1<html>
2<head>
3<title>mod_ssl: F.A.Q.</title>
4
5<!--
6  Copyright (c) 1998-2001 Ralf S. Engelschall. All rights reserved.
7
8  Redistribution and use in source and binary forms, with or without
9  modification, are permitted provided that the following conditions
10  are met:
11
12  1. Redistributions of source code must retain the above
13     copyright notice, this list of conditions and the following
14     disclaimer.
15
16  2. Redistributions in binary form must reproduce the above
17     copyright notice, this list of conditions and the following
18     disclaimer in the documentation and/or other materials
19     provided with the distribution.
20
21  3. All advertising materials mentioning features or use of this
22     software must display the following acknowledgment:
23     "This product includes software developed by
24      Ralf S. Engelschall <rse@engelschall.com> for use in the
25      mod_ssl project (http://www.modssl.org/)."
26
27  4. The name "mod_ssl" must not be used to endorse or promote
28     products derived from this software without prior written
29     permission.
30
31  5. Redistributions of any form whatsoever must retain the
32     following acknowledgment:
33     "This product includes software developed by
34      Ralf S. Engelschall <rse@engelschall.com> for use in the
35      mod_ssl project (http://www.modssl.org/)."
36
37  THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
38  EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
39  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
40  PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL RALF S. ENGELSCHALL OR
41  HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
42  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
43  NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
44  LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
45  HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
46  STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
47  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
48  OF THE POSSIBILITY OF SUCH DAMAGE.
49-->
50<style type="text/css"><!--
51A:link {
52    text-decoration: none;
53    color: #6666cc;
54}
55A:active {
56    text-decoration: none;
57    color: #6666cc;
58}
59A:visited {
60    text-decoration: none;
61    color: #6666cc;
62}
63#sf {
64    font-family: arial,helvetica;
65    font-variant: normal;
66    font-style: normal;
67}
68H1 {
69    font-weight: bold;
70    font-size: 24pt;
71    line-height: 24pt;
72    font-family: arial,helvetica;
73    font-variant: normal;
74    font-style: normal;
75}
76H2 {
77    font-weight: bold;
78    font-size: 18pt;
79    line-height: 18pt;
80    font-family: arial,helvetica;
81    font-variant: normal;
82    font-style: normal;
83}
84H3 {
85    font-weight: bold;
86    font-size: 14pt;
87    line-height: 14pt;
88    font-family: arial,helvetica;
89    font-variant: normal;
90    font-style: normal;
91}
92H4 {
93    font-weight: bold;
94    font-size: 12pt;
95    line-height: 12pt;
96    font-family: arial,helvetica;
97    font-variant: normal;
98    font-style: normal;
99}
100#H {
101}
102#D {
103    background-color: #f0f0f0;
104}
105#faq {
106    font-weight: bold;
107    font-size: 16pt;
108    line-height: 16pt;
109    font-family: arial,helvetica;
110    font-variant: normal;
111    font-style: normal;
112}
113#howto {
114    font-weight: bold;
115    font-size: 16pt;
116    line-height: 16pt;
117    font-family: arial,helvetica;
118    font-variant: normal;
119    font-style: normal;
120}
121#term {
122    font-weight: bold;
123    font-size: 16pt;
124    line-height: 16pt;
125    font-family: arial,helvetica;
126    font-variant: normal;
127    font-style: normal;
128}
129--></style>
130<script type="text/javascript" language="JavaScript">
131<!-- Hiding the code
132function ro_imgNormal(imgName) {
133    if (document.images) {
134        document[imgName].src = eval(imgName + '_n.src');
135        self.status = '';
136    }
137}
138function ro_imgOver(imgName, descript) {
139    if (document.images) {
140        document[imgName].src = eval(imgName + '_o.src');
141        self.status = descript;
142    }
143}
144// done hiding -->
145</script>
146<script type="text/javascript" language="JavaScript">
147<!-- Hiding the code
148if (document.images) {
149    ro_img_prev_top_n = new Image();
150    ro_img_prev_top_n.src = 'ssl_template.navbut-prev-n.gif';
151    ro_img_prev_top_o = new Image();
152    ro_img_prev_top_o.src = 'ssl_template.navbut-prev-s.gif';
153}
154// done hiding -->
155</script>
156<script type="text/javascript" language="JavaScript">
157<!-- Hiding the code
158if (document.images) {
159    ro_img_prev_bot_n = new Image();
160    ro_img_prev_bot_n.src = 'ssl_template.navbut-prev-n.gif';
161    ro_img_prev_bot_o = new Image();
162    ro_img_prev_bot_o.src = 'ssl_template.navbut-prev-s.gif';
163}
164// done hiding -->
165</script>
166<script type="text/javascript" language="JavaScript">
167<!-- Hiding the code
168if (document.images) {
169    ro_img_next_top_n = new Image();
170    ro_img_next_top_n.src = 'ssl_template.navbut-next-n.gif';
171    ro_img_next_top_o = new Image();
172    ro_img_next_top_o.src = 'ssl_template.navbut-next-s.gif';
173}
174// done hiding -->
175</script>
176<script type="text/javascript" language="JavaScript">
177<!-- Hiding the code
178if (document.images) {
179    ro_img_next_bot_n = new Image();
180    ro_img_next_bot_n.src = 'ssl_template.navbut-next-n.gif';
181    ro_img_next_bot_o = new Image();
182    ro_img_next_bot_o.src = 'ssl_template.navbut-next-s.gif';
183}
184// done hiding -->
185</script>
186</head>
187<body bgcolor="#ffffff" text="#000000" link="#333399" alink="#9999ff" vlink="#000066">
188<div align="center">
189<table width="600" cellspacing="0" cellpadding="0" border="0" summary="">
190<tr>
191  <td>
192      <img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="600" height="1" align="bottom" border="0"><br>
193      <table width="600" cellspacing="0" cellpadding="0" summary="">
194      <tr>
195        <td>
196        <table width="600" summary="">
197        <tr>
198            <td align="left" valign="bottom">
199            <font face="Arial,Helvetica" size="+2"><b>mod_ssl</b></font>
200            </td>
201            <td align="right">
202              <img src="ssl_template.head-chapter.gif" alt="Chapter" width="175" height="94"> <img src="ssl_template.head-num-6.gif" alt="6" width="74" height="89">
203            </td>
204        </tr>
205        </table>
206        </td>
207      </tr>
208      <tr>
209        <td><img src="ssl_template.imgdot-1x1-000000.gif" alt="" width="600" height="2" align="bottom" border="0"></td>
210      </tr>
211      <tr>
212        <td>
213           <table width="600" border="0" summary="">
214           <tr>
215            <td valign="top" align="left" width="250">
216<a href="ssl_howto.html" onmouseover="ro_imgOver('ro_img_prev_top', 'previous page'); return true" onmouseout="ro_imgNormal('ro_img_prev_top'); return true" onfocus="ro_imgOver('ro_img_prev_top', 'previous page'); return true" onblur="ro_imgNormal('ro_img_prev_top'); return true"><img name="ro_img_prev_top" src="ssl_template.navbut-prev-n.gif" alt="previous page" width="70" height="18" border="0"></a><br><font color="#000000">HowTo</font>
217            </td>
218            <td valign="top" align="right" width="250">
219<a href="ssl_glossary.html" onmouseover="ro_imgOver('ro_img_next_top', 'next page'); return true" onmouseout="ro_imgNormal('ro_img_next_top'); return true" onfocus="ro_imgOver('ro_img_next_top', 'next page'); return true" onblur="ro_imgNormal('ro_img_next_top'); return true"><img name="ro_img_next_top" src="ssl_template.navbut-next-n.gif" alt="next page" width="70" height="18" border="0"></a><br><font color="#000000">Glossary</font>
220            </td>
221           </tr>
222           </table>
223         </td>
224      </tr>
225      <tr>
226        <td>
227          <br>
228          <img src="ssl_template.title-faq.gif" alt="F.A.Q." width="456" height="60">
229        </td>
230      </tr>
231      </table>
232<div align="right">
233<table cellspacing="0" cellpadding="0" width="200" summary="">
234<tr>
235<td>
236<em>
237``The wise man doesn't give the right answers,
238he poses the right questions.''
239</em>
240</td>
241</tr>
242<tr>
243<td align="right">
244<font size="-1">
245Claude Levi-Strauss
246</font>
247</td>
248</tr>
249</table>
250</div>
251<p>
252<table cellspacing="0" cellpadding="0" border="0" summary="">
253<tr valign="bottom">
254<td>
255<img src="ssl_faq.gfont000.gif" alt="T" width="34" height="34" border="0" align="left">
256his chapter is a collection of frequently asked questions (FAQ) and
257corresponding answers following the popular USENET tradition. Most of these
258questions occured on the Newsgroup <a
259href="news:comp.infosystems.www.servers.unix">
260<code>comp.infosystems.www.servers.unix</code></a> or the mod_ssl Support
261Mailing List <a href="mailto:modssl-users@modssl.org">
262<code>modssl-users@modssl.org</code></a>. They are collected at this place
263to avoid answering the same questions over and over.
264<p>
265Please read this chapter at least once when installing mod_ssl or at least
266search for your problem here before submitting a problem report to the
267author.
