use the
    <code>Makefile</code> provided by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.</p>


<h3><a name="pemder" id="pemder">How can I convert a certificate from PEM to DER format?</a></h3>
<p>The default certificate format for SSLeay/OpenSSL is PEM, which is simply
    Base64 encoded DER, with header and footer lines. For some applications
    (e.g. Microsoft Internet Explorer) you need the certificate in plain DER
    format. You can convert a PEM file <code>cert.pem</code> into the
    corresponding DER file <code>cert.der</code> using the following command:
    <code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code></p>


<h3><a name="verisign" id="verisign">Why can't I find the
<code>getca</code> or <code>getverisign</code> programs mentioned by 
Verisign, for installing my Verisign certificate?</a></h3>
<p>Verisign has never provided specific instructions
    for Apache+mod_ssl. The instructions provided are for C2Net's 
    Stronghold (a commercial Apache based server with SSL support).</p> 
    <p>To install your certificate, all you need to do is to save the 
    certificate to a file, and give the name of that file to the 
    <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatefile">SSLCertificateFile</a></code> directive.
    You will also need to give it the key file. For more information, 
    see the <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatekeyfile">SSLCertificateKeyFile</a></code>
    directive.</p> 


<h3><a name="sgc" id="sgc">Can I use the Server Gated Cryptography (SGC) 
facility (aka Verisign Global ID) with mod_ssl?</a></h3>
<p>Yes. <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> has included support for the SGC 
    facility since version 2.1. No special configuration is required - 
    just use the Global ID as your server certificate. The 
    <em>step up</em> of the clients is then automatically handled by 
    <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> at run-time.</p> 


<h3><a name="gid" id="gid">Why do browsers complain that they cannot 
verify my Verisign Global ID server certificate?</a></h3>
<p>Verisign uses an intermediate CA certificate between the root CA 
    certificate (which is installed in the browsers) and the server 
    certificate (which you installed on the server). You should have 
    received this additional CA certificate from Verisign.
    If not, complain to them. Then, configure this certificate with the
    <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatechainfile">SSLCertificateChainFile</a></code> 
    directive. This ensures that the intermediate CA certificate is 
    sent to the browser, filling the gap in the certificate chain.</p>

</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="aboutssl" id="aboutssl">The SSL Protocol</a></h2>
<ul>
<li><a href="#random">Why do I get lots of random SSL protocol 
errors under heavy server load?</a></li>
<li><a href="#load">Why does my webserver have a higher load, now
that it serves SSL encrypted traffic?</a></li>
<li><a href="#establishing">Why do HTTPS connections to my server
sometimes take up to 30 seconds to establish a connection?</a></li>
<li><a href="#ciphers">What SSL Ciphers are supported by mod_ssl?</a></li>
<li><a href="#adh">Why do I get ``no shared cipher'' errors, when
trying to use Anonymous Diffie-Hellman (ADH) ciphers?</a></li>
<li><a href="#sharedciphers">Why do I get a 'no shared ciphers'
error when connecting to my newly installed server?</a></li>
<li><a href="#vhosts">Why can't I use SSL with name-based/non-IP-based 
virtual hosts?</a></li>
<li><a href="#vhosts2">Why is it not possible to use Name-Based Virtual
Hosting to identify different SSL virtual hosts?</a></li>
<li><a href="#comp">How do I get SSL compression working?</a></li>
<li><a href="#lockicon">When I use Basic Authentication over HTTPS
the lock icon in Netscape browsers stays unlocked when the dialog pops up.
Does this mean the username/password is being sent unencrypted?</a></li>
<li><a href="#msie">Why do I get I/O errors when connecting via
HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer 
(MSIE)?</a></li>
<li><a href="#nn">Why do I get I/O errors, or the message "Netscape has 
encountered bad data from the server", when connecting via
HTTPS to an Apache+mod_ssl server with Netscape Navigator?</a></li>
</ul>

<h3><a name="random" id="random">Why do I get lots of random SSL protocol 
errors under heavy server load?</a></h3>
<p>There can be a number of reasons for this, but the main one
    is problems with the SSL session Cache specified by the
    <code class="directive"><a href="../mod/mod_ssl.html#sslsessioncache">SSLSessionCache</a></code> directive. The DBM session
    cache is the most likely source of the problem, so using the SHM session cache (or
    no cache at all) may help.</p>


