目录搜索
首页版本说明从1.3升级到2.0编译时配置的改变运行时配置的改变杂项变化第三方模块从 2.0 升级到 2.2编译时配置的改变运行时配置的改变杂项变化第三方模块Apache 2.1/2.2 版本的新特性核心增强模块增强程序增强针对模块开发者的变化Apache 2.0 版本的新特性核心的增强模块的增强Apache许可证参考手册编译与安装针对心急者的概述要求下载解压配置源代码树编译安装配置测试升级启动Apache是怎样启动的启动时发生错误随系统启动时启动额外信息停止与重新启动简介立即停止优雅重启立即重启优雅停止附录:信号和竞争条件运行时配置指令主配置文件配置文件的语法模块指令的作用域.htaccess文件配置段配置段(容器)的类型文件系统和网络空间虚拟主机代理允许使用哪些指令?配置段的合并内容缓冲简介缓冲概述安全方面的考虑文件句柄缓冲内存缓冲磁盘缓冲服务器全局配置服务器标识文件定位限制资源的使用日志文件安全警告错误日志访问日志日志滚动管道日志虚拟主机其他日志文件从URL到文件系统的映射相关模块和指令DocumentRootDocumentRoot以外的文件用户目录URL重定向反向代理重写引擎File Not Found安全方面的提示保持不断更新和升级ServerRoot目录的权限服务器端包含关于CGI未指定为脚本的CGI指定为脚本的CGI其他动态内容的来源系统设置的保护默认配置下服务器文件的保护观察日志文件动态共享对象(DSO)实现用法概要背景知识优点和缺点内容协商关于内容协商Apache中的内容协商协商的方法打乱品质值透明内容协商的扩展超链和名称转换说明缓冲说明更多信息自定义错误响应行为配置自定义错误响应与重定向地址和端口绑定概述针对IPv6的特殊考虑怎样与虚拟主机协同工作多路处理模块(MPM)简介选择一个MPM默认的MPM环境变量设置环境变量使用环境变量用于特殊目的的环境变量示例处理器的使用什么是处理器?例子程序员注意事项过滤器Apache2中的过滤器智能过虑使用过滤器CGI脚本的Suexec执行开始之前suEXEC的安全模型配置和安装suEXEC启用和禁用suEXEC使用suEXEC调试suEXEC谨防Jabberwock:警告和举例性能调整硬件和操作系统运行时的配置编译时的配置附录:踪迹的详细分析URL重写指南mod_rewrite简介实践方案URL的规划内容的处理对访问的限制其他虚拟主机文档总述虚拟主机支持配置指令基于主机名的虚拟主机基于域名的虚拟主机和基于IP的虚拟主机比较使用基于域名的虚拟主机与旧版浏览器的兼容性基于IP地址的虚拟主机系统需求如何配置Apache设置多个守护进程配置拥有多个虚拟主机的单一守护进程动态配置大量虚拟主机动机概述简单的动态虚拟主机一个实际的个人主页系统在同一个服务器上架设多个主机的虚拟系统更为有效的基于IP地址的虚拟主机使用老版本的Apache使用mod_rewrite实现简单的动态虚拟主机使用mod_rewrite的个人主页系统使用独立的虚拟主机配置文件虚拟主机的普通配置示例在一个IP地址上运行多个基于域名的web站点在多于一个IP的情况下使用基于域名的虚拟主机在不同的IP的地址(比如一个内部和一个外部地址)上提供相同的内容在不同的端口上运行不同的站点建立基于IP的虚拟主机混用基于端口和基于IP的虚拟主机混用基于域名和基于IP的虚拟主机将虚拟主机和代理模块一起使用使用默认虚拟主机将一个基于域名的虚拟主机移植为一个基于IP的虚拟主机使用ServerPath指令深入讨论虚拟主机的匹配解析配置文件虚拟主机匹配小技巧文件描述符限制关于DNS和Apache一个简单示例拒绝服务"主服务器"地址避免这些问题的小技巧附录:进一步的提示常见问题概述SSL/TLS 加密概述文档mod_ssl绪论密码技术证书安全套接字层(SSL)参考兼容性配置指令环境变量自定义日志功能如何...加密方案和强制性高等级安全客户认证和访问控制常见问题解答About The ModuleInstallationConfigurationCertificatesThe SSL Protocolmod_ssl Support如何.../指南概述认证相关模块和指令简介先决条件启用认证允许多人访问可能存在的问题其他认证方法更多信息CGI动态页面简介配置Apache以允许CGI编写CGI程序程序还是不能运行!幕后是怎样操作的?CGI模块/库更多信息服务器端包含简介什么是SSI?配置服务器以允许SSI基本SSI指令附加的例子我还能设置其它什么?执行命令高级SSI技术总结.htaccess文件.htaccess文件工作原理和使用方法(不)使用.htaccess文件的场合指令的生效认证举例服务器端包含(SSI)举例CGI举例疑难解答用户网站目录用户网站目录用UserDir设置文件路径限定哪些用户可以使用此功能启用对每个用户都有效的cgi目录允许用户改变配置对特定平台的说明概述Microsoft Windows其他平台在Microsoft Windows中使用Apache对操作系统的要求下载 Apache for Windows安装 Apache for Windows配置 Apache for Windows以服务方式运行 Apache for Windows作为控制台程序运行Apache测试安装编译Windows下的Apache系统要求命令行编译Developer Studio集成开发环境的工作区编译项目组件在Novell NetWare平台上使用ApacheRequirementsDownloading Apache for NetWareInstalling Apache for NetWareRunning Apache for NetWareConfiguring Apache for NetWareCompiling Apache for NetWare在HP-UX中运行ApacheThe Apache EBCDIC PortOverview of the Apache EBCDIC PortDesign GoalsTechnical SolutionPorting NotesDocument Storage NotesApache Modules' StatusThird Party Modules' Status服务器与支持程序概述httpd语法选项ab语法选项Bugsapachectl语法选项apxs语法选项举例configure语法选项环境变量dbmmanage语法选项Bugshtcacheclean语法选项返回值htdbm语法选项Bugs返回值举例安全方面的考虑限制htdigest语法选项htpasswd语法选项返回值举例安全方面的考虑限制logresolve语法选项rotatelogs语法选项Portabilitysuexec语法选项其他程序log_server_statussplit-logfile杂项文档概述相关标准HTTP推荐标准HTML推荐标准认证语言/国家代码Apache 模块描述模块的术语说明状态源代码文件模块标识符兼容性描述指令的术语说明语法默认值(Default)作用域(Context)覆盖项(Override)状态模块(Module)兼容性(Compatibility)Apache核心(Core)特性AcceptFilterAcceptPathInfoAccessFileNameAddDefaultCharsetAddOutputFilterByTypeAllowEncodedSlashesAllowOverrideAuthNameAuthTypeCGIMapExtensionContentDigestDefaultType<Directory><DirectoryMatch>DocumentRootEnableMMAPEnableSendfileErrorDocumentErrorLogFileETag<Files><FilesMatch>ForceTypeHostnameLookups<IfDefine><IfModule>IncludeKeepAliveKeepAliveTimeout<Limit><LimitExcept>LimitInternalRecursionLimitRequestBodyLimitRequestFieldsLimitRequestFieldSizeLimitRequestLineLimitXMLRequestBody<Location><LocationMatch>LogLevelMaxKeepAliveRequestsNameVirtualHostOptionsRequireRLimitCPURLimitMEMRLimitNPROCSatisfyScriptInterpreterSourceServerAdminServerAliasServerNameServerPathServerRootServerSignatureServerTokensSetHandlerSetInputFilterSetOutputFilterTimeOutTraceEnableUseCanonicalNameUseCanonicalPhysicalPort<VirtualHost>Apache MPM 公共指令AcceptMutexCoreDumpDirectoryEnableExceptionHookGracefulShutdownTimeoutGroupListenListenBackLogLockFileMaxClientsMaxMemFreeMaxRequestsPerChildMaxSpareThreadsMinSpareThreadsPidFileReceiveBufferSizeScoreBoardFileSendBufferSizeServerLimitStartServersStartThreadsThreadLimitThreadsPerChildThreadStackSizeUserApache MPM beosMaxRequestsPerThreadCoreDumpDirectoryGroupListenListenBacklogMaxClientsMaxMemFreeMaxSpareThreadsMinSpareThreadsPidFileReceiveBufferSizeScoreBoardFileSendBufferSizeStartThreadsUserApache MPM eventAcceptMutexCoreDumpDirectoryEnableExceptionHookGroupListenListenBacklogLockFileMaxClientsMaxMemFreeMaxRequestsPerChildMaxSpareThreadsMinSpareThreadsPidFileScoreBoardFileSendBufferSizeServerLimitStartServersThreadLimitThreadsPerChildThreadStackSizeUserApache