
Total: 155

  • Issues Regarding DNS and Apache - Apache HTTP Server
    Here is a snippet that avoids both of these problems:

        <VirtualHost 10.0.0.1>
        ServerName www.abc.dom
        ServerAdmin webgirl@abc.dom
        DocumentRoot /www/abc
        </VirtualHost>

    Denial of Service

    There are at least two forms that denial of service can come in. If you are running a version of Apache prior to version 1.2, then your server will not even boot if one of the two DNS lookups mentioned above fails for any of your virtual hosts. In some cases this DNS lookup may not even be under your control; for example, if abc.dom is one of your customers and they control their own DNS, they can force your (pre-1.2) server to fail while booting simply by deleting the www.abc.dom record.

    Another form is far more insidious. Consider this configuration snippet:

        <VirtualHost www.abc.dom>
        ServerAdmin webgirl@abc.dom
        DocumentRoot /www/abc
        </VirtualHost>

        <VirtualHost www.def.dom>
        ServerAdmin webguy@def.dom
        DocumentRoot /www/def
        </VirtualHost>

    Suppose that you've assigned 10.0.0.1 to www.abc.dom and 10.0.0.2 to www.def.dom. Furthermore, suppose that def.dom has control of their own DNS. With this config you have put def.dom into a position where they can steal all traffic destined to abc.dom. To do so, all they have to do is set www.def.dom to 10.0.0.1. Since they control their own DNS, you can't stop them from pointing the www.def.dom record wherever they wish.

    Requests coming in to 10.0.0.1 (including all those where users typed in URLs of the form http://www.abc.dom/whatever) will all be served by the def.dom virtual host. To better understand why this happens requires a more in-depth discussion of how Apache matches up incoming requests with the virtual host that will serve it. A rough document describing this is available.

    The "main server" Address

    The addition of name-based virtual host support in Apache 1.1 requires Apache to know the IP address(es) of the host that httpd is running on. To get this address it uses either the global ServerName (if present) or calls the C function gethostname (which should return the same as typing "hostname" at the command prompt). Then it performs a DNS lookup on this address. At present there is no way to avoid this lookup.

    If you fear that this lookup might fail because your DNS server is down, then you can insert the hostname in /etc/hosts (where you probably already have it so that the machine can boot properly). Then ensure that your machine is configured to use /etc/hosts in the event that DNS fails. Depending on what OS you are using, this might be accomplished by editing /etc/resolv.conf, or maybe /etc/nsswitch.conf.

    If your server doesn't have to perform DNS for any other reason, then you might be able to get away with

    Original URL path: http://ama09.obspm.fr/manual-2.0/dns-caveats.html (2015-11-16)


  • SSL/TLS Strong Encryption: An Introduction - Apache HTTP Server
    X.509, which defines the fields, field names, and abbreviations used to refer to the fields (see Table 2).

    Table 2: Distinguished Name Information

        DN Field                | Abbrev. | Description                                                          | Example
        Common Name             | CN      | Name being certified                                                 | CN=Joe Average
        Organization or Company | O       | Name is associated with this organization                            | O=Snake Oil, Ltd.
        Organizational Unit     | OU      | Name is associated with this organization unit, such as a department | OU=Research Institute
        City/Locality           | L       | Name is located in this City                                         | L=Snake City
        State/Province          | ST      | Name is located in this State/Province                               | ST=Desert
        Country                 | C       | Name is located in this Country (ISO code)                           | C=XZ

    A Certificate Authority may define a policy specifying which distinguished field names are optional and which are required. It may also place requirements upon the field contents, as may users of certificates. As an example, a Netscape browser requires that the Common Name for a certificate representing a server has a name which matches a wildcard pattern for the domain name of that server, such as *.snakeoil.com.

    The binary format of a certificate is defined using the ASN.1 notation [X208] [PKCS]. This notation defines how to specify the contents, and encoding rules define how this information is translated into binary form. The binary encoding of the certificate is defined using Distinguished Encoding Rules (DER), which are based on the more general Basic Encoding Rules (BER). For those transmissions which cannot handle binary, the binary form may be translated into an ASCII form by using Base64 encoding [MIME]. This encoded version is called PEM encoded (the name comes from "Privacy Enhanced Mail") when placed between begin and end delimiter lines, as illustrated in the following example.

    Example of a PEM-encoded certificate (snakeoil.crt):

        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----

    Certificate Authorities

    By first verifying the information in a certificate request before granting the certificate, the Certificate Authority assures the identity of the private key owner of a key pair. For instance, if Alice requests a personal certificate, the Certificate Authority must first make sure that Alice really is the person the certificate request claims.

    Certificate Chains

    A Certificate Authority may also issue a certificate for another Certificate Authority. When examining a certificate, Alice may need to examine the certificate of the issuer, for each parent Certificate Authority, until reaching one which she has confidence in. She may decide to trust only certificates with a limited chain of issuers, to reduce her risk of a "bad" certificate in the chain.

    Creating a Root-Level CA

    As noted earlier, each certificate requires an issuer to assert the validity of the identity of the certificate subject, up to the top-level Certificate Authority (CA). This presents a problem: since this is who vouches for the certificate of the top-level authority, which has no issuer? In this unique case, the certificate is "self-signed", so the issuer of the certificate is the same as the subject. As a result, one must exercise extra care in trusting a self-signed certificate. The wide publication of a public key by the root authority reduces the risk in trusting this key; it would be obvious if someone else publicized a key claiming to be the authority. Browsers are preconfigured to trust well-known certificate authorities.

    A number of companies, such as Thawte and VeriSign, have established themselves as Certificate Authorities. These companies provide the following services:

        Verifying certificate requests
        Processing certificate requests
        Issuing and managing certificates

    It is also possible to create your own Certificate Authority. Although risky in the Internet environment, it may be useful within an Intranet where the organization can easily verify the identities of individuals and servers.

    Certificate Management

    Establishing a Certificate Authority is a responsibility which requires a solid administrative, technical, and management framework. Certificate Authorities not only issue certificates, they also manage them; that is, they determine how long certificates are valid, they renew them, and they keep lists of certificates that have already been issued but are no longer valid (Certificate Revocation Lists, or CRLs). Say Alice is entitled to a certificate as an employee of a company. Say too that the certificate needs to be revoked when Alice leaves the company. Since certificates are objects that get passed around, it is impossible to tell from the certificate alone that it has been revoked. When examining certificates for validity, therefore, it is necessary to contact the issuing Certificate Authority to check CRLs; this is not usually an automated part of the process.

    Note: If you use a Certificate Authority that is not configured into browsers by default, it is necessary to load the Certificate Authority certificate into the browser, enabling the browser to validate server certificates signed by that Certificate Authority. Doing so may be dangerous, since once loaded, the browser will accept all certificates signed by that Certificate Authority.

    Secure Sockets Layer (SSL)

    The Secure Sockets Layer protocol is a protocol layer which may be placed between a reliable connection-oriented network layer protocol (e.g. TCP/IP) and the application protocol layer (e.g. HTTP). SSL provides for secure communication between client and server by allowing mutual authentication, the use of digital signatures for integrity, and encryption for privacy.

    The protocol is designed to support a range of choices for specific algorithms used for cryptography, digests, and signatures. This allows algorithm selection for specific servers to be made based on legal, export or other concerns, and also enables the protocol to take advantage of new algorithms. Choices are negotiated between client and server at the start of establishing a protocol session.

    Table 4: Versions of the SSL protocol

        Version  | Source                                      | Description                                        | Browser Support
        SSL v2.0 | Vendor Standard (from Netscape Corp.) [SSL2] | First SSL protocol for which implementations exist | NS Navigator 1.x/2.x, MS IE 3.x, Lynx/2.8+OpenSSL

    Original URL path: http://ama09.obspm.fr/manual-2.0/ssl/ssl_intro.html (2015-11-16)

  • SSL/TLS Strong Encryption: Compatibility - Apache HTTP Server
    (Old Directive | New Directive | Comment)

        file                         | renamed
        SSL_CipherSuite arg          | SSLCipherSuite arg       | renamed
        SSL_X509VerifyDir arg        | SSLCACertificatePath arg | renamed
        SSL_Log file                 | SSLLogFile file          | renamed
        SSL_Connect flag             | SSLEngine flag           | renamed
        SSL_ClientAuth arg           | SSLVerifyClient arg      | renamed
        SSL_X509VerifyDepth arg      | SSLVerifyDepth arg       | renamed
        SSL_FetchKeyPhraseFrom arg   | -                        | not directly mappable; use SSLPassPhraseDialog
        SSL_SessionDir dir           | -                        | not directly mappable; use SSLSessionCache
        SSL_Require expr             | -                        | not directly mappable; use SSLRequire
        SSL_CertFileType arg         | -                        | functionality not supported
        SSL_KeyFileType arg          | -                        | functionality not supported
        SSL_X509VerifyPolicy arg     | -                        | functionality not supported
        SSL_LogX509Attributes arg    | -                        | functionality not supported

    Stronghold 2.x compatibility:

        StrongholdAccelerator dir     | -                  | functionality not supported
        StrongholdKey dir             | -                  | functionality not supported
        StrongholdLicenseFile dir     | -                  | functionality not supported
        SSLFlag flag                  | SSLEngine flag     | renamed
        SSLSessionLockFile file       | SSLMutex file      | renamed
        SSLCipherList spec            | SSLCipherSuite spec | renamed
        RequireSSL                    | SSLRequireSSL      | renamed
        SSLErrorFile file             | -                  | functionality not supported
        SSLRoot dir                   | -                  | functionality not supported
        SSL_CertificateLogDir dir     | -                  | functionality not supported
        AuthCertDir dir               | -                  | functionality not supported
        SSL_Group name                | -                  | functionality not supported
        SSLProxyMachineCertPath dir   | -                  | functionality not supported
        SSLProxyMachineCertFile file  | -                  | functionality not supported
        SSLProxyCACertificatePath dir | -                  | functionality not supported
        SSLProxyCACertificateFile file | -                 | functionality not supported
        SSLProxyVerifyDepth number    | -                  | functionality not supported
        SSLProxyCipherList spec       | -                  | functionality not supported

    Environment Variables

    When you use "SSLOptions +CompatEnvVars", additional environment variables are generated. They all correspond to existing official mod_ssl variables. The currently implemented variable derivation is listed in Table 2.

    Table 2: Environment Variable Derivation (Old Variable | mod_ssl Variable | Comment)

        SSL_PROTOCOL_VERSION           | SSL_PROTOCOL           | renamed
        SSLEAY_VERSION                 | SSL_VERSION_LIBRARY    | renamed
        HTTPS_SECRETKEYSIZE            | SSL_CIPHER_USEKEYSIZE  | renamed
        HTTPS_KEYSIZE                  | SSL_CIPHER_ALGKEYSIZE  | renamed
        HTTPS_CIPHER                   | SSL_CIPHER             | renamed
        HTTPS_EXPORT                   | SSL_CIPHER_EXPORT      | renamed
        SSL_SERVER_KEY_SIZE            | SSL_CIPHER_ALGKEYSIZE  | renamed
        SSL_SERVER_CERTIFICATE         | SSL_SERVER_CERT        | renamed
        SSL_SERVER_CERT_START          | SSL_SERVER_V_START     | renamed
        SSL_SERVER_CERT_END            | SSL_SERVER_V_END       | renamed
        SSL_SERVER_CERT_SERIAL         | SSL_SERVER_M_SERIAL    | renamed
        SSL_SERVER_SIGNATURE_ALGORITHM | SSL_SERVER_A_SIG       | renamed
        SSL_SERVER_DN                  | SSL_SERVER_S_DN        | renamed
        SSL_SERVER_CN                  | SSL_SERVER_S_DN_CN     | renamed
        SSL_SERVER_EMAIL               | SSL_SERVER_S_DN_Email  | renamed
        SSL_SERVER_O                   | SSL_SERVER_S_DN_O      | renamed
        SSL_SERVER_OU                  | SSL_SERVER_S_DN_OU     | renamed
        SSL_SERVER_C                   | SSL_SERVER_S_DN_C      | renamed
        SSL_SERVER_SP                  | SSL_SERVER_S_DN_SP     | renamed
        SSL_SERVER_L                   | SSL_SERVER_S_DN_L      | renamed
        SSL_SERVER_IDN                 | SSL_SERVER_I_DN        | renamed
        SSL_SERVER_ICN                 | SSL_SERVER_I_DN_CN     | renamed
        SSL_SERVER_IEMAIL              | SSL_SERVER_I_DN_Email  | renamed
        SSL_SERVER_IO                  | SSL_SERVER_I_DN_O      | renamed
        SSL_SERVER_IOU                 | SSL_SERVER_I_DN_OU     | renamed
        SSL_SERVER_IC                  | SSL_SERVER_I_DN_C      | renamed
        SSL_SERVER_ISP                 | SSL_SERVER_I_DN_SP     | renamed
        SSL_SERVER_IL                  | SSL_SERVER_I_DN_L      | renamed
        SSL_CLIENT_CERTIFICATE         | SSL_CLIENT_CERT        | renamed
        SSL_CLIENT_CERT_START          | SSL_CLIENT_V_START     | renamed
        SSL_CLIENT_CERT_END            | SSL_CLIENT_V_END       | renamed
        SSL_CLIENT_CERT_SERIAL         | SSL_CLIENT_M_SERIAL    | renamed
        SSL_CLIENT_SIGNATURE_ALGORITHM | SSL_CLIENT_A_SIG       | renamed
        SSL_CLIENT_DN                  | SSL_CLIENT_S_DN

    Original URL path: http://ama09.obspm.fr/manual-2.0/ssl/ssl_compat.html (2015-11-16)

  • SSL/TLS Strong Encryption: How-To - Apache HTTP Server
    initial handshake, so export browsers can upgrade via the SGC facility:

        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        <Directory /usr/local/apache2/htdocs>
        # but finally deny all browsers which haven't upgraded
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
        </Directory>

    How can I create an SSL server which accepts all types of ciphers in general, but requires a strong cipher for access to a particular URL?

    Obviously, you cannot just use a server-wide SSLCipherSuite which restricts the ciphers to the strong variants. But mod_ssl allows you to reconfigure the cipher suite in per-directory context and automatically forces a renegotiation of the SSL parameters to meet the new configuration. So, the solution is:

        # be liberal in general
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        <Location /strong/area>
        # but https://hostname/strong/area/ and below requires strong ciphers
        SSLCipherSuite HIGH:MEDIUM
        </Location>

    Client Authentication and Access Control

        simple certificate-based client authentication
        selective certificate-based client authentication
        particular certificate-based client authentication
        intranet vs. internet authentication

    How can I authenticate clients based on certificates when I know all my clients?

    When you know your user community (i.e. a closed user group situation), as is the case for instance in an Intranet, you can use plain certificate authentication. All you have to do is to create client certificates signed by your own CA certificate (ca.crt) and then verify the clients against this certificate.

        # httpd.conf
        # require a client certificate which has to be directly
        # signed by our CA certificate in ca.crt
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLCACertificateFile conf/ssl.crt/ca.crt

    How can I authenticate my clients for a particular URL based on certificates but still allow arbitrary clients to access the remaining parts of the server?

    For this we again use the per-directory reconfiguration feature of mod_ssl:

        # httpd.conf
        SSLVerifyClient none
        SSLCACertificateFile conf/ssl.crt/ca.crt
        <Location /secure/area>
        SSLVerifyClient require
        SSLVerifyDepth 1
        </Location>

    How can I authenticate only particular clients for some URLs based on certificates but still allow arbitrary clients to access the remaining parts of the server?

    The key is to check for various ingredients of the client certificate. Usually this means checking the whole or part of the Distinguished Name (DN) of the Subject. For this two methods exist: the mod_auth based variant and the SSLRequire variant. The first method is good when the clients are of totally different type, i.e. when their DNs have no common fields (usually the organisation, etc.). In this case you have to establish a password database containing all clients. The second method is better when your clients are all part of a common hierarchy which is encoded into the DN. Then you can match them more easily.

    The first method:

        # httpd.conf
        SSLVerifyClient none
        <Directory /usr/local/apache2/htdocs/secure/area>
        SSLVerifyClient require
        SSLVerifyDepth 5
        SSLCACertificateFile conf/ssl.crt/ca.crt
        SSLCACertificatePath conf/ssl.crt
        SSLOptions +FakeBasicAuth
        SSLRequireSSL
        AuthName "Snake Oil Authentication"
        AuthType

    Original URL path: http://ama09.obspm.fr/manual-2.0/ssl/ssl_howto.html (2015-11-16)

  • SSL/TLS Strong Encryption: FAQ - Apache HTTP Server
    the context of your CGI SSI requests How can I use relative hyperlinks to switch between HTTP and HTTPS Usually you have to use fully qualified hyperlinks because you have to change the URL scheme But with the help of some URL manipulations through mod rewrite you can achieve the same effect while you still can use relative URLs RewriteEngine on RewriteRule SSL https SERVER NAME 1 R L RewriteRule NOSSL http SERVER NAME 1 R L This rewrite ruleset lets you use hyperlinks of the form a href document html SSL About Certificates What are Keys CSRs and Certs Difference on startup How to create a real cert How to create my own CA How to change a pass phrase How to remove a pass phrase How to verify a key cert pair Bad Certificate Error Why does a 2048 bit key not work Why is client auth broken How to convert from PEM to DER Verisign and the magic getca program Global IDs or SGC Global IDs and Cert Chain What are RSA Private Keys CSRs and Certificates The RSA private key file is a digital file that you can use to decrypt messages sent to you It has a public component which you distribute via your Certificate file which allows people to encrypt those messages to you A Certificate Signing Request CSR is a digital file which contains your public key and your name You send the CSR to a Certifying Authority CA to be converted into a real Certificate A Certificate contains your RSA public key your name the name of the CA and is digitally signed by your CA Browsers that know the CA can verify the signature on that Certificate thereby obtaining your RSA public key That enables them to send messages which only you can decrypt See the Introduction chapter for a general description of the SSL protocol Seems like there is a difference on startup between the original Apache and an SSL aware Apache Yes in general starting Apache with a built in mod ssl is just like starting an unencumbered Apache except for the fact that when you have a pass phrase on your SSL private key file Then 
a startup dialog pops up asking you to enter the pass phrase To type in the pass phrase manually when starting the server can be problematic for instance when starting the server from the system boot scripts As an alternative to this situation you can follow the steps below under How can I get rid of the pass phrase dialog at Apache startup time Ok I ve got my server installed and want to create a real SSL server Certificate for it How do I do it Here is a step by step description Make sure OpenSSL is really installed and in your PATH But some commands even work ok when you just run the openssl program from within the OpenSSL source tree as apps openssl Create a RSA private key for your Apache server will be Triple DES encrypted and PEM formatted openssl genrsa des3 out server key 1024 Please backup this server key file and remember the pass phrase you had to enter at a secure location You can see the details of this RSA private key via the command openssl rsa noout text in server key And you could create a decrypted PEM version not recommended of this RSA private key via openssl rsa in server key out server key unsecure Create a Certificate Signing Request CSR with the server RSA private key output will be PEM formatted openssl req new key server key out server csr Make sure you enter the FQDN Fully Qualified Domain Name of the server when OpenSSL prompts you for the CommonName i e when you generate a CSR for a website which will be later accessed via https www foo dom enter www foo dom here You can see the details of this CSR via the command openssl req noout text in server csr You now have to send this Certificate Signing Request CSR to a Certifying Authority CA for signing The result is then a real Certificate which can be used for Apache Here you have two options First you can let the CSR sign by a commercial CA like Verisign or Thawte Then you usually have to post the CSR into a web form pay for the signing and await the signed Certificate you then can store 
into a server crt file For more information about commercial CAs have a look at the following locations Verisign http digitalid verisign com server apacheNotice htm Thawte Consulting http www thawte com certs server request html CertiSign Certificadora Digital Ltda http www certisign com br IKS GmbH http www iks jena de produkte ca Uptime Commerce Ltd http www uptimecommerce com BelSign NV SA http www belsign be Second you can use your own CA and now have to sign the CSR yourself by this CA Read the next answer in this FAQ on how to sign a CSR with your CA yourself You can see the details of the received Certificate via the command openssl x509 noout text in server crt Now you have two files server key and server crt These now can be used as following inside your Apache s httpd conf file SSLCertificateFile path to this server crt SSLCertificateKeyFile path to this server key The server csr file is no longer needed How can I create and use my own Certificate Authority CA The short answer is to use the CA sh or CA pl script provided by OpenSSL The long and manual answer is this Create a RSA private key for your CA will be Triple DES encrypted and PEM formatted openssl genrsa des3 out ca key 1024 Please backup this ca key file and remember the pass phrase you currently entered at a secure location You can see the details of this RSA private key via the command openssl rsa noout text in ca key And you can create a decrypted PEM version not recommended of this private key via openssl rsa in ca key out ca key unsecure Create a self signed CA Certificate X509 structure with the RSA key of the CA output will be PEM formatted openssl req new x509 days 365 key ca key out ca crt You can see the details of this Certificate via the command openssl x509 noout text in ca crt Prepare a script for signing which is needed because the openssl ca command has some strange requirements and the default OpenSSL config doesn t allow one easily to use openssl ca directly So a script named 
sign sh is distributed with the mod ssl distribution subdir pkg contrib Use this script for signing Now you can use this CA to sign server CSR s in order to create real SSL Certificates for use inside an Apache webserver assuming you already have a server csr at hand sign sh server csr This signs the server CSR and results in a server crt file How can I change the pass phrase on my private key file You simply have to read it with the old pass phrase and write it again by specifying the new pass phrase You can accomplish this with the following commands openssl rsa des3 in server key out server key new mv server key new server key Here you re asked two times for a PEM pass phrase At the first prompt enter the old pass phrase and at the second prompt enter the new pass phrase How can I get rid of the pass phrase dialog at Apache startup time The reason why this dialog pops up at startup and every re start is that the RSA private key inside your server key file is stored in encrypted format for security reasons The pass phrase is needed to be able to read and parse this file When you can be sure that your server is secure enough you perform two steps Remove the encryption from the RSA private key while preserving the original file cp server key server key org openssl rsa in server key org out server key Make sure the server key file is now only readable by root chmod 400 server key Now server key will contain an unencrypted copy of the key If you point your server at this file it will not prompt you for a pass phrase HOWEVER if anyone gets this key they will be able to impersonate you on the net PLEASE make sure that the permissions on that file are really such that only root or the web server user can read it preferably get your web server to start as root but run as another server and have the key readable only by root As an alternative approach you can use the SSLPassPhraseDialog exec path to program facility But keep in mind that this is neither more nor less 
secure of course How do I verify that a private key matches its Certificate The private key contains a series of numbers Two of those numbers form the public key the others are part of your private key The public key bits are also embedded in your Certificate we get them from your CSR To check that the public key in your cert matches the public portion of your private key you need to view the cert and the key and compare the numbers To view the Certificate and the key run the commands openssl x509 noout text in server crt openssl rsa noout text in server key The modulus and the public exponent portions in the key and the Certificate must match But since the public exponent is usually 65537 and it s bothering comparing long modulus you can use the following approach openssl x509 noout modulus in server crt openssl md5 openssl rsa noout modulus in server key openssl md5 And then compare these really shorter numbers With overwhelming probability they will differ if the keys are different BTW if I want to check to which key or certificate a particular CSR belongs you can compute openssl req noout modulus in server csr openssl md5 What does it mean when my connections fail with an alert bad certificate error Usually when you see errors like OpenSSL error 14094412 SSL routines SSL3 READ BYTES sslv3 alert bad certificate in the SSL logfile this means that the browser was unable to handle the server certificate private key which perhaps contain a RSA key not equal to 1024 bits For instance Netscape Navigator 3 x is one of those browsers Why does my 2048 bit private key not work The private key sizes for SSL must be either 512 or 1024 for compatibility with certain web browsers A keysize of 1024 bits is recommended because keys larger than 1024 bits are incompatible with some versions of Netscape Navigator and Microsoft Internet Explorer and with other browsers that use RSA s BSAFE cryptography toolkit Why is client authentication broken after upgrading from SSLeay version 
0 8 to 0 9 The CA certificates under the path you configured with SSLCACertificatePath are found by SSLeay through hash symlinks These hash values are generated by the openssl x509 noout hash command But the algorithm used to calculate the hash for a certificate has changed between SSLeay 0 8 and 0 9 So you have to remove all old hash symlinks and re create new ones after upgrading Use the Makefile mod ssl placed into this directory How can I convert a certificate from PEM to DER format The default certificate format for SSLeay OpenSSL is PEM which actually is Base64 encoded DER with header and footer lines For some applications e g Microsoft Internet Explorer you need the certificate in plain DER format You can convert a PEM file cert pem into the corresponding DER file cert der with the following command openssl x509 in cert pem out cert der outform DER I try to install a Verisign certificate Why can t I find neither the getca nor getverisign programs Verisign mentions This is because Verisign has never provided specific instructions for Apache mod ssl Rather they tell you what you should do if you were using C2Net s Stronghold a commercial Apache based server with SSL support The only thing you have to do is to save the certificate into a file and give the name of that file to the SSLCertificateFile directive Remember that you need to give the key file in as well see SSLCertificateKeyFile directive For a better CA related overview on SSL certificate fiddling you can look at Thawte s mod ssl instructions Can I use the Server Gated Cryptography SGC facility aka Verisign Global ID also with mod ssl Yes mod ssl since version 2 1 supports the SGC facility You don t have to configure anything special for this just use a Global ID as your server certificate The step up of the clients are then automatically handled by mod ssl under run time For details please read the README GlobalID document in the mod ssl distribution After I have installed my new Verisign Global ID 
server certificate, the browsers complain that they cannot verify the server certificate. That is because Verisign uses an intermediate CA certificate between the root CA certificate (which is installed in the browsers) and the server certificate (which you installed in the server). You should have received this additional CA certificate from Verisign; if not, complain to them. Then configure this certificate with the SSLCertificateChainFile directive in the server. This makes sure the intermediate CA certificate is sent to the browser and so fills the gap in the certificate chain. The same applies to any CA that signs server certificates from an intermediate rather than from its root: without the chain file the server sends only its own (leaf) certificate, and every client that does not already hold the intermediate fails path validation.

About the SSL Protocol: Random SSL errors under heavy load; Why has the server a higher load; Why are connections horribly slow; Which ciphers are supported; How to use Anonymous DH ciphers; Why do I get "no shared ciphers"; HTTPS and name-based vhosts (why it is not possible to use name-based virtual hosting to identify different SSL virtual hosts); The lock icon in Netscape locks very late; Why do I get I/O errors with MSIE clients; Why do I get I/O errors with NS clients.

Why do I get lots of random SSL protocol errors under heavy server load? There can be a number of reasons for this, but the main one is problems with the SSL session cache specified by the SSLSessionCache directive. The DBM session cache is the most likely source of the problem, so trying the SHM session cache, or no cache at all, may help.

Why does my webserver have a higher load now that I run SSL there? Because SSL uses strong cryptographic encryption, and this needs a lot of number crunching. And because when you request a webpage via HTTPS, even the images are transferred encrypted. So when you have a lot of HTTPS traffic, the load increases. The most expensive single step is the server's RSA private-key operation in each full handshake, which is why a working session cache matters: a resumed session skips it.

Often HTTPS connections to my server require up to 30 seconds for establishing the connection, although sometimes it works faster. Usually this is caused by using a /dev/random device for SSLRandomSeed, which blocks in read(2) calls if not enough entropy is available. Read more about this problem in the reference chapter under SSLRandomSeed. (/dev/urandom does not block; seeding from it is the usual fix on a server.)

What SSL ciphers are supported by mod_ssl? Usually just all SSL ciphers which are supported by the version of OpenSSL in use; this can depend on the way you built OpenSSL. Typically this at least includes the following: RC4 with MD5; RC4 with MD5 (export version, restricted to a 40-bit key); RC2 with MD5; RC2 with MD5 (export version, restricted to a 40-bit key); IDEA with MD5; DES with MD5; Triple-DES with MD5. To determine the actual list of supported ciphers you can run the following command: openssl ciphers -v. Note that every suite in that list is obsolete by current standards (RC4, RC2, single DES, 40-bit export keys and MD5-based MACs are all broken or deprecated), so a current SSLCipherSuite should exclude them explicitly.

I want to use Anonymous Diffie-Hellman (ADH) ciphers, but I always get "no shared cipher" errors. In order to use Anonymous Diffie-Hellman (ADH) ciphers it is not enough to just put ADH into your SSLCipherSuite. Additionally you have to build OpenSSL with -DSSL_ALLOW_ADH, because by default OpenSSL does not allow ADH ciphers, for security reasons. So if you are actually enabling these ciphers, make sure you are informed about the side effects: an anonymous suite authenticates neither party, so an active attacker on the path can sit between client and server unnoticed. The traffic is encrypted, but nobody knows to whom.

I always just get a "no shared ciphers" error if I try to connect to my freshly installed server. Either you have messed up your SSLCipherSuite directive (compare it with the pre-configured example in httpd.conf-dist), or you have chosen the DSA/DH algorithms instead of RSA when you generated your private key and ignored or overlooked the warnings. If you have chosen DSA/DH, then your server no longer speaks RSA-based SSL ciphers, at least not until you also configure an additional RSA-based certificate/key pair. But the browsers current at the time of this document, like NS or IE, only speak RSA ciphers. The result is the "no shared ciphers" error. To fix this, regenerate your server certificate/key pair and this time choose the RSA algorithm.

Why can't I use SSL with name-based (non-IP-based) virtual hosts? The reason is very technical; actually it's some sort of a chicken-and-egg problem. The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established, Apache/mod_ssl has to negotiate the SSL protocol parameters with the client. For this, mod_ssl has to consult the configuration of the virtual server (for instance it has to look up the cipher suite, the server certificate, etc.). But in order to dispatch to the correct virtual server, Apache has to know the Host HTTP header field. For this, the HTTP request header has to be read. This cannot be done before the SSL handshake is finished, but the information is already needed at the SSL handshake phase. Bingo! This is exactly the gap that the TLS Server Name Indication extension (SNI, RFC 6066) later closed: the client names the host in its ClientHello, before any certificate is chosen. Apache 2.2.12 and later, built against an OpenSSL with TLS extension support, use it; a client that sends no SNI still receives the default virtual host's certificate. Why is it
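The configuration pitfalls in this FAQ (a blocking SSLRandomSeed source, the DBM session cache, a server certificate with no SSLCertificateChainFile) and the cipher questions (the supported-cipher list from openssl ciphers -v, ADH suites, "no shared ciphers") can all be checked from a shell before a browser ever complains. The script below is an added example and is not part of the Apache manual or of mod_ssl: it lints a constructed httpd.conf fragment for those directives and classifies constructed openssl ciphers -v output. The directive values, file paths and sample cipher lines are assumptions made up for the example; the function names ssl_config_findings and weak_ciphers are likewise the example's own.

```shell
#!/bin/sh
# Added example: audit the mod_ssl pitfalls discussed in the FAQ above.
# Not from the Apache manual. Paths, directive values and cipher lines are
# constructed for the example; feed real input as shown at the bottom.

# Constructed httpd.conf fragment that has every pitfall the FAQ describes.
SAMPLE_CONFIG='# assumed example fragment, not a real server config
SSLRandomSeed startup file:/dev/random 512
SSLSessionCache dbm:/var/run/ssl_scache
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key
SSLCipherSuite ADH:ALL:!LOW'

# ssl_config_findings: read httpd.conf lines on stdin, print one finding per
# line for the FAQ pitfalls: blocking entropy source, DBM session cache,
# ADH suites, and a server certificate configured without a chain file.
ssl_config_findings() {
  awk '
    /^[[:space:]]*#/ { next }
    $1 == "SSLRandomSeed" && $3 ~ /\/dev\/random/ {
      print "SSLRandomSeed: /dev/random blocks in read(2) when entropy is low; use file:/dev/urandom" }
    $1 == "SSLSessionCache" && $2 ~ /^dbm:/ {
      print "SSLSessionCache: the DBM cache is the usual source of random SSL errors under load; try shmcb" }
    $1 == "SSLCipherSuite" && $2 ~ /ADH/ {
      print "SSLCipherSuite: ADH suites authenticate nobody, so an active attacker can sit in the middle" }
    $1 == "SSLCertificateFile"      { cert = 1 }
    $1 == "SSLCertificateChainFile" { chain = 1 }
    END { if (cert && !chain)
      print "SSLCertificateChainFile: missing, so an intermediate CA certificate is never sent to browsers" }
  '
}

# Constructed lines in the column layout of `openssl ciphers -v`:
# NAME  PROTO  Kx=  Au=  Enc=  Mac=  [export]
SAMPLE_CIPHERS='RC4-MD5            SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-RC4-MD5        SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC2-CBC-MD5    SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
IDEA-CBC-SHA       SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
DES-CBC-SHA        SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC3-SHA       SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
ADH-DES-CBC3-SHA   SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
AES256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1'

# weak_ciphers: read `openssl ciphers -v` lines on stdin and print "NAME reason"
# for suites that are export grade, anonymous (Au=None, i.e. ADH) or use a
# symmetric key shorter than 128 bits. Everything else is left alone.
weak_ciphers() {
  awk '
    NF == 0 { next }
    {
      reason = ""
      if ($NF == "export")          reason = "export"
      else if ($0 ~ /Au=None/)      reason = "anonymous"
      else {
        bits = $0
        sub(/.*Enc=[A-Za-z0-9]*\(/, "", bits)
        sub(/\).*/, "", bits)
        if (bits ~ /^[0-9]+$/ && bits + 0 < 128) reason = "short-key"
      }
      if (reason != "") print $1, reason
    }
  '
}

# Run against the constructed samples. For a real server:
#   ssl_config_findings < /etc/httpd/conf/httpd.conf
#   openssl ciphers -v 'ALL:aNULL' | weak_ciphers
printf '%s\n' "$SAMPLE_CONFIG"  | ssl_config_findings
printf '%s\n' "$SAMPLE_CIPHERS" | weak_ciphers
```

On the constructed input the config check reports all four pitfalls and the cipher check flags the two export suites, single DES (56-bit key) and the ADH suite, while leaving RC4-MD5, IDEA, Triple-DES and AES alone; RC4 and MD5 are not flagged by key size, which is why the prose above still tells you to exclude them by name in SSLCipherSuite.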

    Original URL path: http://ama09.obspm.fr/manual-2.0/ssl/ssl_faq.html (2015-11-16)

  • How-To / Tutorials - Apache HTTP Server
    want to have. See Authentication, Authorization and Access Control. Dynamic Content with CGI: The CGI (Common Gateway Interface) defines a way for a web server to interact with external content-generating programs, which are often referred to as CGI programs or CGI scripts. It is the simplest and most common way to put dynamic content on your web site. This document will be an introduction to setting up CGI on your Apache web server and getting started writing CGI programs. See CGI: Dynamic Content. .htaccess files: .htaccess files provide a way to make configuration changes on a per-directory basis. A file containing one or more configuration directives is placed in a particular document directory, and the directives apply to that directory and all subdirectories thereof. See .htaccess files. Introduction to Server Side Includes (SSI): Server Side Includes are directives that are placed in HTML pages and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page without having to serve the entire page via a CGI program or other dynamic technology. See Server Side Includes (SSI). Per-user web directories: On systems with multiple users, each user

    Original URL path: http://ama09.obspm.fr/manual-2.0/howto/ (2015-11-16)

  • Apache Tutorials - Apache HTTP Server
    the authors or their assignees. Please consult the official Apache Server documentation to verify what you read on external sites. Sections: Installation / Getting Started; Basic Configuration; Security; Logging; CGI and SSI; Other Features.
    Installation / Getting Started: Getting Started with Apache 1.3 (ApacheToday); Configuring Your Apache Server Installation (ApacheToday); Getting, Installing, and Running Apache on Unix (O'Reilly Network Apache DevCenter); Maximum Apache: Getting Started (CNET Builder.com); How to Build the Apache of Your Dreams (Developer Shed).
    Basic Configuration: An Amble Through Apache Configuration (O'Reilly Network Apache DevCenter); Using .htaccess Files with Apache (ApacheToday); Setting Up Virtual Hosts (ApacheToday); Maximum Apache: Configure Apache (CNET Builder.com); Getting More Out of Apache (Developer Shed).
    Security: Security and Apache: An Essential Primer (LinuxPlanet); Using User Authentication (Apacheweek); DBM User Authentication (Apacheweek); An Introduction to Securing Apache (Linux.com); Securing Apache: Access Control (Linux.com); Apache Authentication, Part 1, Part 2, Part 3, Part 4 (ApacheToday); mod_access: Restricting Access by Host (ApacheToday).
    Logging: Log Rhythms (O'Reilly Network Apache DevCenter); Gathering Visitor Information: Customising Your Logfiles (Apacheweek); Apache Guide: Logging, Part 1, Part 2, Part 3, Part 4, Part 5 (ApacheToday).
    CGI and SSI: Dynamic Content with CGI (ApacheToday); The Idiot

    Original URL path: http://ama09.obspm.fr/manual-2.0/misc/tutorials.html (2015-11-16)

  • Platform Specific Notes - Apache HTTP Server
    begin compiling Apache. This document explains them. See Compiling Apache for Microsoft Windows. Other Platforms: Novell NetWare: This document explains how to install, configure and run Apache 2.0 under Novell NetWare 5.1 and above. See Using Apache With Novell NetWare. EBCDIC: Version 1.3 of the Apache HTTP Server is the first version which includes a port to a non-ASCII mainframe machine which uses the EBCDIC character

    Original URL path: http://ama09.obspm.fr/manual-2.0/platform/ (2015-11-16)


