?? ssl_faq.html.en
字號:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This file is generated from xml source: DO NOT EDIT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-->
<title>SSL/TLS Strong Encryption: FAQ - Apache HTTP Server</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body id="manual-page"><div id="page-header">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.0</p>
<img alt="" src="../images/feather.gif" /></div>
<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.0</a> > <a href="./">SSL/TLS</a></div><div id="page-content"><div id="preamble"><h1>SSL/TLS Strong Encryption: FAQ</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="../en/ssl/ssl_faq.html" title="English"> en </a></p>
</div>
<blockquote>
<p>The wise man doesn't give the right answers,
he poses the right questions.</p>
<p class="cite">-- <cite>Claude Levi-Strauss</cite></p>
</blockquote>
<p>This chapter is a collection of frequently asked questions (FAQ) and
corresponding answers following the popular USENET tradition. Most of these
questions occurred on the Newsgroup <code><a href="news:comp.infosystems.www.servers.unix">comp.infosystems.www.servers.unix</a></code> or the mod_ssl Support
Mailing List <code><a href="mailto:modssl-users@modssl.org">modssl-users@modssl.org</a></code>. They are collected at this place
to avoid answering the same questions over and over.</p>
<p>Please read this chapter at least once when installing mod_ssl or at least
search for your problem here before submitting a problem report to the
author.</p>
</div>
<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#about">About The Module</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#installation">Installation</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#aboutconfig">Configuration</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#aboutcerts">Certificates</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#aboutssl">The SSL Protocol</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#support">mod_ssl Support</a></li>
</ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="about" id="about">About The Module</a></h2>
<ul>
<li><a href="#history">What is the history of mod_ssl?</a></li>
<li><a href="#y2k">mod_ssl and Year 2000?</a></li>
<li><a href="#wassenaar">mod_ssl and Wassenaar Arrangement?</a></li>
</ul>
<h3><a name="history" id="history">What is the history of mod_ssl?</a></h3>
<p>The mod_ssl v1 package was initially created in April 1998 by <a href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> via porting <a href="mailto:ben@algroup.co.uk">Ben Laurie</a>'s <a href="http://www.apache-ssl.org/">Apache-SSL</a> 1.17 source patches for
Apache 1.2.6 to Apache 1.3b6. Because of conflicts with Ben
Laurie's development cycle it then was re-assembled from scratch for
Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL
1.18. From this point on mod_ssl lived its own life as mod_ssl v2. The
first publicly released version was mod_ssl 2.0.0 from August 10th,
1998. </p>
<p>After US export restrictions on cryptographic software were
loosened, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> became part of the Apache HTTP
Server with the release of Apache httpd 2.</p>
<h3><a name="wassenaar" id="wassenaar">Is mod_ssl affected by the Wassenaar Arrangement?</a></h3>
<p>First, let us explain what <dfn>Wassenaar</dfn> and its <dfn>Arrangement on
Export Controls for Conventional Arms and Dual-Use Goods and
Technologies</dfn> is: This is a international regime, established in 1995, to
control trade in conventional arms and dual-use goods and technology. It
replaced the previous <dfn>CoCom</dfn> regime. Further details on
both the Arrangement and its signatories are available at <a href="http://www.wassenaar.org/">http://www.wassenaar.org/</a>.</p>
<p>In short, the aim of the Wassenaar Arrangement is to prevent the build up
of military capabilities that threaten regional and international security
and stability. The Wassenaar Arrangement controls the export of
cryptography as a dual-use good, that is, something that has both military and
civilian applications. However, the Wassenaar Arrangement also provides an
exemption from export controls for mass-market software and free software.</p>
<p>In the current Wassenaar <cite>List of Dual Use Goods and Technologies And
Munitions</cite>, under <q>GENERAL SOFTWARE NOTE (GSN)</q> it says
<q>The Lists do not control "software" which is either: 1. [...] 2. "in
the public domain".</q> And under <q>DEFINITIONS OF TERMS USED IN
THESE LISTS</q> we find <q>In the public
domain</q> defined as <q>"technology" or "software" which has been made
available without restrictions upon its further dissemination. Note:
Copyright restrictions do not remove "technology" or "software" from being
"in the public domain".</q></p>
<p>So, both mod_ssl and OpenSSL are <q>in the public domain</q> for the purposes
of the Wassenaar Arrangement and its <q>List of Dual Use Goods and
Technologies And Munitions List</q>, and thus not affected by its provisions.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="installation" id="installation">Installation</a></h2>
<ul>
<li><a href="#mutex">Why do I get permission errors related to
SSLMutex when I start Apache?</a></li>
<li><a href="#entropy">Why does mod_ssl stop with the error "Failed to
generate temporary 512 bit RSA private key", when I start Apache?</a></li>
</ul>
<h3><a name="mutex" id="mutex">Why do I get permission errors related to
SSLMutex when I start Apache?</a></h3>
<p>Errors such as ``<code>mod_ssl: Child could not open
SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows)
[...] System: Permission denied (errno: 13)</code>'' are usually
caused by overly restrictive permissions on the <em>parent</em> directories.