MPM netwareMaxThreadsListenListenBacklogMaxMemFreeMaxRequestsPerChildMaxSpareThreadsMinSpareThreadsReceiveBufferSizeSendBufferSizeStartThreadsThreadStackSizeApache MPM os2GroupListenListenBacklogMaxRequestsPerChildMaxSpareThreadsMinSpareThreadsPidFileReceiveBufferSizeSendBufferSizeStartServersUserApache MPM prefork工作方式MaxSpareServersMinSpareServersAcceptMutexCoreDumpDirectoryEnableExceptionHookGroupListenListenBacklogLockFileMaxClientsMaxMemFreeMaxRequestsPerChildPidFileReceiveBufferSizeScoreBoardFileSendBufferSizeServerLimitStartServersUserApache MPM winntWin32DisableAcceptExCoreDumpDirectoryListenListenBacklogMaxMemFreeMaxRequestsPerChildPidFileReceiveBufferSizeScoreBoardFileSendBufferSizeThreadLimitThreadsPerChildThreadStackSizeApache MPM worker工作方式AcceptMutexCoreDumpDirectoryEnableExceptionHookGroupListenListenBacklogLockFileMaxClientsMaxMemFreeMaxRequestsPerChildMaxSpareThreadsMinSpareThreadsPidFileReceiveBufferSizeScoreBoardFileSendBufferSizeServerLimitStartServersThreadLimitThreadsPerChildThreadStackSizeUserApache Module mod_actionsAction指令Script指令Apache Module mod_alias处理顺序AliasAliasMatchRedirectRedirectMatchRedirectPermanentRedirectTempScriptAliasScriptAliasMatchApache Module mod_asis用法Apache Module mod_auth_basicAuthBasicAuthoritativeAuthBasicProviderApache Module mod_auth_digest使用摘要认证配合 MS Internet Explorer 6 工作AuthDigestAlgorithmAuthDigestDomainAuthDigestNcCheckAuthDigestNonceFormatAuthDigestNonceLifetimeAuthDigestProviderAuthDigestQopAuthDigestShmemSizeApache Module mod_authn_alias示例<AuthnProviderAlias>Apache Module mod_authn_anon示例AnonymousAnonymous_LogEmailAnonymous_MustGiveEmailAnonymous_NoUserIDAnonymous_VerifyEmailApache Module mod_authn_dbd配置示例AuthDBDUserPWQueryAuthDBDUserRealmQueryApache Module mod_authn_dbmAuthDBMTypeAuthDBMUserFileApache Module mod_authn_defaultAuthDefaultAuthoritativeApache Module mod_authn_fileAuthUserFileApache Module mod_authnz_ldapContentsOperationThe require Directives举例Using TLSUsing SSLUsing Microsoft FrontPage with mod_authnz_ldapAuthLDAPBindDNAuthLDAPBindPasswordAuthLDAPCharsetConfigAuthLDAPCompareDNOnServerAuthLDAPDereferenceAliasesAuthLDAPGroupAttributeAuthLDAPGroupAttributeIsDNAuthLDAPRemoteUserIsDNAuthLDAPUrlAuthzLDAPAuthoritativeApache Module mod_authz_dbmAuthDBMGroupFileAuthzDBMAuthoritativeAuthzDBMTypeApache Module mod_authz_defaultAuthzDefaultAuthoritativeApache Module mod_authz_groupfileAuthGroupFileAuthzGroupFileAuthoritativeApache Module mod_authz_hostAllowDenyOrderApache Module mod_authz_owner配置示例AuthzOwnerAuthoritativeApache Module mod_authz_userAuthzUserAuthoritativeApache Module mod_autoindexAutoindex Request Query ArgumentsAddAltAddAltByEncodingAddAltByTypeAddDescriptionAddIconAddIconByEncodingAddIconByTypeDefaultIconHeaderNameIndexIgnoreIndexOptionsIndexOrderDefaultIndexStyleSheetReadmeNameApache Module mod_cacheRelated Modules and Directives配置示例CacheDefaultExpireCacheDisableCacheEnableCacheIgnoreCacheControlCacheIgnoreHeadersCacheIgnoreNoLastModCacheLastModifiedFactorCacheMaxExpireCacheStoreNoStoreCacheStorePrivateApache Module mod_cern_metaMetaDirMetaFilesMetaSuffixApache Module mod_cgiCGI 环境变量CGI 脚本的调试ScriptLogScriptLogBufferScriptLogLengthApache Module mod_cgidScriptSockScriptLogScriptLogBufferScriptLogLengthApache Module mod_charset_liteCommon ProblemsCharsetDefaultCharsetOptionsCharsetSourceEncApache Module mod_davEnabling WebDAVSecurity IssuesComplex ConfigurationsDavDavDepthInfinityDavMinTimeoutApache Module mod_dav_fsDavLockDBApache Module mod_dav_lockDavGenericLockDBApache Module mod_dbdConnection PoolingApache DBD APISQL Prepared StatementsDBDExptimeDBDKeepDBDMaxDBDMinDBDParamsDBDPersistDBDPrepareSQLDBDriverApache Module mod_deflate配置举例启用压缩代理服务器DeflateBufferSizeDeflateCompressionLevelDeflateFilterNoteDeflateMemLevelDeflateWindowSizeApache Module mod_dirDirectoryIndexDirectorySlashApache Module mod_disk_cacheCacheDirLengthCacheDirLevelsCacheMaxFileSizeCacheMinFileSizeCacheRootApache Module mod_dumpio启用dumpio支持DumpIOInputDumpIOOutputApache Module mod_echoProtocolEchoApache Module mod_envPassEnvSetEnvUnsetEnvApache Module mod_exampleCompiling the example moduleUsing the mod_example ModuleExampleApache Module mod_expires交替间隔语法ExpiresActiveExpiresByTypeExpiresDefaultApache Module mod_ext_filter举例ExtFilterDefineExtFilterOptionsApache Module mod_file_cacheUsing mod_file_cacheCacheFileMMapFileApache Module mod_filterSmart FilteringFilter DeclarationsConfiguring the ChainExamplesProtocol HandlingFilterChainFilterDeclareFilterProtocolFilterProviderFilterTraceApache Module mod_headers处理顺序前处理和后处理举例HeaderRequestHeaderApache Module