httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject cvs commit: httpd-2.0/docs/manual/ssl ssl_faq.html
Date Thu, 16 May 2002 19:05:24 GMT
jwoolley    02/05/16 12:05:24

  Modified:    .        CHANGES
               docs/conf ssl-std.conf
               docs/manual/ssl ssl_faq.html
  The group consensus was that we're no longer supporting "make certificate,"
  as test certificates just allow people who don't know what they're doing
  to dig a bigger hole for themselves and don't really help anybody who
  DOES know what they're doing much.  So all of the documentation references
  to "make certificate" are now removed.
  PR: 8724
  Revision  Changes    Path
  1.775     +5 -0      httpd-2.0/CHANGES
  Index: CHANGES
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.774
  retrieving revision 1.775
  diff -u -d -u -r1.774 -r1.775
  --- CHANGES	16 May 2002 06:09:12 -0000	1.774
  +++ CHANGES	16 May 2002 19:05:23 -0000	1.775
  @@ -1,5 +1,10 @@
   Changes with Apache 2.0.37
  +  *) Removed documentation references to the no-longer-supported
  +     "make certificate" feature of mod_ssl for Apache 1.3.x.  Test
  +     certificates, if truly desired, can be generated using openssl
  +     commands.  PR 8724.  [Cliff Woolley]
     *) Remove SSLLog and SSLLogLevel directives in favor of having
        mod_ssl use the standard ErrorLog directives.  [Justin Erenkrantz]
  1.9       +4 -5      httpd-2.0/docs/conf/ssl-std.conf
  Index: ssl-std.conf
  RCS file: /home/cvs/httpd-2.0/docs/conf/ssl-std.conf,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -d -u -r1.8 -r1.9
  --- ssl-std.conf	16 May 2002 06:09:13 -0000	1.8
  +++ ssl-std.conf	16 May 2002 19:05:24 -0000	1.9
  @@ -107,11 +107,10 @@
   #   Server Certificate:
   #   Point SSLCertificateFile at a PEM encoded certificate.  If
   #   the certificate is encrypted, then you will be prompted for a
  -#   pass phrase.  Note that a kill -HUP will prompt again. A test
  -#   certificate can be generated with `make certificate' under
  -#   built time. Keep in mind that if you've both a RSA and a DSA
  -#   certificate you can configure both in parallel (to also allow
  -#   the use of DSA ciphers, etc.)
  +#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
  +#   in mind that if you have both an RSA and a DSA certificate you
  +#   can configure both in parallel (to also allow the use of DSA
  +#   ciphers, etc.)
   SSLCertificateFile @@ServerRoot@@/conf/ssl.crt/server.crt
   #SSLCertificateFile @@ServerRoot@@/conf/ssl.crt/server-dsa.crt
  1.5       +4 -35     httpd-2.0/docs/manual/ssl/ssl_faq.html
  Index: ssl_faq.html
  RCS file: /home/cvs/httpd-2.0/docs/manual/ssl/ssl_faq.html,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -d -u -r1.4 -r1.5
  --- ssl_faq.html	17 Jan 2002 11:18:03 -0000	1.4
  +++ ssl_faq.html	16 May 2002 19:05:24 -0000	1.5
  @@ -87,7 +87,6 @@
   <li><a href="#ToC25">What are Keys, CSRs and Certs?</a></li>
   <li><a href="#ToC26">Difference on startup?</a></li>
  -<li><a href="#ToC27">How to create a dummy cert?</a></li>
   <li><a href="#ToC28">How to create a real cert?</a></li>
   <li><a href="#ToC29">How to create my own CA?</a></li>
   <li><a href="#ToC30">How to change a pass phrase?</a></li>
  @@ -443,7 +442,6 @@
       <strong id="faq">
   When I fire up the server, mod_ssl stops with the error
   "Failed to generate temporary 512 bit RSA private key", why?
  -And a "PRNG not seeded" error occurs if I try "make certificate".
       [<a href="#entropy"><b>L</b></a>]
  @@ -456,13 +454,8 @@
       encryption. As of version 0.9.5, the OpenSSL functions that need
       randomness report an error if the PRNG has not been seeded with
       at least 128 bits of randomness. So mod_ssl has to provide enough
  -    entropy to the PRNG to work correctly. For this one has to use the
  -    <code>SSLRandomSeed</code> directives (to solve the run-time problem)
  -    and create a <code>$HOME/.rnd</code> file to make sure enough
  -    entropy is available also for the "<code>make certificate</code>"
  -    step (in case the "<code>make certificate</code>" procedure is not
  -    able to gather enough entropy theirself by searching for system
  -    files).
  +    entropy to the PRNG to work correctly.  For this one has to use the
  +    <code>SSLRandomSeed</code> directives.
  @@ -633,30 +626,6 @@
       below under ``How can I get rid of the pass-phrase dialog at Apache
       startup time?''.
  -<li><a name="ToC27"></a>
  -    <a name="cert-dummy"></a>
  -    <strong id="faq">
  -How can I create a dummy SSL server Certificate for testing purposes?
  -    [<a href="#cert-dummy"><b>L</b></a>]
  -    <p>
  -    A Certificate does not have to be signed by a public CA. You can use your
  -    private key to sign the Certificate which contains your public key. You
  -    can install this Certificate into your server, and people using Netscape
  -    Navigator (not MSIE) will be able to connect after clicking OK to a
  -    warning dialogue. You can get MSIE to work, and your customers can
  -    eliminate the dialogue, by installing that Certificate manually into their
  -    browsers.
  -    <p>
  -    Just use the ``<code>make certificate</code>'' command at the top-level
  -    directory of the Apache source tree right before installing Apache via
  -    ``<code>make install</code>''. This creates a self-signed SSL Certificate
  -    which expires after 30 days and isn't encrypted (which means you don't
  -    need to enter a pass-phrase at Apache startup time).
  -    <p>
   <li><a name="ToC28"></a>
       <a name="cert-real"></a>
       <strong id="faq">
  @@ -1097,8 +1066,8 @@
       Either you have messed up your <code>SSLCipherSuite</code>
       directive (compare it with the pre-configured example in
       <code>httpd.conf-dist</code>) or you have choosen the DSA/DH
  -    algorithms instead of RSA under "<code>make certificate</code>"
  -    and ignored or overseen the warnings. Because if you have choosen
  +    algorithms instead of RSA when you generated your private key
  +    and ignored or overlooked the warnings.  If you have choosen
       DSA/DH, then your server no longer speaks RSA-based SSL ciphers
       (at least not until you also configure an additional RSA-based
       certificate/key pair). But current browsers like NS or IE only speak

View raw message