Make sure that all parent directories (here <code>/opt</code>,
<code>/opt/apache</code> and <code>/opt/apache/logs</code>) have the x-bit
set for, at minimum, the UID under which Apache's children are running (see
the <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> directive).</p>
<h3><a name="entropy" id="entropy">Why does mod_ssl stop with the error
"Failed to generate temporary 512 bit RSA private key", when I start
Apache?</a></h3>
<p>Cryptographic software needs a source of unpredictable data
to work correctly. Many open source operating systems provide
a "randomness device" that serves this purpose (usually named
<code>/dev/random</code>). On other systems, applications have to
seed the OpenSSL Pseudo Random Number Generator (PRNG) manually with
appropriate data before generating keys or performing public key
encryption. As of version 0.9.5, the OpenSSL functions that need
randomness report an error if the PRNG has not been seeded with
at least 128 bits of randomness.</p>
<p>To prevent this error, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> has to provide
enough entropy to the PRNG to allow it to work correctly. This can
be done via the <code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code>
directives.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="aboutconfig" id="aboutconfig">Configuration</a></h2>
<ul>
<li><a href="#parallel">Is it possible to provide HTTP and HTTPS from
the same server?</a></li>
<li><a href="#ports">Which port does HTTPS use?</a></li>
<li><a href="#httpstest">How do I speak HTTPS manually for testing
purposes?</a></li>
<li><a href="#hang">Why does the connection hang when I connect to my
SSL-aware Apache server</a></li>
<li><a href="#refused">Why do I get ``Connection Refused'' errors, when
trying to access my newly installed Apache+mod_ssl server via HTTPS?</a></li>
<li><a href="#envvars">Why are the <code>SSL_XXX</code> variables not
available to my CGI & SSI scripts?</a></li>
<li><a href="#relative">How can I switch between HTTP and HTTPS in
relative hyperlinks?</a></li>
</ul>
<h3><a name="parallel" id="parallel">Is it possible to provide HTTP and HTTPS
from the same server?</a></h3>
<p>Yes. HTTP and HTTPS use different server ports (HTTP binds to
port 80, HTTPS to port 443), so there is no direct conflict between
them. You can either run two separate server instances bound to
these ports, or use Apache's elegant virtual hosting facility to
create two virtual servers over one instance of Apache - one
responding to requests on port 80 and speaking HTTP and the other
responding to requests on port 443 speaking HTTPS.</p>
<h3><a name="ports" id="ports">Which port does HTTPS use?</a></h3>
<p>You can run HTTPS on any port, but the standards specify port 443, which
is where any HTTPS compliant browser will look by default. You can force
your browser to look on a different port by specifying it in the URL like
this (for port 666): <code>https://secure.server.dom:666/</code></p>
<h3><a name="httpstest" id="httpstest">How do I speak HTTPS manually for testing purposes?</a></h3>
<p>While you usually just use</p>
<div class="example"><p><code>$ telnet localhost 80<br />
GET / HTTP/1.0</code></p></div>
<p>for simple testing of Apache via HTTP, it's not so easy for
HTTPS because of the SSL protocol between TCP and HTTP. With the
help of OpenSSL's <code>s_client</code> command, however, you can
do a similar check for HTTPS:</p>
<div class="example"><p><code>$ openssl s_client -connect localhost:443 -state -debug<br />
GET / HTTP/1.0</code></p></div>
