httpd-cvs mailing list archives

From iga...@apache.org
Subject svn commit: r1037224 - in /httpd/httpd/trunk/docs/manual: mod/mod_asis.xml.ja mod/mod_asis.xml.ko ssl/ssl_howto.html.en ssl/ssl_howto.xml
Date Sat, 20 Nov 2010 14:29:53 GMT
Author: igalic
Date: Sat Nov 20 14:29:52 2010
New Revision: 1037224

URL: http://svn.apache.org/viewvc?rev=1037224&view=rev
Log:
A first attempt at PR#50307
Trying to get rid of old- or un-facts.
./build.sh all

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_asis.xml.ja
    httpd/httpd/trunk/docs/manual/mod/mod_asis.xml.ko
    httpd/httpd/trunk/docs/manual/ssl/ssl_howto.html.en
    httpd/httpd/trunk/docs/manual/ssl/ssl_howto.xml

Modified: httpd/httpd/trunk/docs/manual/mod/mod_asis.xml.ja
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_asis.xml.ja?rev=1037224&r1=1037223&r2=1037224&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_asis.xml.ja [utf-8] (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_asis.xml.ja [utf-8] Sat Nov 20 14:29:52 2010
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
 <?xml-stylesheet type="text/xsl" href="../style/manual.ja.xsl"?>
-<!-- English Revision: 420990:926536 (outdated) -->
+<!-- English Revision: 420990:1036315 (outdated) -->
 
 <!--
  Licensed to the Apache Software Foundation (ASF) under one or more
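
Review bot: the only change in this hunk, the `English Revision` marker on line 4, is not part of the ssl_howto change the log describes; it looks like output of the `./build.sh all` run, and the same bump appears in mod_asis.xml.ko. Consider committing the regenerated translation markers separately, or naming them in the log message, so the PR#50307 change can be reviewed and reverted on its own.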

Modified: httpd/httpd/trunk/docs/manual/mod/mod_asis.xml.ko
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_asis.xml.ko?rev=1037224&r1=1037223&r2=1037224&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_asis.xml.ko [euc-kr] (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_asis.xml.ko [euc-kr] Sat Nov 20 14:29:52 2010
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="EUC-KR" ?>
 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
 <?xml-stylesheet type="text/xsl" href="../style/manual.ko.xsl"?>
-<!-- English Revision: 151408:926536 (outdated) -->
+<!-- English Revision: 151408:1036315 (outdated) -->
 
 <!--
  Licensed to the Apache Software Foundation (ASF) under one or more

Modified: httpd/httpd/trunk/docs/manual/ssl/ssl_howto.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/ssl/ssl_howto.html.en?rev=1037224&r1=1037223&r2=1037224&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/ssl/ssl_howto.html.en (original)
+++ httpd/httpd/trunk/docs/manual/ssl/ssl_howto.html.en Sat Nov 20 14:29:52 2010
@@ -75,54 +75,26 @@ export browsers to upgrade to stronger e
 requires a strong cipher for access to a particular URL?</a></li>
 </ul>
 
-<h3><a name="realssl" id="realssl">How can I create a real SSLv2-only server?</a></h3>
-
-    <p>The following creates an SSL server which speaks only the SSLv2 protocol and
-    its ciphers.</p>
-
-    <div class="example"><h3>httpd.conf</h3><p><code>
-      SSLProtocol -all +SSLv2<br />
-      SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP<br />
-    </code></p></div>
-
-
 <h3><a name="onlystrong" id="onlystrong">How can I create an SSL server which
accepts strong encryption
 only?</a></h3>
 
-    <p>The following enables only the seven strongest ciphers:</p>
+    <p>The following enables only the strongest ciphers:</p>
     <div class="example"><h3>httpd.conf</h3><p><code>
-      SSLProtocol all<br />
-      SSLCipherSuite HIGH:MEDIUM<br />
+      SSLProtocol all -SSLv3<br />
+      SSLCipherSuite HIGH:!ADH:!EXP:!MD5:!NULL<br />
     </code></p></div>
 
+    <p>While with the following configuration you enable two ciphers
+    which are resonably secure, and fast:</p>
 
-<h3><a name="upgradeenc" id="upgradeenc">How can I create an SSL server which
accepts strong encryption
-only, but allows export browsers to upgrade to stronger encryption?</a></h3>
-
-    <p>This facility is called Server Gated Cryptography (SGC) and requires 
-    a Global ID server certificate, signed by a special CA certificate 
-    from Verisign. This enables strong encryption in 'export' versions of 
-    browsers, which traditionally could not support it (because of US export 
-    restrictions).</p>
-    <p>When a browser connects with an export cipher, the server sends its Global
-    ID certificate. The browser verifies this, and can then upgrade its
-    cipher suite before any HTTP communication takes place. The problem 
-    lies in allowing browsers to upgrade in this fashion, but still requiring
-    strong encryption. In other words, we want browsers to either start a 
-    connection with strong encryption, or to start with export ciphers but 
-    upgrade to strong encryption before beginning HTTP communication.</p>
-    <p>This can be done as follows:</p>
     <div class="example"><h3>httpd.conf</h3><p><code>
-      # allow all ciphers for the initial handshake,<br />
-      # so export browsers can upgrade via SGC facility<br />
-      SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br />
-      <br />
-      &lt;Directory /usr/local/apache2/htdocs&gt;<br />
-      # but finally deny all browsers which haven't upgraded<br />
-      SSLRequire %{SSL_CIPHER_USEKEYSIZE} &gt;= 128<br />
-      &lt;/Directory&gt;
+      SSLProtocol all -SSLv3<br />
+      SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!ADH:!EXP:!MD5:!NULL<br />
+      SSLHonorCipherOrder on
     </code></p></div>
 
+    <p>This strongly reflects the default value of <code class="directive"><a
href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code> and is
the recommanded way to configure it.</p>
+
 
 <h3><a name="strongurl" id="strongurl">How can I create an SSL server which accepts
all types of ciphers
 in general, but requires a strong ciphers for access to a particular
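
Review bot: `SSLProtocol all -SSLv3` in both added examples turns off SSLv3 and leaves every other protocol covered by `all` enabled, in the same hunk that deletes the SSLv2-only section as outdated. If `all` still includes SSLv2 in this tree, the "strong encryption only" examples keep SSLv2 on; `-SSLv2` looks like what was meant. This file is generated, so the fix belongs in ssl_howto.xml followed by a rebuild.
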
@@ -141,7 +113,7 @@ URL?</a></h3>
       &lt;Location /strong/area&gt;<br />
       # but https://hostname/strong/area/ and below<br />
       # requires strong ciphers<br />
-      SSLCipherSuite HIGH:MEDIUM<br />
+      SSLCipherSuite HIGH:!ADH:!EXP:!MD5:!NULL<br />
       &lt;/Location&gt;
     </code></p></div>
 

Modified: httpd/httpd/trunk/docs/manual/ssl/ssl_howto.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/ssl/ssl_howto.xml?rev=1037224&r1=1037223&r2=1037224&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/ssl/ssl_howto.xml (original)
+++ httpd/httpd/trunk/docs/manual/ssl/ssl_howto.xml Sat Nov 20 14:29:52 2010
@@ -73,53 +73,26 @@ export browsers to upgrade to stronger e
 requires a strong cipher for access to a particular URL?</a></li>
 </ul>
 
-<section id="realssl">
-<title>How can I create a real SSLv2-only server?</title>
-    <p>The following creates an SSL server which speaks only the SSLv2 protocol and
-    its ciphers.</p>
-
-    <example><title>httpd.conf</title>
-      SSLProtocol -all +SSLv2<br />
-      SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP<br />
-    </example>
-</section>
-
 <section id="onlystrong">
 <title>How can I create an SSL server which accepts strong encryption
 only?</title>
-    <p>The following enables only the seven strongest ciphers:</p>
+    <p>The following enables only the strongest ciphers:</p>
     <example><title>httpd.conf</title>
-      SSLProtocol all<br />
-      SSLCipherSuite HIGH:MEDIUM<br />
+      SSLProtocol all -SSLv3<br />
+      SSLCipherSuite HIGH:!ADH:!EXP:!MD5:!NULL<br />
     </example>
-</section>
 
-<section id="upgradeenc">
-<title>How can I create an SSL server which accepts strong encryption
-only, but allows export browsers to upgrade to stronger encryption?</title>
-    <p>This facility is called Server Gated Cryptography (SGC) and requires 
-    a Global ID server certificate, signed by a special CA certificate 
-    from Verisign. This enables strong encryption in 'export' versions of 
-    browsers, which traditionally could not support it (because of US export 
-    restrictions).</p>
-    <p>When a browser connects with an export cipher, the server sends its Global
-    ID certificate. The browser verifies this, and can then upgrade its
-    cipher suite before any HTTP communication takes place. The problem 
-    lies in allowing browsers to upgrade in this fashion, but still requiring
-    strong encryption. In other words, we want browsers to either start a 
-    connection with strong encryption, or to start with export ciphers but 
-    upgrade to strong encryption before beginning HTTP communication.</p>
-    <p>This can be done as follows:</p>
+    <p>While with the following configuration you enable two ciphers
+    which are resonably secure, and fast:</p>
+
     <example><title>httpd.conf</title>
-      # allow all ciphers for the initial handshake,<br />
-      # so export browsers can upgrade via SGC facility<br />
-      SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br />
-      <br />
-      &lt;Directory /usr/local/apache2/htdocs&gt;<br />
-      # but finally deny all browsers which haven't upgraded<br />
-      SSLRequire %{SSL_CIPHER_USEKEYSIZE} &gt;= 128<br />
-      &lt;/Directory&gt;
+      SSLProtocol all -SSLv3<br />
+      SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!ADH:!EXP:!MD5:!NULL<br />
+      SSLHonorCipherOrder on
     </example>
+
+    <p>This strongly reflects the default value of <directive module="mod_ssl"
+    >SSLCipherSuite</directive> and is the recommanded way to configure it.</p>
 </section>
 
 <section id="strongurl">
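
Review bot: the added paragraph says the second example enables "two ciphers", but its `SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!ADH:!EXP:!MD5:!NULL` still contains `HIGH`, so together with `SSLHonorCipherOrder on` it puts two ciphers first rather than restricting the server to them. Suggest wording such as "prefers two ciphers which are reasonably secure and fast, and falls back to the remaining HIGH ciphers", which also fixes "resonably"; "recommanded" in the closing paragraph needs the same correction. The hunk also deletes the `realssl` and `upgradeenc` sections, while the hunk header context ("export browsers to upgrade to stronger e") shows the link list above is untouched, so check that list for entries pointing at the removed ids.
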
@@ -140,7 +113,7 @@ URL?</title>
       &lt;Location /strong/area&gt;<br />
       # but https://hostname/strong/area/ and below<br />
       # requires strong ciphers<br />
-      SSLCipherSuite HIGH:MEDIUM<br />
+      SSLCipherSuite HIGH:!ADH:!EXP:!MD5:!NULL<br />
       &lt;/Location&gt;
     </example>
 </section>
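
Review bot: in the replacement `SSLCipherSuite HIGH:!ADH:!EXP:!MD5:!NULL` for the /strong/area Location block, `!ADH` excludes only anonymous DH, whereas OpenSSL's `!aNULL` excludes every suite that offers no authentication and is the safer spelling. `!EXP` and `!NULL` add nothing once the list is limited to `HIGH`, so `HIGH:!aNULL:!MD5` would state the same intent more briefly; if adopted, use the same string in the `onlystrong` examples so the page stays consistent.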


