httpd-cvs mailing list archives

From iga...@apache.org
Subject svn commit: r942800 - in /httpd/httpd/trunk/docs/manual/ssl: ssl_faq.html.en ssl_faq.xml
Date Mon, 10 May 2010 15:58:06 GMT
Author: igalic
Date: Mon May 10 15:58:06 2010
New Revision: 942800

URL: http://svn.apache.org/viewvc?rev=942800&view=rev
Log:
Removing the obscenely obsolete "FAQs" from the SSL FAQ.

Modified:
    httpd/httpd/trunk/docs/manual/ssl/ssl_faq.html.en
    httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml

Modified: httpd/httpd/trunk/docs/manual/ssl/ssl_faq.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/ssl/ssl_faq.html.en?rev=942800&r1=942799&r2=942800&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/ssl/ssl_faq.html.en (original)
+++ httpd/httpd/trunk/docs/manual/ssl/ssl_faq.html.en Mon May 10 15:58:06 2010
@@ -266,16 +266,8 @@ dialog at Apache startup time?</a></li>
 Certificate?</a></li>
 <li><a href="#badcert">Why do connections fail with an "alert bad 
 certificate" error?</a></li>
-<li><a href="#keysize">Why does my 2048-bit private key not work?</a></li>
-<li><a href="#hashsymlinks">Why is client authentication broken after 
-upgrading from SSLeay version 0.8 to 0.9?</a></li>
 <li><a href="#pemder">How can I convert a certificate from PEM to DER 
 format?</a></li>
-<li><a href="#verisign">Why can't I find the
-<code>getca</code> or <code>getverisign</code> programs mentioned
by
-Verisign, for installing my Verisign certificate?</a></li>
-<li><a href="#sgc">Can I use the Server Gated Cryptography (SGC)
-facility (aka Verisign Global ID) with mod_ssl?</a></li>
 <li><a href="#gid">Why do browsers complain that they cannot
 verify my Verisign Global ID server certificate?</a></li>
 </ul>
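Review bot: The four index entries removed at the top of this hunk (#keysize, #hashsymlinks, #verisign, #sgc) take their anchors with them, so any link from elsewhere in the manual or from outside that targets one of these fragments will land at the top of the page with no explanation. Search the rest of the docs tree for those fragment names before committing, and fix or drop any references that turn up.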
@@ -545,25 +537,6 @@ bad certificate" error?</a></h3>
     unable to handle RSA key lengths not equal to 1024 bits.</p>
 
 
-<h3><a name="keysize" id="keysize">Why does my 2048-bit private key not work?</a></h3>
-<p>The private key sizes for SSL must be either 512 or 1024 bits, for compatibility
-    with certain web browsers. A keysize of 1024 bits is recommended because
-    keys larger than 1024 bits are incompatible with some versions of Netscape
-    Navigator and Microsoft Internet Explorer, and with other browsers that
-    use RSA's BSAFE cryptography toolkit.</p>
-
-
-<h3><a name="hashsymlinks" id="hashsymlinks">Why is client authentication broken
after upgrading from
-SSLeay version 0.8 to 0.9?</a></h3>
-<p>The CA certificates under the path you configured with
-    <code>SSLCACertificatePath</code> are found by SSLeay through hash
-    symlinks. These hash values are generated by the `<code>openssl x509 -noout
-    -hash</code>' command. However, the algorithm used to calculate the hash for a
-    certificate changed between SSLeay 0.8 and 0.9. You will need to remove
-    all old hash symlinks and create new ones after upgrading. Use the
-    <code>Makefile</code> provided by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.</p>
-
-
 <h3><a name="pemder" id="pemder">How can I convert a certificate from PEM to
DER format?</a></h3>
 <p>The default certificate format for SSLeay/OpenSSL is PEM, which is simply
     Base64 encoded DER, with header and footer lines. For some applications
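Review bot: The context line at the top of this hunk, "unable to handle RSA key lengths not equal to 1024 bits", stays in the page while the #keysize answer with its 512/1024-bit advice is deleted. If the key-size guidance is obsolete enough to remove, the surviving sentence at the end of the preceding answer should be held to the same standard, otherwise the page still tells readers that key lengths other than 1024 bits cause failures.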
@@ -573,29 +546,6 @@ SSLeay version 0.8 to 0.9?</a></h3>
     <code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code></p>
 
 
-<h3><a name="verisign" id="verisign">Why can't I find the
-<code>getca</code> or <code>getverisign</code> programs mentioned
by 
-Verisign, for installing my Verisign certificate?</a></h3>
-<p>Verisign has never provided specific instructions
-    for Apache+mod_ssl. The instructions provided are for C2Net's 
-    Stronghold (a commercial Apache based server with SSL support).</p> 
-    <p>To install your certificate, all you need to do is to save the 
-    certificate to a file, and give the name of that file to the 
-    <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatefile">SSLCertificateFile</a></code>
directive.
-    You will also need to give it the key file. For more information, 
-    see the <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatekeyfile">SSLCertificateKeyFile</a></code>
-    directive.</p> 
-
-
-<h3><a name="sgc" id="sgc">Can I use the Server Gated Cryptography (SGC) 
-facility (aka Verisign Global ID) with mod_ssl?</a></h3>
-<p>Yes. <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>
has included support for the SGC 
-    facility since version 2.1. No special configuration is required - 
-    just use the Global ID as your server certificate. The 
-    <em>step up</em> of the clients is then automatically handled by 
-    <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>
at run-time.</p> 
-
-
 <h3><a name="gid" id="gid">Why do browsers complain that they cannot 
 verify my Verisign Global ID server certificate?</a></h3>
 <p>Verisign uses an intermediate CA certificate between the root CA 
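Review bot: With the #sgc answer deleted, the #gid question kept in the trailing context ("Why do browsers complain that they cannot verify my Verisign Global ID server certificate?") loses the answer that introduced Global ID and SGC immediately before it. Either give #gid a one-line introduction of what a Global ID certificate is, or consider whether it belongs in the same clean-up.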
@@ -723,7 +673,8 @@ error when connecting to my newly instal
     Apache has to know the <code>Host</code> HTTP header field. To do this, the
     HTTP request header has to be read. This cannot be done before the SSL
     handshake is finished, but the information is needed in order to 
-    complete the SSL handshake phase. Bingo!</p>
+    complete the SSL handshake phase. See the next question for how to
+    circumvent this issue.</p>
 
 
 <h3><a name="vhosts2" id="vhosts2">Is it possible to use Name-Based
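Review bot: In the added lines, "circumvent this issue" reads as if the reader were bypassing a control, while the question that follows (#vhosts2) is about a supported configuration. "Work around this limitation" would be more accurate wording. Dropping "Bingo!" is fine.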

Modified: httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml?rev=942800&r1=942799&r2=942800&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml (original)
+++ httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml Mon May 10 15:58:06 2010
@@ -272,16 +272,8 @@ dialog at Apache startup time?</a></li>
 Certificate?</a></li>
 <li><a href="#badcert">Why do connections fail with an "alert bad 
 certificate" error?</a></li>
-<li><a href="#keysize">Why does my 2048-bit private key not work?</a></li>
-<li><a href="#hashsymlinks">Why is client authentication broken after 
-upgrading from SSLeay version 0.8 to 0.9?</a></li>
 <li><a href="#pemder">How can I convert a certificate from PEM to DER 
 format?</a></li>
-<li><a href="#verisign">Why can't I find the
-<code>getca</code> or <code>getverisign</code> programs mentioned
by
-Verisign, for installing my Verisign certificate?</a></li>
-<li><a href="#sgc">Can I use the Server Gated Cryptography (SGC)
-facility (aka Verisign Global ID) with mod_ssl?</a></li>
 <li><a href="#gid">Why do browsers complain that they cannot
 verify my Verisign Global ID server certificate?</a></li>
 </ul>
@@ -551,25 +543,6 @@ bad certificate" error?</title>
     unable to handle RSA key lengths not equal to 1024 bits.</p>
 </section>
 
-<section id="keysize"><title>Why does my 2048-bit private key not work?</title>
-<p>The private key sizes for SSL must be either 512 or 1024 bits, for compatibility
-    with certain web browsers. A keysize of 1024 bits is recommended because
-    keys larger than 1024 bits are incompatible with some versions of Netscape
-    Navigator and Microsoft Internet Explorer, and with other browsers that
-    use RSA's BSAFE cryptography toolkit.</p>
-</section>
-
-<section id="hashsymlinks"><title>Why is client authentication broken after upgrading
from
-SSLeay version 0.8 to 0.9?</title>
-<p>The CA certificates under the path you configured with
-    <code>SSLCACertificatePath</code> are found by SSLeay through hash
-    symlinks. These hash values are generated by the `<code>openssl x509 -noout
-    -hash</code>' command. However, the algorithm used to calculate the hash for a
-    certificate changed between SSLeay 0.8 and 0.9. You will need to remove
-    all old hash symlinks and create new ones after upgrading. Use the
-    <code>Makefile</code> provided by <module>mod_ssl</module>.</p>
-</section>
-
 <section id="pemder"><title>How can I convert a certificate from PEM to DER format?</title>
 <p>The default certificate format for SSLeay/OpenSSL is PEM, which is simply
     Base64 encoded DER, with header and footer lines. For some applications
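Review bot: The removed #hashsymlinks section mixes an obsolete detail (the hash algorithm change between SSLeay 0.8 and 0.9) with a statement that is not tied to that upgrade: CA certificates under SSLCACertificatePath are found through hash symlinks generated with openssl x509 -noout -hash. Deleting the whole section drops that explanation too. Keep a shortened answer, or confirm the directive documentation already covers it, since the removed text ties stale symlinks to broken client authentication.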
@@ -579,29 +552,6 @@ SSLeay version 0.8 to 0.9?</title>
     <code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code></p>
 </section>
 
-<section id="verisign"><title>Why can't I find the
-<code>getca</code> or <code>getverisign</code> programs mentioned
by 
-Verisign, for installing my Verisign certificate?</title>
-<p>Verisign has never provided specific instructions
-    for Apache+mod_ssl. The instructions provided are for C2Net's 
-    Stronghold (a commercial Apache based server with SSL support).</p> 
-    <p>To install your certificate, all you need to do is to save the 
-    certificate to a file, and give the name of that file to the 
-    <directive module="mod_ssl">SSLCertificateFile</directive> directive.
-    You will also need to give it the key file. For more information, 
-    see the <directive module="mod_ssl">SSLCertificateKeyFile</directive>
-    directive.</p> 
-</section>
-
-<section id="sgc"><title>Can I use the Server Gated Cryptography (SGC) 
-facility (aka Verisign Global ID) with mod_ssl?</title>
-<p>Yes. <module>mod_ssl</module> has included support for the SGC 
-    facility since version 2.1. No special configuration is required - 
-    just use the Global ID as your server certificate. The 
-    <em>step up</em> of the clients is then automatically handled by 
-    <module>mod_ssl</module> at run-time.</p> 
-</section>
-
 <section id="gid"><title>Why do browsers complain that they cannot 
 verify my Verisign Global ID server certificate?</title>
 <p>Verisign uses an intermediate CA certificate between the root CA 
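Review bot: The second paragraph of the removed #verisign section is not Verisign-specific: it tells the reader to save the certificate to a file and point SSLCertificateFile and SSLCertificateKeyFile at the certificate and key. Check that another answer still covers this basic installation step before deleting it together with the getca/getverisign text.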
@@ -731,7 +681,8 @@ error when connecting to my newly instal
     Apache has to know the <code>Host</code> HTTP header field. To do this, the
     HTTP request header has to be read. This cannot be done before the SSL
     handshake is finished, but the information is needed in order to 
-    complete the SSL handshake phase. Bingo!</p>
+    complete the SSL handshake phase. See the next question for how to
+    circumvent this issue.</p>
 </section>
 
 <section id="vhosts2"><title>Is it possible to use Name-Based
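Review bot: The added sentence "See the next question for how to circumvent this issue" refers to the following section by position only, which breaks silently when questions are reordered or removed, as this commit itself does in other hunks. The target section id is visible in the trailing context (vhosts2), so link to it explicitly instead of saying "the next question".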