<p>Before the actual HTTP response you will receive detailed
information about the SSL handshake. For a more general command
line client which directly understands both HTTP and HTTPS, can
perform GET and POST operations, can use a proxy, supports byte
ranges, etc. you should have a look at the nifty
<a href="http://curl.haxx.se/">cURL</a> tool. Using this, you can
check that Apache is responding correctly on ports 80 and 443 as
follows:</p>
<div class="example"><p><code>$ curl http://localhost/<br />
$ curl https://localhost/</code></p></div>
<h3><a name="hang" id="hang">Why does the connection hang when I connect
to my SSL-aware Apache server?</a></h3>
<p>Because you connected with HTTP to the HTTPS port, i.e. you used an URL of
the form ``<code>http://</code>'' instead of ``<code>https://</code>''.
This also happens the other way round when you connect via HTTPS to a HTTP
port, i.e. when you try to use ``<code>https://</code>'' on a server that
doesn't support SSL (on this port). Make sure you are connecting to a
virtual server that supports SSL, which is probably the IP associated with
your hostname, not localhost (127.0.0.1).</p>
<h3><a name="refused" id="refused">Why do I get ``Connection Refused'' messages,
when trying to access my newly installed Apache+mod_ssl server via HTTPS?</a></h3>
<p>This can happen for various reasons. The most common mistakes
include starting Apache with just <code>apachectl start</code> (or
<code class="program"><a href="../programs/httpd.html">httpd</a></code>) instead of <code>apachectl startssl</code> (or
<code>httpd -DSSL</code>). Your configuration may also be incorrect.
Please make sure that your <code class="directive"><a href="../mod/mpm_common.html#listen">Listen</a></code> directives match your
<code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code>
directives. If all else fails, please start afresh, using the default
configuration provided by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.</p>
<h3><a name="envvars" id="envvars">Why are the <code>SSL_XXX</code> variables
not available to my CGI & SSI scripts?</a></h3>
<p>Please make sure you have ``<code>SSLOptions +StdEnvVars</code>''
enabled for the context of your CGI/SSI requests.</p>
<h3><a name="relative" id="relative">How can I switch between HTTP and HTTPS in relative
hyperlinks?</a></h3>
<p>Usually, to switch between HTTP and HTTPS, you have to use
fully-qualified hyperlinks (because you have to change the URL
scheme). Using <code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code> however, you can
manipulate relative hyperlinks, to achieve the same effect.</p>
<div class="example"><p><code>
RewriteEngine on<br />
RewriteRule ^/(.*):SSL$ https://%{SERVER_NAME}/$1 [R,L]<br />
RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [R,L]
</code></p></div>
<p>This rewrite ruleset lets you use hyperlinks of the form
<code><a href="document.html:SSL"></code>, to switch to HTTPS
in a relative link.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="aboutcerts" id="aboutcerts">Certificates</a></h2>
<ul>
<li><a href="#keyscerts">What are RSA Private Keys, CSRs and
Certificates?</a></li>
<li><a href="#startup">Is there a difference on startup between
the original Apache and an SSL-aware Apache?</a></li>
<li><a href="#selfcert">How do I create a self-signed SSL
Certificate for testing purposes?</a></li>
<li><a href="#realcert">How do I create a real SSL Certificate?</a></li>
<li><a href="#ownca">How do I create and use my own Certificate
Authority (CA)?</a></li>
?? 快捷鍵說明
復制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -