©
Ce document utiliseManuel du site Web PHP chinoisLibérer
The wise man doesn't give the right answers, he poses the right questions.
--Claude Levi-Strauss
This chapter is a collection of frequently asked questions (FAQ) and corresponding answers following the popular USENET tradition. Most of these questions occurred on the Newsgroupcomp.infosystems.www.servers.unix
or the mod_ssl Support Mailing Listmodssl-users@modssl.org
. They are collected at this place to avoid answering the same questions over and over.
Please read this chapter at least once when installing mod_ssl or at least search for your problem here before submitting a problem report to the author.
The mod_ssl v1 package was initially created in April 1998 by Ralf S. Engelschall via porting Ben Laurie's Apache-SSL 1.17 source patches for Apache 1.2.6 to Apache 1.3b6. Because of conflicts with Ben Laurie's development cycle it then was re-assembled from scratch for Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL 1.18. From this point on mod_ssl lived its own life as mod_ssl v2. The first publicly released version was mod_ssl 2.0.0 from August 10th, 1998.
After US export restrictions on cryptographic software were loosened,mod_ssl
became part of the Apache HTTP Server with the release of Apache httpd 2.
First, let us explain whatWassenaarand itsArrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologiesis: This is a international regime, established in 1995, to control trade in conventional arms and dual-use goods and technology. It replaced the previousCoComregime. Further details on both the Arrangement and its signatories are available at http://www.wassenaar.org/.
In short, the aim of the Wassenaar Arrangement is to prevent the build up of military capabilities that threaten regional and international security and stability. The Wassenaar Arrangement controls the export of cryptography as a dual-use good, that is, something that has both military and civilian applications. However, the Wassenaar Arrangement also provides an exemption from export controls for mass-market software and free software.
In the current WassenaarList of Dual Use Goods and Technologies And Munitions, underGENERAL SOFTWARE NOTE (GSN)
it saysThe Lists do not control "software" which is either: 1. [...] 2. "in the public domain".
And underDEFINITIONS OF TERMS USED IN THESE LISTS
we findIn the public domain
defined as"technology" or "software" which has been made available without restrictions upon its further dissemination. Note: Copyright restrictions do not remove "technology" or "software" from being "in the public domain".
So, both mod_ssl and OpenSSL arein the public domain
for the purposes of the Wassenaar Arrangement and itsList of Dual Use Goods and Technologies And Munitions List
, and thus not affected by its provisions.
Errors such as "mod_ssl: Child could not open SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows) [...] System: Permission denied (errno: 13)
" are usually caused by overly restrictive permissions on theparentdirectories. Make sure that all parent directories (here/opt
,/opt/apache
和/opt/apache/logs
) have the x-bit set for, at minimum, the UID under which Apache's children are running (see theUser
directive).
Cryptographic software needs a source of unpredictable data to work correctly. Many open source operating systems provide a "randomness device" that serves this purpose (usually named/dev/random
). On other systems, applications have to seed the OpenSSL Pseudo Random Number Generator (PRNG) manually with appropriate data before generating keys or performing public key encryption. As of version 0.9.5, the OpenSSL functions that need randomness report an error if the PRNG has not been seeded with at least 128 bits of randomness.
To prevent this error,mod_ssl
has to provide enough entropy to the PRNG to allow it to work correctly. This can be done via theSSLRandomSeed
directives.
SSL_XXX
variables not available to my CGI & SSI scripts?Yes. HTTP and HTTPS use different server ports (HTTP binds to port 80, HTTPS to port 443), so there is no direct conflict between them. You can either run two separate server instances bound to these ports, or use Apache's elegant virtual hosting facility to create two virtual servers over one instance of Apache - one responding to requests on port 80 and speaking HTTP and the other responding to requests on port 443 speaking HTTPS.
You can run HTTPS on any port, but the standards specify port 443, which is where any HTTPS compliant browser will look by default. You can force your browser to look on a different port by specifying it in the URL like this (for port 666):https://secure.server.dom:666/
While you usually just use
$ telnet localhost 80
GET / HTTP/1.0
for simple testing of Apache via HTTP, it's not so easy for HTTPS because of the SSL protocol between TCP and HTTP. With the help of OpenSSL'ss_client
command, however, you can do a similar check for HTTPS:
$ openssl s_client -connect localhost:443 -state -debug
GET / HTTP/1.0
Before the actual HTTP response you will receive detailed information about the SSL handshake. For a more general command line client which directly understands both HTTP and HTTPS, can perform GET and POST operations, can use a proxy, supports byte ranges, etc. you should have a look at the nifty cURL tool. Using this, you can check that Apache is responding correctly on ports 80 and 443 as follows:
$ curl http://localhost/
$ curl https://localhost/
Because you connected with HTTP to the HTTPS port, i.e. you used an URL of the form "http://
" instead of "https://
". This also happens the other way round when you connect via HTTPS to a HTTP port, i.e. when you try to use "https://
" on a server that doesn't support SSL (on this port). Make sure you are connecting to a virtual server that supports SSL, which is probably the IP associated with your hostname, not localhost (127.0.0.1).
This can happen for various reasons. The most common mistakes include starting Apache with justapachectl start
(orhttpd
) instead ofapachectl startssl
(orhttpd -DSSL
). Your configuration may also be incorrect. Please make sure that yourListen
directives match your
directives. If all else fails, please start afresh, using the default configuration provided bymod_ssl
.
SSL_XXX
variables not available to my CGI & SSI scripts?Please make sure you have "SSLOptions +StdEnvVars
" enabled for the context of your CGI/SSI requests.
Usually, to switch between HTTP and HTTPS, you have to use fully-qualified hyperlinks (because you have to change the URL scheme). Usingmod_rewrite
however, you can manipulate relative hyperlinks, to achieve the same effect.
RewriteEngine on
RewriteRule ^/(.*):SSL$ https://%{SERVER_NAME}/$1 [R,L]
RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [R,L]
This rewrite ruleset lets you use hyperlinks of the form, to switch to HTTPS in a relative link.
getca
或getverisign
programs mentioned by Verisign, for installing my Verisign certificate?An RSA private key file is a digital file that you can use to decrypt messages sent to you. It has a public component which you distribute (via your Certificate file) which allows people to encrypt those messages to you.
A Certificate Signing Request (CSR) is a digital file which contains your public key and your name. You send the CSR to a Certifying Authority (CA), who will convert it into a real Certificate, by signing it.
A Certificate contains your RSA public key, your name, the name of the CA, and is digitally signed by the CA. Browsers that know the CA can verify the signature on that Certificate, thereby obtaining your RSA public key. That enables them to send messages which only you can decrypt.
See the 简介 chapter for a general description of the SSL protocol.
Yes. In general, starting Apache withmod_ssl
built-in is just like starting Apache without it. However, if you have a passphrase on your SSL private key file, a startup dialog will pop up which asks you to enter the pass phrase.
Having to manually enter the passphrase when starting the server can be problematic - for example, when starting the server from the system boot scripts. In this case, you can follow the steps below to remove the passphrase from your private key.
PATH
.server.key
和server.crt
files:$ openssl req -new -x509 -nodes -out server.crt -keyout server.key
httpd.conf
file:SSLCertificateFile /path/to/this/server.crt SSLCertificateKeyFile /path/to/this/server.key
server.key
doesnothave any passphrase. To add a passphrase to the key, you should run the following command, and enter & verify the passphrase as requested.$ openssl rsa -des3 -in server.key -out server.key.new
$ mv server.key.new server.key
server.key
file, and the passphrase you entered, in a secure location.Here is a step-by-step description:
PATH
.$ openssl genrsa -des3 -out server.key 1024
server.key
file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key by using the command:$ openssl rsa -noout -text -in server.key
$ openssl rsa -in server.key -out server.key.unsecure
$ openssl req -new -key server.key -out server.csr
https://www.foo.dom/
, enter "www.foo.dom" here. You can see the details of this CSR by using$ openssl req -noout -text -in server.csr
$ openssl x509 -noout -text -in server.crt
server.key
和server.crt
. These can be used as follows in yourhttpd.conf
file:SSLCertificateFile /path/to/this/server.crt SSLCertificateKeyFile /path/to/this/server.keyThe
server.csr
file is no longer needed.The short answer is to use theCA.sh
或CA.pl
script provided by OpenSSL. Unless you have a good reason not to, you should use these for preference. If you cannot, you can create a self-signed Certificate as follows:
$ openssl genrsa -des3 -out server.key 1024
host.key
file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key by using the command:$ openssl rsa -noout -text -in server.key
$ openssl rsa -in server.key -out server.key.unsecure
$ openssl req -new -x509 -nodes -sha1 -days 365 -key server.key -out server.crt
server.crt
file.$ openssl x509 -noout -text -in server.crt
You simply have to read it with the old pass-phrase and write it again, specifying the new pass-phrase. You can accomplish this with the following commands:
$ openssl rsa -des3 -in server.key -out server.key.new
$ mv server.key.new server.key
The first time you're asked for a PEM pass-phrase, you should enter the old pass-phrase. After that, you'll be asked again to enter a pass-phrase - this time, use the new pass-phrase. If you are asked to verify the pass-phrase, you'll need to enter the new pass-phrase a second time.
The reason this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed decrypt this file, so it can be read and parsed. Removing the pass-phrase removes a layer of security from your server - proceed with caution!
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
$ chmod 400 server.key
Nowserver.key
contains an unencrypted copy of the key. If you point your server at this file, it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on this file are such that only root or the web server user can read it (preferably get your web server to start as root but run as another user, and have the key readable only by root).
As an alternative approach you can use the "SSLPassPhraseDialog exec:/path/to/program
" facility. Bear in mind that this is neither more nor less secure, of course.
A private key contains a series of numbers. Two of these numbers form the "public key", the others are part of the "private key". The "public key" bits are included when you generate a CSR, and subsequently form part of the associated Certificate.
To check that the public key in your Certificate matches the public portion of your private key, you simply need to compare these numbers. To view the Certificate and the key run the commands:
$ openssl x509 -noout -text -in server.crt
$ openssl rsa -noout -text -in server.key
The 'modulus' and the 'public exponent' portions in the key and the Certificate must match. As the public exponent is usually 65537 and it's difficult to visually check that the long modulus numbers are the same, you can use the following approach:
$ openssl x509 -noout -modulus -in server.crt | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5
This leaves you with two rather shorter numbers to compare. It is, in theory, possible that these numbers may be the same, without the modulus numbers being the same, but the chances of this are overwhelmingly remote.
Should you wish to check to which key or certificate a particular CSR belongs you can perform the same calculation on the CSR as follows:
$ openssl req -noout -modulus -in server.csr | openssl md5
Errors such asOpenSSL: error:14094412: SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
in the SSL logfile, are usually caused a browser which is unable to handle the server certificate/private-key. For example, Netscape Navigator 3.x is unable to handle RSA key lengths not equal to 1024 bits.
The private key sizes for SSL must be either 512 or 1024 bits, for compatibility with certain web browsers. A keysize of 1024 bits is recommended because keys larger than 1024 bits are incompatible with some versions of Netscape Navigator and Microsoft Internet Explorer, and with other browsers that use RSA's BSAFE cryptography toolkit.
The CA certificates under the path you configured withSSLCACertificatePath
are found by SSLeay through hash symlinks. These hash values are generated by the 'openssl x509 -noout -hash
' command. However, the algorithm used to calculate the hash for a certificate changed between SSLeay 0.8 and 0.9. You will need to remove all old hash symlinks and create new ones after upgrading. Use theMakefile
provided bymod_ssl
.
The default certificate format for SSLeay/OpenSSL is PEM, which is simply Base64 encoded DER, with header and footer lines. For some applications (e.g. Microsoft Internet Explorer) you need the certificate in plain DER format. You can convert a PEM filecert.pem
into the corresponding DER filecert.der
using the following command:$ openssl x509 -in cert.pem -out cert.der -outform DER
getca
或getverisign
programs mentioned by Verisign, for installing my Verisign certificate?Verisign has never provided specific instructions for Apache+mod_ssl. The instructions provided are for C2Net's Stronghold (a commercial Apache based server with SSL support).
To install your certificate, all you need to do is to save the certificate to a file, and give the name of that file to theSSLCertificateFile
directive. You will also need to give it the key file. For more information, see theSSLCertificateKeyFile
directive.
Yes.mod_ssl
has included support for the SGC facility since version 2.1. No special configuration is required - just use the Global ID as your server certificate. Thestep upof the clients is then automatically handled bymod_ssl
at run-time.
Verisign uses an intermediate CA certificate between the root CA certificate (which is installed in the browsers) and the server certificate (which you installed on the server). You should have received this additional CA certificate from Verisign. If not, complain to them. Then, configure this certificate with theSSLCertificateChainFile
directive. This ensures that the intermediate CA certificate is sent to the browser, filling the gap in the certificate chain.
There can be a number of reasons for this, but the main one is problems with the SSL session Cache specified by theSSLSessionCache
directive. The DBM session cache is the most likely source of the problem, so using the SHM session cache (or no cache at all) may help.
SSL uses strong cryptographic encryption, which necessitates a lot of number crunching. When you request a webpage via HTTPS, everything (even the images) is encrypted before it is transferred. So increased HTTPS traffic leads to load increases.
This is usually caused by a/dev/random
device forSSLRandomSeed
which blocks the read(2) call until enough entropy is available to service the request. More information is available in the reference manual for theSSLRandomSeed
directive.
Usually, any SSL ciphers supported by the version of OpenSSL in use, are also supported bymod_ssl
. Which ciphers are available can depend on the way you built OpenSSL. Typically, at least the following ciphers are supported:
To determine the actual list of ciphers available, you should run the following:
$ openssl ciphers -v
By default, OpenSSL doesnotallow ADH ciphers, for security reasons. Please be sure you are aware of the potential side-effects if you choose to enable these ciphers.
In order to use Anonymous Diffie-Hellman (ADH) ciphers, you must build OpenSSL with "-DSSL_ALLOW_ADH
", and then add "ADH
" into yourSSLCipherSuite
.
Either you have made a mistake with yourSSLCipherSuite
directive (compare it with the pre-configured example inhttpd.conf-dist
) or you chose to use DSA/DH algorithms instead of RSA when you generated your private key and ignored or overlooked the warnings. If you have chosen DSA/DH, then your server cannot communicate using RSA-based SSL ciphers (at least until you configure an additional RSA-based certificate/key pair). Modern browsers like NS or IE can only communicate over SSL using RSA ciphers. The result is the "no shared ciphers" error. To fix this, regenerate your server certificate/key pair, using the RSA algorithm.
The reason is very technical, and a somewhat "chicken and egg" problem. The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established Apache/mod_ssl has to negotiate the SSL protocol parameters with the client. For this, mod_ssl has to consult the configuration of the virtual server (for instance it has to look for the cipher suite, the server certificate, etc.). But in order to go to the correct virtual server Apache has to know theHost
HTTP header field. To do this, the HTTP request header has to be read. This cannot be done before the SSL handshake is finished, but the information is needed in order to complete the SSL handshake phase. Bingo!
Name-Based Virtual Hosting is a very popular method of identifying different virtual hosts. It allows you to use the same IP address and the same port number for many different sites. When people move on to SSL, it seems natural to assume that the same method can be used to have lots of different SSL virtual hosts on the same server.
It comes as rather a shock to learn that it is impossible.
The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction, that takes place before the HTTP session has begun. The server receives an SSL request on IP address X and port Y (usually 443). Since the SSL request does not contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds, which matches the port and IP address specified.
You can, of course, use Name-Based Virtual Hosting to identify many non-SSL virtual hosts (all on port 80, for example) and then have a single SSL virtual host (on port 443). But if you do this, you must make sure to put the non-SSL port number on the NameVirtualHost directive, e.g.
NameVirtualHost 192.168.1.1:80
Other workaround solutions include:
Using separate IP addresses for different SSL hosts. Using different port numbers for different SSL hosts.
Although SSL compression negotiation was defined in the specification of SSLv2 and TLS, it took until May 2004 for RFC 3749 to define DEFLATE as a negotiable standard compression method.
OpenSSL 0.9.8 started to support this by default when compiled with thezlib
option. If both the client and the server support compression, it will be used. However, most clients still try to initially connect with an SSLv2 Hello. As SSLv2 did not include an array of prefered compression algorithms in its handshake, compression cannot be negotiated with these clients. If the client disables support for SSLv2, either an SSLv3 or TLS Hello may be sent, depending on which SSL library is used, and compression may be set up. You can verify whether clients make use of SSL compression by logging the%{SSL_COMPRESS_METHOD}x
variable.
No, the username/password is transmitted encrypted. The icon in Netscape browsers is not actually synchronized with the SSL/TLS layer. It only toggles to the locked state when the first part of the actual webpage data is transferred, which may confuse people. The Basic Authentication facility is part of the HTTP layer, which is above the SSL/TLS layer in HTTPS. Before any HTTP data communication takes place in HTTPS, the SSL/TLS layer has already completed its handshake phase, and switched to encrypted communication. So don't be confused by this icon.
The first reason is that the SSL implementation in some MSIE versions has some subtle bugs related to the HTTP keep-alive facility and the SSL close notify alerts on socket connection close. Additionally the interaction between SSL and HTTP/1.1 features are problematic in some MSIE versions. You can work around these problems by forcing Apache not to use HTTP/1.1, keep-alive connections or send the SSL close notify messages to MSIE clients. This can be done by using the following directive in your SSL-aware virtual host section:
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
Further, some MSIE versions have problems with particular ciphers. Unfortunately, it is not possible to implement a MSIE-specific workaround for this, because the ciphers are needed as early as the SSL handshake phase. So a MSIE-specificSetEnvIf
won't solve these problems. Instead, you will have to make more drastic adjustments to the global parameters. Before you decide to do this, make sure your clients really have problems. If not, do not make these changes - they will affectallyour clients, MSIE or otherwise.
The next problem is that 56bit export versions of MSIE 5.x browsers have a broken SSLv3 implementation, which interacts badly with OpenSSL versions greater than 0.9.4. You can accept this and require your clients to upgrade their browsers, you can downgrade to OpenSSL 0.9.4 (not advised), or you can work around this, accepting that your workaround will affect other browsers too:
SSLProtocol all -SSLv3
will completely disables the SSLv3 protocol and allow those browsers to work. A better workaround is to disable only those ciphers which cause trouble.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
This also allows the broken MSIE versions to work, but only removes the newer 56bit TLS ciphers.
Another problem with MSIE 5.x clients is that they refuse to connect to URLs of the formhttps://12.34.56.78/
(where IP-addresses are used instead of the hostname), if the server is using the Server Gated Cryptography (SGC) facility. This can only be avoided by using the fully qualified domain name (FQDN) of the website in hyperlinks instead, because MSIE 5.x has an error in the way it handles the SGC negotiation.
And finally there are versions of MSIE which seem to require that an SSL session can be reused (a totally non standard-conforming behaviour, of course). Connecting with those MSIE versions only work if a SSL session cache is used. So, as a work-around, make sure you are using a session cache (see theSSLSessionCache
directive).
This usually occurs when you have created a new server certificate for a given domain, but had previously told your browser to always accept the old server certificate. Once you clear the entry for the old certificate from your browser, everything should be fine. Netscape's SSL implementation is correct, so when you encounter I/O errors with Netscape Navigator it is usually caused by the configured certificates.
The following information resources are available. In case of problems you should search here first.
The following lists all support possibilities for mod_ssl, in order of preference. Please go through these possibilitiesin this order- don't just pick the one you like the look of.
You should always provide at least the following information:
httpd -v
. The OpenSSL version can be determined by running
openssl version
. Alternatively, if you have Lynx installed, you can run the command
lynx -mime_header http://localhost/ | grep Server
to gather this information in a single step.
configure
command line you used.
In general no, at least not unless you provide more details about the code location where Apache dumped core. What is usually always required in order to help you is a backtrace (see next question). Without this information it is mostly impossible to find the problem and help you in fixing it.
Following are the steps you will need to complete, to get a backtrace:
OPTIM="-g -ggdb3"
" to get this. On other platforms at least "OPTIM="-g"
" is needed.CoreDumpDirectory /tmp
" to make sure that the core-dump file can be written. This should result in a/tmp/core
或/tmp/httpd.core
file. If you don't get one of these, try running your server under a non-root UID. Many modern kernels do not allow a process to dump core after it has done asetuid()
(unless it does anexec()
) for security reasons (there can be privileged information left over in memory). If necessary, you can run/path/to/httpd -X
manually to force Apache to not fork.gdb /path/to/httpd /tmp/httpd.core
or a similar command. In GDB, all you have to do then is to enterbt
, and voila, you get the backtrace. For other debuggers consult your local debugger manual.