<h3><a name="load" id="load">Why does my webserver have a higher load, now 
that it serves SSL encrypted traffic?</a></h3>
<p>SSL uses strong cryptographic encryption, which necessitates a lot of
    number crunching. When you request a webpage via HTTPS, everything (even
    the images) is encrypted before it is transferred. So increased HTTPS
    traffic leads to load increases.</p>


<h3><a name="establishing" id="establishing">Why do HTTPS connections to my server 
sometimes take up to 30 seconds to establish a connection?</a></h3>
<p>This is usually caused by a <code>/dev/random</code> device for
    <code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code> which blocks the 
    read(2) call until enough entropy is available to service the 
    request. More information is available in the reference
    manual for the <code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code>
    directive.</p>


<h3><a name="ciphers" id="ciphers">What SSL Ciphers are supported by mod_ssl?</a></h3>
<p>Usually, any SSL ciphers supported by the version of OpenSSL in use, 
    are also supported by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>. Which ciphers are 
    available can depend on the way you built OpenSSL. Typically, at 
    least the following ciphers are supported:</p>
    
    <ol>
    <li>RC4 with MD5</li>
    <li>RC4 with MD5 (export version restricted to 40-bit key)</li>
    <li>RC2 with MD5</li>
    <li>RC2 with MD5 (export version restricted to 40-bit key)</li>
    <li>IDEA with MD5</li>
    <li>DES with MD5</li>
    <li>Triple-DES with MD5</li>
    </ol>
    
    <p>To determine the actual list of ciphers available, you should run 
    the following:</p>
    <div class="example"><p><code>$ openssl ciphers -v</code></p></div>


<h3><a name="adh" id="adh">Why do I get ``no shared cipher'' errors, when 
trying to use Anonymous Diffie-Hellman (ADH) ciphers?</a></h3>
<p>By default, OpenSSL does <em>not</em> allow ADH ciphers, for security
    reasons. Please be sure you are aware of the potential side-effects 
    if you choose to enable these ciphers.</p>
    <p>In order to use Anonymous Diffie-Hellman (ADH) ciphers, you must 
    build OpenSSL with ``<code>-DSSL_ALLOW_ADH</code>'', and then add
    ``<code>ADH</code>'' into your <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code>.</p>


<h3><a name="sharedciphers" id="sharedciphers">Why do I get a 'no shared ciphers' 
error when connecting to my newly installed server?</a></h3>
<p>Either you have made a mistake with your 
    <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code>
    directive (compare it with the pre-configured example in
    <code>httpd.conf-dist</code>) or you chose to use DSA/DH
    algorithms instead of RSA when you generated your private key
    and ignored or overlooked the warnings. If you have chosen
    DSA/DH, then your server cannot communicate using RSA-based SSL 
    ciphers (at least until you configure an additional RSA-based
    certificate/key pair). Modern browsers like NS or IE can only 
    communicate over SSL using RSA ciphers. The result is the 
    "no shared ciphers" error. To fix this, regenerate your server 
    certificate/key pair, using the RSA algorithm.</p>


<h3><a name="vhosts" id="vhosts">Why can't I use SSL with name-based/non-IP-based virtual hosts?</a></h3>
<p>The reason is very technical, and a somewhat "chicken and egg" problem. 
    The SSL protocol layer stays below the HTTP protocol layer and 
    encapsulates HTTP. When an SSL connection (HTTPS) is established
    Apache/mod_ssl has to negotiate the SSL protocol parameters with the
    client. For this, mod_ssl has to consult the configuration of the virtual
    server (for instance it has to look for the cipher suite, the server
    certificate, etc.). But in order to go to the correct virtual server
    Apache has to know the <code>Host</code> HTTP header field. To do this, the
    HTTP request header has to be read. This cannot be done before the SSL
    handshake is finished, but the information is needed in order to 
    complete the SSL handshake phase. Bingo!</p>


<h3><a name="vhosts2" id="vhosts2">Why is it not possible to use Name-Based
Virtual Hosting to identify different SSL virtual hosts?</a></h3>
    <p>Name-Based Virtual Hosting is a very popular method of identifying
    different virtual hosts. It allows you to use the same IP address and
    the same port number for many different sites. When people move on to
    SSL, it seems natural to assume that the same method can be used to have
    lots of different SSL virtual hosts on the same server.</p>

    <p>It comes as rather a shock to learn that it is impossible.</p> 

    <p>The reason is that the SSL protocol is a separate layer which
    encapsulates the HTTP protocol. So the SSL session is a separate 
    transaction, that takes place before the HTTP session has begun. 
    The server receives an SSL request on IP address X and port Y 
    (usually 443). Since the SSL request does not contain any Host: 
    field, the server has no way to decide which SSL virtual host to use.
    Usually, it will just use the first one it finds, which matches the 
    port and IP address specified.</p> 

    <p>You can, of course, use Name-Based Virtual Hosting to identify many
    non-SSL virtual hosts (all on port 80, for example) and then 
    have a single SSL virtual host (on port 443). But if you do this,
    you must make sure to put the non-SSL port number on the NameVirtualHost
    directive, e.g.</p> 

    <div class="example"><p><code>
      NameVirtualHost 192.168.1.1:80
    </code></p></div>
    
    <p>Other workaround solutions include: </p>

    <p>Using separate IP addresses for different SSL hosts. 
    Using different port numbers for different SSL hosts.</p> 


<h3><a name="comp" id="comp">How do I get SSL compression working?</a></h3>
<p>Although SSL compression negotiation was defined in the specification
of SSLv2 and TLS, it took until May 2004 for RFC 3749 to define DEFLATE as
a negotiable standard compression method.
</p>
<p>OpenSSL 0.9.8 started to support this by default when compiled with the
<code>zlib</code> option. If both the client and the server support compression,
it will be used. However, most clients still try to initially connect with an
SSLv2 Hello. As SSLv2 did not include an array of prefered compression algorithms
in its handshake, compression cannot be negotiated with these clients.
If the client disables support for SSLv2, either an SSLv3 or TLS Hello
may be sent, depending on which SSL library is used, and compression may 
be set up. You can verify whether clients make use of SSL compression by 
logging the <code>%{SSL_COMPRESS_METHOD}x</code> variable.
</p>


<h3><a name="lockicon" id="lockicon">When I use Basic Authentication over HTTPS 
the lock icon in Netscape browsers stays unlocked when the dialog pops up. 
Does this mean the username/password is being sent unencrypted?</a></h3>
<p>No, the username/password is transmitted encrypted. The icon in
    Netscape browsers is not actually synchronized with the SSL/TLS layer.
    It only toggles to the locked state when the first part of the actual 
    webpage data is transferred, which may confuse people. The Basic 
    Authentication facility is part of the HTTP layer, which is above 
    the SSL/TLS layer in HTTPS. Before any HTTP data communication takes 
    place in HTTPS, the SSL/TLS layer has already completed its handshake 
    phase, and switched to encrypted communication. So don't be
    confused by this icon.</p>


<h3><a name="msie" id="msie">Why do I get I/O errors when connecting via 
HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer (MSIE)?</a></h3>
<p>The first reason is that the SSL implementation in some MSIE versions has
    some subtle bugs related to the HTTP keep-alive facility and the SSL close
    notify alerts on socket connection close. Additionally the interaction
    between SSL and HTTP/1.1 features are problematic in some MSIE versions. 
    You can work around these problems by forcing Apache not to use HTTP/1.1, 
    keep-alive connections or send the SSL close notify messages to MSIE clients. 
    This can be done by using the following directive in your SSL-aware 
    virtual host section:</p>
    <div class="example"><p><code>
    SetEnvIf User-Agent ".*MSIE.*" \<br />
             nokeepalive ssl-unclean-shutdown \<br />
             downgrade-1.0 force-response-1.0
    </code></p></div>
    <p>Further, some MSIE versions have problems with particular ciphers. 
    Unfortunately, it is not possible to implement a MSIE-specific 
    workaround for this, because the ciphers are needed as early as the 
    SSL handshake phase. So a MSIE-specific 
    <code class="directive"><a href="../mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> won't solve these 
    problems. Instead, you will have to make more drastic
    adjustments to the global parameters. Before you decide to do
    this, make sure your clients really have problems. If not, do not 
    make these changes - they will affect <em>all</em> your clients, MSIE
    or otherwise.</p>

    <p>The next problem is that 56bit export versions of MSIE 5.x 
    browsers have a broken SSLv3 implementation, which interacts badly 
    with OpenSSL versions greater than 0.9.4. You can accept this and 
    require your clients to upgrade their browsers, you can downgrade to 
    OpenSSL 0.9.4 (not advised), or you can work around this, accepting 
    that your workaround will affect other browsers too:</p>
    <div class="example"><p><code>SSLProtocol all -SSLv3</code></p></div>
    <p>will completely disables the SSLv3 protocol and allow those 
    browsers to work. A better workaround is to disable only those 
    ciphers which cause trouble.</p>
    <div class="example"><p><code>SSLCipherSuite
    ALL:!ADH:<strong>!EXPORT56</strong>:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>
    </p></div>

    <p>This also allows the broken MSIE versions to work, but only removes the
    newer 56bit TLS ciphers.</p>
    
    <p>Another problem with MSIE 5.x clients is that they refuse to connect to
    URLs of the form <code>https://12.34.56.78/</code> (where IP-addresses are used
    instead of the hostname), if the server is using the Server Gated
    Cryptography (SGC) facility. This can only be avoided by using the fully
    qualified domain name (FQDN) of the website in hyperlinks instead, because
    MSIE 5.x has an error in the way it handles the SGC negotiation.</p>
    
    <p>And finally there are versions of MSIE which seem to require that
    an SSL session can be reused (a totally non standard-conforming
    behaviour, of course). Connecting with those MSIE versions only work
    if a SSL session cache is used. So, as a work-around, make sure you
    are using a session cache (see the <code class="directive"><a href="../mod/mod_ssl.html#sslsessioncache">SSLSessionCache</a></code> directive).</p>


<h3><a name="nn" id="nn">Why do I get I/O errors, or the message "Netscape has
encountered bad data from the server", when connecting via
HTTPS to an Apache+mod_ssl server with Netscape Navigator?</a></h3>
<p>
    This usually occurs when you have created a new server certificate for
    a given domain, but had previously told your browser to always accept 
    the old server certificate. Once you clear the entry for the old 
    certificate from your browser, everything should be fine. Netscape's SSL
    implementation is correct, so when you encounter I/O errors with Netscape
    Navigator it is usually caused by the configured certificates.</p>

</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="support" id="support">mod_ssl Support</a></h2>
<ul>
<li><a href="#resources">What information resources are available in 
case of mod_ssl problems?</a></li>
<li><a href="#contact">What support contacts are available in case of 
mod_ssl problems?</a></li>
<li><a href="#reportdetails">What information should I 
provide when writing a bug report?</a></li>
<li><a href="#coredumphelp">I had a core dump, can you help me?</a></li>
<li><a href="#backtrace">How do I get a backtrace, to help find the reason
for my core dump?</a></li>
</ul>

<h3><a name="resources" id="resources">What information resources are available in case of mod_ssl problems?</a></h3>
<p>The following information resources are available.
    In case of problems you should search here first.</p>

    <dl>
    <dt>Answers in the User Manual's F.A.Q. List (this)</dt>
    <dd><a href="http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html">
	http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html</a><br />
	First check the F.A.Q. (this text). If your problem is a common
	one, it may have been answered several times before, and been included
	in this doc.
    </dd>
    <dt>Postings from the modssl-users Support Mailing List
        <a href="http://www.modssl.org/support/">http://www.modssl.org/support/</a></dt>
    <dd>Search for your problem in the archives of the modssl-users mailing list. 
	You're probably not the first person to have had this problem!
    </dd>
    </dl>


<h3><a name="contact" id="contact">What support contacts are available in case 
of mod_ssl problems?</a></h3>
 <p>The following lists all support possibilities for mod_ssl, in order of
	 preference. Please go through these possibilities 
	 <em>in this order</em> - don't just pick the one you like the look of. </p>
    <ol>
    <li><em>Send a Problem Report to the modssl-users Support Mailing List</em><br />
        <a href="mailto:modssl-users@modssl.org">
        modssl-users@modssl.org</a><br />
        This is the preferred way of submitting your problem report, because this way,
	others can see the problem, and learn from any answers. You must subscribe to 
        the list first, but you can then easily discuss your problem with both the 
	author and the whole mod_ssl user community.
        </li>

    <li><em>Send a Problem Report to the Apache httpd Users Support Mailing List</em><br />
        <a href="mailto:users@httpd.apache.org">
        users@httpd.apache.org</a><br />
        This is the second way of submitting your problem report. Again, you must
        subscribe to the list first, but you can then easily discuss your problem
        with the whole Apache httpd user community.
    </li>

    <li><em>Write a Problem Report in the Bug Database</em><br />
	<a href="http://httpd.apache.org/bug_report.html">
	http://httpd.apache.org/bug_report.html</a><br />
        This is the last way of submitting your problem report. You should only
	do this if you've already posted to the mailing lists, and had no success.
	Please follow the instructions on the above page <em>carefully</em>.
    </li>
    </ol>


<h3><a name="reportdetails" id="reportdetails">What information should I
provide when writing a bug report?</a></h3>
<p>You should always provide at least the following information:</p>

    <dl>
    <dt>Apache and OpenSSL version information</dt>
    <dd>The Apache version can be determined
        by running <code>httpd -v</code>. The OpenSSL version can be
        determined by running <code>openssl version</code>. Alternatively, if
        you have Lynx installed, you can run the command <code>lynx -mime_header
        http://localhost/ | grep Server</code> to gather this information in a
        single step.
    </dd>

    <dt>The details on how you built and installed Apache+mod_ssl+OpenSSL</dt>
    <dd>For this you can provide a logfile of your terminal session which shows
    the configuration and install steps. If this is not possible, you 
    should at least provide the <code class="program"><a href="../programs/configure.html">configure</a></code> command line you used.
    </dd>

    <dt>In case of core dumps please include a Backtrace</dt>
    <dd>If your Apache+mod_ssl+OpenSSL dumps its core, please attach
    a stack-frame ``backtrace'' (see <a href="#backtrace">below</a> 
    for information on how to get this). This information is required
    in order to find a reason for your core dump.
    </dd>
    
    <dt>A detailed description of your problem</dt>
    <dd>Don't laugh, we really mean it! Many problem reports don't 
    include a description of what the actual problem is. Without this,
    it's very difficult for anyone to help you. So, it's in your own 
    interest (you want the problem be solved, don't you?) to include as 
    much detail as possible, please. Of course, you should still include
    all the essentials above too.
    </dd>
    </dl>


<h3><a name="coredumphelp" id="coredumphelp">I had a core dump, can you help me?</a></h3>
<p>In general no, at least not unless you provide more details about the code
    location where Apache dumped core. What is usually always required in
    order to help you is a backtrace (see next question). Without this
    information it is mostly impossible to find the problem and help you in
    fixing it.</p>


<h3><a name="backtrace" id="backtrace">How do I get a backtrace, to help find 
the reason for my core dump?</a></h3>
<p>Following are the steps you will need to complete, to get a backtrace:</p>
    <ol>
    <li>Make sure you have debugging symbols available, at least
        in Apache. On platforms where you use GCC/GDB, you will have to build
        Apache+mod_ssl with ``<code>OPTIM="-g -ggdb3"</code>'' to get this. On
        other platforms at least ``<code>OPTIM="-g"</code>'' is needed.
    </li>

    <li>Start the server and try to reproduce the core-dump. For this you may
        want to use a directive like ``<code>CoreDumpDirectory /tmp</code>'' to
	make sure that the core-dump file can be written. This should result
	in a <code>/tmp/core</code> or <code>/tmp/httpd.core</code> file. If you
        don't get one of these, try running your server under a non-root UID. 
        Many modern kernels do not allow a process to dump core after it has
        done a <code>setuid()</code> (unless it does an <code>exec()</code>) for
        security reasons (there can be privileged information left over in
        memory). If necessary, you can run <code>/path/to/httpd -X</code>
        manually to force Apache to not fork.
    </li>

    <li>Analyze the core-dump. For this, run <code>gdb /path/to/httpd
        /tmp/httpd.core</code> or a similar command. In GDB, all you 
	have to do then is to enter <code>bt</code>, and voila, you get the
        backtrace. For other debuggers consult your local debugger manual. 
    </li>
    </ol>

</div></div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="../en/ssl/ssl_faq.html" title="English">&nbsp;en&nbsp;</a></p>
</div><div id="footer">
<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div>
</body></html>