September 9, 1999
Apache-SSL source patches can be found on the following UK master distribution sites:
and additional FTP mirrors at:
Feel free to report bugs or problems to the same place, but I make no promises (unless you want to pay me).
Digital certificates are available for Apache-SSL from:
Because you used
http: instead of
Also, if you see:
SSL_Accept failed error:140760EB:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
in your error log, it's for the same reason.
The patches don't apply, what's wrong?
If you get:
$ patch < SSLpatch
Looks like a new-style context diff.
File to patch:
and not much else, then you've probably got an old version of patch. Go and find 2.1 or better, and try again. Alternatively, you may have a new "improved" version of patch (for example, 2.5), in which case do "patch -p1 < SSLpatch".
I know that HTTP is on port 80, but where is HTTPS?
You can run HTTPS on any port, but the standard specifies port 443, which is where any compliant browser will look by default. You can force your browser to look on a different port by specifying it in the URL like this:
I want to run secure and non-secure servers on the same machine. Is that possible?
There are two ways to do this: run two server daemons, or run both services from the same daemon. Unless there is a good reason to run two (like using a different product for secure/non-secure), it's usually simplest to run a single daemon and disable SSL on those virtual hosts that don't need it. If you wish to run two daemons, you must make sure that each one binds only to its allotted port (normally port 80 for non-secure and 443 for secure). If you wish to run a single daemon, here's an example config file showing how you might do it.
Now I've got my server installed, how do I create a test certificate?
Step one - create the key and request:
openssl req -new > new.cert.csr
Step two - remove the passphrase from the key (optional):
openssl rsa -in privkey.pem -out new.cert.key
Step three - convert request into signed cert:
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365
The Apache-SSL directives that you need to use the resulting cert are:
SSLCertificateFile /path/to/certs/new.cert.cert
SSLCertificateKeyFile /path/to/certs/new.cert.key
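The three steps above as a non-interactive script, followed by checks that the certificate and key belong together and that the passphrase really was removed. This is an added example, not part of the original FAQ; the subject /CN=localhost, the throwaway passphrase, the 2048-bit key size and the function names are assumptions.

```shell
#!/bin/sh
# Added example: the FAQ's three steps run without prompts, then verified.
# Constructed values: subject "/CN=localhost" and the throwaway passphrase.
PASS='pass:constructed-test-passphrase'

# make_test_cert DIR: write privkey.pem, new.cert.csr, new.cert.key and
# new.cert.cert into DIR, using the FAQ's file names.
make_test_cert() {
    dir=$1
    ( umask 077                      # key files must not be world-readable
      cd "$dir" || exit 1
      # Step one: passphrase-protected key plus certificate request.
      openssl req -new -newkey rsa:2048 -subj '/CN=localhost' \
          -passout "$PASS" -keyout privkey.pem -out new.cert.csr \
          2>/dev/null || exit 1
      # Step two (optional): strip the passphrase so the server can start
      # unattended; file permissions are now the key's only protection.
      openssl rsa -in privkey.pem -passin "$PASS" -out new.cert.key \
          2>/dev/null || exit 1
      # Step three: self-sign the request for 365 days.
      openssl x509 -req -in new.cert.csr -signkey new.cert.key \
          -days 365 -out new.cert.cert 2>/dev/null || exit 1
    )
}

# cert_matches_key CERT KEY: succeed only if the public key inside CERT is
# the one derived from the private key in KEY.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# key_is_unencrypted KEY: succeed if the PEM file carries no encryption
# marker ("ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED").
key_is_unencrypted() {
    [ -f "$1" ] && ! grep -q 'ENCRYPTED' "$1"
}
```

Run `make_test_cert /path/to/certs` and then `cert_matches_key` on the two files before pointing SSLCertificateFile and SSLCertificateKeyFile at them.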
How do I access client certs from my CGI?
In release apache_1.3.2+ssl_1.27 and above, you can use the directive:
SSLExportClientCertificates
which will create environment variables containing the contents of client certs. For more details, see the SSLExportClientCertificates section in the docs.
There is also a working example at: https://www.apache-ssl.org/cgi/cert-export
How do I install FrontPage98 Extensions with Apache-SSL?
Bertrand Renuart has details of how to do this on his web site at http://www.itma.lu/howto/apache.
When installing a Verisign cert, why can't I find "getca" or "getverisign"?
This is because Verisign has never provided Apache-SSL specific instructions. Rather, they tell you what you should do if you were using Stronghold (a commercial Apache-based server with SSL support).
The only thing you should do is to save the cert into a file and give the name of that file to the SSLCertificateFile directive. Remember that you also need to supply the key file (SSLCertificateKeyFile directive).
Common compile errors
gcc -c -I../os/unix -I../include -I/usr/local/ssl/include -funsigned-char -DTARGET=\"httpsd\" -DAPACHE_SSL `../apaci` -DAPACHE_SSL buff.c
buff.c: In function `ap_read':
buff.c:259: structure has no member named `stats'
buff.c:267: structure has no member named `stats'
buff.c:268: structure has no member named `stats'
buff.c:269: structure has no member named `stats'
buff.c:271: structure has no member named `stats'
buff.c: In function `ap_write':
buff.c:346: warning: passing arg 2 of `SSL_write' discards `const' from pointer target type
*** Error code 1
You need to upgrade to OpenSSL.
Is Apache-SSL Y2K Compliant?
Apache-SSL does not add any date processing to the underlying components, so does not affect the overall compliance of your system. The main component, Apache, has this to say on the matter. You should also check your operating system, hardware and any other modules you include.
If you simply wish to keep up to date, and to be made aware of new releases and important announcements, then mailto:email@example.com?SUBJECT=sameoldsameold is the one for you.
Apache-SSL continues to be developed and maintained, our main focus being on reliability, security and performance, rather than features and bells and whistles. I hope this makes things clear. (Adam Laurie).
Apache-SSL graphics courtesy of Jamie Harrison and The WoW Foundation, based on the original feather by Randy Terbush. Feel free to replicate.