httpd-cvs mailing list archives

From rj...@apache.org
Subject svn commit: r1682942 - in /httpd/httpd/branches/2.2.x: ./ docs/manual/mod/mod_ssl.xml docs/manual/ssl/ssl_faq.xml
Date Mon, 01 Jun 2015 16:01:49 GMT
Author: rjung
Date: Mon Jun  1 16:01:49 2015
New Revision: 1682942

URL: http://svn.apache.org/r1682942
Log:
Try to clarify extended uses of SSLCertificateFile.

Backport of r1682923 and r1682937 from trunk,
resp. r1682929 and r1682939 from 2.4.x.

Modified:
    httpd/httpd/branches/2.2.x/   (props changed)
    httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
    httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.xml

Propchange: httpd/httpd/branches/2.2.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon Jun  1 16:01:49 2015
@@ -1,2 +1,2 @@
-/httpd/httpd/branches/2.4.x:1555538,1555559,1648845,1649003,1681034
-/httpd/httpd/trunk:290940,395552,417988,451572,501364,583817,583830,611483,630858,639005,639010,647395,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,713575,719357,720250,729316-729317,729586,732414,732504,732816,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785457,785661,790587,803704,819480,823536,823563,834378,835046,891282,900022,932791,942209,952823,953311,955966,979120,981084,992625,1026743,1031551,1040304,1040373,1058192,1070096,1082189,1082196,1090645,1172732,1200040,1200372,1200374,1213380,1222335,1223048,1231446,1244211,1294306,1299738,1300171,1301111,1308862,1327036,1327080,1328133,1328325-1328326,1345319,1348656,1349905,1352912,1363183,1363186,1366344,1367778,1368131,136
 8396,1369568,1395225,1398066,1400700,1408402,1410681,1413732,1414094,1416889,1418752,1422234,1422253,1435178,1447426,1470940,1475878,1476604,1476621,1476642,1476644-1476645,1477530,1485409,1485668,1490994,1493330,1496429,1500323,1504276,1506714,1509872,1509875,1524192,1524770,1526168,1526189,1527291,1527295,1527925,1528718,1529559,1531505,1532816,1551685,1551714,1552227,1553204,1554276,1554281,1555240,1555555,1556428,1563420,1572092,1572198,1572543,1572611,1572630,1572655,1572663,1572668-1572671,1572896,1572911,1572967,1573224,1573229,1575400,1586745,1587594,1587639,1588851,1590509,1603156,1604353,1610207,1610311,1610491,1610501,1611165,1611169,1620932,1621453,1648840,1649001,1649043,1650310,1650320,1652929,1653997,1658765,1663647,1664205,1665215,1665218,1666363,1675533,1676654,1677462,1679182,1679470,1680895,1680900,1680942,1681037
+/httpd/httpd/branches/2.4.x:1555538,1555559,1648845,1649003,1681034,1682929,1682939
+/httpd/httpd/trunk:290940,395552,417988,451572,501364,583817,583830,611483,630858,639005,639010,647395,657354,657459,660461,660566,664330,678761,680082,681190,682369,683626,685112,686805,686809,687099,687754,693120,693392,693727-693728,696006,697093,706318,707163,708902,711421,713575,719357,720250,729316-729317,729586,732414,732504,732816,732832,733127,733134,733218-733219,734710,743589,755190,756671,756675,756678,756683,757741,761329,763394,764239,768535,769809,771587,771610,776325,777042,777091,778438-778439,778531,778942,780648,780655,780692,780697,780699,785457,785661,790587,803704,819480,823536,823563,834378,835046,891282,900022,932791,942209,952823,953311,955966,979120,981084,992625,1026743,1031551,1040304,1040373,1058192,1070096,1082189,1082196,1090645,1172732,1200040,1200372,1200374,1213380,1222335,1223048,1231446,1244211,1294306,1299738,1300171,1301111,1308862,1327036,1327080,1328133,1328325-1328326,1345319,1348656,1349905,1352912,1363183,1363186,1366344,1367778,1368131,136
 8396,1369568,1395225,1398066,1400700,1408402,1410681,1413732,1414094,1416889,1418752,1422234,1422253,1435178,1447426,1470940,1475878,1476604,1476621,1476642,1476644-1476645,1477530,1485409,1485668,1490994,1493330,1496429,1500323,1504276,1506714,1509872,1509875,1524192,1524770,1526168,1526189,1527291,1527295,1527925,1528718,1529559,1531505,1532816,1551685,1551714,1552227,1553204,1554276,1554281,1555240,1555555,1556428,1563420,1572092,1572198,1572543,1572611,1572630,1572655,1572663,1572668-1572671,1572896,1572911,1572967,1573224,1573229,1575400,1586745,1587594,1587639,1588851,1590509,1603156,1604353,1610207,1610311,1610491,1610501,1611165,1611169,1620932,1621453,1648840,1649001,1649043,1650310,1650320,1652929,1653997,1658765,1663647,1664205,1665215,1665218,1666363,1675533,1676654,1677462,1679182,1679470,1680895,1680900,1680942,1681037,1682923,1682937

Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml?rev=1682942&r1=1682941&r2=1682942&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml Mon Jun  1 16:01:49 2015
@@ -776,18 +776,32 @@ SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MED
 
 <usage>
 <p>
-This directive points to the file with the PEM-encoded certificate,
-optionally also the corresponding private key, and - beginning with
-version 2.2.30 - DH parameters and/or an EC curve name
-for ephemeral keys (as generated by <code>openssl dhparam</code>
-and <code>openssl ecparam</code>, respectively). If the private key
-is encrypted, the pass phrase dialog is forced at startup time.
+This directive points to a file with certificate data in PEM format.
+At a minimum, the file must include an end-entity (leaf) certificate.
+The directive can be used up to three times (referencing different filenames)
+when an RSA, a DSA, and an ECC based server certificate is used in parallel.
 </p>
+
 <p>
-This directive can be used up to three times (referencing different filenames)
-when both an RSA, a DSA, and an ECC based server certificate is used in
-parallel. Note that DH and ECDH parameters are only read from the first
-<directive>SSLCertificateFile</directive> directive.</p>
+Custom DH parameters and an EC curve name for ephemeral keys,
+can be added to end of the first file configured using
+<directive module="mod_ssl">SSLCertificateFile</directive>.
+This is supported in version 2.2.30 or later.
+Such parameters can be generated using the commands
+<code>openssl dhparam</code> and <code>openssl ecparam</code>.
+The parameters can be added as-is to the end of the first
+certificate file. Only the first file can be used for custom
+parameters, as they are applied independently of the authentication
+algorithm type.
+</p>
+
+<p>
+Finally the the end-entity certificate's private key can also be
+added to the certificate file instead of using a separate
+<directive module="mod_ssl">SSLCertificateKeyFile</directive>
+directive. This practice is highly discouraged. If the private
+key is encrypted, the pass phrase dialog is forced at startup time.
+</p>
 
 <note>
 <title>DH parameter interoperability with primes > 1024 bit</title>
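Review bot: the added paragraph beginning `+Custom DH parameters and an EC curve name for ephemeral keys,` has three wording defects: the comma after "ephemeral keys" splits subject from verb, `+can be added to end of the first file configured using` is missing "the" before "end", and the later sentence `+The parameters can be added as-is to the end of the first` repeats what the paragraph's first sentence already states. The next paragraph opens with a doubled article, "Finally the the end-entity certificate's private key"; drop one "the". Suggest folding the paragraph into one statement along the lines of: custom DH parameters and an EC curve name for ephemeral keys, generated with `openssl dhparam` and `openssl ecparam`, can be appended as-is to the end of the first file configured with SSLCertificateFile (2.2.30 or later); only that first file is consulted, because the parameters are applied independently of the certificate's authentication algorithm.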
@@ -820,18 +834,22 @@ SSLCertificateFile /usr/local/apache2/co
 
 <usage>
 <p>
-This directive points to the PEM-encoded Private Key file for the
-server. If the Private Key is not combined with the Certificate in the
-<directive>SSLCertificateFile</directive>, use this additional directive to
-point to the file with the stand-alone Private Key. When
-<directive>SSLCertificateFile</directive> is used and the file
-contains both the Certificate and the Private Key this directive need
-not be used. But we strongly discourage this practice.  Instead we
-recommend you to separate the Certificate and the Private Key. If the
-contained Private Key is encrypted, the Pass Phrase dialog is forced
-at startup time. This directive can be used up to three times
-(referencing different filenames) when both a RSA, a DSA, and an ECC based
-private key is used in parallel.</p>
+This directive points to the PEM-encoded private key file for the
+server. If the contained private key is encrypted, the pass phrase
+dialog is forced at startup time.</p>
+
+<p>
+The directive can be used up to three times (referencing different filenames)
+when an RSA, a DSA, and an ECC based private key is used in parallel. For each
+<directive module="mod_ssl">SSLCertificateKeyFile</directive>
+directive, there must be a matching <directive>SSLCertificateFile</directive>
+directive.</p>
+
+<p>
+The private key may also be combined with the certificate in the file given by
+<directive module="mod_ssl">SSLCertificateFile</directive>, but this practice
+is highly discouraged.</p>
+
 <example><title>Example</title>
 SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
 </example>
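Review bot: in `+directive, there must be a matching <directive>SSLCertificateFile</directive>` the cross-reference lacks the `module="mod_ssl"` attribute that the adjacent `<directive module="mod_ssl">SSLCertificateKeyFile</directive>` reference carries; add it so both links resolve the same way. Separately, the rewrite drops the old text's explicit recommendation ("Instead we recommend you to separate the Certificate and the Private Key") and now only says combining key and certificate in one file is "highly discouraged" without giving a reason; one sentence stating why (for instance, that a separate key file can be kept under stricter file permissions than the public certificate) would make the advice actionable rather than just emphatic.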

Modified: httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.xml?rev=1682942&r1=1682941&r2=1682942&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/ssl/ssl_faq.xml Mon Jun  1 16:01:49 2015
@@ -946,20 +946,22 @@ HTTPS to an Apache+mod_ssl server with N
     or higher), you can either rearrange mod_ssl's cipher list with
     <directive module="mod_ssl">SSLCipherSuite</directive>
     (possibly in conjunction with <directive module="mod_ssl">SSLHonorCipherOrder</directive>),
-    or you can use the <directive module="mod_ssl">SSLCertificateFile</directive>
-    directive to configure custom DH parameters with a 1024-bit prime, which
+    or you can use custom DH parameters with a 1024-bit prime, which
     will always have precedence over any of the built-in DH parameters.</p>
 
-    <p>To generate custom DH parameters, use the <code>openssl dhparam</code>
-    command. Alternatively, you can append the following standard 1024-bit DH
+    <p>To generate custom DH parameters, use the <code>openssl dhparam 1024</code>
+    command. Alternatively, you can use the following standard 1024-bit DH
     parameters from <a href="http://www.ietf.org/rfc/rfc2409.txt">RFC 2409</a>,
-    section 6.2 to the respective
-    <directive module="ssl">SSLCertificateFile</directive> file:</p>
+    section 6.2:</p>
     <example><pre>-----BEGIN DH PARAMETERS-----
 MIGHAoGBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJR
 Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL
 /1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC
 -----END DH PARAMETERS-----</pre></example>
+    <p>Add the custom parameters including the "BEGIN DH PARAMETERS" and
+    "END DH PARAMETERS" lines to the end of the first certificate file
+    you have configured using the
+    <directive module="mod_ssl">SSLCertificateFile</directive> directive.</p>
 </section>
 
 </section>
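Review bot: the new closing paragraph `+    <p>Add the custom parameters including the "BEGIN DH PARAMETERS" and` tells the reader to append the block to the first SSLCertificateFile, but unlike the mod_ssl.xml change in this same commit it does not mention that appended DH parameters are only supported in 2.2.30 or later; a reader on an older 2.2 release would follow the FAQ and see no effect, so add the version requirement here as well. Also, after the first hunk the sentence "or you can use custom DH parameters with a 1024-bit prime, which will always have precedence over any of the built-in DH parameters" no longer says where those parameters are configured until three paragraphs later; a short "see below" in that sentence would keep the reader oriented. Replacing the old `<directive module="ssl">` reference (wrong module name) is a welcome fix.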