
Total: 175

  • SSL/TLS Strong Encryption: An Introduction - Apache HTTP Server
    ... as one for their identity as an employee. Distinguished names are defined by the X.509 standard [X509], which defines the fields, field names and abbreviations used to refer to the fields (see Table 2).

    Table 2: Distinguished Name Information

        DN Field                 Abbrev.  Description                                        Example
        Common Name              CN       Name being certified                               CN=Joe Average
        Organization or Company  O        Name is associated with this organization          O=Snake Oil, Ltd
        Organizational Unit      OU       Name is associated with this organization unit,    OU=Research Institute
                                          such as a department
        City/Locality            L        Name is located in this City                       L=Snake City
        State/Province           ST       Name is located in this State/Province             ST=Desert
        Country                  C        Name is located in this Country (ISO code)         C=XZ

    A Certificate Authority may define a policy specifying which distinguished field names are optional and which are required. It may also place requirements upon the field contents, as may users of certificates. For example, a Netscape browser requires that the Common Name for a certificate representing a server matches a wildcard pattern for the domain name of that server, such as *.snakeoil.com. (Current browsers go further: they ignore the Common Name entirely and match the host name only against the subjectAltName extension, so a server certificate issued today must carry every host name it serves there.)

    The binary format of a certificate is defined using the ASN.1 notation [X208] [PKCS]. This notation defines how to specify the contents, and encoding rules define how this information is translated into binary form. The binary encoding of the certificate is defined using Distinguished Encoding Rules (DER), which are based on the more general Basic Encoding Rules (BER). For those transmissions which cannot handle binary, the binary form may be translated into an ASCII form by using Base64 encoding [MIME]. When placed between begin and end delimiter lines (as below), this encoded version is called a PEM ("Privacy Enhanced Mail") encoded certificate.

    Example of a PEM-encoded certificate (snakeoil.crt), as reproduced in this extract (the '+' and '/' characters of the Base64 body have been lost, so it will not decode as shown):

        -----BEGIN CERTIFICATE-----
        MIIC7jCCAlegAwIBAgIBATANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCWFkx FTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25ha2UgVG93bjEXMBUG A1UEChMOU25ha2UgT2lsLCBMdGQxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhv
        cml0eTEVMBMGA1UEAxMMU25ha2UgT2lsIENBMR4wHAYJKoZIhvcNAQkBFg9jYUBz bmFrZW9pbC5kb20wHhcNOTgxMDIxMDg1ODM2WhcNOTkxMDIxMDg1ODM2WjCBpzEL MAkGA1UEBhMCWFkxFTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25h a2UgVG93bjEXMBUGA1UEChMOU25ha2UgT2lsLCBMdGQxFzAVBgNVBAsTDldlYnNl cnZlciBUZWFtMRkwFwYDVQQDExB3d3cuc25ha2VvaWwuZG9tMR8wHQYJKoZIhvcN AQkBFhB3d3dAc25ha2VvaWwuZG9tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB gQDH9Ge s2zcH da rPTx DPRp3xGjHZ4GG6pCmvADIEtBtKBFAcZ64n Dy7Np8b vKR yy5DGQiijsH1D j8HlGE q4TZ8OFk7BNBFazHxFbYI4OKMiCxdKzdif1yfaa lWoANFlAzlSdbxeGVHoT0K gT5w3UxwZKv2DLbCTzLZyPwIDAQABoyYwJDAPBgNV HRMECDAGAQH AgEAMBEGCWCGSAGG EIBAQQEAwIAQDANBgkqhkiG9w0BAQQFAAOB gQAZUIHAL4D09oE6Lv2k56Gp38OBDuILvwLg1v1KL8mQR KFjghCrtpqaztZqcDt 2q2QoyulCgSzHbEGmi0EsdkPfg6mp0penssIFePYNI 8u9HT4LuKMJX15hxBam7 dUHzICxBVC1lnHyYGjDuAMhe396lYAn8bCld1 L4NMGBCQ
        -----END CERTIFICATE-----

    Certificate Authorities
    By verifying the information in a certificate request before granting the certificate, the Certificate Authority assures itself of the identity of the private key owner of a key pair. For instance, if Alice requests a personal certificate, the Certificate Authority must first make sure that Alice really is the person the certificate claims she is.

    Certificate Chains
    A Certificate Authority may also issue a certificate for another Certificate Authority. When examining a certificate, Alice may need to examine the certificate of the issuer, for each parent Certificate Authority, until reaching one which she has confidence in. She may decide to trust only certificates with a limited chain of issuers, to reduce her risk of a "bad" certificate in the chain.

    Creating a Root-Level CA
    As noted earlier, each certificate requires an issuer to assert the validity of the identity of the certificate subject, up to the top-level Certificate Authority (CA). This presents a problem: who can vouch for the certificate of the top-level authority, which has no issuer? In this unique case, the certificate is "self-signed", so the issuer of the certificate is the same as the subject. Browsers are preconfigured to trust well-known certificate authorities, but it is important to exercise extra care in trusting a self-signed certificate. The wide publication of a public key by the root authority reduces the risk in trusting this key: it would be obvious if someone else publicized a key claiming to be the authority.

    A number of companies, such as Thawte and VeriSign, have established themselves as Certificate Authorities. These companies provide the following services:
      - Verifying certificate requests
      - Processing certificate requests
      - Issuing and managing certificates

    It is also possible to create your own Certificate Authority. Although risky in the Internet environment, it may be useful within an Intranet where the organization can easily verify the identities of individuals and servers.

    Certificate Management
    Establishing a Certificate Authority is a responsibility which requires a solid administrative, technical and management framework. Certificate Authorities not only issue certificates, they also manage them: that is, they determine for how long certificates remain valid, they renew them, and they keep lists of certificates that were issued in the past but are no longer valid (Certificate Revocation Lists, or CRLs). For example, if Alice is entitled to a certificate as an employee of a company, but has now left that company, her certificate may need to be revoked. Because certificates are only issued after the subject's identity has been verified, and can then be passed around to all those with whom the subject may communicate, it is impossible to tell from the certificate alone that it has been revoked. When examining certificates for validity, therefore, it is necessary to contact the issuing Certificate Authority to check CRLs; when this document was written, that was usually not an automated part of the process. (Current TLS clients do consult revocation data automatically, through OCSP, OCSP stapling or downloaded CRLs, but most of them soft-fail when the check cannot be completed, so revocation still should not be relied on as a hard guarantee.)

    Note: If you use a Certificate Authority that browsers are not configured to trust by default, it is necessary to load the Certificate Authority certificate into the browser, enabling the browser to validate server certificates signed by that Certificate Authority. Doing so may be dangerous, since once loaded, the browser will accept all certificates signed by that Certificate Authority.

    Secure Sockets Layer (SSL)
    The Secure Sockets Layer protocol is a protocol layer which may be placed between a reliable connection-oriented network layer protocol (e.g. TCP/IP) and the application protocol layer (e.g. HTTP). SSL provides for secure communication between client and server by allowing mutual authentication, the use of digital signatures for integrity, and encryption for privacy. The protocol is designed to support a range of choices for specific algorithms used for cryptography, digests and signatures. This allows algorithm selection for specific servers to be made based on legal, export or other concerns, and also enables the protocol to take advantage of new algorithms. Choices are negotiated between client and server at the start of establishing a protocol session.

    Table 4: Versions of the SSL protocol (columns: Version, Source, Description, Browser Support) ...

    Original URL path: http://bc.capitalsafety.com/manual/ssl/ssl_intro.html (2016-02-16)
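The passage above describes a Distinguished Name as a list of typed fields, its DER encoding, and the PEM wrapping of that encoding. The following is an added example, not code from the Apache documentation or from mod_ssl: it hand-encodes an X.501 Name from the Table 2 attributes into DER, decodes it back (rejecting BER-only length forms, which a DER consumer must do), prints it in RFC 2253 form, and wraps the bytes in PEM delimiters. The attribute OIDs are the standard X.520 ones; the DN values are Table 2's own examples.

```python
"""DER-encode and decode an X.501 Name built from the Table 2 attributes, then wrap it as PEM.
Added example, not from the Apache documentation. Only the ASN.1 subset a Name needs
(SEQUENCE, SET, OBJECT IDENTIFIER, string types) is implemented, so the byte layout is visible.
"""
import base64

# X.520 attribute types as DER OID contents (arc 2.5.4.N encodes as 55 04 N).
OIDS = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b",
        "L": b"\x55\x04\x07", "ST": b"\x55\x04\x08", "C": b"\x55\x04\x06"}
ABBREV = {oid: name for name, oid in OIDS.items()}
TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
TAG_UTF8, TAG_PRINTABLE, TAG_IA5 = 0x0C, 0x13, 0x16


def der_length(n):
    """DER length octets: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def encode_name(pairs):
    """pairs: ordered (abbrev, value) list. C is a PrintableString, the rest UTF8String."""
    rdns = b""
    for abbrev, value in pairs:
        tag = TAG_PRINTABLE if abbrev == "C" else TAG_UTF8
        atv = tlv(TAG_SEQUENCE, tlv(TAG_OID, OIDS[abbrev]) + tlv(tag, value.encode("utf-8")))
        rdns += tlv(TAG_SET, atv)  # one attribute per RDN, the common case
    return tlv(TAG_SEQUENCE, rdns)


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the element at pos; rejects non-minimal (BER) lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        if buf[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal length: BER, not DER")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length


def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def decode_name(der):
    """Inverse of encode_name; unknown attribute types come back as hex OID bytes."""
    tag, content, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    pairs = []
    for set_tag, rdn in children(content):
        if set_tag != TAG_SET:
            raise ValueError("each RDN must be a SET")
        for seq_tag, atv in children(rdn):
            (oid_tag, oid), (val_tag, val) = children(atv)
            if seq_tag != TAG_SEQUENCE or oid_tag != TAG_OID:
                raise ValueError("malformed AttributeTypeAndValue")
            if val_tag not in (TAG_UTF8, TAG_PRINTABLE, TAG_IA5):
                raise ValueError("unsupported string type 0x%02x" % val_tag)
            pairs.append((ABBREV.get(oid, oid.hex()), val.decode("utf-8")))
    return pairs


def rfc2253(pairs):
    """Comma-joined form, most specific RDN first, escaping , + " \\ < > ; per RFC 2253."""
    def esc(v):
        v = "".join("\\" + c if c in ',+"\\<>;' else c for c in v)
        if v[:1] in ("#", " "):
            v = "\\" + v
        return v[:-1] + "\\ " if v.endswith(" ") else v
    return ",".join("%s=%s" % (k, esc(v)) for k, v in reversed(pairs))


def to_pem(der, label):
    """Base64 in 64-column lines between BEGIN/END delimiters, as OpenSSL writes PEM."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def from_pem(pem):
    body = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)
```

A name consisting of the single RDN C=XZ encodes to 30 0d 31 0b 30 09 06 03 55 04 06 13 02 58 5a: an outer SEQUENCE, one SET, one inner SEQUENCE holding the OID 2.5.4.6 and the PrintableString "XZ". The decoder's refusal of 30 81 0d ... for the same content is the DER/BER distinction the text draws; two encodings of one name would otherwise hash and compare differently.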


  • SSL/TLS Strong Encryption: Compatibility - Apache HTTP Server
    ... (Table 1, Configuration Directive Mapping, continued: Old Directive / mod_ssl Directive / Comment)

        SSL_X509VerifyDir arg          SSLCACertificatePath arg             renamed
        SSL_Log file                   SSLLogFile file                      renamed
        SSL_Connect flag               SSLEngine flag                       renamed
        SSL_ClientAuth arg             SSLVerifyClient arg                  renamed
        SSL_X509VerifyDepth arg        SSLVerifyDepth arg                   renamed
        SSL_FetchKeyPhraseFrom arg     -                                    not directly mappable; use SSLPassPhraseDialog
        SSL_SessionDir dir             -                                    not directly mappable; use SSLSessionCache
        SSL_Require expr               -                                    not directly mappable; use SSLRequire
        SSL_CertFileType arg           -                                    functionality not supported
        SSL_KeyFileType arg            -                                    functionality not supported
        SSL_X509VerifyPolicy arg       -                                    functionality not supported
        SSL_LogX509Attributes arg      -                                    functionality not supported

    Stronghold 2.x compatibility

        StrongholdAccelerator engine   SSLCryptoDevice engine               renamed
        StrongholdKey dir              -                                    functionality not needed
        StrongholdLicenseFile dir      -                                    functionality not needed
        SSLFlag flag                   SSLEngine flag                       renamed
        SSLSessionLockFile file        SSLMutex file                        renamed
        SSLCipherList spec             SSLCipherSuite spec                  renamed
        RequireSSL                     SSLRequireSSL                        renamed
        SSLErrorFile file              -                                    functionality not supported
        SSLRoot dir                    -                                    functionality not supported
        SSL_CertificateLogDir dir      -                                    functionality not supported
        AuthCertDir dir                -                                    functionality not supported
        SSL_Group name                 -                                    functionality not supported
        SSLProxyMachineCertPath dir    SSLProxyMachineCertificatePath dir   renamed
        SSLProxyMachineCertFile file   SSLProxyMachineCertificateFile file  renamed
        SSLProxyCipherList spec        SSLProxyCipherSpec spec              renamed

    Environment Variables
    The mapping between environment variable names used by the older SSL solutions and the names used by mod_ssl is given in Table 2.

    Table 2: Environment Variable Derivation (Old Variable / mod_ssl Variable / Comment)

        SSL_PROTOCOL_VERSION             SSL_PROTOCOL               renamed
        SSLEAY_VERSION                   SSL_VERSION_LIBRARY        renamed
        HTTPS_SECRETKEYSIZE              SSL_CIPHER_USEKEYSIZE      renamed
        HTTPS_KEYSIZE                    SSL_CIPHER_ALGKEYSIZE      renamed
        HTTPS_CIPHER                     SSL_CIPHER                 renamed
        HTTPS_EXPORT                     SSL_CIPHER_EXPORT          renamed
        SSL_SERVER_KEY_SIZE              SSL_CIPHER_ALGKEYSIZE      renamed
        SSL_SERVER_CERTIFICATE           SSL_SERVER_CERT            renamed
        SSL_SERVER_CERT_START            SSL_SERVER_V_START         renamed
        SSL_SERVER_CERT_END              SSL_SERVER_V_END           renamed
        SSL_SERVER_CERT_SERIAL           SSL_SERVER_M_SERIAL        renamed
        SSL_SERVER_SIGNATURE_ALGORITHM   SSL_SERVER_A_SIG           renamed
        SSL_SERVER_DN                    SSL_SERVER_S_DN            renamed
        SSL_SERVER_CN                    SSL_SERVER_S_DN_CN         renamed
        SSL_SERVER_EMAIL                 SSL_SERVER_S_DN_Email      renamed
        SSL_SERVER_O                     SSL_SERVER_S_DN_O          renamed
        SSL_SERVER_OU                    SSL_SERVER_S_DN_OU         renamed
        SSL_SERVER_C                     SSL_SERVER_S_DN_C          renamed
        SSL_SERVER_SP                    SSL_SERVER_S_DN_SP         renamed
        SSL_SERVER_L                     SSL_SERVER_S_DN_L          renamed
        SSL_SERVER_IDN                   SSL_SERVER_I_DN            renamed
        SSL_SERVER_ICN                   SSL_SERVER_I_DN_CN         renamed
        SSL_SERVER_IEMAIL                SSL_SERVER_I_DN_Email      renamed
        SSL_SERVER_IO                    SSL_SERVER_I_DN_O          renamed
        SSL_SERVER_IOU                   SSL_SERVER_I_DN_OU         renamed
        SSL_SERVER_IC                    SSL_SERVER_I_DN_C          renamed
        SSL_SERVER_ISP                   SSL_SERVER_I_DN_SP         renamed
        SSL_SERVER_IL                    SSL_SERVER_I_DN_L          renamed
        SSL_CLIENT_CERTIFICATE           SSL_CLIENT_CERT            renamed
        SSL_CLIENT_CERT_START            SSL_CLIENT_V_START         renamed
        SSL_CLIENT_CERT_END              SSL_CLIENT_V_END           renamed
        SSL_CLIENT_CERT_SERIAL           SSL_CLIENT_M_SERIAL        renamed
        SSL_CLIENT_SIGNATURE_ALGORITHM   SSL_CLIENT_A_SIG           renamed
        SSL_CLIENT_DN                    SSL_CLIENT_S_DN            renamed
        SSL_CLIENT_CN                    SSL_CLIENT_S_DN_CN         renamed
        SSL_CLIENT_EMAIL                 SSL_CLIENT_S_DN_Email      renamed
        SSL_CLIENT_O                     SSL_CLIENT_S_DN_O          renamed
        ...

    Original URL path: http://bc.capitalsafety.com/manual/ssl/ssl_compat.html (2016-02-16)

  • SSL/TLS Strong Encryption: How-To - Apache HTTP Server
    ... (end of the preceding example's SSLCipherSuite line)

        ...:+LOW:+SSLv2:+EXP:+eNULL
        <Directory /usr/local/apache2/htdocs>
        #   but finally deny all browsers which haven't upgraded
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
        </Directory>

    How can I create an SSL server which accepts all types of ciphers in general, but requires strong ciphers for access to a particular URL?
    Obviously, a server-wide SSLCipherSuite which restricts ciphers to the strong variants isn't the answer here. However, mod_ssl can be reconfigured within Location blocks to give a per-directory solution, and can automatically force a renegotiation of the SSL parameters to meet the new configuration. This can be done as follows:

        #   be liberal in general
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

        <Location /strong/area>
        #   but https://hostname/strong/area/ and below
        #   requires strong ciphers
        SSLCipherSuite HIGH:MEDIUM
        </Location>

    Treat the "liberal" cipher string above as historical: it admits export-grade, RC4, SSLv2 and even NULL-encryption (eNULL) suites. On a current server the server-wide SSLCipherSuite should already exclude all of those, and the per-Location override is then only a way to demand more (a larger key size via SSLRequire, or a narrower suite list) for a sensitive path.

    Client Authentication and Access Control
      - How can I force clients to authenticate using certificates?
      - How can I force clients to authenticate using certificates for a particular URL, but still allow arbitrary clients to access the rest of the server?
      - How can I allow only clients who have certificates to access a particular URL, but allow all clients to access the rest of the server?
      - How can I require HTTPS with strong ciphers, and either basic authentication or client certificates, for access to part of the Intranet website for clients coming from the Internet?

    How can I force clients to authenticate using certificates?
    When you know all of your users (e.g. as is often the case on a corporate Intranet), you can require plain certificate authentication. All you need to do is to create client certificates signed by your own CA certificate (ca.crt) and then verify the clients against this certificate.

        # httpd.conf
        #   require a client certificate which has to be directly
        #   signed by our CA certificate in ca.crt
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLCACertificateFile conf/ssl.crt/ca.crt

    (SSLVerifyDepth 1 is what enforces "directly signed": a client certificate issued by an intermediate under ca.crt is rejected, which is the intended behaviour when you run the CA yourself.)

    How can I force clients to authenticate using certificates for a particular URL, but still allow arbitrary clients to access the rest of the server?
    To force clients to authenticate using certificates for a particular URL, you can use the per-directory reconfiguration features of mod_ssl:

        # httpd.conf
        SSLVerifyClient none
        SSLCACertificateFile conf/ssl.crt/ca.crt

        <Location /secure/area>
        SSLVerifyClient require
        SSLVerifyDepth 1
        </Location>

    How can I allow only clients who have certificates to access a particular URL, but allow all clients to access the rest of the server?
    The key to doing this is checking that part of the client certificate matches what you expect. Usually this means checking all or part of the Distinguished Name (DN), to see if it contains some known string. There are two ways to do this, using either mod_auth_basic or SSLRequire.

    The mod_auth_basic method is generally required when the certificates are completely arbitrary, or when their DNs have no common fields (usually the organisation, etc.). In this case, you should establish a password database containing all clients allowed, as follows:

        # httpd.conf
        SSLVerifyClient ...

    Original URL path: http://bc.capitalsafety.com/manual/ssl/ssl_howto.html (2016-02-16)
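The How-To's DN checks, and the SSL_CLIENT_S_DN_* and SSL_CIPHER_USEKEYSIZE names listed in the Compatibility table above, are the same facts an application behind mod_ssl sees in its CGI environment. The following is an added example, not code from the Apache documentation or from mod_ssl: it makes the kind of access decision an SSLRequire line makes, but in the application, from those variables. The policy values (organisation, allowed units, 128-bit minimum) are assumptions chosen to match the Snake Oil examples, the environment is constructed test data, and the one-line "/C=XZ/O=..." DN form it parses is the httpd 2.0/2.2 format (httpd 2.4 switched SSL_CLIENT_S_DN to RFC 2253 form unless SSLOptions +LegacyDNStringFormat is set).

```python
"""Decide access from the environment mod_ssl exports (SSL_CLIENT_S_DN_*, SSL_CIPHER_USEKEYSIZE,
SSL_CLIENT_VERIFY), the same facts the How-To's SSLRequire lines test. Added example, not from
the Apache documentation. The policy constants are assumptions and sample_env() is constructed;
the one-line "/C=XZ/O=..." DN form is the httpd 2.0/2.2 format.
"""
import re

REQUIRED_ORG = "Snake Oil, Ltd"                            # assumed policy value
ALLOWED_UNITS = {"Webserver Team", "Research Institute"}   # assumed policy value
MIN_KEY_BITS = 128   # same threshold as: SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

_ATTR = re.compile(r"^([A-Za-z][A-Za-z0-9]*)=(.*)$", re.S)


def parse_oneline_dn(dn):
    """Parse "/C=XZ/O=Snake Oil, Ltd/OU=Research/Development/CN=x" into (attr, value) pairs.

    A "/" starts a new component only when "NAME=" follows it, so a slash inside a value
    (OU=Research/Development) stays in the value. A value that itself contains "/NAME="
    is still ambiguous in this format, which is why the per-attribute variables are preferred.
    """
    if not dn.startswith("/"):
        raise ValueError("expected a leading '/'")
    parts = []
    for seg in dn[1:].split("/"):
        m = _ATTR.match(seg)
        if m:
            parts.append([m.group(1), m.group(2)])
        elif parts:
            parts[-1][1] += "/" + seg
        else:
            raise ValueError("malformed DN component: %r" % seg)
    return [(k, v) for k, v in parts]


def client_allowed(env):
    """Return (allowed, reason) for a request whose CGI environment is env."""
    if env.get("HTTPS") != "on":
        return False, "not an SSL connection"
    try:
        bits = int(env.get("SSL_CIPHER_USEKEYSIZE", "0"))
    except ValueError:
        bits = 0
    if bits < MIN_KEY_BITS:
        return False, "cipher uses only %d key bits" % bits
    # NONE means no certificate was sent; FAILED:<reason> means it did not verify.
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        return False, "client certificate missing or not verified (%s)" % verify
    # Prefer the per-attribute variables mod_ssl fills from the parsed certificate;
    # fall back to parsing the one-line DN only when they are absent.
    org, unit = env.get("SSL_CLIENT_S_DN_O"), env.get("SSL_CLIENT_S_DN_OU")
    if org is None or unit is None:
        raw = env.get("SSL_CLIENT_S_DN")
        if not raw:
            return False, "no subject DN available"
        dn = dict(parse_oneline_dn(raw))
        org = dn.get("O") if org is None else org
        unit = dn.get("OU") if unit is None else unit
    if org != REQUIRED_ORG:
        return False, "organisation %r not accepted" % org
    if unit not in ALLOWED_UNITS:
        return False, "organisational unit %r not accepted" % unit
    return True, "ok"


def sample_env(**overrides):
    """Constructed environment resembling mod_ssl's output with SSLOptions +StdEnvVars.
    Pass NAME=None to drop a variable."""
    env = {
        "HTTPS": "on",
        "SSL_PROTOCOL": "TLSv1.2",
        "SSL_CIPHER": "ECDHE-RSA-AES256-GCM-SHA384",
        "SSL_CIPHER_USEKEYSIZE": "256",
        "SSL_CLIENT_VERIFY": "SUCCESS",
        "SSL_CLIENT_S_DN": "/C=XZ/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd"
                           "/OU=Webserver Team/CN=www.snakeoil.dom",
        "SSL_CLIENT_S_DN_O": "Snake Oil, Ltd",
        "SSL_CLIENT_S_DN_OU": "Webserver Team",
        "SSL_CLIENT_S_DN_CN": "www.snakeoil.dom",
        "SSL_CLIENT_I_DN_CN": "Snake Oil CA",
    }
    env.update(overrides)
    return {k: v for k, v in env.items() if v is not None}


if __name__ == "__main__":
    for case in (sample_env(), sample_env(SSL_CIPHER_USEKEYSIZE="40"),
                 sample_env(SSL_CLIENT_VERIFY="NONE"), sample_env(SSL_CLIENT_S_DN_O="Evil Corp")):
        print(client_allowed(case))
```

The order of the checks matters: the cipher strength and SSL_CLIENT_VERIFY are tested before any DN field is read, because SSL_CLIENT_S_DN_* are populated from whatever certificate the client presented, verified or not, and a policy that looks at the organisation first can be satisfied by a self-signed certificate claiming it.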

  • SSL/TLS Strong Encryption: FAQ - Apache HTTP Server
    ... protocol.

    Is there a difference on startup between the original Apache and an SSL-aware Apache?
    Yes. In general, starting Apache with mod_ssl built in is just like starting Apache without it. However, if you have a passphrase on your SSL private key file, a startup dialog will pop up which asks you to enter the pass phrase. Having to manually enter the passphrase when starting the server can be problematic, for example when starting the server from the system boot scripts. In this case, you can follow the steps below to remove the passphrase from your private key.

    How do I create a self-signed SSL Certificate for testing purposes?
    1. Make sure OpenSSL is installed and in your PATH.
    2. Run the following command to create server.key and server.crt files:
           openssl req -new -x509 -nodes -out server.crt -keyout server.key
       These can be used as follows in your httpd.conf file:
           SSLCertificateFile    /path/to/this/server.crt
           SSLCertificateKeyFile /path/to/this/server.key
    3. It is important that you are aware that this server.key does not have any passphrase. To add a passphrase to the key, you should run the following command and enter and verify the passphrase as requested:
           openssl rsa -des3 -in server.key -out server.key.new
           mv server.key.new server.key
       Please back up the server.key file and the passphrase you entered in a secure location.

    How do I create a real SSL Certificate?
    Here is a step-by-step description:
    1. Make sure OpenSSL is installed and in your PATH.
    2. Create an RSA private key for your Apache server (it will be Triple-DES encrypted and PEM formatted):
           openssl genrsa -des3 -out server.key 1024
       Please back up this server.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key by using the command:
           openssl rsa -noout -text -in server.key
       If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with:
           openssl rsa -in server.key -out server.key.unsecure
       (Both parameters above are dated: 1024-bit RSA is below the current minimum, so use 2048 bits or more, and -aes256 is the current choice for protecting the key file rather than -des3.)
    3. Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):
           openssl req -new -key server.key -out server.csr
       Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will later be accessed via https://www.foo.dom/, enter "www.foo.dom" here. You can see the details of this CSR by using:
           openssl req -noout -text -in server.csr
    4. You now have to send this Certificate Signing Request (CSR) to a Certifying Authority (CA) to be signed. Once the CSR has been signed, you will have a real Certificate, which can be used by Apache. You can have a CSR signed by a commercial CA, or you can create your own CA to sign it. Commercial CAs usually ask you to post the CSR into a web form, pay for the signing, and then send a signed Certificate which you can store in a server.crt file. For more information about commercial CAs see the following locations:
         - Verisign: http://digitalid.verisign.com/server/apacheNotice.htm
         - Thawte: http://www.thawte.com/
         - CertiSign Certificadora Digital Ltda.: http://www.certisign.com.br
         - IKS GmbH: http://www.iks-jena.de/leistungen/ca/
         - Uptime Commerce Ltd.: http://www.uptimecommerce.com
         - BelSign NV/SA: http://www.belsign.be
       For details on how to create your own CA, and use this to sign a CSR, see below. Once your CSR has been signed, you can see the details of the Certificate as follows:
           openssl x509 -noout -text -in server.crt
    5. You should now have two files: server.key and server.crt. These can be used as follows in your httpd.conf file:
           SSLCertificateFile    /path/to/this/server.crt
           SSLCertificateKeyFile /path/to/this/server.key
       The server.csr file is no longer needed.

    How do I create and use my own Certificate Authority (CA)?
    The short answer is to use the CA.sh or CA.pl script provided by OpenSSL. Unless you have a good reason not to, you should use these for preference. If you cannot, you can create a self-signed certificate as follows:
    1. Create an RSA private key for your server (it will be Triple-DES encrypted and PEM formatted):
           openssl genrsa -des3 -out server.key 1024
       Please back up this server.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key by using the command:
           openssl rsa -noout -text -in server.key
       If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with:
           openssl rsa -in server.key -out server.key.unsecure
    2. Create a self-signed Certificate (X509 structure) with the RSA key you just created (output will be PEM formatted):
           openssl req -new -x509 -nodes -sha1 -days 365 -key server.key -out server.crt
       This signs the server CSR and results in a server.crt file. You can see the details of this Certificate using:
           openssl x509 -noout -text -in server.crt
       (Current clients reject SHA-1 signatures; use -sha256 instead of -sha1.)

    How can I change the pass-phrase on my private key file?
    You simply have to read it with the old pass-phrase and write it again, specifying the new pass-phrase. You can accomplish this with the following commands:
        openssl rsa -des3 -in server.key -out server.key.new
        mv server.key.new server.key
    The first time you're asked for a PEM pass-phrase, you should enter the old pass-phrase. After that, you'll be asked again to enter a pass-phrase; this time, use the new pass-phrase. If you are asked to verify the pass-phrase, you'll need to enter the new pass-phrase a second time.

    How can I get rid of the pass-phrase dialog at Apache startup time?
    The reason this dialog pops up at startup and every restart is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to decrypt this file, so it can be read and parsed. Removing the pass-phrase removes a layer of security from your server; proceed with caution!
    1. Remove the encryption from the RSA private key (while keeping a backup copy of the original file):
           cp server.key server.key.org
           openssl rsa -in server.key.org -out server.key
    2. Make sure the server.key file is only readable by root:
           chmod 400 server.key
    Now server.key contains an unencrypted copy of the key. If you point your server at this file, it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on this file are such that only root or the web server user can read it (preferably get your web server to start as root but run as another user, and have the key readable only by root).
    As an alternative approach you can use the `SSLPassPhraseDialog exec:/path/to/program` facility. Bear in mind that this is neither more nor less secure, of course: whatever the program reads the pass-phrase from is now the secret that must be protected.

    How do I verify that a private key matches its Certificate?
    A private key contains a series of numbers. Two of these numbers form the "public key", the others are part of the "private key". The "public key" bits are included when you generate a CSR, and subsequently form part of the associated Certificate. To check that the public key in your Certificate matches the public portion of your private key, you simply need to compare these numbers. To view the Certificate and the key run the commands:
        openssl x509 -noout -text -in server.crt
        openssl rsa -noout -text -in server.key
    The "modulus" and the "public exponent" portions in the key and the Certificate must match. As the public exponent is usually 65537 and it's difficult to visually check that the long modulus numbers are the same, you can use the following approach:
        openssl x509 -noout -modulus -in server.crt | openssl md5
        openssl rsa -noout -modulus -in server.key | openssl md5
    This leaves you with two rather shorter numbers to compare. It is, in theory, possible that these numbers may be the same without the modulus numbers being the same, but the chances of this are overwhelmingly remote. Should you wish to check to which key or certificate a particular CSR belongs, you can perform the same calculation on the CSR as follows:
        openssl req -noout -modulus -in server.csr | openssl md5

    Why do connections fail with an "alert bad certificate" error?
    Errors such as `OpenSSL: error:14094412: SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate` in the SSL logfile are usually caused by a browser which is unable to handle the server certificate/private key. For example, Netscape Navigator 3.x is unable to handle RSA key lengths not equal to 1024 bits.

    Why does my 2048-bit private key not work?
    The private key sizes for SSL must be either 512 or 1024 bits, for compatibility with certain web browsers. A keysize of 1024 bits is recommended because keys larger than 1024 bits are incompatible with some versions of Netscape Navigator and Microsoft Internet Explorer, and with other browsers that use RSA's BSAFE cryptography toolkit.
    (This advice is obsolete. Those browsers are long gone, public CAs no longer sign certificates for RSA keys shorter than 2048 bits, and current clients accept 2048- and 4096-bit keys without trouble. Use 2048 bits as the minimum.)

    Why is client authentication broken after upgrading from SSLeay version 0.8 to 0.9?
    The CA certificates under the path you configured with SSLCACertificatePath are found by SSLeay through hash symlinks. These hash values are generated by the `openssl x509 -noout -hash` command. However, the algorithm used to calculate the hash for a certificate changed between SSLeay 0.8 and 0.9. You will need to remove all old hash symlinks and create new ones after upgrading. Use the Makefile provided by mod_ssl. (The hash changed once more in OpenSSL 1.0.0, where the old value is available as -subject_hash_old; `c_rehash` or, from 1.1.0, `openssl rehash` regenerates the links for the current algorithm.)

    How can I convert a certificate from PEM to DER format?
    The default certificate format for SSLeay/OpenSSL is PEM, which is simply Base64 encoded DER, with header and footer lines. For some applications (e.g. Microsoft Internet Explorer) you need the certificate in plain DER format. You can convert a PEM file (cert.pem) into the corresponding DER file (cert.der) using the following command:
        openssl x509 -in cert.pem -out cert.der -outform DER

    Why can't I find the getca or getverisign programs mentioned by Verisign for installing my Verisign certificate?
    Verisign has never provided specific instructions for Apache+mod_ssl. The instructions provided are for C2Net's Stronghold (a commercial Apache-based server with SSL support). To install your certificate, all you need to do is to save the certificate to a file, and give the name of that file to the SSLCertificateFile directive. You will also need to give it the key file. For more information, see the SSLCertificateKeyFile directive.

    Can I use the Server Gated Cryptography (SGC) facility (aka Verisign Global ID) with mod_ssl?
    Yes. mod_ssl has included support for the SGC facility since version 2.1. No special configuration is required; just use the Global ID as your server certificate. The step-up of the clients is then automatically handled by mod_ssl at run time.

    Why do browsers complain that they cannot verify my Verisign Global ID server certificate?
    Verisign uses an intermediate CA certificate between the root CA certificate (which is installed in the browsers) and the server certificate (which you installed on the server). You should have received this additional CA certificate from Verisign. If not, complain to them. Then configure this certificate with the SSLCertificateChainFile directive. This ensures that the intermediate CA certificate is sent to the browser, filling the gap in the certificate chain.

    The SSL Protocol
      - Why do I get lots of random SSL protocol errors under heavy server load?
      - Why does my webserver have a higher load now that it serves SSL encrypted traffic?
      - Why do HTTPS connections to my server sometimes take up to 30 seconds to establish a connection?
      - What SSL Ciphers are supported by mod_ssl?
      - Why do I get "no shared cipher" errors when trying to use Anonymous Diffie-Hellman (ADH) ciphers?
      - Why do I get a "no shared ciphers" error when connecting to my newly installed server?
      - Why can't I use SSL with name-based/non-IP-based virtual hosts?
      - Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?
      - How do I get SSL compression working?
      - When I use Basic Authentication over HTTPS the lock icon in Netscape browsers stays unlocked when the dialog pops up. Does this mean the username/password is being sent unencrypted?
      - Why do I get I/O errors when connecting via HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer (MSIE)?
      - Why do I get I/O errors, or the message "Netscape has encountered bad data from the server", when connecting via HTTPS to an Apache+mod_ssl server with Netscape Navigator?

    Why do I get lots of random SSL protocol errors under heavy server load?
    There can be a number of reasons for this, but the main one is problems with the SSL session cache specified by the SSLSessionCache directive. The DBM session cache is the most likely source of the problem, so using the SHM session cache (or no cache at all) may help.

    Why does my webserver have a higher load now that it serves SSL encrypted traffic?
    SSL uses strong cryptographic encryption, which necessitates a lot of number crunching. When you request a webpage via HTTPS, everything (even the images) is encrypted before it is transferred. So increased HTTPS traffic leads to load increases.

    Why do HTTPS connections to my server sometimes take up to 30 seconds to establish a connection?
    This is usually caused by a /dev/random device for SSLRandomSeed which blocks the read(2) call until enough entropy is available to service the request. More information is available in the reference manual for the SSLRandomSeed directive.

    What SSL Ciphers are supported by mod_ssl?
    Usually, any SSL ciphers supported by the version of OpenSSL in use are also supported by mod_ssl. Which ciphers are available can depend on the way you built OpenSSL. Typically, at least the following ciphers are supported:
      - RC4 with MD5
      - RC4 with MD5 (export version restricted to 40-bit key)
      - RC2 with MD5
      - RC2 with MD5 (export version restricted to 40-bit key)
      - IDEA with MD5
      - DES with MD5
      - Triple-DES with MD5
    To determine the actual list of ciphers available, you should run the following:
        openssl ciphers -v
    (Every suite in that list is obsolete: RC4, RC2, DES, IDEA and the 40-bit export variants are disabled by default or moved to the legacy provider in current OpenSSL, and MD5-based suites with them. A current build lists AES-GCM and ChaCha20-Poly1305 suites with ECDHE key exchange.)

    Why do I get "no shared cipher" errors when trying to use Anonymous Diffie-Hellman (ADH) ciphers?
    By default, OpenSSL does not allow ADH ciphers for security reasons. Please be sure you are aware of the potential side-effects if you choose to enable these ciphers. In order to use Anonymous Diffie-Hellman (ADH) ciphers, you must build OpenSSL with -DSSL_ALLOW_ADH, and then add ADH into your SSLCipherSuite. (ADH gives encryption with no server authentication at all, so any active attacker can sit in the middle of the connection; there is no legitimate reason to enable it on a public server.)

    Why do I get a "no shared ciphers" error when connecting to my newly installed server?
    Either you have made a mistake with your SSLCipherSuite directive (compare it with the pre-configured example in httpd.conf-dist) or you chose to use DSA/DH algorithms instead of RSA when you generated your private key and ignored or overlooked the warnings. If you have chosen DSA/DH, then your server cannot communicate using RSA-based SSL ciphers (at least until you configure an additional RSA-based certificate/key pair). Modern browsers like NS or IE can only communicate over SSL using RSA ciphers. The result is the "no shared ciphers" error. To fix this, regenerate your server certificate/key pair using the RSA algorithm. (Today ECDSA certificates are as widely supported as RSA ones; it is DSA that remains unusable, so the fix still holds, with ECDSA as a second valid choice.)

    Why can't I use SSL with name-based/non-IP-based virtual hosts?
    The reason is very technical, and a somewhat "chicken and egg" problem. The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established, Apache/mod_ssl has to negotiate the SSL protocol parameters with the client. For this, mod_ssl has to consult the configuration of the virtual server (for instance it has to look for the cipher suite, the server certificate, etc.). But in order to go to the correct virtual server Apache has to know the Host HTTP header field. To do this, the HTTP request header has to be read. This cannot be done before the SSL handshake is finished, but the information is needed in order to complete the SSL handshake phase. Bingo!
    (This describes SSL as it stood when the FAQ was written. The TLS Server Name Indication (SNI) extension, supported by mod_ssl from httpd 2.2.12 onward when OpenSSL is built with TLS extensions, puts the requested host name into the ClientHello, so the server can select the matching virtual host before the handshake completes. Name-based SSL virtual hosts therefore work for every client that sends SNI; a client that does not gets the default, i.e. first, virtual host for that address and port.)

    Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?
    Name-Based Virtual Hosting is a very popular method of identifying different virtual hosts. It allows you to use the same IP address and the same port number for many different sites. When people move on to SSL, it seems natural to assume that the same method can be used to have lots of different SSL virtual hosts on the same server. It comes as rather a shock to learn that it is impossible. The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds which matches the port and IP address specified. You can, of course, use Name-Based Virtual Hosting to identify many non-SSL virtual hosts (all on port 80, for example) and then have a single SSL virtual host (on port 443). But if you do this, you must make sure to ...

    Original URL path: http://bc.capitalsafety.com/manual/ssl/ssl_faq.html (2016-02-16)
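The FAQ's answer on removing the pass-phrase dialog ends with two instructions that are easy to get wrong on a live server: the key must not be readable by anyone but root (or the server user), and an unencrypted key must be recognised as such. The following is an added example, not code from the Apache documentation or from OpenSSL: a small audit that classifies a PEM private key file from its headers (traditional "Proc-Type: 4,ENCRYPTED" keys as written by `openssl rsa -des3`, PKCS#8 "ENCRYPTED PRIVATE KEY" files, and unencrypted keys) and checks the file mode. It decrypts nothing. The PEM bodies embedded for testing are constructed placeholders, not real keys, and the list of ciphers it flags as legacy is this example's own judgement.

```python
"""Audit a PEM private key file for the two things the FAQ's pass-phrase answer warns about:
is the key still encrypted (and with what), and who can read the file. Added example, not from
the Apache documentation; it reads PEM headers and the file mode only and decrypts nothing.
The sample PEM constants are constructed placeholders, not real key material.
"""
import os
import stat
import tempfile

LEGACY_WEAK_CIPHERS = {"DES-CBC", "DES-EDE3-CBC", "RC2-CBC"}  # what "openssl rsa -des3" produces


def audit_key_text(pem):
    """Classify PEM text: {"form": label, "encrypted": bool, "cipher": name or None}."""
    lines = pem.splitlines()
    starts = [i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN ")]
    if not starts:
        raise ValueError("no PEM header found")
    label = lines[starts[0]][len("-----BEGIN "):].rstrip("-")
    if label == "ENCRYPTED PRIVATE KEY":
        # PKCS#8: the cipher sits inside the DER structure, so only "encrypted" is knowable here.
        return {"form": label, "encrypted": True, "cipher": "PKCS#8"}
    if label not in ("RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"):
        raise ValueError("not a private key: %s" % label)
    # Traditional encryption ("openssl rsa -des3") is signalled by RFC 1421 headers that end
    # at the first blank line; an unencrypted key has no header block and starts with Base64.
    headers = {}
    for ln in lines[starts[0] + 1:]:
        if not ln.strip() or ":" not in ln:
            break
        k, v = ln.split(":", 1)
        headers[k.strip()] = v.strip()
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        cipher = headers.get("DEK-Info", "").split(",")[0] or None
        return {"form": label, "encrypted": True, "cipher": cipher}
    return {"form": label, "encrypted": False, "cipher": None}


def audit_key_file(path, owner_uid=None):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o is readable by group or others; use chmod 400" % mode)
    if owner_uid is not None and st.st_uid != owner_uid:
        findings.append("owned by uid %d, expected uid %d" % (st.st_uid, owner_uid))
    with open(path, "r", encoding="ascii") as fh:
        info = audit_key_text(fh.read())
    if not info["encrypted"]:
        findings.append("key has no pass-phrase; anyone who reads this file can impersonate the server")
    elif info["cipher"] in LEGACY_WEAK_CIPHERS:
        findings.append("pass-phrase protection uses legacy cipher %s; re-encrypt with -aes256" % info["cipher"])
    return findings


def audit_pem_with_mode(pem, mode):
    """Write pem to a fresh temp file with the given mode, audit it, and remove it again."""
    fd, path = tempfile.mkstemp(suffix=".key")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(pem)
        os.chmod(path, mode)
        return audit_key_file(path)
    finally:
        os.unlink(path)


# Constructed placeholders: the Base64 lines are not real key material.
UNENCRYPTED_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKxx\n-----END RSA PRIVATE KEY-----\n"
DES3_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nUk5EMDEyMzQ1Njc4OQ\n"
            "-----END RSA PRIVATE KEY-----\n")
AES_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\nUk5EMDEyMzQ1Njc4OQ\n"
           "-----END RSA PRIVATE KEY-----\n")
PKCS8_PEM = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIBvTBXBgkqxx\n-----END ENCRYPTED PRIVATE KEY-----\n"


if __name__ == "__main__":
    for name, pem, mode in (("server.key (stripped)", UNENCRYPTED_PEM, 0o644),
                            ("server.key.org", DES3_PEM, 0o400)):
        print(name, audit_pem_with_mode(pem, mode) or ["ok"])
```

Run against the FAQ's own procedure, server.key.org (the encrypted backup) should come back with only the legacy-cipher finding if it was made with -des3, and the stripped server.key should come back with nothing once chmod 400 has been applied, since the missing pass-phrase is then the accepted trade-off the FAQ describes rather than a misconfiguration to fix; that is why the unencrypted finding is worded as a warning rather than an error.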

  • How-To / Tutorials - Apache HTTP Server
    ... access to a resource based on arbitrary criteria. There are a variety of different ways that this can be accomplished. See: Access Control

    Dynamic Content with CGI
    The CGI (Common Gateway Interface) defines a way for a web server to interact with external content-generating programs, which are often referred to as CGI programs or CGI scripts. It is the simplest, and most common, way to put dynamic content on your web site. This document will be an introduction to setting up CGI on your Apache web server, and getting started writing CGI programs. See: CGI: Dynamic Content

    .htaccess files
    .htaccess files provide a way to make configuration changes on a per-directory basis. A file, containing one or more configuration directives, is placed in a particular document directory, and the directives apply to that directory and all subdirectories thereof. See: .htaccess files

    Introduction to Server Side Includes (SSI)
    Server Side Includes are directives that are placed in HTML pages, and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program or other dynamic technology. See: Server ...

    Original URL path: http://bc.capitalsafety.com/manual/howto/ (2016-02-16)

  • Platform Specific Notes - Apache HTTP Server
    This document explains them. See: Compiling Apache for Microsoft Windows. Other Platforms: Novell NetWare: This document explains how to install, configure and run Apache 2.0 under Novell NetWare 5.1 and above. See: Using Apache With Novell NetWare. EBCDIC: Version 1.3 of the Apache HTTP Server is the first version which includes a port to a (non-ASCII) mainframe machine which uses the EBCDIC character set as its

    Original URL path: http://bc.capitalsafety.com/manual/platform/ (2016-02-16)

  • Compiling Apache for Microsoft Windows - Apache HTTP Server
    tricky to force ms\do_masm.bat, for example, to perform the patent encumbrances as mentioned above. Patches to add the argument list to the appropriate .bat lines in these scripts aren't incorporated thus far. Optional zlib library for mod_deflate: Zlib must be installed into a srclib subdirectory named zlib. This must be built in-place. Zlib can be obtained from http://www.zlib.net/; mod_deflate is confirmed to work correctly with version 1.2.3: nmake -f win32\Makefile.msc; nmake -f win32\Makefile.msc test. Command-Line Build: First, unpack the Apache distribution into an appropriate directory. Open a command-line prompt and cd to that directory. The master Apache makefile instructions are contained in the Makefile.win file. To compile Apache on Windows NT, simply use one of the following commands to compile the release or debug build, respectively: nmake /f Makefile.win _apacher; nmake /f Makefile.win _apached. Either command will compile Apache. The latter will include debugging information in the resulting files, making it easier to find bugs and track down problems. Developer Studio Workspace IDE Build: Apache can also be compiled using VC++'s Visual Studio development environment. To simplify this process, a Visual Studio workspace, Apache.dsw, is provided. This workspace exposes the entire list of working .dsp projects that are required for the complete Apache binary release. It includes dependencies between the projects to assure that they are built in the appropriate order. Open the Apache.dsw workspace, and select InstallBin (Release or Debug build, as desired) as the Active Project. InstallBin causes all related projects to be built, and then invokes Makefile.win to move the compiled executables and dlls. You may personalize the INSTDIR choice by changing InstallBin's Settings, General tab, Build command line entry. INSTDIR defaults to the /Apache2 directory. If you only want a test compile (without installing) you may build the BuildBin project instead. The .dsp project files are distributed in Visual C++ 6.0 format. Visual C++ 5.0 (97) will recognize them. Visual C++ 7.0 (.net) must convert Apache.dsw plus the .dsp files into an Apache.sln plus .msproj files; be sure you reconvert the .msproj file if any of the source .dsp files change. This is really trivial: just open Apache.dsw in the VC++ 7.0 IDE once again. Visual C++ 7.0 (.net) users should also use the Build menu, Configuration Manager dialog to uncheck both the Debug and Release Solution modules abs, mod_ssl and mod_deflate. These modules are built by invoking nmake or the IDE directly with the BinBuild target to build those modules explicitly, only if the srclib directories openssl and/or zlib exist. Exported .mak files pose a greater hassle, but they are required for Visual C++ 5.0 users to build mod_ssl, abs (ab with SSL support) and/or mod_deflate. VC++ 7.0 (.net) users also benefit: nmake builds are faster than binenv builds. Build the entire

    Original URL path: http://bc.capitalsafety.com/manual/platform/win_compiling.html (2016-02-16)

  • Running a High-Performance Web Server on HPUX - Apache HTTP Server
    accomplished with adb against the disc image of the kernel. The variable name is tcp_hash_size. Notice that it's critically important that you use "W" to write a 32-bit quantity, not "w" to write a 16-bit value, when patching the disc image, because the tcp_hash_size variable is a 32-bit quantity. How to pick the value? Examine the output of ftp://ftp.cup.hp.com/dist/networking/tools/connhist and see how many total TCP connections exist on the system. You probably want that number divided by the hash table size to be reasonably small, say less than 10. Folks can look at HP's SPECweb96 disclosures for some common settings. These can be found at http://www.specbench.org/. If an HP-UX system was performing at 1000 SPECweb96 connections per second, the TIME_WAIT time of 60 seconds would mean 60,000 TCP connections being tracked. Folks can check their listen queue depths with ftp://ftp.cup.hp.com/dist/networking/misc/listenq. If folks are running Apache on a PA-8000 based system, they should consider "chatr'ing" the Apache executable to have a large page size. This would be "chatr +pi L <BINARY>". The GID of the running executable must have MLOCK privileges. Setprivgrp(1m) should be consulted for assigning MLOCK. The change can be validated by running Glance and examining the memory regions of the server(s) to make sure that they show a non-trivial fraction of the text segment being locked. If folks are running Apache on MP systems, they might consider writing a small program that uses mpctl() to bind processes to processors. A simple pid % numcpu algorithm is probably sufficient. This might even go into the source code. If folks are concerned about the number

    Original URL path: http://bc.capitalsafety.com/manual/platform/perf-hp.html (2016-02-16)