268</td>
269<td>
270&nbsp;&nbsp;
271</td>
272<td>
273<div align="right">
274<table cellspacing="0" cellpadding="5" border="0" bgcolor="#ccccff" width="350" summary="">
275<tr>
276<td bgcolor="#333399">
277<font face="Arial,Helvetica" color="#ccccff">
278<b>Table Of Contents</b>
279</font>
280</td>
281</tr>
282<tr>
283<td>
284<font face="Arial,Helvetica" size="-1">
285&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC1"><strong>About the module</strong></a><br>
286&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC2"><strong>What is the history of mod_ssl?</strong></a><br>
287&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC3"><strong>Apache-SSL vs. mod_ssl: differences?</strong></a><br>
288&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC4"><strong>mod_ssl vs. commercial alternatives?</strong></a><br>
289&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC5"><strong>mod_ssl/Apache versions?</strong></a><br>
290&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC6"><strong>mod_ssl and Year 2000?</strong></a><br>
291&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC7"><strong>mod_ssl and Wassenaar Arrangement?</strong></a><br>
292&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC8"><strong>About Installation</strong></a><br>
293&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC9"><strong>Core dumps for HTTPS requests?</strong></a><br>
294&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC10"><strong>Core dumps for Apache+mod_ssl+PHP3?</strong></a><br>
295&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC11"><strong>Undefined symbols on startup?</strong></a><br>
296&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC12"><strong>Permission problem on SSLMutex</strong></a><br>
297&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC13"><strong>Shared memory and process size?</strong></a><br>
298&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC14"><strong>Shared memory and pathname?</strong></a><br>
299&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC15"><strong>PRNG and not enough entropy?</strong></a><br>
300&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC16"><strong>About Configuration</strong></a><br>
301&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC17"><strong>HTTP and HTTPS with a single server?</strong></a><br>
302&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC18"><strong>Where is the HTTPS port?</strong></a><br>
303&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC19"><strong>How to test HTTPS manually?</strong></a><br>
304&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC20"><strong>Why does my connection hang?</strong></a><br>
305&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC21"><strong>Why do I get connection refused?</strong></a><br>
306&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC22"><strong>Why are the SSL_XXX variables missing?</strong></a><br>
307&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC23"><strong>How to switch with relative hyperlinks?</strong></a><br>
308&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC24"><strong>About Certificates</strong></a><br>
309&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC25"><strong>What are Keys, CSRs and Certs?</strong></a><br>
310&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC26"><strong>Difference on startup?</strong></a><br>
311&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC27"><strong>How to create a dummy cert?</strong></a><br>
312&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC28"><strong>How to create a real cert?</strong></a><br>
313&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC29"><strong>How to create my own CA?</strong></a><br>
314&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC30"><strong>How to change a pass phrase?</strong></a><br>
315&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC31"><strong>How to remove a pass phrase?</strong></a><br>
316&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC32"><strong>How to verify a key/cert pair?</strong></a><br>
317&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC33"><strong>Bad Certificate Error?</strong></a><br>
318&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC34"><strong>Why does a 2048-bit key not work?</strong></a><br>
319&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC35"><strong>Why is client auth broken?</strong></a><br>
320&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC36"><strong>How to convert from PEM to DER?</strong></a><br>
321&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC37"><strong>Verisign and the magic getca program?</strong></a><br>
322&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC38"><strong>Global IDs or SGC?</strong></a><br>
323&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC39"><strong>Global IDs and Cert Chain?</strong></a><br>
324&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC40"><strong>About SSL Protocol</strong></a><br>
325&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC41"><strong>Random SSL errors under heavy load?</strong></a><br>
326&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC42"><strong>Why has the server a higher load?</strong></a><br>
327&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC43"><strong>Why are connections horribly slow?</strong></a><br>
328&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC44"><strong>Which ciphers are supported?</strong></a><br>
329&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC45"><strong>How to use Anonymous-DH ciphers</strong></a><br>
330&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC46"><strong>Why do I get 'no shared ciphers'?</strong></a><br>
331&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC47"><strong>HTTPS and name-based vhosts</strong></a><br>
332&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC48"><strong>The lock icon in Netscape locks very late</strong></a><br>
333&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC49"><strong>Why do I get I/O errors with MSIE clients?</strong></a><br>
334&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC50"><strong>Why do I get I/O errors with NS clients?</strong></a><br>
335&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC51"><strong>About Support</strong></a><br>
336&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC52"><strong>Resources in case of problems?</strong></a><br>
337&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC53"><strong>Support in case of problems?</strong></a><br>
338&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC54"><strong>How to write a problem report?</strong></a><br>
339&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC55"><strong>I got a core dump, can you help me?</strong></a><br>
340&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC56"><strong>How to get a backtrace?</strong></a><br>
341</font>
342</td>
343</tr>
344</table>
345</div>
346</td>
347</tr>
348</table>
349<h2><a name="ToC1">About the module</a></h2>
350<ul>
351<p>
352<li><a name="ToC2"></a>
353    <a name="history"></a>
354    <strong id="faq">
355What is the history of mod_ssl?
356</strong>&nbsp;&nbsp;
357    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#history"><b>L</b></a>]
358    <p>
359    The mod_ssl v1 package was initially created in April 1998 by <a
360    href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> via porting <a
361    href="mailto:ben@algroup.co.uk">Ben Laurie</a>'s <a
362    href="http://www.apache-ssl.org/">Apache-SSL</a> 1.17 source patches for
363    Apache 1.2.6 to Apache 1.3b6. Because of conflicts with Ben
364    Laurie's development cycle it then was re-assembled from scratch for
365    Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL
366    1.18. From this point on mod_ssl lived its own life as mod_ssl v2. The
367    first publically released version was mod_ssl 2.0.0 from August 10th,
368    1998. As of this writing (August 1999) the current mod_ssl version is 2.4.0.
369    <p>
370    After one year of very active development with over 1000 working hours and
371    over 40 releases mod_ssl reached its current state. The result is an
372    already very clean source base implementing a very rich functionality.
373    The code size increased by a factor of 4 to currently a total of over
374    10.000 lines of ANSI C consisting of approx. 70% code and 30% code
375    documentation. From the original Apache-SSL code currently approx. 5% is
376    remaining only.
377<p>
378<li><a name="ToC3"></a>
379    <a name="apssl-diff"></a>
380    <strong id="faq">
381What are the functional differences between mod_ssl and Apache-SSL, from where
382it is originally derived?
383</strong>&nbsp;&nbsp;
384    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#apssl-diff"><b>L</b></a>]
385    <p>
386    This neither can be answered in short (there were too many code changes)
387    nor can be answered at all by the author (there would immediately be flame
388    wars with no reasonable results at the end). But as you easily can guess
389    from the 5% of remaining Apache-SSL code, a lot of differences exists,
390    although user-visible backward compatibility exists for most things.
391    <p>
392    When you really want a detailed comparison you have to read the entries in
393    the large <code>CHANGES</code> file that is in the mod_ssl
394    distribution. Usually this is much too hard-core. So I recommend you to
395    either believe in the opinion and recommendations of other users (the
396    simplest approach) or do a comparison yourself (the most reasonable
397    approach). For the latter, grab distributions of mod_ssl (from <a
398    href="http://www.modssl.org/">http://www.modssl.org</a>) and Apache-SSL
399    (from <a href="http://www.apache-ssl.org/">http://www.apache-ssl.org</a>),
400    install both packages, read their documentation and try them out yourself.
401    Then choose the one which pleases you most.
402    <p>
403    A few final hints to help direct your comparison: quality of documentation
404    ("can you easily find answers and are they sufficient?"), quality of
405    source code ("is the source code reviewable so you can make sure there
406    aren't any trapdoors or inherent security risks because of bad programming
407    style?"), easy and clean installation ("can the SSL functionality easily
408    added to an Apache source tree without manual editing or patching?"),
409    clean integration into Apache ("is the SSL functionality encapsulated and
410    cleanly separated from the remaining Apache functionality?"), support for
411    Dynamic Shared Object (DSO) facility ("can the SSL functionality built as
412    a separate DSO for maximum flexibility?"), Win32 port ("is the SSL
413    functionality available also under the Win32 platform?"), amount and
414    quality of functionality ("is the provided SSL functionality and control
415    possibilities sufficient for your situation?"), quality of problem tracing
416    ("is it possible for you to easily trace down the problems via logfiles,
417    etc?"), etc. pp.
418<p>
419<li><a name="ToC4"></a>
420    <a name="apssl-diff"></a>
421    <strong id="faq">
422What are the major differences between mod_ssl and
423the commercial alternatives like Raven or Stronghold?
424</strong>&nbsp;&nbsp;
425    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#apssl-diff"><b>L</b></a>]
426    <p>
427    In the past (until September 20th, 2000) the major difference was
428    the RSA license which one received (very cheaply in contrast to
429    a direct licensing from RSA DSI) with the commercial Apache SSL
430    products. On the other hand, one needed this license only in the US,
431    of course. So for non-US citizens this point was useless. But now
432    even for US citizens the situations changed because the RSA patent
433    expired on September 20th, 2000 and RSA DSI also placed the RSA
434    algorithm explicitly into the public domain.
435    <p>
436    Second, there is the point that one has guaranteed support from
437    the commercial vendors. On the other hand, if you monitored the
438    Open Source quality of mod_ssl and the support activities
439    found on <a href="mailto:modssl-users@modssl.org">
440    <code>modssl-users@modssl.org</code></a>, you could ask yourself
441    whether you are really convinced that you can get better support
442    from a commercial vendor.
443    <p>
444    Third, people often think they would receive perhaps at least a
445    better technical SSL solution than mod_ssl from the commercial
446    vendors. But this is not really true, because all commercial
447    alternatives (Raven 1.4.x, Stronghold 3.x, RedHat SWS 2.x, etc.)
448    <i>are</i> actually based on mod_ssl and OpenSSL. The reason for
449    this common misunderstanding is mainly because some vendors make no
450    attempt to make it reasonably clear that their product is actually
451    mod_ssl based. So, do not think, just because the commercial
452    alternatives are usually more expensive, that you are also receiving
453    an alternative <i>technical</i> SSL solution. This is usually not
454    the case. Actually the vendor versions of Apache, mod_ssl and OpenSSL
455    often stay behind the latest free versions and perhaps this way still do not
456    include important bug and security fixes. On the other hand,
457    it sometimes occurs that a vendor version includes useful changes
458    which are not available through the official freely available
459    packages. But most vendors play fair and contribute back those
460    changes to the free software world, of course.
461    <p>
462    So, in short: There are lots of commercial versions of the popular
463    Apache+mod_ssl+OpenSSL server combination available. Every user
464    should decide carefully whether they really need to buy a commercial
465    version or whether it would not be sufficient to directly use the
466    free and official versions of the Apache, mod_ssl and OpenSSL
467    packages.
468<p>
469<li><a name="ToC5"></a>
470    <a name="what-version"></a>
471    <strong id="faq">
472How do I know which mod_ssl version is for which Apache version?
473</strong>&nbsp;&nbsp;
474    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#what-version"><b>L</b></a>]
475    <p>
476    That's trivial: mod_ssl uses version strings of the syntax
477    <em>&lt;mod_ssl-version&gt;</em>-<em>&lt;apache-version&gt;</em>, for
478    instance <code>2.4.0-1.3.9</code>. This directly indicates that it's
479    mod_ssl version 2.4.0 for Apache version 1.3.9. And this also means you
480    <em>only</em> can apply this mod_ssl version to exactly this Apache
481    version (unless you use the <code>--force</code> option to mod_ssl's
482    <code>configure</code> command ;-).
483<p>
484<li><a name="ToC6"></a>
485    <a name="y2k"></a>
486    <strong id="faq">
487Is mod_ssl Year 2000 compliant?
488</strong>&nbsp;&nbsp;
489    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#y2k"><b>L</b></a>]
490    <p>
491    Yes, mod_ssl is Year 2000 compliant.
492    <p>
493    Because first mod_ssl internally never stores years as two digits.
494    Instead it always uses the ANSI C &amp; POSIX numerical data type
495    <code>time_t</code> type, which on almost all Unix platforms at the moment
496    is a <code>signed long</code> (usually 32-bits) representing seconds since
497    epoch of January 1st, 1970, 00:00 UTC. This signed value overflows in
498    early January 2038 and not in the year 2000. Second, date and time
499    presentations (for instance the variable ``<code>%{TIME_YEAR}</code>'')
500    are done with full year value instead of abbreviating to two digits.
501    <p>
502    Additionally according to a <a
503    href="http://www.apache.org/docs/FAQ.html#year2000">Year 2000
504    statement</a> from the Apache Group, the Apache webserver is Year 2000
505    compliant, too. But whether OpenSSL or the underlaying Operating System
506    (either a Unix or Win32 platform) is Year 2000 compliant is a different
507    question which cannot be answered here.
508<p>
509<li><a name="ToC7"></a>
510    <a name="wassenaar"></a>
511    <strong id="faq">
512What about mod_ssl and the Wassenaar Arrangement?
513</strong>&nbsp;&nbsp;
514    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#wassenaar"><b>L</b></a>]
515    <p>
516    First, let us explain what <i>Wassenaar</i> and it's <i>Arrangement on
517    Export Controls for Conventional Arms and Dual-Use Goods and
518    Technologies</i> is: This is a international regime, established 1995, to
519    control trade in conventional arms and dual-use goods and technology. It
520    replaced the previous <i>CoCom</i> regime. 33 countries are signatories:
521    Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech Republic,
522    Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan,
523    Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Republic
524    of Korea, Romania, Russian Federation, Slovak Republic, Spain, Sweden,
525    Switzerland, Turkey, Ukraine, United Kingdom and United States. For more
526    details look at <a
527    href="http://www.wassenaar.org/">http://www.wassenaar.org/</a>.
528    <p>
529    In short: The aim of the Wassenaar Arrangement is to prevent the build up
530    of military capabilities that threaten regional and international security
531    and stability. The Wassenaar Arrangement controls the export of
532    cryptography as a dual-use good, i.e., one that has both military and
533    civilian applications. However, the Wassenaar Arrangement also provides an
534    exemption from export controls for mass-market software and free software.
535    <p>
536    In the current Wassenaar ``<i>List of Dual Use Goods and Technologies And
537    Munitions</i>'', under ``<i>GENERAL SOFTWARE NOTE</i>'' (GSN) it says
538    ``<i>The Lists do not control "software" which is either: 1. [...] 2. "in
539    the public domain".</i>'' And under ``<i>DEFINITIONS OF TERMS USED IN
540    THESE LISTS</i>'' one can find the definition: ``<i>"In the public
541    domain": This means "technology" or "software" which has been made
542    available without restrictions upon its further dissemination. N.B.
543    Copyright restrictions do not remove "technology" or "software" from being
544    "in the public domain".</i>''
545    <p>
546    So, both mod_ssl and OpenSSL are ``in the public domain'' for the purposes
547    of the Wassenaar Agreement and its ``<i>List of Dual Use Goods and
548    Technologies And Munitions List</i>''.
549    <p>
550    Additionally the Wassenaar Agreement itself has no direct consequence for
551    exporting cryptography software. What is actually allowed or forbidden to
552    be exported from the countries has still to be defined in the local laws
553    of each country. And at least according to official press releases from
554    the German BMWi (see <a
555    href="http://www.bmwi.de/presse/1998/1208prm2.html">here</a>) and the
556    Switzerland Bawi (see <a href="http://jya.com/wass-ch.htm">here</a>) there
557    will be no forthcoming export restriction for free cryptography software
558    for their countries. Remember that mod_ssl is created in Germany and
559    distributed from Switzerland.
560    <p>
561    So, mod_ssl and OpenSSL are not affected by the Wassenaar Agreement.
562</ul>
563<p>
564<br>
565<h2><a name="ToC8">About Installation</a></h2>
566<ul>
567<p>
568<li><a name="ToC9"></a>
569    <a name="core-dbm"></a>
570    <strong id="faq">
571When I access my website the first time via HTTPS I get a core dump?
572</strong>&nbsp;&nbsp;
573    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#core-dbm"><b>L</b></a>]
574    <p>
575    There can be a lot of reasons why a core dump can occur, of course.
576    Ranging from buggy third-party modules, over buggy vendor libraries up to
577    a buggy mod_ssl version. But the above situation is often caused by old or
578    broken vendor DBM libraries. To solve it either build mod_ssl with the
579    built-in SDBM library (specify <tt>--enable-rule=SSL_SDBM</tt> at the
580    APACI command line) or switch from ``<tt>SSLSessionCache dbm:</tt>'' to the
581    newer ``<tt>SSLSessionCache shm:</tt>'' variant (after you have rebuilt
582    Apache with MM, of course).
583<p>
584<li><a name="ToC10"></a>
585    <a name="core-php3"></a>
586    <strong id="faq">
587My Apache dumps core when I add both mod_ssl and PHP3?
588</strong>&nbsp;&nbsp;
589    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#core-php3"><b>L</b></a>]
590    <p>
591    Make sure you add mod_ssl to the Apache source tree first and then do a
592    fresh configuration and installation of PHP3. For SSL support EAPI patches
593    are required which have to change internal Apache structures. PHP3 needs
594    to know about these in order to work correctly. Always make sure that
595    <tt>-DEAPI</tt> is contained in the compiler flags when PHP3 is build.
596<p>
597<li><a name="ToC11"></a>
598    <a name="dso-sym"></a>
599    <strong id="faq">
600When I startup Apache I get errors about undefined symbols like ap_global_ctx?
601</strong>&nbsp;&nbsp;
602    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#dso-sym"><b>L</b></a>]
603    <p>
604    This actually means you installed mod_ssl as a DSO, but without rebuilding
605    Apache with EAPI. Because EAPI is a requirement for mod_ssl, you need an
606    extra patched Apache (containing the EAPI patches) and you have to build
607    this Apache with EAPI enabled (explicitly specify
608    <tt>--enable-rule=EAPI</tt> at the APACI command line).
609<p>
610<li><a name="ToC12"></a>
611    <a name="mutex-perm"></a>
612    <strong id="faq">
613When I startup Apache I get permission errors related to SSLMutex?
614</strong>&nbsp;&nbsp;
615    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#mutex-perm"><b>L</b></a>]
616    <p>
617    When you receive entries like ``<code>mod_ssl: Child could not open
618    SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows)
619    [...] System: Permission denied (errno: 13)</code>'' this is usually
620    caused by to restrictive permissions on the <i>parent</i> directories.
621    Make sure that all parent directories (here <code>/opt</code>,
622    <code>/opt/apache</code> and <code>/opt/apache/logs</code>) have the x-bit
623    set at least for the UID under which Apache's children are running (see
624    the <code>User</code> directive of Apache).
625<p>
626<li><a name="ToC13"></a>
627    <a name="mm"></a>
628    <strong id="faq">
629When I use the MM library and the shared memory cache each process grows
6301.5MB according to `top' although I specified 512000 as the cache size?
631</strong>&nbsp;&nbsp;
632    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#mm"><b>L</b></a>]
633    <p>
634    The additional 1MB are caused by the global shared memory pool EAPI
635    allocates for all modules and which is not used by mod_ssl for
636    various reasons. So the actually allocated shared memory is always
637    1MB more than what you specify on <code>SSLSessionCache</code>.
638    But don't be confused by the display of `top': although is
639    indicates that <i>each</i> process grow, this is not reality, of
640    course. Instead the additional memory consumption is shared by
641    all processes, i.e. the 1.5MB are allocated only once per Apache
642    instance and not once per Apache server process.
643<p>
644<li><a name="ToC14"></a>
645    <a name="mmpath"></a>
646    <strong id="faq">
647Apache creates files in a directory declared by the internal
648EAPI_MM_CORE_PATH define. Is there a way to override the path using a
649configuration directive?
650</strong>&nbsp;&nbsp;
651    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#mmpath"><b>L</b></a>]
652    <p>
653    No, there is not configuration directive, because for technical
654    bootstrapping reasons, a directive not possible at all. Instead
655    use ``<code>CFLAGS='-DEAPI_MM_CORE_PATH="/path/to/wherever/"'
656    ./configure ...</code>'' when building Apache or use option
657    <b>-d</b> when starting <code>httpd</code>.
658<p>
659<li><a name="ToC15"></a>
660    <a name="entropy"></a>
661    <strong id="faq">
662When I fire up the server, mod_ssl stops with the error
663"Failed to generate temporary 512 bit RSA private key", why?
664And a "PRNG not seeded" error occurs if I try "make certificate".
665</strong>&nbsp;&nbsp;
666    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#entropy"><b>L</b></a>]
667    <p>
668    Cryptographic software needs a source of unpredictable data
669    to work correctly. Many open source operating systems provide
670    a "randomness device" that serves this purpose (usually named
671    <code>/dev/random</code>). On other systems, applications have to
672    seed the OpenSSL Pseudo Random Number Generator (PRNG) manually with
673    appropriate data before generating keys or performing public key
674    encryption. As of version 0.9.5, the OpenSSL functions that need
675    randomness report an error if the PRNG has not been seeded with
676    at least 128 bits of randomness. So mod_ssl has to provide enough
677    entropy to the PRNG to work correctly. For this one has to use the
678    <code>SSLRandomSeed</code> directives (to solve the run-time problem)
679    and create a <code>$HOME/.rnd</code> file to make sure enough
680    entropy is available also for the "<code>make certificate</code>"
681    step (in case the "<code>make certificate</code>" procedure is not
682    able to gather enough entropy theirself by searching for system
683    files).
684</ul>
685<p>
686<br>
687<h2><a name="ToC16">About Configuration</a></h2>
688<ul>
689<p>
690<li><a name="ToC17"></a>
691    <a name="https-parallel"></a>
692    <strong id="faq">
693Is it possible to provide HTTP and HTTPS with a single server?</strong>
694</strong>&nbsp;&nbsp;
695    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#https-parallel"><b>L</b></a>]
696    <p>
697    Yes, HTTP and HTTPS use different server ports, so there is no direct
698    conflict between them. Either run two separate server instances (one binds
699    to port 80, the other to port 443) or even use Apache's elegant virtual
700    hosting facility where you can easily create two virtual servers which
701    Apache dispatches: one responding to port 80 and speaking HTTP and one
702    responding to port 443 speaking HTTPS.
703<p>
704<li><a name="ToC18"></a>
705    <a name="https-port"></a>
706    <strong id="faq">
707I know that HTTP is on port 80, but where is HTTPS?
708</strong>&nbsp;&nbsp;
709    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#https-port"><b>L</b></a>]
710    <p>
711    You can run HTTPS on any port, but the standards specify port 443, which
712    is where any HTTPS compliant browser will look by default. You can force
713    your browser to look on a different port by specifying it in the URL like
714    this (for port 666): <code>https://secure.server.dom:666/</code>
715<p>
716<li><a name="ToC19"></a>
717    <a name="https-test"></a>
718    <strong id="faq">
719How can I speak HTTPS manually for testing purposes?
720</strong>&nbsp;&nbsp;
721    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#https-test"><b>L</b></a>]
722    <p>
723    While you usually just use
724    <p>
725    <code><b>$ telnet localhost 80</b></code><br>
726    <code><b>GET / HTTP/1.0</b></code>
727    <p>
728    for simple testing the HTTP protocol of Apache, it's not such easy for
729    HTTPS because of the SSL protocol between TCP and HTTP. But with the
730    help of OpenSSL's <code>s_client</code> command you can do a similar
731    check even for HTTPS:
732    <p>
733    <code><b>$ openssl s_client -connect localhost:443 -state -debug</b></code><br>
734    <code><b>GET / HTTP/1.0</b></code>
735    <p>
736    Before the actual HTTP response you receive detailed information about the
737    SSL handshake. For a more general command line client which directly
738    understands both the HTTP and HTTPS scheme, can perform GET and POST
739    methods, can use a proxy, supports byte ranges, etc. you should have a
740    look at nifty <a href="http://curl.haxx.nu/">cURL</a>
741    tool. With it you can directly check if your Apache is running fine on
742    Port 80 and 443 as following:
743    <p>
744    <code><b>$ curl http://localhost/</b></code><br>
745    <code><b>$ curl https://localhost/</b></code><br>
746<p>
747<li><a name="ToC20"></a>
748    <a name="hang"></a>
749    <strong id="faq">
750Why does the connection hang when I connect to my SSL-aware Apache server?
751</strong>&nbsp;&nbsp;
752    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#hang"><b>L</b></a>]
753    <p>
754    Because you connected with HTTP to the HTTPS port, i.e. you used an URL of
755    the form ``<code>http://</code>'' instead of ``<code>https://</code>''.
756    This also happens the other way round when you connect via HTTPS to a HTTP
757    port, i.e. when you try to use ``<code>https://</code>'' on a server that
758    doesn't support SSL (on this port). Make sure you are connecting to a
759    virtual server that supports SSL, which is probably the IP associated with
760    your hostname, not localhost (127.0.0.1).
761<p>
762<li><a name="ToC21"></a>
763    <a name="hang"></a>
764    <strong id="faq">
765Why do I get ``Connection Refused'' messages when trying to access my freshly
766installed Apache+mod_ssl server via HTTPS?
767</strong>&nbsp;&nbsp;
768    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#hang"><b>L</b></a>]
769    <p>
770    There can be various reasons. Some of the common mistakes is that people
771    start Apache with just ``<tt>apachectl start</tt>'' (or
772    ``<tt>httpd</tt>'') instead of ``<tt>apachectl startssl</tt>'' (or
773    ``<tt>httpd -DSSL</tt>''. Or you're configuration is not correct. At
774    least make sure that your ``<tt>Listen</tt>'' directives match your
775    ``<tt>&lt;VirtualHost&gt;</tt>'' directives. And if all fails, please do
776    yourself a favor and start over with the default configuration mod_ssl
777    provides you.
778<p>
779<li><a name="ToC22"></a>
780    <a name="env-vars"></a>
781    <strong id="faq">
782In my CGI programs and SSI scripts the various documented
783<code>SSL_XXX</code> variables do not exists. Why?
784</strong>&nbsp;&nbsp;
785    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#env-vars"><b>L</b></a>]
786    <p>
787    Just make sure you have ``<code>SSLOptions +StdEnvVars</code>''
788    enabled for the context of your CGI/SSI requests.
789<p>
790<li><a name="ToC23"></a>
791    <a name="relative-links"></a>
792    <strong id="faq">
793How can I use relative hyperlinks to switch between HTTP and HTTPS?
794</strong>&nbsp;&nbsp;
795    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#relative-links"><b>L</b></a>]
796    <p>
797    Usually you have to use fully-qualified hyperlinks because
798    you have to change the URL scheme. But with the help of some URL
799    manipulations through mod_rewrite you can achieve the same effect while
800    you still can use relative URLs:
801    <pre>
802    RewriteEngine on
803    RewriteRule   ^/(.*):SSL$   https://%{SERVER_NAME}/$1 [R,L]
804    RewriteRule   ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1  [R,L]
805    </pre>
806    This rewrite ruleset lets you use hyperlinks of the form
807    <pre>
808    &lt;a href="document.html:SSL"&gt
809    </pre>
810</ul>
811<p>
812<br>
813<h2><a name="ToC24">About Certificates</a></h2>
814<ul>
815<p>
816<li><a name="ToC25"></a>
817    <a name="what-is"></a>
818    <strong id="faq">
819What are RSA Private Keys, CSRs and Certificates?</strong>
820</strong>&nbsp;&nbsp;
821    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#what-is"><b>L</b></a>]
822    <p>
823    The RSA private key file is a digital file that you can use to decrypt
824    messages sent to you. It has a public component which you distribute (via
825    your Certificate file) which allows people to encrypt those messages to
826    you. A Certificate Signing Request (CSR) is a digital file which contains
827    your public key and your name. You send the CSR to a Certifying Authority
828    (CA) to be converted into a real Certificate. A Certificate contains your
829    RSA public key, your name, the name of the CA, and is digitally signed by
830    your CA. Browsers that know the CA can verify the signature on that
831    Certificate, thereby obtaining your RSA public key. That enables them to
832    send messages which only you can decrypt.
833    See the <a href="ssl_intro.html">Introduction</a> chapter for a general
834    description of the SSL protocol.
835<p>
836<li><a name="ToC26"></a>
837    <a name="startup"></a>
838    <strong id="faq">
839Seems like there is a difference on startup between the original Apache and an SSL-aware Apache?
840</strong>&nbsp;&nbsp;
841    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#startup"><b>L</b></a>]
842    <p>
843    Yes, in general, starting Apache with a built-in mod_ssl is just like
844    starting an unencumbered Apache, except for the fact that when you have a
845    pass phrase on your SSL private key file. Then a startup dialog pops up
846    asking you to enter the pass phrase.
847    <p>
848    To type in the pass phrase manually when starting the server can be
849    problematic, for instance when starting the server from the system boot
850    scripts. As an alternative to this situation you can follow the steps
851    below under ``How can I get rid of the pass-phrase dialog at Apache
852    startup time?''.
853<p>
854<li><a name="ToC27"></a>
855    <a name="cert-dummy"></a>
856    <strong id="faq">
857How can I create a dummy SSL server Certificate for testing purposes?
858</strong>&nbsp;&nbsp;
859    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#cert-dummy"><b>L</b></a>]
860    <p>
861    A Certificate does not have to be signed by a public CA. You can use your
862    private key to sign the Certificate which contains your public key. You
863    can install this Certificate into your server, and people using Netscape
864    Navigator (not MSIE) will be able to connect after clicking OK to a
865    warning dialogue. You can get MSIE to work, and your customers can
866    eliminate the dialogue, by installing that Certificate manually into their
867    browsers.
868    <p>
869    Just use the ``<code>make certificate</code>'' command at the top-level
870    directory of the Apache source tree right before installing Apache via
871    ``<code>make install</code>''. This creates a self-signed SSL Certificate
872    which expires after 30 days and isn't encrypted (which means you don't
873    need to enter a pass-phrase at Apache startup time).
874    <p>
875    BUT REMEMBER: YOU REALLY HAVE TO CREATE A REAL CERTIFICATE FOR THE LONG
876    RUN! HOW THIS IS DONE IS DESCRIBED IN THE NEXT ANSWER.
877<p>
878<li><a name="ToC28"></a>
879    <a name="cert-real"></a>
880    <strong id="faq">
881Ok, I've got my server installed and want to create a real SSL
882server Certificate for it. How do I do it?
883</strong>&nbsp;&nbsp;
884    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#cert-real"><b>L</b></a>]
885    <p>
886    Here is a step-by-step description:
887    <p>
888    <ol>
889    <li>Make sure OpenSSL is really installed and in your <code>PATH</code>.
890        But some commands even work ok when you just run the
891        ``<code>openssl</code>'' program from within the OpenSSL source tree as
892        ``<code>./apps/openssl</code>''.
893    <p>
894    <li>Create a RSA private key for your Apache server
895       (will be Triple-DES encrypted and PEM formatted):
896       <p>
897       <code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code>
898       <p>
899       Please backup this <code>server.key</code> file and remember the
900       pass-phrase you had to enter at a secure location.
901       You can see the details of this RSA private key via the command:
902       <p>
903       <code><strong>$ openssl rsa -noout -text -in server.key</strong></code>
904       <p>
905       And you could create a decrypted PEM version (not recommended)
906       of this RSA private key via:
907       <p>
908       <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code>
909    <p>
910    <li>Create a Certificate Signing Request (CSR) with the server RSA private
911       key (output will be PEM formatted):
912       <p>
913       <code><strong>$ openssl req -new -key server.key -out server.csr</strong></code>
914       <p>
915       Make sure you enter the FQDN ("Fully Qualified Domain Name") of the
916       server when OpenSSL prompts you for the "CommonName", i.e. when you
917       generate a CSR for a website which will be later accessed via
918       <code>https://www.foo.dom/</code>, enter "www.foo.dom" here.
919       You can see the details of this CSR via the command
920       <p>
921       <code><strong>$ openssl req -noout -text -in server.csr</strong></code>
922    <p>
923    <li>You now have to send this Certificate Signing Request (CSR) to
924       a Certifying Authority (CA) for signing. The result is then a real
925       Certificate which can be used for Apache. Here you have two options:
926       First you can let the CSR sign by a commercial CA like Verisign or
927       Thawte. Then you usually have to post the CSR into a web form, pay for
928       the signing and await the signed Certificate you then can store into a
929       server.crt file. For more information about commercial CAs have a look
930       at the following locations:
931       <p>
932       <ul>
933       <li>  Verisign<br>
934             <a href="http://digitalid.verisign.com/server/apacheNotice.htm">
935             http://digitalid.verisign.com/server/apacheNotice.htm
936             </a>
937       <li>  Thawte Consulting<br>
938             <a href="http://www.thawte.com/certs/server/request.html">
939             http://www.thawte.com/certs/server/request.html
940             </a>
941       <li>  CertiSign Certificadora Digital Ltda.<br>
942             <a href="http://www.certisign.com.br">
943             http://www.certisign.com.br
944             </a>
945       <li>  IKS GmbH<br>
946             <a href="http://www.iks-jena.de/produkte/ca/">
947             http://www.iks-jena.de/produkte/ca/
948             </a>
949       <li>  Uptime Commerce Ltd.<br>
950             <a href="http://www.uptimecommerce.com">
951             http://www.uptimecommerce.com
952             </a>
953       <li>  BelSign NV/SA<br>
954             <a href="http://www.belsign.be">
955             http://www.belsign.be
956             </a>
957       </ul>
958       <p>
959       Second you can use your own CA and now have to sign the CSR yourself by
960       this CA. Read the next answer in this FAQ on how to sign a CSR with
961       your CA yourself.
962       You can see the details of the received Certificate via the command:
963       <p>
964       <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code>
965    <p>
966    <li>Now you have two files: <code>server.key</code> and
967    <code>server.crt</code>. These now can be used as following inside your
968    Apache's <code>httpd.conf</code> file:
969       <pre>
970       SSLCertificateFile    /path/to/this/server.crt
971       SSLCertificateKeyFile /path/to/this/server.key
972       </pre>
973       The <code>server.csr</code> file is no longer needed.
974    </ol>
975<p>
976<li><a name="ToC29"></a>
977    <a name="cert-ownca"></a>
978    <strong id="faq">
979How can I create and use my own Certificate Authority (CA)?
980</strong>&nbsp;&nbsp;
981    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#cert-ownca"><b>L</b></a>]
982    <p>
983    The short answer is to use the <code>CA.sh</code> or <code>CA.pl</code>
984    script provided by OpenSSL. The long and manual answer is this:
985    <p>
986    <ol>
987    <li>Create a RSA private key for your CA
988       (will be Triple-DES encrypted and PEM formatted):
989       <p>
990       <code><strong>$ openssl genrsa -des3 -out ca.key 1024</strong></code>
991       <p>
992       Please backup this <code>ca.key</code> file and remember the
993       pass-phrase you currently entered at a secure location.
994       You can see the details of this RSA private key via the command
995       <p>
996       <code><strong>$ openssl rsa -noout -text -in ca.key</strong></code>
997       <p>
998       And you can create a decrypted PEM version (not recommended) of this
999       private key via:
1000       <p>
1001       <code><strong>$ openssl rsa -in ca.key -out ca.key.unsecure</strong></code>
1002    <p>
1003    <li>Create a self-signed CA Certificate (X509 structure)
1004       with the RSA key of the CA (output will be PEM formatted):
1005       <p>
1006       <code><strong>$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt</strong></code>
1007       <p>
1008       You can see the details of this Certificate via the command:
1009       <p>
1010       <code><strong>$ openssl x509 -noout -text -in ca.crt</strong></code>
1011    <p>
1012    <li>Prepare a script for signing which is needed because
1013       the ``<code>openssl ca</code>'' command has some strange requirements
1014       and the default OpenSSL config doesn't allow one easily to use
1015       ``<code>openssl ca</code>'' directly. So a script named
1016       <code>sign.sh</code> is distributed with the mod_ssl distribution
1017       (subdir <code>pkg.contrib/</code>). Use this script for signing.
1018    <p>
1019    <li>Now you can use this CA to sign server CSR's in order to create real
1020       SSL Certificates for use inside an Apache webserver (assuming
1021       you already have a <code>server.csr</code> at hand):
1022       <p>
1023       <code><strong>$ ./sign.sh server.csr</strong></code>
1024       <p>
1025       This signs the server CSR and results in a <code>server.crt</code> file.
1026    </ol>
1027<p>
1028<li><a name="ToC30"></a>
1029    <a name="change-passphrase"></a>
1030    <strong id="faq">
1031How can I change the pass-phrase on my private key file?
1032</strong>&nbsp;&nbsp;
1033    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#change-passphrase"><b>L</b></a>]
1034    <p>
1035    You simply have to read it with the old pass-phrase and write it again
1036    by specifying the new pass-phrase. You can accomplish this with the following
1037    commands:
1038    <p>
1039    <code><strong>$ openssl rsa -des3 -in server.key -out server.key.new</strong></code><br>
1040    <code><strong>$ mv server.key.new server.key</strong></code><br>
1041    <p>
1042    Here you're asked two times for a PEM pass-phrase. At the first
1043    prompt enter the old pass-phrase and at the second prompt
1044    enter the new pass-phrase.
1045<p>
1046<li><a name="ToC31"></a>
1047    <a name="remove-passphrase"></a>
1048    <strong id="faq">
1049How can I get rid of the pass-phrase dialog at Apache startup time?
1050</strong>&nbsp;&nbsp;
1051    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#remove-passphrase"><b>L</b></a>]
1052    <p>
1053    The reason why this dialog pops up at startup and every re-start
1054    is that the RSA private key inside your server.key file is stored in
1055    encrypted format for security reasons. The pass-phrase is needed to be
1056    able to read and parse this file. When you can be sure that your server is
1057    secure enough you perform two steps:
1058    <p>
1059    <ol>
1060    <li>Remove the encryption from the RSA private key (while
1061       preserving the original file):
1062       <p>
1063       <code><strong>$ cp server.key server.key.org</strong></code><br>
1064       <code><strong>$ openssl rsa -in server.key.org -out server.key</strong></code>
1065    <p>
1066    <li>Make sure the server.key file is now only readable by root:
1067       <p>
1068       <code><strong>$ chmod 400 server.key</strong></code>
1069    </ol>
1070    <p>
1071    Now <code>server.key</code> will contain an unencrypted copy of the key.
1072    If you point your server at this file it will not prompt you for a
1073    pass-phrase. HOWEVER, if anyone gets this key they will be able to
1074    impersonate you on the net. PLEASE make sure that the permissions on that
1075    file are really such that only root or the web server user can read it
1076    (preferably get your web server to start as root but run as another
1077    server, and have the key readable only by root).
1078    <p>
1079    As an alternative approach you can use the ``<code>SSLPassPhraseDialog
1080    exec:/path/to/program</code>'' facility. But keep in mind that this is
1081    neither more nor less secure, of course.
1082<p>
1083<li><a name="ToC32"></a>
1084    <a name="verify-key"></a>
1085    <strong id="faq">
1086How do I verify that a private key matches its Certificate?
1087</strong>&nbsp;&nbsp;
1088    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#verify-key"><b>L</b></a>]
1089    <p>
1090    The private key contains a series of numbers. Two of those numbers form
1091    the "public key", the others are part of your "private key". The "public
1092    key" bits are also embedded in your Certificate (we get them from your
1093    CSR). To check that the public key in your cert matches the public
1094    portion of your private key, you need to view the cert and the key and
1095    compare the numbers. To view the Certificate and the key run the
1096    commands:
1097    <p>
1098    <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br>
1099    <code><strong>$ openssl rsa -noout -text -in server.key</strong></code>
1100    <p>
1101    The `modulus' and the `public exponent' portions in the key and the
1102    Certificate must match. But since the public exponent is usually 65537
1103    and it's bothering comparing long modulus you can use the following
1104    approach:
1105    <p>
1106    <code><strong>$ openssl x509 -noout -modulus -in server.crt | openssl md5</strong></code><br>
1107    <code><strong>$ openssl rsa -noout -modulus -in server.key | openssl md5</strong></code>
1108    <p>
1109    And then compare these really shorter numbers. With overwhelming
1110    probability they will differ if the keys are different. BTW, if I want to
1111    check to which key or certificate a particular CSR belongs you can compute
1112    <p>
1113    <code><strong>$ openssl req -noout -modulus -in server.csr | openssl md5</strong></code>
1114<p>
1115<li><a name="ToC33"></a>
1116    <a name="keysize1"></a>
1117    <strong id="faq">
1118What does it mean when my connections fail with an "alert bad certificate"
1119error?
1120</strong>&nbsp;&nbsp;
1121    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#keysize1"><b>L</b></a>]
1122    <p>
1123    Usually when you see errors like ``<tt>OpenSSL: error:14094412: SSL
1124    routines:SSL3_READ_BYTES:sslv3 alert bad certificate</tt>'' in the SSL
1125    logfile, this means that the browser was unable to handle the server
1126    certificate/private-key which perhaps contain a RSA-key not equal to 1024
1127    bits. For instance Netscape Navigator 3.x is one of those browsers.
1128<p>
1129<li><a name="ToC34"></a>
1130    <a name="keysize2"></a>
1131    <strong id="faq">
1132Why does my 2048-bit private key not work?
1133</strong>&nbsp;&nbsp;
1134    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#keysize2"><b>L</b></a>]
1135    <p>
1136    The private key sizes for SSL must be either 512 or 1024 for compatibility
1137    with certain web browsers. A keysize of 1024 bits is recommended because
1138    keys larger than 1024 bits are incompatible with some versions of Netscape
1139    Navigator and Microsoft Internet Explorer, and with other browsers that
1140    use RSA's BSAFE cryptography toolkit.
1141<p>
1142<li><a name="ToC35"></a>
1143    <a name="hash-symlinks"></a>
1144    <strong id="faq">
1145Why is client authentication broken after upgrading from
1146SSLeay version 0.8 to 0.9?
1147</strong>&nbsp;&nbsp;
1148    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#hash-symlinks"><b>L</b></a>]
1149    <p>
1150    The CA certificates under the path you configured with
1151    <code>SSLCACertificatePath</code> are found by SSLeay through hash
1152    symlinks. These hash values are generated by the `<code>openssl x509 -noout
1153    -hash</code>' command. But the algorithm used to calculate the hash for a
1154    certificate has changed between SSLeay 0.8 and 0.9. So you have to remove
1155    all old hash symlinks and re-create new ones after upgrading. Use the
1156    <code>Makefile</code> mod_ssl placed into this directory.
1157<p>
1158<li><a name="ToC36"></a>
1159    <a name="pem-to-der"></a>
1160    <strong id="faq">
1161How can I convert a certificate from PEM to DER format?
1162</strong>&nbsp;&nbsp;
1163    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#pem-to-der"><b>L</b></a>]
1164    <p>
1165    The default certificate format for SSLeay/OpenSSL is PEM, which actually
1166    is Base64 encoded DER with header and footer lines. For some applications
1167    (e.g. Microsoft Internet Explorer) you need the certificate in plain DER
1168    format. You can convert a PEM file <code>cert.pem</code> into the
1169    corresponding DER file <code>cert.der</code> with the following command:
1170    <code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code>
1171<p>
1172<li><a name="ToC37"></a>
1173    <a name="verisign-getca"></a>
1174    <strong id="faq">
1175I try to install a Verisign certificate. Why can't I find neither the
1176<code>getca</code> nor <code>getverisign</code> programs Verisign mentions?
1177</strong>&nbsp;&nbsp;
1178    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#verisign-getca"><b>L</b></a>]
1179    <p>
1180    This is because Verisign has never provided specific instructions
1181    for Apache+mod_ssl. Rather they tell you what you should do
1182    if you were using C2Net's Stronghold (a commercial Apache
1183    based server with SSL support). The only thing you have to do
1184    is to save the certificate into a file and give the name of
1185    that file to the <code>SSLCertificateFile</code> directive.
1186    Remember that you need to give the key file in as well (see
1187    <code>SSLCertificateKeyFile</code> directive). For a better
1188    CA-related overview on SSL certificate fiddling you can look at <a
1189    href="http://www.thawte.com/certs/server/keygen/mod_ssl.html">
1190    Thawte's mod_ssl instructions</a>.
1191<p>
1192<li><a name="ToC38"></a>
1193    <a name="gid"></a>
1194    <strong id="faq">
1195Can I use the Server Gated Cryptography (SGC) facility (aka Verisign Global
1196ID) also with mod_ssl?
1197</strong>&nbsp;&nbsp;
1198    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#gid"><b>L</b></a>]
1199    <p>
1200    Yes, mod_ssl since version 2.1 supports the SGC facility. You don't have
1201    to configure anything special for this, just use a Global ID as your
1202    server certificate. The <i>step up</i> of the clients are then
1203    automatically handled by mod_ssl under run-time. For details please read
1204    the <tt>README.GlobalID</tt> document in the mod_ssl distribution.
1205<p>
1206<li><a name="ToC39"></a>
1207    <a name="gid"></a>
1208    <strong id="faq">
1209After I have installed my new Verisign Global ID server certificate, the
1210browsers complain that they cannot verify the server certificate?
1211</strong>&nbsp;&nbsp;
1212    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#gid"><b>L</b></a>]
1213    <p>
1214    That is because Verisign uses an intermediate CA certificate between
1215    the root CA certificate (which is installed in the browsers) and
1216    the server certificate (which you installed in the server). You
1217    should have received this additional CA certificate from Verisign.
1218    If not, complain to them. Then configure this certificate with the
1219    <code>SSLCertificateChainFile</code> directive in the server. This
1220    makes sure the intermediate CA certificate is send to the browser
1221    and this way fills the gap in the certificate chain.
1222</ul>
1223<p>
1224<br>
1225<h2><a name="ToC40">About SSL Protocol</a></h2>
1226<ul>
1227<p>
1228<li><a name="ToC41"></a>
1229    <a name="random-errors"></a>
1230    <strong id="faq">
1231Why do I get lots of random SSL protocol errors under heavy server load?
1232</strong>&nbsp;&nbsp;
1233    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#random-errors"><b>L</b></a>]
1234    <p>
1235    There can be a number of reasons for this, but the main one
1236    is problems with the SSL session Cache specified by the
1237    <tt>SSLSessionCache</tt> directive. The DBM session cache is most
1238    likely the source of the problem, so trying the SHM session cache or
1239    no cache at all may help.
1240<p>
1241<li><a name="ToC42"></a>
1242    <a name="load"></a>
1243    <strong id="faq">
1244Why has my webserver a higher load now that I run SSL there?
1245</strong>&nbsp;&nbsp;
1246    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#load"><b>L</b></a>]
1247    <p>
1248    Because SSL uses strong cryptographic encryption and this needs a lot of
1249    number crunching. And because when you request a webpage via HTTPS even
1250    the images are transfered encrypted. So, when you have a lot of HTTPS
1251    traffic the load increases.
1252<p>
1253<li><a name="ToC43"></a>
1254    <a name="random"></a>
1255    <strong id="faq">
1256Often HTTPS connections to my server require up to 30 seconds for establishing
1257the connection, although sometimes it works faster?
1258</strong>&nbsp;&nbsp;
1259    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#random"><b>L</b></a>]
1260    <p>
1261    Usually this is caused by using a <code>/dev/random</code> device for
1262    <code>SSLRandomSeed</code> which is blocking in read(2) calls if not
1263    enough entropy is available. Read more about this problem in the refernce
1264    chapter under <code>SSLRandomSeed</code>.
1265<p>
1266<li><a name="ToC44"></a>
1267    <a name="ciphers"></a>
1268    <strong id="faq">
1269What SSL Ciphers are supported by mod_ssl?
1270</strong>&nbsp;&nbsp;
1271    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#ciphers"><b>L</b></a>]
1272    <p>
1273    Usually just all SSL ciphers which are supported by the
1274    version of OpenSSL in use (can depend on the way you built
1275    OpenSSL). Typically this at least includes the following:
1276    <p>
1277    <ul>
1278    <li>RC4 with MD5
1279    <li>RC4 with MD5 (export version restricted to 40-bit key)
1280    <li>RC2 with MD5
1281    <li>RC2 with MD5 (export version restricted to 40-bit key)
1282    <li>IDEA with MD5
1283    <li>DES with MD5
1284    <li>Triple-DES with MD5
1285    </ul>
1286    <p>
1287    To determine the actual list of supported ciphers you can
1288    run the following command:
1289    <p>
1290    <code><strong>$ openssl ciphers -v</strong></code><br>
1291<p>
1292<li><a name="ToC45"></a>
1293    <a name="cipher-adh"></a>
1294    <strong id="faq">
1295I want to use Anonymous Diffie-Hellman (ADH) ciphers, but I always get ``no
1296shared cipher'' errors?
1297</strong>&nbsp;&nbsp;
1298    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#cipher-adh"><b>L</b></a>]
1299    <p>
1300    In order to use Anonymous Diffie-Hellman (ADH) ciphers, it is not enough
1301    to just put ``<code>ADH</code>'' into your <code>SSLCipherSuite</code>.
1302    Additionally you have to build OpenSSL with
1303    ``<code>-DSSL_ALLOW_ADH</code>''. Because per default OpenSSL does not
1304    allow ADH ciphers for security reasons. So if you are actually enabling
1305    these ciphers make sure you are informed about the side-effects.
1306<p>
1307<li><a name="ToC46"></a>
1308    <a name="cipher-shared"></a>
1309    <strong id="faq">
1310I always just get a 'no shared ciphers' error if
1311I try to connect to my freshly installed server?
1312</strong>&nbsp;&nbsp;
1313    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#cipher-shared"><b>L</b></a>]
1314    <p>
1315    Either you have messed up your <code>SSLCipherSuite</code>
1316    directive (compare it with the pre-configured example in
1317    <code>httpd.conf-dist</code>) or you have choosen the DSA/DH
1318    algorithms instead of RSA under "<code>make certificate</code>"
1319    and ignored or overseen the warnings. Because if you have choosen
1320    DSA/DH, then your server no longer speaks RSA-based SSL ciphers
1321    (at least not until you also configure an additional RSA-based
1322    certificate/key pair). But current browsers like NS or IE only speak
1323    RSA ciphers. The result is the "no shared ciphers" error. To fix
1324    this, regenerate your server certificate/key pair and this time
1325    choose the RSA algorithm.
1326<p>
1327<li><a name="ToC47"></a>
1328    <a name="vhosts"></a>
1329    <strong id="faq">
1330Why can't I use SSL with name-based/non-IP-based virtual hosts?
1331</strong>&nbsp;&nbsp;
1332    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#vhosts"><b>L</b></a>]
1333    <p>
1334    The reason is very technical. Actually it's some sort of a chicken and
1335    egg problem: The SSL protocol layer stays below the HTTP protocol layer
1336    and encapsulates HTTP. When an SSL connection (HTTPS) is established
1337    Apache/mod_ssl has to negotiate the SSL protocol parameters with the
1338    client. For this mod_ssl has to consult the configuration of the virtual
1339    server (for instance it has to look for the cipher suite, the server
1340    certificate, etc.). But in order to dispatch to the correct virtual server
1341    Apache has to know the <code>Host</code> HTTP header field. For this the
1342    HTTP request header has to be read. This cannot be done before the SSL
1343    handshake is finished. But the information is already needed at the SSL
1344    handshake phase. Bingo!
1345<p>
1346<li><a name="ToC48"></a>
1347    <a name="lock-icon"></a>
1348    <strong id="faq">
1349When I use Basic Authentication over HTTPS the lock icon in Netscape browsers
1350still show the unlocked state when the dialog pops up. Does this mean the
1351username/password is still transmitted unencrypted?
1352</strong>&nbsp;&nbsp;
1353    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#lock-icon"><b>L</b></a>]
1354    <p>
1355    No, the username/password is already transmitted encrypted. The icon in
1356    Netscape browsers is just not really synchronized with the SSL/TLS layer
1357    (it toggles to the locked state when the first part of the actual webpage
1358    data is transferred which is not quite correct) and this way confuses
1359    people. The Basic Authentication facility is part of the HTTP layer and
1360    this layer is above the SSL/TLS layer in HTTPS. And before any HTTP data
1361    communication takes place in HTTPS the SSL/TLS layer has already done the
1362    handshake phase and switched to encrypted communication. So, don't get
1363    confused by this icon.
1364<p>
1365<li><a name="ToC49"></a>
1366    <a name="io-ie"></a>
1367    <strong id="faq">
1368When I connect via HTTPS to an Apache+mod_ssl+OpenSSL server with Microsoft Internet
1369Explorer (MSIE) I get various I/O errors. What is the reason?
1370</strong>&nbsp;&nbsp;
1371    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#io-ie"><b>L</b></a>]
1372    <p>
1373    The first reason is that the SSL implementation in some MSIE versions has
1374    some subtle bugs related to the HTTP keep-alive facility and the SSL close
1375    notify alerts on socket connection close. Additionally the interaction
1376    between SSL and HTTP/1.1 features are problematic with some MSIE versions,
1377    too. You've to work-around these problems by forcing
1378    Apache+mod_ssl+OpenSSL to not use HTTP/1.1, keep-alive connections or
1379    sending the SSL close notify messages to MSIE clients. This can be done by
1380    using the following directive in your SSL-aware virtual host section:
1381    <pre>
1382    SetEnvIf User-Agent ".*MSIE.*" \
1383             <b>nokeepalive ssl-unclean-shutdown \
1384             downgrade-1.0 force-response-1.0</b></pre>
1385    Additionally it is known some MSIE versions have also problems
1386    with particular ciphers. Unfortunately one cannot workaround these
1387    bugs only for those MSIE particular clients, because the ciphers
1388    are already used in the SSL handshake phase. So a MSIE-specific
1389    <tt>SetEnvIf</tt> doesn't work to solve these problems. Instead one
1390    has to do more drastic adjustments to the global parameters. But
1391    before you decide to do this, make sure your clients really have
1392    problems. If not, do not do this, because it affects all(!) your
1393    clients, i.e., also your non-MSIE clients.
1394    <p>
1395    The next problem is that 56bit export versions of MSIE 5.x browsers have a
1396    broken SSLv3 implementation which badly interacts with OpenSSL versions
1397    greater than 0.9.4. You can either accept this and force your clients to
1398    upgrade their browsers, or you downgrade to OpenSSL 0.9.4 (hmmm), or you
1399    can decide to workaround it by accepting the drawback that your workaround
1400    will horribly affect also other browsers:
1401    <pre>
1402    SSLProtocol all <b>-SSLv3</b></pre>
1403    This completely disables the SSLv3 protocol and lets those browsers work.
1404    But usually this is an even less acceptable workaround. A more reasonable
1405    workaround is to address the problem more closely and disable only the
1406    ciphers which cause trouble.
1407    <pre>
1408    SSLCipherSuite ALL:!ADH:<b>!EXPORT56</b>:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</pre>
1409    This also lets the broken MSIE versions work, but only removes the
1410    newer 56bit TLS ciphers.
1411    <p>
1412    Another problem with MSIE 5.x clients is that they refuse to connect to
1413    URLs of the form <tt>https://12.34.56.78/</tt> (IP-addresses are used
1414    instead of the hostname), if the server is using the Server Gated
1415    Cryptography (SGC) facility. This can only be avoided by using the fully
1416    qualified domain name (FQDN) of the website in hyperlinks instead, because
1417    MSIE 5.x has an error in the way it handles the SGC negotiation.
1418    <p>
1419    And finally there are versions of MSIE which seem to require that
1420    an SSL session can be reused (a totally non standard-conforming
1421    behaviour, of course). Connection with those MSIE versions only work
1422    if a SSL session cache is used. So, as a work-around, make sure you
1423    are using a session cache (see <tt>SSLSessionCache</tt> directive).
1424<p>
1425<li><a name="ToC50"></a>
1426    <a name="io-ns"></a>
1427    <strong id="faq">
1428When I connect via HTTPS to an Apache+mod_ssl server with Netscape Navigator I
1429get I/O errors and the message "Netscape has encountered bad data from the
1430server" What's the reason?
1431</strong>&nbsp;&nbsp;
1432    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#io-ns"><b>L</b></a>]
1433    <p>
1434    The problem usually is that you had created a new server certificate with
1435    the same DN, but you had told your browser to accept forever the old
1436    server certificate. Once you clear the entry in your browser for the old
1437    certificate, everything usually will work fine. Netscape's SSL
1438    implementation is correct, so when you encounter I/O errors with Netscape
1439    Navigator it is most of the time caused by the configured certificates.
1440</ul>
1441<p>
1442<br>
1443<h2><a name="ToC51">About Support</a></h2>
1444<ul>
1445<p>
1446<li><a name="ToC52"></a>
1447    <a name="resources"></a>
1448    <strong id="faq">
1449What information resources are available in case of mod_ssl problems?
1450</strong>&nbsp;&nbsp;
1451    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#resources"><b>L</b></a>]
1452    <p>
1453The following information resources are available.
1454In case of problems you should search here first.
1455<p>
1456<ol>
1457<li><em>Answers in the User Manual's F.A.Q. List (this)</em><br>
1458    <a href="http://www.modssl.org/docs/2.8/ssl_faq.html">
1459    http://www.modssl.org/docs/2.8/ssl_faq.html</a><br>
1460    First look inside the F.A.Q. (this text), perhaps your problem is such
1461    popular that it was already answered a lot of times in the past.
1462<p>
1463<li><em>Postings from the modssl-users Support Mailing List</em>
1464    <a href="http://www.modssl.org/support/">
1465    http://www.modssl.org/support/</a><br>
1466    Second search for your problem in one of the existing archives of the
1467    modssl-users mailing list. Perhaps your problem popped up at least once for
1468    another user, too.
1469<p>
1470<li><em>Problem Reports in the Bug Database</em>
1471    <a href="http://www.modssl.org/support/bugdb/">
1472    http://www.modssl.org/support/bugdb/</a><br>
1473    Third look inside the mod_ssl Bug Database. Perhaps
1474    someone else already has reported the problem.
1475</ol>
1476<p>
1477<li><a name="ToC53"></a>
1478    <a name="contact"></a>
1479    <strong id="faq">
1480What support contacts are available in case of mod_ssl problems?
1481</strong>&nbsp;&nbsp;
1482    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#contact"><b>L</b></a>]
1483    <p>
1484The following lists all support possibilities for mod_ssl, in order of
1485preference, i.e. start in this order and do not pick the support possibility
1486you just like most, please.
1487<p>
1488<ol>
1489<li><em>Write a Problem Report into the Bug Database</em><br>
1490    <a href="http://www.modssl.org/support/bugdb/">
1491    http://www.modssl.org/support/bugdb/</a><br>
1492    This is the preferred way of submitting your problem report, because this
1493    way it gets filed into the bug database (it cannot be lost) <em>and</em>
1494    send to the modssl-users mailing list (others see the current problems and
1495    learn from answers).
1496<p>
1497<li><em>Write a Problem Report to the modssl-users Support Mailing List</em><br>
1498    <a href="mailto:modssl-users@modssl.org">
1499    modssl-users&nbsp;@&nbsp;modssl.org</a><br>
1500    This is the second way of submitting your problem report. You have to
1501    subscribe to the list first, but then you can easily discuss your problem
1502    with both the author and the whole mod_ssl user community.
1503<p>
1504<li><em>Write a Problem Report to the author</em><br>
1505    <a href="mailto:rse@engelschall.com">
1506    rse&nbsp;@&nbsp;engelschall.com</a><br>
1507    This is the last way of submitting your problem report. Please avoid this
1508    in your own interest because the author is really a very busy men. Your
1509    mail will always be filed to one of his various mail-folders and is
1510    usually not processed as fast as a posting on modssl-users.
1511</ol>
1512<p>
1513<li><a name="ToC54"></a>
1514    <a name="report-details"></a>
1515    <strong id="faq">
1516What information and details I've to provide to
1517the author when writing a bug report?
1518</strong>&nbsp;&nbsp;
1519    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#report-details"><b>L</b></a>]
1520    <p>
1521You have to at least always provide the following information:
1522<p>
1523<ul>
1524<li><em>Apache, mod_ssl and OpenSSL version information</em><br>
1525    The mod_ssl version you should really know. For instance, it's the version
1526    number in the distribution tarball. The Apache version can be determined
1527    by running ``<code>httpd -v</code>''. The OpenSSL version can be
1528    determined by running ``<code>openssl version</code>''. Alternatively when
1529    you have Lynx installed you can run the command ``<code>lynx -mime_header
1530    http://localhost/ | grep Server</code>'' to determine all information in a
1531    single step.
1532<p>
1533<li><em>The details on how you built and installed Apache+mod_ssl+OpenSSL</em><br>
1534    For this you can provide a logfile of your terminal session which shows
1535    the configuration and install steps. Alternatively you can at least
1536    provide the author with the APACI `<code>configure</code>'' command line
1537    you used (assuming you used APACI, of course).
1538<p>
1539<li><em>In case of core dumps please include a Backtrace</em><br>
1540    In case your Apache+mod_ssl+OpenSSL should really dumped core please attach
1541    a stack-frame ``backtrace'' (see the next question on how to get it).
1542    Without this information the reason for your core dump cannot be found.
1543    So you have to provide the backtrace, please.
1544<p>
1545<li><em>A detailed description of your problem</em><br>
1546    Don't laugh, I'm totally serious. I already got a lot of problem reports
1547    where the people not really said what's the actual problem is. So, in your
1548    own interest (you want the problem be solved, don't you?) include as much
1549    details as possible, please. But start with the essentials first, of
1550    course.
1551</ul>
1552<p>
1553<li><a name="ToC55"></a>
1554    <a name="core-dumped"></a>
1555    <strong id="faq">
1556I got a core dump, can you help me?
1557</strong>&nbsp;&nbsp;
1558    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#core-dumped"><b>L</b></a>]
1559    <p>
1560    In general no, at least not unless you provide more details about the code
1561    location where Apache dumped core. What is usually always required in
1562    order to help you is a backtrace (see next question). Without this
1563    information it is mostly impossible to find the problem and help you in
1564    fixing it.
1565<p>
1566<li><a name="ToC56"></a>
1567    <a name="report-backtrace"></a>
1568    <strong id="faq">
1569Ok, I got a core dump but how do I get a backtrace to find out the reason for it?
1570</strong>&nbsp;&nbsp;
1571    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#report-backtrace"><b>L</b></a>]
1572    <p>
1573Follow the following steps:
1574<p>
1575<ol>
1576<li>Make sure you have debugging symbols available in at least
1577    Apache and mod_ssl. On platforms where you use GCC/GDB you have to build
1578    Apache+mod_ssl with ``<code>OPTIM="-g -ggdb3"</code>'' to achieve this. On
1579    other platforms at least ``<code>OPTIM="-g"</code>'' is needed.
1580<p>
1581<li>Startup the server and try to produce the core-dump. For this you perhaps
1582    want to use a directive like ``<code>CoreDumpDirectory /tmp</code>'' to
1583    make sure that the core-dump file can be written. You then should get a
1584    <code>/tmp/core</code> or <code>/tmp/httpd.core</code> file. When you
1585    don't get this, try to run your server under an UID != 0 (root), because
1586    most "current" kernels do not allow a process to dump core after it has
1587    done a <code>setuid()</code> (unless it does an <code>exec()</code>) for
1588    security reasons (there can be privileged information left over in
1589    memory). Additionally you can run ``<code>/path/to/httpd -X</code>''
1590    manually to force Apache to not fork.
1591<p>
1592<li>Analyze the core-dump. For this run ``<code>gdb /path/to/httpd
1593    /tmp/httpd.core</code>'' or a similar command has to run. In GDB you then
1594    just have to enter the ``<code>bt</code>'' command and, voila, you get the
1595    backtrace. For other debuggers consult your local debugger manual. Send
1596    this backtrace to the author.
1597</ol>
1598</ul>
1599      <p>
1600      <br>
1601      <table summary="">
1602      <tr>
1603        <td>
1604           <table width="600" border="0" summary="">
1605           <tr>
1606            <td valign="top" align="left" width="250">
1607<a href="ssl_howto.html" onmouseover="ro_imgOver('ro_img_prev_bot', 'previous page'); return true" onmouseout="ro_imgNormal('ro_img_prev_bot'); return true" onfocus="ro_imgOver('ro_img_prev_bot', 'previous page'); return true" onblur="ro_imgNormal('ro_img_prev_bot'); return true"><img name="ro_img_prev_bot" src="ssl_template.navbut-prev-n.gif" alt="previous page" width="70" height="18" border="0"></a><br><font color="#000000">HowTo</font>
1608            </td>
1609            <td valign="top" align="right" width="250">
1610<a href="ssl_glossary.html" onmouseover="ro_imgOver('ro_img_next_bot', 'next page'); return true" onmouseout="ro_imgNormal('ro_img_next_bot'); return true" onfocus="ro_imgOver('ro_img_next_bot', 'next page'); return true" onblur="ro_imgNormal('ro_img_next_bot'); return true"><img name="ro_img_next_bot" src="ssl_template.navbut-next-n.gif" alt="next page" width="70" height="18" border="0"></a><br><font color="#000000">Glossary</font>
1611            </td>
1612           </tr>
1613           </table>
1614         </td>
1615      </tr>
1616      <tr>
1617        <td><img src="ssl_template.imgdot-1x1-000000.gif" alt="" width="600" height="2" align="bottom" border="0"></td>
1618      </tr>
1619      <tr>
1620        <td><table width="598" summary="">
1621        <tr>
1622        <td align="left"><font face="Arial,Helvetica">
1623        <a href="http://www.modssl.org/">mod_ssl</a> 2.8, User Manual<br>
1624        The Apache Interface to OpenSSL
1625        </font>
1626        </td>
1627        <td align="right"><font face="Arial,Helvetica">
1628        Copyright &copy; 1998-2001
1629        <a href="http://www.engelschall.com/">Ralf S. Engelschall</a><br>
1630        All Rights Reserved<br>
1631        </font>
1632        </td>
1633        </tr>
1634        </table>
1635        </td>
1636      </tr>
1637      </table>
1638  </td>
1639</tr>
1640</table>
1641</div>
1642</body>
1643</html>
1644