mod_identIdentityCheckIdentityCheckTimeoutApache Module mod_imagemapNew FeaturesImagemap FileExample MapfileReferencing your mapfileImapBaseImapDefaultImapMenuApache Module mod_includeEnabling Server-Side IncludesPATH_INFO with Server Side IncludesBasic ElementsInclude VariablesVariable SubstitutionFlow Control ElementsSSIEndTagSSIErrorMsgSSIStartTagSSITimeFormatSSIUndefinedEchoXBitHackApache Module mod_info安全问题选择哪些信息可以被显示已知的局限AddModuleInfoApache Module mod_isapi用法附加注释程序员注记ISAPIAppendLogToErrorsISAPIAppendLogToQueryISAPICacheFileISAPIFakeAsyncISAPILogNotSupportedISAPIReadAheadBufferApache Module mod_ldap示例配置LDAP 连接池LDAP 缓冲使用SSL/TLSSSL/TLS 证书LDAPCacheEntriesLDAPCacheTTLLDAPConnectionTimeoutLDAPOpCacheEntriesLDAPOpCacheTTLLDAPSharedCacheFileLDAPSharedCacheSizeLDAPTrustedClientCertLDAPTrustedGlobalCertLDAPTrustedModeLDAPVerifyServerCertApache Module mod_log_config定制日志文件格式安全考虑BufferedLogsCookieLogCustomLogLogFormatTransferLogApache Module mod_log_forensic定制日志文件格式安全考虑ForensicLogApache Module mod_logio定制日志文件格式Apache Module mod_mem_cacheMCacheMaxObjectCountMCacheMaxObjectSizeMCacheMaxStreamingBufferMCacheMinObjectSizeMCacheRemovalAlgorithmMCacheSizeApache Module mod_mime带多扩展名的文件内容编码字符集和语言AddCharsetAddEncodingAddHandlerAddInputFilterAddLanguageAddOutputFilterAddTypeDefaultLanguageModMimeUsePathInfoMultiviewsMatchRemoveCharsetRemoveEncodingRemoveHandlerRemoveInputFilterRemoveLanguageRemoveOutputFilterRemoveTypeTypesConfigApache Module mod_mime_magic"Magic文件"的格式性能问题注意MimeMagicFileApache Module mod_negotiation类型表MultiViewsCacheNegotiatedDocsForceLanguagePriorityLanguagePriorityApache Module mod_nw_sslNWSSLTrustedCertsNWSSLUpgradeableSecureListenApache Module mod_proxy正向和反向代理简单示例控制对代理服务器的访问缓慢启动局域网代理协议调整请求体AllowCONNECTNoProxy<Proxy>ProxyBadHeaderProxyBlockProxyDomainProxyErrorOverrideProxyIOBufferSize<ProxyMatch>ProxyMaxForwardsProxyPassProxyPassReverseProxyPassReverseCookieDomainProxyPassReverseCookiePathProxyPreserveHostProxyReceiveBufferSizeProxyRemoteProxyRemoteMatchProxyRequestsProxyTimeoutProxyViaApache Module mod_proxy_ajpOverview of the protocolBasic Packet StructureRequest Packet StructureResponse Packet StructureApache Module mod_proxy_balancerLoad balancer scheduler algorithmRequest Counting AlgorithmWeighted Traffic Counting AlgorithmEnabling Balancer Manager SupportApache Module mod_proxy_connectApache Module mod_proxy_ftp为什么xxx类型的文件不能从FTP下载?如何强制文件xxx使用FTP的ASCII形式下载?我如何使用FTP上传?我如何能访问我自己home目录以外的FTP文件?我如何才能在浏览器的URL框中隐藏FTP的明文密码?Apache Module mod_proxy_httpApache Module mod_rewrite特殊字符的引用环境变量实用方案RewriteBaseRewriteCondRewriteEngineRewriteLockRewriteLogRewriteLogLevelRewriteMapRewriteOptionsRewriteRuleApache Module mod_setenvifBrowserMatchBrowserMatchNoCaseSetEnvIfSetEnvIfNoCaseApache Module mod_so为Windows创建可加载模块LoadFileLoadModuleApache Module mod_spelingCheckSpellingApache Module mod_ssl环境变量Custom Log FormatsSSLCACertificateFileSSLCACertificatePathSSLCADNRequestFileSSLCADNRequestPathSSLCARevocationFileSSLCARevocationPathSSLCertificateChainFileSSLCertificateFileSSLCertificateKeyFileSSLCipherSuiteSSLCryptoDeviceSSLEngineSSLHonorCipherOrderSSLMutexSSLOptionsSSLPassPhraseDialogSSLProtocolSSLProxyCACertificateFileSSLProxyCACertificatePathSSLProxyCARevocationFileSSLProxyCARevocationPathSSLProxyCipherSuiteSSLProxyEngineSSLProxyMachineCertificateFileSSLProxyMachineCertificatePathSSLProxyProtocolSSLProxyVerifySSLProxyVerifyDepthSSLRandomSeedSSLRequireSSLRequireSSLSSLSessionCacheSSLSessionCacheTimeoutSSLUserNameSSLVerifyClientSSLVerifyDepthApache Module mod_statusEnabling Status Support自动更新Machine Readable Status FileExtendedStatusApache Module mod_suexecSuexecUserGroupApache Module mod_unique_idTheoryApache Module mod_userdirUserDirApache Module mod_usertrackLogging2-digit or 4-digit dates for cookies?CookieDomainCookieExpiresCookieNameCookieStyleCookieTrackingApache Module mod_version<IfVersion>Apache Module mod_vhost_alias目录名称的转换示例VirtualDocumentRootVirtualDocumentRootIPVirtualScriptAliasVirtualScriptAliasIP开发者文档OverviewTopicsExternal ResourcesApache API notesBasic conceptsHow handlers workResource allocation and resource poolsConfigurationDebugging Memory Allocation in APRAvailable debugging optionsAllowable CombinationsActivating Debugging OptionsDocumenting Apache 2.0Apache 2.0 Hook FunctionsCreating a hook functionHooking the hookConverting Modules from Apache 1.3 to Apache 2.0The easier changes ...The messier changes...Request Processing in Apache 2.0The Request Processing CycleThe Request Parsing PhaseThe Security PhaseThe Preparation PhaseThe Handler PhaseHow Filters Work in Apache 2.0Filter TypesHow are filters inserted?AsisExplanations词汇和索引词汇表模块索引指令索引指令速查译者声明
文字

SSL/TLS Strong Encryption: FAQ

The wise man doesn't give the right answers, he poses the right questions.

-- Claude Levi-Strauss

This chapter is a collection of frequently asked questions (FAQ) and corresponding answers following the popular USENET tradition. Most of these questions occurred on the Newsgroup comp.infosystems.www.servers.unix or the mod_ssl Support Mailing List modssl-users@modssl.org. They are collected at this place to avoid answering the same questions over and over.

Please read this chapter at least once when installing mod_ssl or at least search for your problem here before submitting a problem report to the author.

About The Module

  • What is the history of mod_ssl?
  • mod_ssl and Year 2000?
  • mod_ssl and Wassenaar Arrangement?

What is the history of mod_ssl?

The mod_ssl v1 package was initially created in April 1998 by Ralf S. Engelschall via porting Ben Laurie's Apache-SSL 1.17 source patches for Apache 1.2.6 to Apache 1.3b6. Because of conflicts with Ben Laurie's development cycle it then was re-assembled from scratch for Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL 1.18. From this point on mod_ssl lived its own life as mod_ssl v2. The first publicly released version was mod_ssl 2.0.0 from August 10th, 1998.

After US export restrictions on cryptographic software were loosened, mod_ssl became part of the Apache HTTP Server with the release of Apache httpd 2.

Is mod_ssl affected by the Wassenaar Arrangement?

First, let us explain what Wassenaar and its Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is: This is a international regime, established in 1995, to control trade in conventional arms and dual-use goods and technology. It replaced the previous CoCom regime. Further details on both the Arrangement and its signatories are available at http://www.wassenaar.org/.

In short, the aim of the Wassenaar Arrangement is to prevent the build up of military capabilities that threaten regional and international security and stability. The Wassenaar Arrangement controls the export of cryptography as a dual-use good, that is, something that has both military and civilian applications. However, the Wassenaar Arrangement also provides an exemption from export controls for mass-market software and free software.

In the current Wassenaar List of Dual Use Goods and Technologies And Munitions, under GENERAL SOFTWARE NOTE (GSN) it says The Lists do not control "software" which is either: 1. [...] 2. "in the public domain". And under DEFINITIONS OF TERMS USED IN THESE LISTS we find In the public domain defined as "technology" or "software" which has been made available without restrictions upon its further dissemination. Note: Copyright restrictions do not remove "technology" or "software" from being "in the public domain".

So, both mod_ssl and OpenSSL are in the public domain for the purposes of the Wassenaar Arrangement and its List of Dual Use Goods and Technologies And Munitions List, and thus not affected by its provisions.

Installation

  • Why do I get permission errors related to SSLMutex when I start Apache?
  • Why does mod_ssl stop with the error "Failed to generate temporary 512 bit RSA private key", when I start Apache?

Why do I get permission errors related to SSLMutex when I start Apache?

Errors such as "mod_ssl: Child could not open SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows) [...] System: Permission denied (errno: 13)" are usually caused by overly restrictive permissions on the parent directories. Make sure that all parent directories (here /opt, /opt/apache/opt/apache/logs) have the x-bit set for, at minimum, the UID under which Apache's children are running (see the User directive).

Why does mod_ssl stop with the error "Failed to generate temporary 512 bit RSA private key", when I start Apache?

Cryptographic software needs a source of unpredictable data to work correctly. Many open source operating systems provide a "randomness device" that serves this purpose (usually named /dev/random). On other systems, applications have to seed the OpenSSL Pseudo Random Number Generator (PRNG) manually with appropriate data before generating keys or performing public key encryption. As of version 0.9.5, the OpenSSL functions that need randomness report an error if the PRNG has not been seeded with at least 128 bits of randomness.

To prevent this error, mod_ssl has to provide enough entropy to the PRNG to allow it to work correctly. This can be done via the SSLRandomSeed directives.

Configuration

  • Is it possible to provide HTTP and HTTPS from the same server?
  • Which port does HTTPS use?
  • How do I speak HTTPS manually for testing purposes?
  • Why does the connection hang when I connect to my SSL-aware Apache server
  • Why do I get "Connection Refused" errors, when trying to access my newly installed Apache+mod_ssl server via HTTPS?
  • Why are the SSL_XXX variables not available to my CGI & SSI scripts?
  • How can I switch between HTTP and HTTPS in relative hyperlinks?

Is it possible to provide HTTP and HTTPS from the same server?

Yes. HTTP and HTTPS use different server ports (HTTP binds to port 80, HTTPS to port 443), so there is no direct conflict between them. You can either run two separate server instances bound to these ports, or use Apache's elegant virtual hosting facility to create two virtual servers over one instance of Apache - one responding to requests on port 80 and speaking HTTP and the other responding to requests on port 443 speaking HTTPS.

Which port does HTTPS use?

You can run HTTPS on any port, but the standards specify port 443, which is where any HTTPS compliant browser will look by default. You can force your browser to look on a different port by specifying it in the URL like this (for port 666): https://secure.server.dom:666/

How do I speak HTTPS manually for testing purposes?

While you usually just use

$ telnet localhost 80
GET / HTTP/1.0

for simple testing of Apache via HTTP, it's not so easy for HTTPS because of the SSL protocol between TCP and HTTP. With the help of OpenSSL's s_client command, however, you can do a similar check for HTTPS:

$ openssl s_client -connect localhost:443 -state -debug
GET / HTTP/1.0

Before the actual HTTP response you will receive detailed information about the SSL handshake. For a more general command line client which directly understands both HTTP and HTTPS, can perform GET and POST operations, can use a proxy, supports byte ranges, etc. you should have a look at the nifty cURL tool. Using this, you can check that Apache is responding correctly on ports 80 and 443 as follows:

$ curl http://localhost/
$ curl https://localhost/

Why does the connection hang when I connect to my SSL-aware Apache server?

Because you connected with HTTP to the HTTPS port, i.e. you used an URL of the form "http://" instead of "https://". This also happens the other way round when you connect via HTTPS to a HTTP port, i.e. when you try to use "https://" on a server that doesn't support SSL (on this port). Make sure you are connecting to a virtual server that supports SSL, which is probably the IP associated with your hostname, not localhost (127.0.0.1).

Why do I get "Connection Refused" messages, when trying to access my newly installed Apache+mod_ssl server via HTTPS?

This can happen for various reasons. The most common mistakes include starting Apache with just apachectl start (or httpd) instead of apachectl startssl (or httpd -DSSL). Your configuration may also be incorrect. Please make sure that your Listen directives match your <VirtualHost> directives. If all else fails, please start afresh, using the default configuration provided by mod_ssl.

Why are the SSL_XXX variables not available to my CGI & SSI scripts?

Please make sure you have "SSLOptions +StdEnvVars" enabled for the context of your CGI/SSI requests.

How can I switch between HTTP and HTTPS in relative hyperlinks?

Usually, to switch between HTTP and HTTPS, you have to use fully-qualified hyperlinks (because you have to change the URL scheme). Using mod_rewrite however, you can manipulate relative hyperlinks, to achieve the same effect.

RewriteEngine on
RewriteRule ^/(.*):SSL$ https://%{SERVER_NAME}/$1 [R,L]
RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [R,L]

This rewrite ruleset lets you use hyperlinks of the form <a href="document.html:SSL">, to switch to HTTPS in a relative link.

Certificates

  • What are RSA Private Keys, CSRs and Certificates?
  • Is there a difference on startup between the original Apache and an SSL-aware Apache?
  • How do I create a self-signed SSL Certificate for testing purposes?
  • How do I create a real SSL Certificate?
  • How do I create and use my own Certificate Authority (CA)?
  • How can I change the pass-phrase on my private key file?
  • How can I get rid of the pass-phrase dialog at Apache startup time?
  • How do I verify that a private key matches its Certificate?
  • Why do connections fail with an "alert bad certificate" error?
  • Why does my 2048-bit private key not work?
  • Why is client authentication broken after upgrading from SSLeay version 0.8 to 0.9?
  • How can I convert a certificate from PEM to DER format?
  • Why can't I find the getcagetverisign programs mentioned by Verisign, for installing my Verisign certificate?
  • Can I use the Server Gated Cryptography (SGC) facility (aka Verisign Global ID) with mod_ssl?
  • Why do browsers complain that they cannot verify my Verisign Global ID server certificate?

What are RSA Private Keys, CSRs and Certificates?

An RSA private key file is a digital file that you can use to decrypt messages sent to you. It has a public component which you distribute (via your Certificate file) which allows people to encrypt those messages to you.

A Certificate Signing Request (CSR) is a digital file which contains your public key and your name. You send the CSR to a Certifying Authority (CA), who will convert it into a real Certificate, by signing it.

A Certificate contains your RSA public key, your name, the name of the CA, and is digitally signed by the CA. Browsers that know the CA can verify the signature on that Certificate, thereby obtaining your RSA public key. That enables them to send messages which only you can decrypt.

See the 简介 chapter for a general description of the SSL protocol.

Is there a difference on startup between the original Apache and an SSL-aware Apache?

Yes. In general, starting Apache with mod_ssl built-in is just like starting Apache without it. However, if you have a passphrase on your SSL private key file, a startup dialog will pop up which asks you to enter the pass phrase.

Having to manually enter the passphrase when starting the server can be problematic - for example, when starting the server from the system boot scripts. In this case, you can follow the steps below to remove the passphrase from your private key.

How do I create a self-signed SSL Certificate for testing purposes?

  1. Make sure OpenSSL is installed and in your PATH.

  2. Run the following command, to create server.keyserver.crt files:
    $ openssl req -new -x509 -nodes -out server.crt -keyout server.key
    These can be used as follows in your httpd.conf file:
                 SSLCertificateFile    /path/to/this/server.crt
                 SSLCertificateKeyFile /path/to/this/server.key
    	
  3. It is important that you are aware that this server.key does not have any passphrase. To add a passphrase to the key, you should run the following command, and enter & verify the passphrase as requested.

    $ openssl rsa -des3 -in server.key -out server.key.new
    $ mv server.key.new server.key

    Please backup the server.key file, and the passphrase you entered, in a secure location.

How do I create a real SSL Certificate?

Here is a step-by-step description:

  1. Make sure OpenSSL is installed and in your PATH.

  2. Create a RSA private key for your Apache server (will be Triple-DES encrypted and PEM formatted):

    $ openssl genrsa -des3 -out server.key 1024

    Please backup this server.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key by using the command:

    $ openssl rsa -noout -text -in server.key

    If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with:

    $ openssl rsa -in server.key -out server.key.unsecure

  3. Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):

    $ openssl req -new -key server.key -out server.csr

    Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will be later accessed via https://www.foo.dom/, enter "www.foo.dom" here. You can see the details of this CSR by using

    $ openssl req -noout -text -in server.csr

  4. You now have to send this Certificate Signing Request (CSR) to a Certifying Authority (CA) to be signed. Once the CSR has been signed, you will have a real Certificate, which can be used by Apache. You can have a CSR signed by a commercial CA, or you can create your own CA to sign it.
    Commercial CAs usually ask you to post the CSR into a web form, pay for the signing, and then send a signed Certificate, which you can store in a server.crt file. For more information about commercial CAs see the following locations:

    1. Verisign
      http://digitalid.verisign.com/server/apacheNotice.htm
    2. Thawte
      http://www.thawte.com/
    3. CertiSign Certificadora Digital Ltda.
      http://www.certisign.com.br
    4. IKS GmbH
      http://www.iks-jena.de/leistungen/ca/
    5. Uptime Commerce Ltd.
      http://www.uptimecommerce.com
    6. BelSign NV/SA
      http://www.belsign.be
    For details on how to create your own CA, and use this to sign a CSR, see below.
    Once your CSR has been signed, you can see the details of the Certificate as follows:

    $ openssl x509 -noout -text -in server.crt
  5. You should now have two files: server.keyserver.crt. These can be used as follows in your httpd.conf file:
           SSLCertificateFile    /path/to/this/server.crt
           SSLCertificateKeyFile /path/to/this/server.key
           
    The server.csr file is no longer needed.

How do I create and use my own Certificate Authority (CA)?

The short answer is to use the CA.shCA.pl script provided by OpenSSL. Unless you have a good reason not to, you should use these for preference. If you cannot, you can create a self-signed Certificate as follows:

  1. Create a RSA private key for your server (will be Triple-DES encrypted and PEM formatted):

    $ openssl genrsa -des3 -out server.key 1024

    Please backup this host.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key by using the command:
    $ openssl rsa -noout -text -in server.key

    If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with:

    $ openssl rsa -in server.key -out server.key.unsecure

  2. Create a self-signed Certificate (X509 structure) with the RSA key you just created (output will be PEM formatted):

    $ openssl req -new -x509 -nodes -sha1 -days 365 -key server.key -out server.crt

    This signs the server CSR and results in a server.crt file.
    You can see the details of this Certificate using:

    $ openssl x509 -noout -text -in server.crt

How can I change the pass-phrase on my private key file?

You simply have to read it with the old pass-phrase and write it again, specifying the new pass-phrase. You can accomplish this with the following commands:

$ openssl rsa -des3 -in server.key -out server.key.new
$ mv server.key.new server.key

The first time you're asked for a PEM pass-phrase, you should enter the old pass-phrase. After that, you'll be asked again to enter a pass-phrase - this time, use the new pass-phrase. If you are asked to verify the pass-phrase, you'll need to enter the new pass-phrase a second time.

How can I get rid of the pass-phrase dialog at Apache startup time?

The reason this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed decrypt this file, so it can be read and parsed. Removing the pass-phrase removes a layer of security from your server - proceed with caution!

  1. Remove the encryption from the RSA private key (while keeping a backup copy of the original file):

    $ cp server.key server.key.org
    $ openssl rsa -in server.key.org -out server.key

  2. Make sure the server.key file is only readable by root:

    $ chmod 400 server.key

Now server.key contains an unencrypted copy of the key. If you point your server at this file, it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on this file are such that only root or the web server user can read it (preferably get your web server to start as root but run as another user, and have the key readable only by root).

As an alternative approach you can use the "SSLPassPhraseDialog exec:/path/to/program" facility. Bear in mind that this is neither more nor less secure, of course.

How do I verify that a private key matches its Certificate?

A private key contains a series of numbers. Two of these numbers form the "public key", the others are part of the "private key". The "public key" bits are included when you generate a CSR, and subsequently form part of the associated Certificate.

To check that the public key in your Certificate matches the public portion of your private key, you simply need to compare these numbers. To view the Certificate and the key run the commands:

$ openssl x509 -noout -text -in server.crt
$ openssl rsa -noout -text -in server.key

The 'modulus' and the 'public exponent' portions in the key and the Certificate must match. As the public exponent is usually 65537 and it's difficult to visually check that the long modulus numbers are the same, you can use the following approach:

$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5

This leaves you with two rather shorter numbers to compare. It is, in theory, possible that these numbers may be the same, without the modulus numbers being the same, but the chances of this are overwhelmingly remote.

Should you wish to check to which key or certificate a particular CSR belongs you can perform the same calculation on the CSR as follows:

$ openssl req -noout -modulus -in server.csr | openssl md5

Why do connections fail with an "alert bad certificate" error?

Errors such as OpenSSL: error:14094412: SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate in the SSL logfile, are usually caused a browser which is unable to handle the server certificate/private-key. For example, Netscape Navigator 3.x is unable to handle RSA key lengths not equal to 1024 bits.

Why does my 2048-bit private key not work?

The private key sizes for SSL must be either 512 or 1024 bits, for compatibility with certain web browsers. A keysize of 1024 bits is recommended because keys larger than 1024 bits are incompatible with some versions of Netscape Navigator and Microsoft Internet Explorer, and with other browsers that use RSA's BSAFE cryptography toolkit.

Why is client authentication broken after upgrading from SSLeay version 0.8 to 0.9?

The CA certificates under the path you configured with SSLCACertificatePath are found by SSLeay through hash symlinks. These hash values are generated by the 'openssl x509 -noout -hash' command. However, the algorithm used to calculate the hash for a certificate changed between SSLeay 0.8 and 0.9. You will need to remove all old hash symlinks and create new ones after upgrading. Use the Makefile provided by mod_ssl.

How can I convert a certificate from PEM to DER format?

The default certificate format for SSLeay/OpenSSL is PEM, which is simply Base64 encoded DER, with header and footer lines. For some applications (e.g. Microsoft Internet Explorer) you need the certificate in plain DER format. You can convert a PEM file cert.pem into the corresponding DER file cert.der using the following command: $ openssl x509 -in cert.pem -out cert.der -outform DER

Why can't I find the getcagetverisign programs mentioned by Verisign, for installing my Verisign certificate?

Verisign has never provided specific instructions for Apache+mod_ssl. The instructions provided are for C2Net's Stronghold (a commercial Apache based server with SSL support).

To install your certificate, all you need to do is to save the certificate to a file, and give the name of that file to the SSLCertificateFile directive. You will also need to give it the key file. For more information, see the SSLCertificateKeyFile directive.

Can I use the Server Gated Cryptography (SGC) facility (aka Verisign Global ID) with mod_ssl?

Yes. mod_ssl has included support for the SGC facility since version 2.1. No special configuration is required - just use the Global ID as your server certificate. The step up of the clients is then automatically handled by mod_ssl at run-time.

Why do browsers complain that they cannot verify my Verisign Global ID server certificate?

Verisign uses an intermediate CA certificate between the root CA certificate (which is installed in the browsers) and the server certificate (which you installed on the server). You should have received this additional CA certificate from Verisign. If not, complain to them. Then, configure this certificate with the SSLCertificateChainFile directive. This ensures that the intermediate CA certificate is sent to the browser, filling the gap in the certificate chain.

The SSL Protocol

  • Why do I get lots of random SSL protocol errors under heavy server load?
  • Why does my webserver have a higher load, now that it serves SSL encrypted traffic?
  • Why do HTTPS connections to my server sometimes take up to 30 seconds to establish a connection?
  • What SSL Ciphers are supported by mod_ssl?
  • Why do I get "no shared cipher" errors, when trying to use Anonymous Diffie-Hellman (ADH) ciphers?
  • Why do I get a 'no shared ciphers' error when connecting to my newly installed server?
  • Why can't I use SSL with name-based/non-IP-based virtual hosts?
  • Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?
  • How do I get SSL compression working?
  • When I use Basic Authentication over HTTPS the lock icon in Netscape browsers stays unlocked when the dialog pops up. Does this mean the username/password is being sent unencrypted?
  • Why do I get I/O errors when connecting via HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer (MSIE)?
  • Why do I get I/O errors, or the message "Netscape has encountered bad data from the server", when connecting via HTTPS to an Apache+mod_ssl server with Netscape Navigator?

Why do I get lots of random SSL protocol errors under heavy server load?

There can be a number of reasons for this, but the main one is problems with the SSL session Cache specified by the SSLSessionCache directive. The DBM session cache is the most likely source of the problem, so using the SHM session cache (or no cache at all) may help.

Why does my webserver have a higher load, now that it serves SSL encrypted traffic?

SSL uses strong cryptographic encryption, which necessitates a lot of number crunching. When you request a webpage via HTTPS, everything (even the images) is encrypted before it is transferred. So increased HTTPS traffic leads to load increases.

Why do HTTPS connections to my server sometimes take up to 30 seconds to establish a connection?

This is usually caused by a /dev/random device for SSLRandomSeed which blocks the read(2) call until enough entropy is available to service the request. More information is available in the reference manual for the SSLRandomSeed directive.

What SSL Ciphers are supported by mod_ssl?

Usually, any SSL ciphers supported by the version of OpenSSL in use, are also supported by mod_ssl. Which ciphers are available can depend on the way you built OpenSSL. Typically, at least the following ciphers are supported:

  1. RC4 with MD5
  2. RC4 with MD5 (export version restricted to 40-bit key)
  3. RC2 with MD5
  4. RC2 with MD5 (export version restricted to 40-bit key)
  5. IDEA with MD5
  6. DES with MD5
  7. Triple-DES with MD5

To determine the actual list of ciphers available, you should run the following:

$ openssl ciphers -v

Why do I get "no shared cipher" errors, when trying to use Anonymous Diffie-Hellman (ADH) ciphers?

By default, OpenSSL does not allow ADH ciphers, for security reasons. Please be sure you are aware of the potential side-effects if you choose to enable these ciphers.

In order to use Anonymous Diffie-Hellman (ADH) ciphers, you must build OpenSSL with "-DSSL_ALLOW_ADH", and then add "ADH" into your SSLCipherSuite.

Why do I get a 'no shared ciphers' error when connecting to my newly installed server?

Either you have made a mistake with your SSLCipherSuite directive (compare it with the pre-configured example in httpd.conf-dist) or you chose to use DSA/DH algorithms instead of RSA when you generated your private key and ignored or overlooked the warnings. If you have chosen DSA/DH, then your server cannot communicate using RSA-based SSL ciphers (at least until you configure an additional RSA-based certificate/key pair). Modern browsers like NS or IE can only communicate over SSL using RSA ciphers. The result is the "no shared ciphers" error. To fix this, regenerate your server certificate/key pair, using the RSA algorithm.

Why can't I use SSL with name-based/non-IP-based virtual hosts?

The reason is very technical, and a somewhat "chicken and egg" problem. The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established Apache/mod_ssl has to negotiate the SSL protocol parameters with the client. For this, mod_ssl has to consult the configuration of the virtual server (for instance it has to look for the cipher suite, the server certificate, etc.). But in order to go to the correct virtual server Apache has to know the Host HTTP header field. To do this, the HTTP request header has to be read. This cannot be done before the SSL handshake is finished, but the information is needed in order to complete the SSL handshake phase. Bingo!

Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?

Name-Based Virtual Hosting is a very popular method of identifying different virtual hosts. It allows you to use the same IP address and the same port number for many different sites. When people move on to SSL, it seems natural to assume that the same method can be used to have lots of different SSL virtual hosts on the same server.

It comes as rather a shock to learn that it is impossible.

The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds, which matches the port and IP address specified.

You can, of course, use Name-Based Virtual Hosting to identify many non-SSL virtual hosts (all on port 80, for example) and then have a single SSL virtual host (on port 443). But if you do this, you must make sure to put the non-SSL port number on the NameVirtualHost directive, e.g.

NameVirtualHost 192.168.1.1:80

Other workaround solutions include:

Using separate IP addresses for different SSL hosts. Using different port numbers for different SSL hosts.

How do I get SSL compression working?

Although SSL compression negotiation was defined in the specification of SSLv2 and TLS, it took until May 2004 for RFC 3749 to define DEFLATE as a negotiable standard compression method.

OpenSSL 0.9.8 started to support this by default when compiled with the zlib option. If both the client and the server support compression, it will be used. However, most clients still try to initially connect with an SSLv2 Hello. As SSLv2 did not include an array of prefered compression algorithms in its handshake, compression cannot be negotiated with these clients. If the client disables support for SSLv2, either an SSLv3 or TLS Hello may be sent, depending on which SSL library is used, and compression may be set up. You can verify whether clients make use of SSL compression by logging the %{SSL_COMPRESS_METHOD}x variable.

When I use Basic Authentication over HTTPS the lock icon in Netscape browsers stays unlocked when the dialog pops up. Does this mean the username/password is being sent unencrypted?

No, the username/password is transmitted encrypted. The icon in Netscape browsers is not actually synchronized with the SSL/TLS layer. It only toggles to the locked state when the first part of the actual webpage data is transferred, which may confuse people. The Basic Authentication facility is part of the HTTP layer, which is above the SSL/TLS layer in HTTPS. Before any HTTP data communication takes place in HTTPS, the SSL/TLS layer has already completed its handshake phase, and switched to encrypted communication. So don't be confused by this icon.

