January 15, 2009
Apache-SSL source patches can be found on the following UK master distribution sites:
and additional FTP mirrors at:
Feel free to report bugs or problems to the same place, but I make no promises (unless you want to pay me).
Digital certificates are available for Apache-SSL from:
No, it means it works and does what people want. We only update it when there's a bug to be fixed, a new version of Apache comes out, or someone needs a new feature supported.
Why does my browser just hang when I connect to Apache-SSL?
Because you used
http: instead of
Also, if you see:
SSL_Accept failed error:140760EB:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocolin your error log, it's for the same reason.
The patches don't apply, what's wrong?
If you get:
$ patch < SSLpatch Looks like a new-style context diff. File to patch:
and not much else, then you've probably got an old version of patch. Go and find 2.1 or better, and try again, or, you may have a new "improved" version of patch (for example, 2.5), in which case do "patch -p1 < SSLpatch".
I know that HTTP is on port 80, but where is HTTPS?
You can run HTTPS on any port, but the standard specifies port 443, which is where any compliant browser will look by default. You can force your browser to look on a different port by specifying it in the URL like this:
I want to run secure and non-secure servers on the same machine. Is that possible?
There are two ways to do this: run two server daemons, or run both services from the same daemon. Unless there is a good reason to run two (like using a different product for secure/non-secure), it's usually simplest to run a single daemon and disable SSL on those virtual hosts that don't need it. If you wish to run two daemons you must make sure that they each only try to bind to their alloted ports (normally port 80 for non-secure and 443 for secure). If you wish to run a single daemon, here's an example config file showing how you might do it.
Now I've got my server installed, how do I create a test certificate?
Step one - create the key and request:
openssl req -new > new.cert.csrStep two - remove the passphrase from the key (optional):
openssl rsa -in privkey.pem -out new.cert.keyStep three - convert request into signed cert:
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365The Apache-SSL directives that you need to use the resulting cert are:
SSLCertificateFile /path/to/certs/new.cert.cert SSLCertificateKeyFile /path/to/certs/new.cert.key
How do I create a client certificate?
Step one - create a CA certificate/key pair, as above.
Step two - sign the client request with the CA key:
openssl x509 -req -in client.cert.csr -out client.cert.cert -signkey my.CA.key -CA my.CA.cert -CAkey my.CA.key -CAcreateserial -days 365Step three - issue the file 'client.cert.cert' to the requester.
The Apache-SSL directives that you need to validate against this cert are:
SSLCACertificateFile /path/to/certs/my.CA.cert SSLVerifyClient 2
How do I access client certs from my CGI?
In release apache_1.3.2+ssl_1.27 and above, you can use the directive:
SSLExportClientCertificatesWhich will create environment variables containing the contents of client certs. For more details, see the SSLExportClientCertificates section in the docs.There is also a working example at: https://www.apache-ssl.org/cgi/cert-export
How do I install FrontPage98 Extensions with Apache-SSL?
Bertrand Renuart has details of how to do this on his web site at http://www.itma.lu/howto/apache.
When installing a Verisign cert, why can't I find "getca" or "getverisign"?
Verisign's up to date apache-ssl cert instructions live here: http://www.verisign.com/support/install/apache/v01.html
How do I run Apache-SSL as a shareable (DSO) module?
First, configure the shared module support in the source tree:
then enable the module in your httpd.conf:
LoadModule apache_ssl_module modules/libssl.so
Common compile errors
gcc -c -I../os/unix -I../include -I/usr/local/ssl/include -funsigned-char -DTARGET=\"httpsd\" -DAPACHE_SSL `../apaci` -DAPACHE_SSL buff.c
buff.c: In function `ap_read':
buff.c:259: structure has no member named `stats'
buff.c:267: structure has no member named `stats'
buff.c:268: structure has no member named `stats'
buff.c:269: structure has no member named `stats'
buff.c:271: structure has no member named `stats'
buff.c: In function `ap_write':
buff.c:346: warning: passing arg 2 of `SSL_write' discards `const' from pointer target type
*** Error code 1
You need to upgrade to OpenSSL.
Common runtime errors
The error log says:
You need to upgrade. There was a bug in Apache-SSL version 1.46 that caused this error.
error:0D067007:asn1 encoding routines:ASN1_COLLATE_PRIMITIVE:expecting an asn1 sequence
httpsd: apache_ssl.c:1313: GetSessionFromServer: Assertion `pSession' failed.
Is Apache-SSL Y2K Compliant?
Apache-SSL does not add any date processing to the underlying components, so does not affect the overall compliance of your system. The main component, Apache, has this to say on the matter. You should also check your operating system, hardware and any other modules you include.
Apache starts OK, but I get errors when viewing secure pages
If you see something like this in your error log:
[Fri Apr 28 16:24:08 2000] [error] SSL_accept failed
[Fri Apr 28 16:24:08 2000] [error] error:24064064:random number generator:SSLEAY_RAND_BYTES:prng not seeded
[Fri Apr 28 16:24:08 2000] [error] error:04069003:rsa routines:RSA_generate_key:BN lib
[Fri Apr 28 16:24:08 2000] [error] error:1409B444:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:error generating tmp rsa key
You need to seed your random number generator. This is a feature of OpenSSL since version 0.9.5a. See http://www.apache-ssl.org/docs.html#SSLRandomFile for more details.
How do I use EGD with Apache-SSL?
Ben Srour explains how he did it on Mac OS/X here. The process should be very similar for other Unix variants.
If you simply wish to keep up to date, and to be made aware of new releases and important announcements, then email@example.com is the one for you.
Apache-SSL continues to be developed and maintained, our main focus being on reliability, security and performance, rather than features and bells and whistles. I hope this makes things clear. (Adam Laurie).
Apache-SSL graphics courtesy of Jamie Harrison and The WoW Foundation, based on the original feather by Randy Terbush. Animated graphic by Katherine Cleave of A.L. Digital. Minibutton by King Monty. Feel free to replicate.
A.L. Digital Ltd. participate in the Distributed Net encryption cracking efforts, as do many of our friends. To see how our team is doing, click the team logo above. To read more about the project, click on the banner above. To join our team, affiliate yourself with team no. 5209. For your personal privacy, the team membership listing is not open to the public, and we promise not to use it ourselves. For anything.