SSL/TLS Strong Encryption: FAQ, Apache HTTP Server Version 2.

23.09.2015

SSL/TLS Strong Encryption: FAQ

The wise man doesn’t give the right answers, he poses the right questions.

— Claude Levi-Strauss

This chapter is a collection of frequently asked questions (FAQ) and corresponding answers following the popular USENET tradition. Most of these questions occurred on the Newsgroup comp.infosystems.www.servers.unix or the mod_ssl Support Mailing List modssl-users@modssl.org. They are collected at this place to avoid answering the same questions over and over.

About The Module
What is the history of mod_ssl?

The mod_ssl v1 package was initially created in April 1998 by Ralf S. Engelschall via porting Ben Laurie's Apache-SSL 1.17 source patches for Apache 1.2.6 to Apache 1.3b6. Because of conflicts with Ben Laurie's development cycle it was then re-assembled from scratch for Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL 1.18. From this point on mod_ssl lived its own life as mod_ssl v2. The first publicly released version was mod_ssl 2.0.0 from August 10th, 1998.

After US export restrictions on cryptographic software were loosened, mod_ssl became part of the Apache HTTP Server with the release of Apache httpd 2.

Is mod_ssl affected by the Wassenaar Arrangement?

First, let us explain what Wassenaar and its Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies is: This is an international regime, established in 1995, to control trade in conventional arms and dual-use goods and technology. It replaced the previous CoCom regime. Further details on both the Arrangement and its signatories are available at http://www.wassenaar.org/.

In short, the aim of the Wassenaar Arrangement is to prevent the build-up of military capabilities that threaten regional and international security and stability. The Wassenaar Arrangement controls the export of cryptography as a dual-use good, that is, something that has both military and civilian applications. However, the Wassenaar Arrangement also provides an exemption from export controls for mass-market software and free software.

In the current Wassenaar List of Dual Use Goods and Technologies And Munitions, under GENERAL SOFTWARE NOTE (GSN), it says: The Lists do not control "software" which is either: 1. [...] 2. "in the public domain". And under DEFINITIONS OF TERMS USED IN THESE LISTS we find "In the public domain" defined as "technology" or "software" which has been made available without restrictions upon its further dissemination. Note: Copyright restrictions do not remove "technology" or "software" from being "in the public domain".

So, both mod_ssl and OpenSSL are in the public domain for the purposes of the Wassenaar Arrangement and its List of Dual Use Goods and Technologies And Munitions List, and thus not affected by its provisions.

Installation
Why do I get permission errors related to SSLMutex when I start Apache?

Errors such as "mod_ssl: Child could not open SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows) [...] System: Permission denied (errno: 13)" are usually caused by overly restrictive permissions on the parent directories. Make sure that all parent directories (here /opt, /opt/apache and /opt/apache/logs) have the x-bit set for, at minimum, the UID under which Apache's children are running (see the User directive).
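
One way to check the parent-directory requirement described above, as an added example that is not part of the Apache documentation: it walks from / down to the lock directory and lists every directory where a given UID lacks the search (x) bit. The function names, the constructed temporary tree and the stand-in UID are assumptions; only classic mode bits are evaluated, not POSIX ACLs or SELinux policy.

```python
import os
import shutil
import stat
import tempfile


def dirs_blocking_search(path, uid, gids=()):
    """List directories from / down to `path` that `uid` cannot traverse.

    Evaluates classic mode bits only (owner, then group, then other class).
    POSIX ACLs and MAC policy such as SELinux are not considered.
    """
    if uid == 0:
        return []  # root is not subject to the search-permission check
    chain = []
    current = os.path.abspath(path)
    while True:
        chain.append(current)
        parent = os.path.dirname(current)
        if parent == current:
            break
        current = parent
    blocked = []
    for directory in reversed(chain):
        st = os.stat(directory)
        if st.st_uid == uid:
            needed = stat.S_IXUSR
        elif st.st_gid in gids:
            needed = stat.S_IXGRP
        else:
            needed = stat.S_IXOTH
        if not st.st_mode & needed:
            blocked.append(directory)
    return blocked


def demo():
    """Constructed tree mimicking <base>/apache/logs with one 0750 parent."""
    base = tempfile.mkdtemp()
    apache = os.path.join(base, "apache")
    logs = os.path.join(apache, "logs")
    os.makedirs(logs)
    for directory, mode in ((base, 0o755), (apache, 0o750), (logs, 0o755)):
        os.chmod(directory, mode)
    child_uid = os.getuid() + 1  # assumed: unrelated UID standing in for "User"
    inside = lambda found: [d for d in found if d.startswith(base)]
    before = inside(dirs_blocking_search(logs, child_uid))
    os.chmod(apache, 0o751)  # grant only search (x) to "other", not read
    after = inside(dirs_blocking_search(logs, child_uid))
    shutil.rmtree(base)
    return apache, before, after
```

On a real server, call `dirs_blocking_search` with the lock directory plus the UID and group IDs of the account named in the User directive; granting only the x-bit on a parent directory lets the children traverse it without being able to list its contents.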

Why does mod_ssl stop with the error "Failed to generate temporary 512 bit RSA private key" when I start Apache?

To prevent this error, mod_ssl has to provide enough entropy to the PRNG to allow it to work correctly. This can be done via the SSLRandomSeed directive.

Configuration
Is it possible to provide HTTP and HTTPS from the same server?

Yes. HTTP and HTTPS use different server ports (HTTP binds to port 80, HTTPS to port 443), so there is no direct conflict between them. You can either run two separate server instances bound to these ports, or use Apache's elegant virtual hosting facility to create two virtual servers, both served by the same instance of Apache: one responding over HTTP to requests on port 80, and the other responding over HTTPS to requests on port 443.

Which port does HTTPS use?

Source: SSL/TLS Strong Encryption: FAQ — Apache HTTP Server Version 2.2