Apache-SSL

Last updated: September 20, 1999


Scrambling for Safety 3.5 - Thursday September 23 1999
This will be the second conference of 1999, and has been called in response to the exceptional circumstance of two official DTI consultations in the same year, and the Home Office's recent consultation on revising the Interception of Communications Act to cover the Internet.

Main Features

What is Apache-SSL?

Apache-SSL is a secure Webserver, based on Apache and SSLeay/OpenSSL. It is licensed under a BSD-style licence, which means, in short, that you are free to use it for commercial or non-commercial purposes (although you are advised to read the SSLeay "Is this legal?" FAQ before deploying a server, since patent and export rules on cryptography vary by country), so long as you retain the copyright notices. This is the same licence as used by Apache from version 0.8.15.

Download

Current release: apache_1.3.9+ssl_1.37
Release date: September 9, 1999

You will also need openssl-0.9.4, which you can find here.

Apache-SSL source patches can be found on the following UK master distribution sites:

and additional FTP mirrors at:

or HTTP mirrors at:

O/S specific versions:

What do I get?

What you get is a set of patches for Apache (available for versions 1.2.0+ and 1.3.0+), some extra source files, a few READMEs and example configuration files. The patches must be applied to the Apache source, and the result compiled and linked with SSLeay (version 0.5.1b+) or OpenSSL. The modified source will still compile a standard Apache as well as Apache-SSL.

Keeping up to date

The best way to become aware of upgrades is to join the announce mailing list, where new versions are announced.

Bug fixes and patches

Send any bug fixes or enhancements to ben@algroup.co.uk.

Feel free to report bugs or problems to the same place, but I make no promises (unless you want to pay me).

Commercial support

Commercial support is available for both Apache and Apache-SSL. Email me at ben@algroup.co.uk if you are interested.

Digital Certificates

The following companies have requested links to their pages. I do not endorse, recommend, or in any way associate myself with these organisations. They are listed in the order they made the requests.

Digital certificates are available for Apache-SSL from:

PGP key

Should you wish to send me private mail, my PGP key can be found here. Please only use it if it is needed; I hate typing my pass phrase.

FAQ

Why does my browser just hang when I connect to Apache-SSL?

Because you used http: instead of https:. Really. The browser sends a plaintext HTTP request to a port on which the server is waiting for an SSL handshake, so the browser never receives an HTTP reply and sits there waiting.

Also, if you see:

SSL_Accept failed error:140760EB:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

in your error log, it's for the same reason: the bytes that arrived where the server expected a ClientHello were not SSL at all.

The patches don't apply, what's wrong?

If you get:

$ patch < SSLpatch
  Looks like a new-style context diff.
File to patch:

and not much else, then you've probably got an old version of patch: find 2.1 or later and try again. Alternatively, you may have a newer "improved" version of patch (2.5, for example), in which case run "patch -p1 < SSLpatch" from the top of the Apache source tree.

I know that HTTP is on port 80, but where is HTTPS?

You can run HTTPS on any port, but the standard assigns port 443, which is where any compliant browser will look by default. You can force your browser to look on a different port by specifying it in the URL like this:

https://secure.server.hell:666

I want to run secure and non-secure servers on the same machine. Is that possible?

There are two ways to do this: run two server daemons, or run both services from the same daemon. Unless there is a good reason to run two (like using a different product for secure/non-secure), it's usually simplest to run a single daemon and disable SSL on those virtual hosts that don't need it. If you wish to run two daemons you must make sure that each one only tries to bind to its allotted ports (normally port 80 for non-secure and 443 for secure), otherwise the second daemon will fail to start because the first already holds the socket. If you wish to run a single daemon, here's an example config file showing how you might do it.

Now I've got my server installed, how do I create a test certificate?

Step one - create the key and request. By default this writes the new private key, encrypted with the passphrase you are prompted for, to privkey.pem, and the request to standard output:

  openssl req -new > new.cert.csr

Step two - remove the passphrase from the key (optional). Without a passphrase the server can start unattended, but the key file is then protected only by its file permissions, so make it readable by root alone:

  openssl rsa -in privkey.pem -out new.cert.key

Step three - convert the request into a self-signed cert, valid for 365 days. Browsers will warn about a certificate that is not signed by a CA they trust, which is fine for testing but not for production:

   openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365

The Apache-SSL directives that you need to use the resulting cert are:

  SSLCertificateFile /path/to/certs/new.cert.cert
  SSLCertificateKeyFile /path/to/certs/new.cert.key
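The following is an added example, not code from the Apache-SSL distribution or from this page: a POSIX shell script that carries out the three certificate steps above with a current openssl (which accepts the same options, combining steps one and two by generating the key without a passphrase), checks that the resulting cert and key belong together, and emits the single-daemon plain/SSL virtual-host configuration that the previous question refers to. The openssl binary on PATH, the 2048-bit key size, the 192.0.2.10 address, the example.com names and the /var/www and gcache paths are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not part of Apache-SSL): make a self-signed test certificate
# and a split plain/SSL virtual-host config for a single Apache-SSL daemon.
# Assumes the openssl CLI is on PATH; names, address and paths are made up.
set -eu

# make_test_cert DIR CN
# Produces DIR/new.cert.key (no passphrase) and DIR/new.cert.cert (self-signed).
make_test_cert() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    # Steps one and two of the page together: a fresh RSA key with no
    # passphrase (-nodes) plus a request whose subject is just the server name.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/new.cert.key" -out "$dir/new.cert.csr" 2>/dev/null
    # Step three: turn the request into a certificate signed by its own key.
    openssl x509 -req -in "$dir/new.cert.csr" -signkey "$dir/new.cert.key" \
        -days 365 -out "$dir/new.cert.cert" 2>/dev/null
    # An unencrypted key is only as private as the file holding it.
    chmod 600 "$dir/new.cert.key"
}

# cert_matches_key DIR
# Succeeds when the certificate carries the public half of the key file; a
# mismatch is the usual reason a freshly installed cert stops httpsd starting.
cert_matches_key() {
    [ "$(openssl x509 -in "$1/new.cert.cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/new.cert.key" -pubout)" ]
}

# cert_cn DIR
# Prints the CN from the certificate subject (works with old and new openssl
# subject formats, "/CN=x" and "CN = x").
cert_cn() {
    openssl x509 -in "$1/new.cert.cert" -noout -subject | sed 's/.*CN *= *//'
}

# write_vhost_conf DIR
# Emits an httpsd.conf fragment on stdout: one daemon, port 80 plain, 443 SSL.
write_vhost_conf() {
    cat <<EOF
# Bind only the two ports this daemon owns.
Listen 80
Listen 443

# Apache-SSL's session cache daemon (paths are assumptions).
SSLCacheServerPath /usr/local/apache/bin/gcache
SSLCacheServerPort /var/run/gcache_port
SSLSessionCacheTimeout 300

# Plain HTTP host: SSL is on by default in Apache-SSL, so switch it off here.
<VirtualHost 192.0.2.10:80>
    SSLDisable
    ServerName www.example.com
    DocumentRoot /var/www/plain
</VirtualHost>

# HTTPS host. It must be selected by address:port, not by name: the server
# sends the certificate before any Host header arrives, so name-based SSL
# virtual hosts cannot work.
<VirtualHost 192.0.2.10:443>
    SSLEnable
    ServerName secure.example.com
    DocumentRoot /var/www/secure
    SSLCertificateFile $1/new.cert.cert
    SSLCertificateKeyFile $1/new.cert.key
</VirtualHost>
EOF
}
```

Source the script and run, for example, `make_test_cert /path/to/certs secure.example.com` followed by `write_vhost_conf /path/to/certs > httpsd-vhosts.conf`; `cert_matches_key /path/to/certs` is worth running again after installing a CA-issued certificate over the self-signed one, since that is when the key and cert most often get out of step.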

How do I access client certs from my CGI?

In release apache_1.3.2+ssl_1.27 and above, you can use the directive:

  SSLExportClientCertificates

which will create environment variables containing the contents of client certs (the client's own cert and each cert in its chain). For more details, see the SSLExportClientCertificates section in the docs. There is also a working example at: https://www.apache-ssl.org/cgi/cert-export

How do I install FrontPage98 Extensions with Apache-SSL?

Bertrand Renuart has details of how to do this on his web site at http://www.itma.lu/howto/apache.

When installing a Verisign cert, why can't I find "getca" or "getverisign"?

This is because Verisign has never provided Apache-SSL specific instructions. Rather, they tell you what you should do if you were using Stronghold (a commercial Apache-based server with SSL support), and "getca" and "getverisign" are Stronghold tools.

The only thing you should do is to save the cert into a file and give the name of that file to the SSLCertificateFile directive. Remember that you also need to give the key file, the one whose request you sent to Verisign, in the SSLCertificateKeyFile directive; a cert paired with the wrong key will not start.

Common compile errors

  gcc -c  -I../os/unix -I../include -I/usr/local/ssl/include   -funsigned-char -DTARGET=\"httpsd\" -DAPACHE_SSL `../apaci` -DAPACHE_SSL buff.c
  buff.c: In function `ap_read':
  buff.c:259: structure has no member named `stats'
  buff.c:267: structure has no member named `stats'
  buff.c:268: structure has no member named `stats'
  buff.c:269: structure has no member named `stats'
  buff.c:271: structure has no member named `stats'
  buff.c: In function `ap_write':
  buff.c:346: warning: passing arg 2 of `SSL_write' discards `const' from pointer target type
  *** Error code 1

These errors mean you are compiling against SSLeay, or an OpenSSL older than the patch expects, whose headers lack fields the patched buff.c uses. You need to upgrade to the OpenSSL release listed under Download and rebuild.

Is Apache-SSL Y2K Compliant?

Apache-SSL does not add any date processing to the underlying components, so does not affect the overall compliance of your system. The main component, Apache, has this to say on the matter. You should also check your operating system, hardware and any other modules you include.

Mailing Lists

There are two Apache-SSL mailing lists. For support and general help from the Apache-SSL community, send a blank email to mailto:apache-ssl-help@lists.aldigital.co.uk?SUBJECT=anyoldthing. This is probably the most direct route to getting arbitrary questions answered. However, BEFORE posting your question, please check that it hasn't already been answered by searching the archive.

If you simply wish to keep up to date, and to be made aware of new releases and important announcements, then mailto:apache-sslannounce-help@lists.aldigital.co.uk?SUBJECT=sameoldsameold is the one for you.

Apache-SSL is not mod_ssl

There appears to be some confusion regarding Apache-SSL and mod_ssl. To set the record straight: mod_ssl is not a replacement for Apache-SSL - it is an alternative, in the same way that Apache is an alternative to Netscape/Microsoft servers, or Linux is an alternative to FreeBSD. It is a matter of personal choice as to which you run. mod_ssl is what is known as a 'split' (a fork) - i.e. it was originally derived from Apache-SSL, but has been extensively redeveloped, so the code now bears little relation to the original.

Apache-SSL continues to be developed and maintained, our main focus being on reliability, security and performance, rather than features and bells and whistles. I hope this makes things clear. (Adam Laurie).

Links

Other related web resources:

Mirror Web Sites

Credits

Apache-SSL was written by Ben Laurie, who is also an Apache core team member, and an OpenSSL core team member.
The development of Apache-SSL is sponsored by A.L. Digital Ltd., and this site is hosted by them.
Info on FTP mirror sites, CAs, Links, etc., should be sent to: The Web Slaves.

Apache-SSL graphics courtesy of Jamie Harrison and The WoW Foundation, based on the original feather by Randy Terbush. Feel free to replicate.



Team A.L. Digital && Apache-SSL Distributed Computing

A.L. Digital Ltd. participate in the Distributed Net encryption cracking efforts, as do many of our friends. To see how our team is doing, click the team logo above. To read more about the project, click on the banner above. To join our team, affiliate yourself with team no. 5209. For your personal privacy, the team membership listing is not open to the public, and we promise not to use it ourselves. For anything.



Copyright © 1995,6,7,8,9 Ben Laurie, Adam Laurie.