Why do I get I/O errors when connecting via HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer (MSIE)?

The first reason is that the SSL implementation in some MSIE versions has some subtle bugs related to the HTTP keep-alive facility and the SSL close notify alerts on socket connection close. Additionally the interaction between SSL and HTTP/1.1 features are problematic in some MSIE versions. You can work around these problems by forcing Apache not to use HTTP/1.1, keep-alive connections or send the SSL close notify messages to MSIE clients. This can be done by using the following directive in your SSL-aware virtual host section:

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

Further, some MSIE versions have problems with particular ciphers. Unfortunately, it is not possible to implement a MSIE-specific workaround for this, because the ciphers are needed as early as the SSL handshake phase. So a MSIE-specific SetEnvIf won't solve these problems. Instead, you will have to make more drastic adjustments to the global parameters. Before you decide to do this, make sure your clients really have problems. If not, do not make these changes - they will affect all your clients, MSIE or otherwise.

The next problem is that 56bit export versions of MSIE 5.x browsers have a broken SSLv3 implementation, which interacts badly with OpenSSL versions greater than 0.9.4. You can accept this and require your clients to upgrade their browsers, you can downgrade to OpenSSL 0.9.4 (not advised), or you can work around this, accepting that your workaround will affect other browsers too:

SSLProtocol all -SSLv3

will completely disables the SSLv3 protocol and allow those browsers to work. A better workaround is to disable only those ciphers which cause trouble.

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

This also allows the broken MSIE versions to work, but only removes the newer 56bit TLS ciphers.

Another problem with MSIE 5.x clients is that they refuse to connect to URLs of the form https://12.34.56.78/ (where IP-addresses are used instead of the hostname), if the server is using the Server Gated Cryptography (SGC) facility. This can only be avoided by using the fully qualified domain name (FQDN) of the website in hyperlinks instead, because MSIE 5.x has an error in the way it handles the SGC negotiation.

And finally there are versions of MSIE which seem to require that an SSL session can be reused (a totally non standard-conforming behaviour, of course). Connecting with those MSIE versions only work if a SSL session cache is used. So, as a work-around, make sure you are using a session cache (see the SSLSessionCache directive).

Why do I get I/O errors, or the message "Netscape has encountered bad data from the server", when connecting via HTTPS to an Apache+mod_ssl server with Netscape Navigator?

This usually occurs when you have created a new server certificate for a given domain, but had previously told your browser to always accept the old server certificate. Once you clear the entry for the old certificate from your browser, everything should be fine. Netscape's SSL implementation is correct, so when you encounter I/O errors with Netscape Navigator it is usually caused by the configured certificates.

mod_ssl Support

  • What information resources are available in case of mod_ssl problems?
  • What support contacts are available in case of mod_ssl problems?
  • What information should I provide when writing a bug report?
  • I had a core dump, can you help me?
  • How do I get a backtrace, to help find the reason for my core dump?

What information resources are available in case of mod_ssl problems?

The following information resources are available. In case of problems you should search here first.

Answers in the User Manual's F.A.Q. List (this)
http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html
First check the F.A.Q. (this text). If your problem is a common one, it may have been answered several times before, and been included in this doc.
Postings from the modssl-users Support Mailing List http://www.modssl.org/support/
Search for your problem in the archives of the modssl-users mailing list. You're probably not the first person to have had this problem!

What support contacts are available in case of mod_ssl problems?

The following lists all support possibilities for mod_ssl, in order of preference. Please go through these possibilities in this order - don't just pick the one you like the look of.

  1. Send a Problem Report to the modssl-users Support Mailing List
    modssl-users@modssl.org
    This is the preferred way of submitting your problem report, because this way, others can see the problem, and learn from any answers. You must subscribe to the list first, but you can then easily discuss your problem with both the author and the whole mod_ssl user community.
  2. Send a Problem Report to the Apache httpd Users Support Mailing List
    users@httpd.apache.org
    This is the second way of submitting your problem report. Again, you must subscribe to the list first, but you can then easily discuss your problem with the whole Apache httpd user community.
  3. Write a Problem Report in the Bug Database
    http://httpd.apache.org/bug_report.html
    This is the last way of submitting your problem report. You should only do this if you've already posted to the mailing lists, and had no success. Please follow the instructions on the above page carefully.

What information should I provide when writing a bug report?

You should always provide at least the following information:

Apache and OpenSSL version information
The Apache version can be determined by running httpd -v. The OpenSSL version can be determined by running openssl version. Alternatively, if you have Lynx installed, you can run the command lynx -mime_header http://localhost/ | grep Server to gather this information in a single step.
The details on how you built and installed Apache+mod_ssl+OpenSSL
For this you can provide a logfile of your terminal session which shows the configuration and install steps. If this is not possible, you should at least provide the configure command line you used.
In case of core dumps please include a Backtrace
If your Apache+mod_ssl+OpenSSL dumps its core, please attach a stack-frame "backtrace" (see below for information on how to get this). Without this information, the reason for your core dump cannot be found
A detailed description of your problem
Don't laugh, we really mean it! Many problem reports don't include a description of what the actual problem is. Without this, it's very difficult for anyone to help you. So, it's in your own interest (you want the problem be solved, don't you?) to include as much detail as possible, please. Of course, you should still include all the essentials above too.

I had a core dump, can you help me?

In general no, at least not unless you provide more details about the code location where Apache dumped core. What is usually always required in order to help you is a backtrace (see next question). Without this information it is mostly impossible to find the problem and help you in fixing it.

How do I get a backtrace, to help find the reason for my core dump?

Following are the steps you will need to complete, to get a backtrace:

  1. Make sure you have debugging symbols available, at least in Apache. On platforms where you use GCC/GDB, you will have to build Apache+mod_ssl with "OPTIM="-g -ggdb3"" to get this. On other platforms at least "OPTIM="-g"" is needed.
  2. Start the server and try to reproduce the core-dump. For this you may want to use a directive like "CoreDumpDirectory /tmp" to make sure that the core-dump file can be written. This should result in a /tmp/core/tmp/httpd.core file. If you don't get one of these, try running your server under a non-root UID. Many modern kernels do not allow a process to dump core after it has done a setuid() (unless it does an exec()) for security reasons (there can be privileged information left over in memory). If necessary, you can run /path/to/httpd -X manually to force Apache to not fork.
  3. Analyze the core-dump. For this, run gdb /path/to/httpd /tmp/httpd.core or a similar command. In GDB, all you have to do then is to enter bt, and voila, you get the backtrace. For other debuggers consult your local debugger manual.
上一篇:下一篇: