📄 ssl_faq.html
字号:
</td><td> </td><td><div align="right"><table cellspacing="0" cellpadding="5" border="0" bgcolor="#ccccff" width="350" summary=""><tr><td bgcolor="#333399"><font face="Arial,Helvetica" color="#ccccff"><b>Table Of Contents</b></font></td></tr><tr><td><font face="Arial,Helvetica" size="-1"> <a href="#ToC1"><strong>About the module</strong></a><br> <a href="#ToC2"><strong>What is the history of mod_ssl?</strong></a><br> <a href="#ToC3"><strong>Apache-SSL vs. mod_ssl: differences?</strong></a><br> <a href="#ToC4"><strong>mod_ssl vs. commercial alternatives?</strong></a><br> <a href="#ToC5"><strong>mod_ssl/Apache versions?</strong></a><br> <a href="#ToC6"><strong>mod_ssl and Year 2000?</strong></a><br> <a href="#ToC7"><strong>mod_ssl and Wassenaar Arrangement?</strong></a><br> <a href="#ToC8"><strong>About Installation</strong></a><br> <a href="#ToC9"><strong>Core dumps for HTTPS requests?</strong></a><br> <a href="#ToC10"><strong>Core dumps for Apache+mod_ssl+PHP3?</strong></a><br> <a href="#ToC11"><strong>Undefined symbols on startup?</strong></a><br> <a href="#ToC12"><strong>Permission problem on SSLMutex</strong></a><br> <a href="#ToC13"><strong>Shared memory and process size?</strong></a><br> <a href="#ToC14"><strong>Shared memory and pathname?</strong></a><br> <a href="#ToC15"><strong>PRNG and not enough entropy?</strong></a><br> <a href="#ToC16"><strong>About Configuration</strong></a><br> <a href="#ToC17"><strong>HTTP and HTTPS with a single server?</strong></a><br> <a href="#ToC18"><strong>Where is the HTTPS port?</strong></a><br> <a href="#ToC19"><strong>How to test HTTPS manually?</strong></a><br> <a href="#ToC20"><strong>Why does my connection hang?</strong></a><br> <a href="#ToC21"><strong>Why do I get connection refused?</strong></a><br> <a href="#ToC22"><strong>Why are the SSL_XXX variables missing?</strong></a><br> <a href="#ToC23"><strong>How to switch with relative hyperlinks?</strong></a><br> <a href="#ToC24"><strong>About Certificates</strong></a><br> <a href="#ToC25"><strong>What are Keys, CSRs and Certs?</strong></a><br> <a href="#ToC26"><strong>Difference on startup?</strong></a><br> <a href="#ToC27"><strong>How to create a dummy cert?</strong></a><br> <a href="#ToC28"><strong>How to create a real cert?</strong></a><br> <a href="#ToC29"><strong>How to create my own CA?</strong></a><br> <a href="#ToC30"><strong>How to change a pass phrase?</strong></a><br> <a href="#ToC31"><strong>How to remove a pass phrase?</strong></a><br> <a href="#ToC32"><strong>How to verify a key/cert pair?</strong></a><br> <a href="#ToC33"><strong>Bad Certificate Error?</strong></a><br> <a href="#ToC34"><strong>Why does a 2048-bit key not work?</strong></a><br> <a href="#ToC35"><strong>Why is client auth broken?</strong></a><br> <a href="#ToC36"><strong>How to convert from PEM to DER?</strong></a><br> <a href="#ToC37"><strong>Verisign and the magic getca program?</strong></a><br> <a href="#ToC38"><strong>Global IDs or SGC?</strong></a><br> <a href="#ToC39"><strong>Global IDs and Cert Chain?</strong></a><br> <a href="#ToC40"><strong>About SSL Protocol</strong></a><br> <a href="#ToC41"><strong>Random SSL errors under heavy load?</strong></a><br> <a href="#ToC42"><strong>Why has the server a higher load?</strong></a><br> <a href="#ToC43"><strong>Why are connections horribly slow?</strong></a><br> <a href="#ToC44"><strong>Which ciphers are supported?</strong></a><br> <a href="#ToC45"><strong>How to use Anonymous-DH ciphers</strong></a><br> <a href="#ToC46"><strong>Why do I get 'no shared ciphers'?</strong></a><br> <a href="#ToC47"><strong>HTTPS and name-based vhosts</strong></a><br> <a href="#ToC48"><strong>The lock icon in Netscape locks very late</strong></a><br> <a href="#ToC49"><strong>Why do I get I/O errors with MSIE clients?</strong></a><br> <a href="#ToC50"><strong>Why do I get I/O errors with NS clients?</strong></a><br> <a href="#ToC51"><strong>About Support</strong></a><br> <a href="#ToC52"><strong>Resources in case of problems?</strong></a><br> <a href="#ToC53"><strong>Support in case of problems?</strong></a><br> <a href="#ToC54"><strong>How to write a problem report?</strong></a><br> <a href="#ToC55"><strong>I got a core dump, can you help me?</strong></a><br> <a href="#ToC56"><strong>How to get a backtrace?</strong></a><br></font></td></tr></table></div></td></tr></table><h2><a name="ToC1">About the module</a></h2><ul><p><li><a name="ToC2"></a> <a name="history"></a> <strong id="faq">What is the history of mod_ssl?</strong> [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#history"><b>L</b></a>] <p> The mod_ssl v1 package was initially created in April 1998 by <a href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> via porting <a href="mailto:ben@algroup.co.uk">Ben Laurie</a>'s <a href="http://www.apache-ssl.org/">Apache-SSL</a> 1.17 source patches for Apache 1.2.6 to Apache 1.3b6. Because of conflicts with Ben Laurie's development cycle it then was re-assembled from scratch for Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL 1.18. From this point on mod_ssl lived its own life as mod_ssl v2. The first publically released version was mod_ssl 2.0.0 from August 10th, 1998. As of this writing (August 1999) the current mod_ssl version is 2.4.0. <p> After one year of very active development with over 1000 working hours and over 40 releases mod_ssl reached its current state. The result is an already very clean source base implementing a very rich functionality. The code size increased by a factor of 4 to currently a total of over 10.000 lines of ANSI C consisting of approx. 70% code and 30% code documentation. From the original Apache-SSL code currently approx. 5% is remaining only.<p><li><a name="ToC3"></a> <a name="apssl-diff"></a> <strong id="faq">What are the functional differences between mod_ssl and Apache-SSL, from whereit is originally derived?</strong> [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#apssl-diff"><b>L</b></a>] <p> This neither can be answered in short (there were too many code changes) nor can be answered at all by the author (there would immediately be flame wars with no reasonable results at the end). But as you easily can guess from the 5% of remaining Apache-SSL code, a lot of differences exists, although user-visible backward compatibility exists for most things. <p> When you really want a detailed comparison you have to read the entries in the large <code>CHANGES</code> file that is in the mod_ssl distribution. Usually this is much too hard-core. So I recommend you to either believe in the opinion and recommendations of other users (the simplest approach) or do a comparison yourself (the most reasonable approach). For the latter, grab distributions of mod_ssl (from <a href="http://www.modssl.org/">http://www.modssl.org</a>) and Apache-SSL (from <a href="http://www.apache-ssl.org/">http://www.apache-ssl.org</a>), install both packages, read their documentation and try them out yourself. Then choose the one which pleases you most. <p> A few final hints to help direct your comparison: quality of documentation ("can you easily find answers and are they sufficient?"), quality of source code ("is the source code reviewable so you can make sure there aren't any trapdoors or inherent security risks because of bad programming style?"), easy and clean installation ("can the SSL functionality easily added to an Apache source tree without manual editing or patching?"), clean integration into Apache ("is the SSL functionality encapsulated and cleanly separated from the remaining Apache functionality?"), support for Dynamic Shared Object (DSO) facility ("can the SSL functionality built as a separate DSO for maximum flexibility?"), Win32 port ("is the SSL functionality available also under the Win32 platform?"), amount and quality of functionality ("is the provided SSL functionality and control possibilities sufficient for your situation?"), quality of problem tracing ("is it possible for you to easily trace down the problems via logfiles, etc?"), etc. pp.<p><li><a name="ToC4"></a> <a name="apssl-diff"></a> <strong id="faq">What are the major differences between mod_ssl andthe commercial alternatives like Raven or Stronghold?</strong> [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#apssl-diff"><b>L</b></a>] <p> In the past (until September 20th, 2000) the major difference was the RSA license which one received (very cheaply in contrast to a direct licensing from RSA DSI) with the commercial Apache SSL products. On the other hand, one needed this license only in the US, of course. So for non-US citizens this point was useless. But now even for US citizens the situations changed because the RSA patent expired on September 20th, 2000 and RSA DSI also placed the RSA algorithm explicitly into the public domain. <p> Second, there is the point that one has guaranteed support from the commercial vendors. On the other hand, if you monitored the Open Source quality of mod_ssl and the support activities found on <a href="mailto:modssl-users@modssl.org"> <code>modssl-users@modssl.org</code></a>, you could ask yourself whether you are really convinced that you can get better support from a commercial vendor. <p> Third, people often think they would receive perhaps at least a better technical SSL solution than mod_ssl from the commercial vendors. But this is not really true, because all commercial alternatives (Raven 1.4.x, Stronghold 3.x, RedHat SWS 2.x, etc.) <i>are</i> actually based on mod_ssl and OpenSSL. The reason for this common misunderstanding is mainly because some vendors make no attempt to make it reasonably clear that their product is actually mod_ssl based. So, do not think, just because the commercial alternatives are usually more expensive, that you are also receiving an alternative <i>technical</i> SSL solution. This is usually not the case. Actually the vendor versions of Apache, mod_ssl and OpenSSL often stay behind the latest free versions and perhaps this way still do not include important bug and security fixes. On the other hand, it sometimes occurs that a vendor version includes useful changes which are not available through the official freely available packages. But most vendors play fair and contribute back those changes to the free software world, of course. <p> So, in short: There are lots of commercial versions of the popular Apache+mod_ssl+OpenSSL server combination available. Every user should decide carefully whether they really need to buy a commercial version or whether it would not be sufficient to directly use the free and official versions of the Apache, mod_ssl and OpenSSL packages.<p><li><a name="ToC5"></a> <a name="what-version"></a> <strong id="faq">How do I know which mod_ssl version is for which Apache version?</strong> [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#what-version"><b>L</b></a>] <p> That's trivial: mod_ssl uses version strings of the syntax <em><mod_ssl-version></em>-<em><apache-version></em>, for instance <code>2.4.0-1.3.9</code>. This directly indicates that it's mod_ssl version 2.4.0 for Apache version 1.3.9. And this also means you <em>only</em> can apply this mod_ssl version to exactly this Apache version (unless you use the <code>--force</code> option to mod_ssl's <code>configure</code> command ;-).<p><li><a name="ToC6"></a> <a name="y2k"></a> <strong id="faq">Is mod_ssl Year 2000 compliant?</strong> [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#y2k"><b>L</b></a>] <p> Yes, mod_ssl is Year 2000 compliant. <p> Because first mod_ssl internally never stores years as two digits. Instead it always uses the ANSI C & POSIX numerical data type <code>time_t</code> type, which on almost all Unix platforms at the moment is a <code>signed long</code> (usually 32-bits) representing seconds since epoch of January 1st, 1970, 00:00 UTC. This signed value overflows in early January 2038 and not in the year 2000. Second, date and time presentations (for instance the variable ``<code>%{TIME_YEAR}</code>'') are done with full year value instead of abbreviating to two digits. <p> Additionally according to a <a href="http://www.apache.org/docs/misc/FAQ.html#year2000">Year 2000 statement</a> from the Apache Group, the Apache webserver is Year 2000 compliant, too. But whether OpenSSL or the underlaying Operating System (either a Unix or Win32 platform) is Year 2000 compliant is a different question which cannot be answered here.<p><li><a name="ToC7"></a> <a name="wassenaar"></a> <strong id="faq">What about mod_ssl and the Wassenaar Arrangement?</strong> [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#wassenaar"><b>L</b></a>] <p> First, let us explain what <i>Wassenaar</i> and it's <i>Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies</i> is: This is a international regime, established 1995, to control trade in conventional arms and dual-use goods and technology. It replaced the previous <i>CoCom</i> regime. 33 countries are signatories: Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Russian Federation, Slovak Republic, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom and United States. For more details look at <a href="http://www.wassenaar.org/">http://www.wassenaar.org/</a>. <p> In short: The aim of the Wassenaar Arrangement is to prevent the build up of military capabilities that threaten regional and international security and stability. The Wassenaar Arrangement controls the export of cryptography as a dual-use good, i.e., one that has both military and civilian applications. However, the Wassenaar Arrangement also provides an exemption from export controls for mass-market software and free software.⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -