1
<?xml version="1.0" encoding="ISO-8859-1"?>
2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
4
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5
This file is generated from xml source: DO NOT EDIT
6
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8
<title>SSL/TLS Strong Encryption: FAQ - Apache HTTP Server</title>
9
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
10
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
11
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
12
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
13
<body id="manual-page"><div id="page-header">
14
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
15
<p class="apache">Apache HTTP Server Version 2.2</p>
16
<img alt="" src="../images/feather.gif" /></div>
17
<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
19
<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.2</a> > <a href="./">SSL/TLS</a></div><div id="page-content"><div id="preamble"><h1>SSL/TLS Strong Encryption: FAQ</h1>
21
<p><span>Available Languages: </span><a href="../en/ssl/ssl_faq.html" title="English"> en </a></p>
25
<p>The wise man doesn't give the right answers,
26
he poses the right questions.</p>
27
<p class="cite">-- <cite>Claude Levi-Strauss</cite></p>
30
<p>This chapter is a collection of frequently asked questions (FAQ) and
31
corresponding answers following the popular USENET tradition. Most of these
32
questions occurred on the Newsgroup <code><a href="news:comp.infosystems.www.servers.unix">comp.infosystems.www.servers.unix</a></code> or the mod_ssl Support
33
Mailing List <code><a href="mailto:modssl-users@modssl.org">modssl-users@modssl.org</a></code>. They are collected at this place
34
to avoid answering the same questions over and over.</p>
36
<p>Please read this chapter at least once when installing mod_ssl or at least
37
search for your problem here before submitting a problem report to the
40
<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#about">About The Module</a></li>
41
<li><img alt="" src="../images/down.gif" /> <a href="#installation">Installation</a></li>
42
<li><img alt="" src="../images/down.gif" /> <a href="#aboutconfig">Configuration</a></li>
43
<li><img alt="" src="../images/down.gif" /> <a href="#aboutcerts">Certificates</a></li>
44
<li><img alt="" src="../images/down.gif" /> <a href="#aboutssl">The SSL Protocol</a></li>
45
<li><img alt="" src="../images/down.gif" /> <a href="#support">mod_ssl Support</a></li>
47
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
49
<h2><a name="about" id="about">About The Module</a></h2>
51
<li><a href="#history">What is the history of mod_ssl?</a></li>
52
<li><a href="#y2k">mod_ssl and Year 2000?</a></li>
53
<li><a href="#wassenaar">mod_ssl and Wassenaar Arrangement?</a></li>
56
<h3><a name="history" id="history">What is the history of mod_ssl?</a></h3>
57
<p>The mod_ssl v1 package was initially created in April 1998 by <a href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> via porting <a href="mailto:ben@algroup.co.uk">Ben Laurie</a>'s <a href="http://www.apache-ssl.org/">Apache-SSL</a> 1.17 source patches for
58
Apache 1.2.6 to Apache 1.3b6. Because of conflicts with Ben
59
Laurie's development cycle it then was re-assembled from scratch for
60
Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL
61
1.18. From this point on mod_ssl lived its own life as mod_ssl v2. The
62
first publicly released version was mod_ssl 2.0.0 from August 10th,
65
<p>After US export restrictions on cryptographic software were
66
loosened, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> became part of the Apache HTTP
67
Server with the release of Apache httpd 2.</p>
70
<h3><a name="wassenaar" id="wassenaar">Is mod_ssl affected by the Wassenaar Arrangement?</a></h3>
71
<p>First, let us explain what <dfn>Wassenaar</dfn> and its <dfn>Arrangement on
72
Export Controls for Conventional Arms and Dual-Use Goods and
73
Technologies</dfn> is: This is a international regime, established in 1995, to
74
control trade in conventional arms and dual-use goods and technology. It
75
replaced the previous <dfn>CoCom</dfn> regime. Further details on
76
both the Arrangement and its signatories are available at <a href="http://www.wassenaar.org/">http://www.wassenaar.org/</a>.</p>
78
<p>In short, the aim of the Wassenaar Arrangement is to prevent the build up
79
of military capabilities that threaten regional and international security
80
and stability. The Wassenaar Arrangement controls the export of
81
cryptography as a dual-use good, that is, something that has both military and
82
civilian applications. However, the Wassenaar Arrangement also provides an
83
exemption from export controls for mass-market software and free software.</p>
85
<p>In the current Wassenaar <cite>List of Dual Use Goods and Technologies And
86
Munitions</cite>, under <q>GENERAL SOFTWARE NOTE (GSN)</q> it says
87
<q>The Lists do not control "software" which is either: 1. [...] 2. "in
88
the public domain".</q> And under <q>DEFINITIONS OF TERMS USED IN
89
THESE LISTS</q> we find <q>In the public
90
domain</q> defined as <q>"technology" or "software" which has been made
91
available without restrictions upon its further dissemination. Note:
92
Copyright restrictions do not remove "technology" or "software" from being
93
"in the public domain".</q></p>
95
<p>So, both mod_ssl and OpenSSL are <q>in the public domain</q> for the purposes
96
of the Wassenaar Arrangement and its <q>List of Dual Use Goods and
97
Technologies And Munitions List</q>, and thus not affected by its provisions.</p>
100
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
101
<div class="section">
102
<h2><a name="installation" id="installation">Installation</a></h2>
104
<li><a href="#mutex">Why do I get permission errors related to
105
SSLMutex when I start Apache?</a></li>
106
<li><a href="#entropy">Why does mod_ssl stop with the error "Failed to
107
generate temporary 512 bit RSA private key", when I start Apache?</a></li>
110
<h3><a name="mutex" id="mutex">Why do I get permission errors related to
111
SSLMutex when I start Apache?</a></h3>
112
<p>Errors such as ``<code>mod_ssl: Child could not open
113
SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows)
114
[...] System: Permission denied (errno: 13)</code>'' are usually
115
caused by overly restrictive permissions on the <em>parent</em> directories.
116
Make sure that all parent directories (here <code>/opt</code>,
117
<code>/opt/apache</code> and <code>/opt/apache/logs</code>) have the x-bit
118
set for, at minimum, the UID under which Apache's children are running (see
119
the <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> directive).</p>
122
<h3><a name="entropy" id="entropy">Why does mod_ssl stop with the error
123
"Failed to generate temporary 512 bit RSA private key", when I start
125
<p>Cryptographic software needs a source of unpredictable data
126
to work correctly. Many open source operating systems provide
127
a "randomness device" that serves this purpose (usually named
128
<code>/dev/random</code>). On other systems, applications have to
129
seed the OpenSSL Pseudo Random Number Generator (PRNG) manually with
130
appropriate data before generating keys or performing public key
131
encryption. As of version 0.9.5, the OpenSSL functions that need
132
randomness report an error if the PRNG has not been seeded with
133
at least 128 bits of randomness.</p>
134
<p>To prevent this error, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> has to provide
135
enough entropy to the PRNG to allow it to work correctly. This can
136
be done via the <code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code>
139
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
140
<div class="section">
141
<h2><a name="aboutconfig" id="aboutconfig">Configuration</a></h2>
143
<li><a href="#parallel">Is it possible to provide HTTP and HTTPS from
144
the same server?</a></li>
145
<li><a href="#ports">Which port does HTTPS use?</a></li>
146
<li><a href="#httpstest">How do I speak HTTPS manually for testing
148
<li><a href="#hang">Why does the connection hang when I connect to my
149
SSL-aware Apache server</a></li>
150
<li><a href="#refused">Why do I get ``Connection Refused'' errors, when
151
trying to access my newly installed Apache+mod_ssl server via HTTPS?</a></li>
152
<li><a href="#envvars">Why are the <code>SSL_XXX</code> variables not
153
available to my CGI & SSI scripts?</a></li>
154
<li><a href="#relative">How can I switch between HTTP and HTTPS in
155
relative hyperlinks?</a></li>
158
<h3><a name="parallel" id="parallel">Is it possible to provide HTTP and HTTPS
159
from the same server?</a></h3>
160
<p>Yes. HTTP and HTTPS use different server ports (HTTP binds to
161
port 80, HTTPS to port 443), so there is no direct conflict between
162
them. You can either run two separate server instances bound to
163
these ports, or use Apache's elegant virtual hosting facility to
164
create two virtual servers over one instance of Apache - one
165
responding to requests on port 80 and speaking HTTP and the other
166
responding to requests on port 443 speaking HTTPS.</p>
169
<h3><a name="ports" id="ports">Which port does HTTPS use?</a></h3>
170
<p>You can run HTTPS on any port, but the standards specify port 443, which
171
is where any HTTPS compliant browser will look by default. You can force
172
your browser to look on a different port by specifying it in the URL like
173
this (for port 666): <code>https://secure.server.dom:666/</code></p>
176
<h3><a name="httpstest" id="httpstest">How do I speak HTTPS manually for testing purposes?</a></h3>
177
<p>While you usually just use</p>
179
<div class="example"><p><code>$ telnet localhost 80<br />
180
GET / HTTP/1.0</code></p></div>
182
<p>for simple testing of Apache via HTTP, it's not so easy for
183
HTTPS because of the SSL protocol between TCP and HTTP. With the
184
help of OpenSSL's <code>s_client</code> command, however, you can
185
do a similar check for HTTPS:</p>
187
<div class="example"><p><code>$ openssl s_client -connect localhost:443 -state -debug<br />
188
GET / HTTP/1.0</code></p></div>
190
<p>Before the actual HTTP response you will receive detailed
191
information about the SSL handshake. For a more general command
192
line client which directly understands both HTTP and HTTPS, can
193
perform GET and POST operations, can use a proxy, supports byte
194
ranges, etc. you should have a look at the nifty
195
<a href="http://curl.haxx.se/">cURL</a> tool. Using this, you can
196
check that Apache is responding correctly on ports 80 and 443 as
199
<div class="example"><p><code>$ curl http://localhost/<br />
200
$ curl https://localhost/</code></p></div>
203
<h3><a name="hang" id="hang">Why does the connection hang when I connect
204
to my SSL-aware Apache server?</a></h3>
205
<p>Because you connected with HTTP to the HTTPS port, i.e. you used an URL of
206
the form ``<code>http://</code>'' instead of ``<code>https://</code>''.
207
This also happens the other way round when you connect via HTTPS to a HTTP
208
port, i.e. when you try to use ``<code>https://</code>'' on a server that
209
doesn't support SSL (on this port). Make sure you are connecting to a
210
virtual server that supports SSL, which is probably the IP associated with
211
your hostname, not localhost (127.0.0.1).</p>
214
<h3><a name="refused" id="refused">Why do I get ``Connection Refused'' messages,
215
when trying to access my newly installed Apache+mod_ssl server via HTTPS?</a></h3>
216
<p>This can happen for various reasons. The most common mistakes
217
include starting Apache with just <code>apachectl start</code> (or
218
<code class="program"><a href="../programs/httpd.html">httpd</a></code>) instead of <code>apachectl startssl</code> (or
219
<code>httpd -DSSL</code>). Your configuration may also be incorrect.
220
Please make sure that your <code class="directive"><a href="../mod/mpm_common.html#listen">Listen</a></code> directives match your
221
<code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code>
222
directives. If all else fails, please start afresh, using the default
223
configuration provided by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.</p>
226
<h3><a name="envvars" id="envvars">Why are the <code>SSL_XXX</code> variables
227
not available to my CGI & SSI scripts?</a></h3>
228
<p>Please make sure you have ``<code>SSLOptions +StdEnvVars</code>''
229
enabled for the context of your CGI/SSI requests.</p>
232
<h3><a name="relative" id="relative">How can I switch between HTTP and HTTPS in relative
235
<p>Usually, to switch between HTTP and HTTPS, you have to use
236
fully-qualified hyperlinks (because you have to change the URL
237
scheme). Using <code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code> however, you can
238
manipulate relative hyperlinks, to achieve the same effect.</p>
239
<div class="example"><p><code>
240
RewriteEngine on<br />
241
RewriteRule ^/(.*):SSL$ https://%{SERVER_NAME}/$1 [R,L]<br />
242
RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [R,L]
245
<p>This rewrite ruleset lets you use hyperlinks of the form
246
<code><a href="document.html:SSL"></code>, to switch to HTTPS
247
in a relative link.</p>
249
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
250
<div class="section">
251
<h2><a name="aboutcerts" id="aboutcerts">Certificates</a></h2>
253
<li><a href="#keyscerts">What are RSA Private Keys, CSRs and
254
Certificates?</a></li>
255
<li><a href="#startup">Is there a difference on startup between
256
the original Apache and an SSL-aware Apache?</a></li>
257
<li><a href="#selfcert">How do I create a self-signed SSL
258
Certificate for testing purposes?</a></li>
259
<li><a href="#realcert">How do I create a real SSL Certificate?</a></li>
260
<li><a href="#ownca">How do I create and use my own Certificate
261
Authority (CA)?</a></li>
262
<li><a href="#passphrase">How can I change the pass-phrase on my private
264
<li><a href="#removepassphrase">How can I get rid of the pass-phrase
265
dialog at Apache startup time?</a></li>
266
<li><a href="#verify">How do I verify that a private key matches its
267
Certificate?</a></li>
268
<li><a href="#badcert">Why do connections fail with an "alert bad
269
certificate" error?</a></li>
270
<li><a href="#keysize">Why does my 2048-bit private key not work?</a></li>
271
<li><a href="#hashsymlinks">Why is client authentication broken after
272
upgrading from SSLeay version 0.8 to 0.9?</a></li>
273
<li><a href="#pemder">How can I convert a certificate from PEM to DER
275
<li><a href="#verisign">Why can't I find the
276
<code>getca</code> or <code>getverisign</code> programs mentioned by
277
Verisign, for installing my Verisign certificate?</a></li>
278
<li><a href="#sgc">Can I use the Server Gated Cryptography (SGC)
279
facility (aka Verisign Global ID) with mod_ssl?</a></li>
280
<li><a href="#gid">Why do browsers complain that they cannot
281
verify my Verisign Global ID server certificate?</a></li>
284
<h3><a name="keyscerts" id="keyscerts">What are RSA Private Keys, CSRs and Certificates?</a></h3>
285
<p>An RSA private key file is a digital file that you can use to decrypt
286
messages sent to you. It has a public component which you distribute (via
287
your Certificate file) which allows people to encrypt those messages to
289
<p>A Certificate Signing Request (CSR) is a digital file which contains
290
your public key and your name. You send the CSR to a Certifying Authority
291
(CA), who will convert it into a real Certificate, by signing it.</p>
292
<p>A Certificate contains your
293
RSA public key, your name, the name of the CA, and is digitally signed by
294
the CA. Browsers that know the CA can verify the signature on that
295
Certificate, thereby obtaining your RSA public key. That enables them to
296
send messages which only you can decrypt.</p>
297
<p>See the <a href="ssl_intro.html">Introduction</a> chapter for a general
298
description of the SSL protocol.</p>
301
<h3><a name="startup" id="startup">Is there a difference on startup between
302
the original Apache and an SSL-aware Apache?</a></h3>
303
<p>Yes. In general, starting Apache with
304
<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> built-in is just like starting Apache
305
without it. However, if you have a passphrase on your SSL private
306
key file, a startup dialog will pop up which asks you to enter the
309
<p>Having to manually enter the passphrase when starting the server
310
can be problematic - for example, when starting the server from the
311
system boot scripts. In this case, you can follow the steps
312
<a href="#removepassphrase">below</a> to remove the passphrase from
313
your private key.</p>
316
<h3><a name="selfcert" id="selfcert">How do I create a self-signed SSL
317
Certificate for testing purposes?</a></h3>
319
<li>Make sure OpenSSL is installed and in your <code>PATH</code>.<br />
322
<li>Run the following command, to create <code>server.key</code> and
323
<code>server.crt</code> files:<br />
324
<code><strong>$ openssl req -new -x509 -nodes -out server.crt
325
-keyout server.key</strong></code><br />
326
These can be used as follows in your <code>httpd.conf</code>
329
SSLCertificateFile /path/to/this/server.crt
330
SSLCertificateKeyFile /path/to/this/server.key
333
<li>It is important that you are aware that this
334
<code>server.key</code> does <em>not</em> have any passphrase.
335
To add a passphrase to the key, you should run the following
336
command, and enter & verify the passphrase as requested.<br />
337
<p><code><strong>$ openssl rsa -des3 -in server.key -out
338
server.key.new</strong></code><br />
339
<code><strong>$ mv server.key.new server.key</strong></code><br /></p>
340
Please backup the <code>server.key</code> file, and the passphrase
341
you entered, in a secure location.
346
<h3><a name="realcert" id="realcert">How do I create a real SSL Certificate?</a></h3>
347
<p>Here is a step-by-step description:</p>
349
<li>Make sure OpenSSL is installed and in your <code>PATH</code>.
353
<li>Create a RSA private key for your Apache server
354
(will be Triple-DES encrypted and PEM formatted):<br />
356
<code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code><br />
358
Please backup this <code>server.key</code> file and the
359
pass-phrase you entered in a secure location.
360
You can see the details of this RSA private key by using the command:<br />
363
<code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br />
365
If necessary, you can also create a decrypted PEM version (not
366
recommended) of this RSA private key with:<br />
368
<code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br />
372
<li>Create a Certificate Signing Request (CSR) with the server RSA private
373
key (output will be PEM formatted):<br />
375
<code><strong>$ openssl req -new -key server.key -out server.csr</strong></code><br />
377
Make sure you enter the FQDN ("Fully Qualified Domain Name") of the
378
server when OpenSSL prompts you for the "CommonName", i.e. when you
379
generate a CSR for a website which will be later accessed via
380
<code>https://www.foo.dom/</code>, enter "www.foo.dom" here.
381
You can see the details of this CSR by using<br />
384
<code><strong>$ openssl req -noout -text -in server.csr</strong></code><br />
387
<li>You now have to send this Certificate Signing Request (CSR) to
388
a Certifying Authority (CA) to be signed. Once the CSR has been
389
signed, you will have a real Certificate, which can be used by
390
Apache. You can have a CSR signed by a commercial CA, or you can
391
create your own CA to sign it.<br />
392
Commercial CAs usually ask you to post the CSR into a web form,
393
pay for the signing, and then send a signed Certificate, which
394
you can store in a server.crt file. For more information about
395
commercial CAs see the following locations:<br />
399
<a href="http://digitalid.verisign.com/server/apacheNotice.htm">
400
http://digitalid.verisign.com/server/apacheNotice.htm
404
<a href="http://www.thawte.com/">http://www.thawte.com/</a>
406
<li> CertiSign Certificadora Digital Ltda.<br />
407
<a href="http://www.certisign.com.br">
408
http://www.certisign.com.br
412
<a href="http://www.iks-jena.de/leistungen/ca/">
413
http://www.iks-jena.de/leistungen/ca/
416
<li> Uptime Commerce Ltd.<br />
417
<a href="http://www.uptimecommerce.com">
418
http://www.uptimecommerce.com
421
<li> BelSign NV/SA<br />
422
<a href="http://www.belsign.be">
423
http://www.belsign.be
428
For details on how to create your own CA, and use this to sign
429
a CSR, see <a href="#ownca">below</a>.<br />
431
Once your CSR has been signed, you can see the details of the
432
Certificate as follows:<br />
434
<code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br />
437
<li>You should now have two files: <code>server.key</code> and
438
<code>server.crt</code>. These can be used as follows in your
439
<code>httpd.conf</code> file:
441
SSLCertificateFile /path/to/this/server.crt
442
SSLCertificateKeyFile /path/to/this/server.key
444
The <code>server.csr</code> file is no longer needed.
450
<h3><a name="ownca" id="ownca">How do I create and use my own Certificate Authority (CA)?</a></h3>
451
<p>The short answer is to use the <code>CA.sh</code> or <code>CA.pl</code>
452
script provided by OpenSSL. Unless you have a good reason not to,
453
you should use these for preference. If you cannot, you can create a
454
self-signed Certificate as follows:</p>
457
<li>Create a RSA private key for your server
458
(will be Triple-DES encrypted and PEM formatted):<br />
460
<code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code><br />
462
Please backup this <code>host.key</code> file and the
463
pass-phrase you entered in a secure location.
464
You can see the details of this RSA private key by using the
466
<code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br />
468
If necessary, you can also create a decrypted PEM version (not
469
recommended) of this RSA private key with:<br />
471
<code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br />
474
<li>Create a self-signed Certificate (X509 structure)
475
with the RSA key you just created (output will be PEM formatted):<br />
477
<code><strong>$ openssl req -new -x509 -nodes -sha1 -days 365
478
-key server.key -out server.crt</strong></code><br />
480
This signs the server CSR and results in a <code>server.crt</code> file.<br />
481
You can see the details of this Certificate using:<br />
483
<code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br />
489
<h3><a name="passphrase" id="passphrase">How can I change the pass-phrase on my private key file?</a></h3>
490
<p>You simply have to read it with the old pass-phrase and write it again,
491
specifying the new pass-phrase. You can accomplish this with the following
495
<p><code><strong>$ openssl rsa -des3 -in server.key -out server.key.new</strong></code><br />
496
<code><strong>$ mv server.key.new server.key</strong></code><br /></p>
498
<p>The first time you're asked for a PEM pass-phrase, you should
499
enter the old pass-phrase. After that, you'll be asked again to
500
enter a pass-phrase - this time, use the new pass-phrase. If you
501
are asked to verify the pass-phrase, you'll need to enter the new
502
pass-phrase a second time.</p>
505
<h3><a name="removepassphrase" id="removepassphrase">How can I get rid of the pass-phrase dialog at Apache startup time?</a></h3>
506
<p>The reason this dialog pops up at startup and every re-start
507
is that the RSA private key inside your server.key file is stored in
508
encrypted format for security reasons. The pass-phrase is needed decrypt
509
this file, so it can be read and parsed. Removing the pass-phrase
510
removes a layer of security from your server - proceed with caution!</p>
512
<li>Remove the encryption from the RSA private key (while
513
keeping a backup copy of the original file):<br />
515
<code><strong>$ cp server.key server.key.org</strong></code><br />
516
<code><strong>$ openssl rsa -in server.key.org -out server.key</strong></code><br />
520
<li>Make sure the server.key file is only readable by root:<br />
522
<code><strong>$ chmod 400 server.key</strong></code><br />
527
<p>Now <code>server.key</code> contains an unencrypted copy of the key.
528
If you point your server at this file, it will not prompt you for a
529
pass-phrase. HOWEVER, if anyone gets this key they will be able to
530
impersonate you on the net. PLEASE make sure that the permissions on this
531
file are such that only root or the web server user can read it
532
(preferably get your web server to start as root but run as another
533
user, and have the key readable only by root).</p>
535
<p>As an alternative approach you can use the ``<code>SSLPassPhraseDialog
536
exec:/path/to/program</code>'' facility. Bear in mind that this is
537
neither more nor less secure, of course.</p>
540
<h3><a name="verify" id="verify">How do I verify that a private key matches its Certificate?</a></h3>
541
<p>A private key contains a series of numbers. Two of these numbers form
542
the "public key", the others are part of the "private key". The "public
543
key" bits are included when you generate a CSR, and subsequently form
544
part of the associated Certificate.</p>
545
<p>To check that the public key in your Certificate matches the public
546
portion of your private key, you simply need to compare these numbers.
547
To view the Certificate and the key run the commands:</p>
549
<p><code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br />
550
<code><strong>$ openssl rsa -noout -text -in server.key</strong></code></p>
552
<p>The `modulus' and the `public exponent' portions in the key and the
553
Certificate must match. As the public exponent is usually 65537
554
and it's difficult to visually check that the long modulus numbers
555
are the same, you can use the following approach:</p>
557
<p><code><strong>$ openssl x509 -noout -modulus -in server.crt | openssl md5</strong></code><br />
558
<code><strong>$ openssl rsa -noout -modulus -in server.key | openssl md5</strong></code></p>
560
<p>This leaves you with two rather shorter numbers to compare. It is,
561
in theory, possible that these numbers may be the same, without the
562
modulus numbers being the same, but the chances of this are
563
overwhelmingly remote.</p>
564
<p>Should you wish to check to which key or certificate a particular
565
CSR belongs you can perform the same calculation on the CSR as
568
<p><code><strong>$ openssl req -noout -modulus -in server.csr | openssl md5</strong></code></p>
571
<h3><a name="badcert" id="badcert">Why do connections fail with an "alert
572
bad certificate" error?</a></h3>
573
<p>Errors such as <code>OpenSSL: error:14094412: SSL
574
routines:SSL3_READ_BYTES:sslv3 alert bad certificate</code> in the SSL
575
logfile, are usually caused a browser which is unable to handle the server
576
certificate/private-key. For example, Netscape Navigator 3.x is
577
unable to handle RSA key lengths not equal to 1024 bits.</p>
580
<h3><a name="keysize" id="keysize">Why does my 2048-bit private key not work?</a></h3>
581
<p>The private key sizes for SSL must be either 512 or 1024 bits, for compatibility
582
with certain web browsers. A keysize of 1024 bits is recommended because
583
keys larger than 1024 bits are incompatible with some versions of Netscape
584
Navigator and Microsoft Internet Explorer, and with other browsers that
585
use RSA's BSAFE cryptography toolkit.</p>
588
<h3><a name="hashsymlinks" id="hashsymlinks">Why is client authentication broken after upgrading from
589
SSLeay version 0.8 to 0.9?</a></h3>
590
<p>The CA certificates under the path you configured with
591
<code>SSLCACertificatePath</code> are found by SSLeay through hash
592
symlinks. These hash values are generated by the `<code>openssl x509 -noout
593
-hash</code>' command. However, the algorithm used to calculate the hash for a
594
certificate changed between SSLeay 0.8 and 0.9. You will need to remove
595
all old hash symlinks and create new ones after upgrading. Use the
596
<code>Makefile</code> provided by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.</p>
599
<h3><a name="pemder" id="pemder">How can I convert a certificate from PEM to DER format?</a></h3>
600
<p>The default certificate format for SSLeay/OpenSSL is PEM, which is simply
601
Base64 encoded DER, with header and footer lines. For some applications
602
(e.g. Microsoft Internet Explorer) you need the certificate in plain DER
603
format. You can convert a PEM file <code>cert.pem</code> into the
604
corresponding DER file <code>cert.der</code> using the following command:
605
<code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code></p>
608
<h3><a name="verisign" id="verisign">Why can't I find the
609
<code>getca</code> or <code>getverisign</code> programs mentioned by
610
Verisign, for installing my Verisign certificate?</a></h3>
611
<p>Verisign has never provided specific instructions
612
for Apache+mod_ssl. The instructions provided are for C2Net's
613
Stronghold (a commercial Apache based server with SSL support).</p>
614
<p>To install your certificate, all you need to do is to save the
615
certificate to a file, and give the name of that file to the
616
<code class="directive"><a href="../mod/mod_ssl.html#sslcertificatefile">SSLCertificateFile</a></code> directive.
617
You will also need to give it the key file. For more information,
618
see the <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatekeyfile">SSLCertificateKeyFile</a></code>
622
<h3><a name="sgc" id="sgc">Can I use the Server Gated Cryptography (SGC)
623
facility (aka Verisign Global ID) with mod_ssl?</a></h3>
624
<p>Yes. <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> has included support for the SGC
625
facility since version 2.1. No special configuration is required -
626
just use the Global ID as your server certificate. The
627
<em>step up</em> of the clients is then automatically handled by
628
<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> at run-time.</p>
631
<h3><a name="gid" id="gid">Why do browsers complain that they cannot
632
verify my Verisign Global ID server certificate?</a></h3>
633
<p>Verisign uses an intermediate CA certificate between the root CA
634
certificate (which is installed in the browsers) and the server
635
certificate (which you installed on the server). You should have
636
received this additional CA certificate from Verisign.
637
If not, complain to them. Then, configure this certificate with the
638
<code class="directive"><a href="../mod/mod_ssl.html#sslcertificatechainfile">SSLCertificateChainFile</a></code>
639
directive. This ensures that the intermediate CA certificate is
640
sent to the browser, filling the gap in the certificate chain.</p>
642
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
643
<div class="section">
644
<h2><a name="aboutssl" id="aboutssl">The SSL Protocol</a></h2>
646
<li><a href="#random">Why do I get lots of random SSL protocol
647
errors under heavy server load?</a></li>
648
<li><a href="#load">Why does my webserver have a higher load, now
649
that it serves SSL encrypted traffic?</a></li>
650
<li><a href="#establishing">Why do HTTPS connections to my server
651
sometimes take up to 30 seconds to establish a connection?</a></li>
652
<li><a href="#ciphers">What SSL Ciphers are supported by mod_ssl?</a></li>
653
<li><a href="#adh">Why do I get ``no shared cipher'' errors, when
654
trying to use Anonymous Diffie-Hellman (ADH) ciphers?</a></li>
655
<li><a href="#sharedciphers">Why do I get a 'no shared ciphers'
656
error when connecting to my newly installed server?</a></li>
657
<li><a href="#vhosts">Why can't I use SSL with name-based/non-IP-based
658
virtual hosts?</a></li>
659
<li><a href="#vhosts2">Why is it not possible to use Name-Based Virtual
660
Hosting to identify different SSL virtual hosts?</a></li>
661
<li><a href="#comp">How do I get SSL compression working?</a></li>
662
<li><a href="#lockicon">When I use Basic Authentication over HTTPS
663
the lock icon in Netscape browsers stays unlocked when the dialog pops up.
664
Does this mean the username/password is being sent unencrypted?</a></li>
665
<li><a href="#msie">Why do I get I/O errors when connecting via
666
HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer
668
<li><a href="#nn">Why do I get I/O errors, or the message "Netscape has
669
encountered bad data from the server", when connecting via
670
HTTPS to an Apache+mod_ssl server with Netscape Navigator?</a></li>
673
<h3><a name="random" id="random">Why do I get lots of random SSL protocol
674
errors under heavy server load?</a></h3>
675
<p>There can be a number of reasons for this, but the main one
676
is problems with the SSL session Cache specified by the
677
<code class="directive"><a href="../mod/mod_ssl.html#sslsessioncache">SSLSessionCache</a></code> directive. The DBM session
678
cache is the most likely source of the problem, so using the SHM session cache (or
679
no cache at all) may help.</p>
682
<h3><a name="load" id="load">Why does my webserver have a higher load, now
683
that it serves SSL encrypted traffic?</a></h3>
684
<p>SSL uses strong cryptographic encryption, which necessitates a lot of
685
number crunching. When you request a webpage via HTTPS, everything (even
686
the images) is encrypted before it is transferred. So increased HTTPS
687
traffic leads to load increases.</p>
690
<h3><a name="establishing" id="establishing">Why do HTTPS connections to my server
691
sometimes take up to 30 seconds to establish a connection?</a></h3>
692
<p>This is usually caused by a <code>/dev/random</code> device for
693
<code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code> which blocks the
694
read(2) call until enough entropy is available to service the
695
request. More information is available in the reference
696
manual for the <code class="directive"><a href="../mod/mod_ssl.html#sslrandomseed">SSLRandomSeed</a></code>
700
<h3><a name="ciphers" id="ciphers">What SSL Ciphers are supported by mod_ssl?</a></h3>
701
<p>Usually, any SSL ciphers supported by the version of OpenSSL in use,
702
are also supported by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>. Which ciphers are
703
available can depend on the way you built OpenSSL. Typically, at
704
least the following ciphers are supported:</p>
707
<li>RC4 with MD5</li>
708
<li>RC4 with MD5 (export version restricted to 40-bit key)</li>
709
<li>RC2 with MD5</li>
710
<li>RC2 with MD5 (export version restricted to 40-bit key)</li>
711
<li>IDEA with MD5</li>
712
<li>DES with MD5</li>
713
<li>Triple-DES with MD5</li>
716
<p>To determine the actual list of ciphers available, you should run
718
<div class="example"><p><code>$ openssl ciphers -v</code></p></div>
721
<h3><a name="adh" id="adh">Why do I get ``no shared cipher'' errors, when
722
trying to use Anonymous Diffie-Hellman (ADH) ciphers?</a></h3>
723
<p>By default, OpenSSL does <em>not</em> allow ADH ciphers, for security
724
reasons. Please be sure you are aware of the potential side-effects
725
if you choose to enable these ciphers.</p>
726
<p>In order to use Anonymous Diffie-Hellman (ADH) ciphers, you must
727
build OpenSSL with ``<code>-DSSL_ALLOW_ADH</code>'', and then add
728
``<code>ADH</code>'' into your <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code>.</p>
731
<h3><a name="sharedciphers" id="sharedciphers">Why do I get a 'no shared ciphers'
732
error when connecting to my newly installed server?</a></h3>
733
<p>Either you have made a mistake with your
734
<code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code>
735
directive (compare it with the pre-configured example in
736
<code>httpd.conf-dist</code>) or you chose to use DSA/DH
737
algorithms instead of RSA when you generated your private key
738
and ignored or overlooked the warnings. If you have chosen
739
DSA/DH, then your server cannot communicate using RSA-based SSL
740
ciphers (at least until you configure an additional RSA-based
741
certificate/key pair). Modern browsers like NS or IE can only
742
communicate over SSL using RSA ciphers. The result is the
743
"no shared ciphers" error. To fix this, regenerate your server
744
certificate/key pair, using the RSA algorithm.</p>
747
<h3><a name="vhosts" id="vhosts">Why can't I use SSL with name-based/non-IP-based virtual hosts?</a></h3>
748
<p>The reason is very technical, and a somewhat "chicken and egg" problem.
749
The SSL protocol layer stays below the HTTP protocol layer and
750
encapsulates HTTP. When an SSL connection (HTTPS) is established
751
Apache/mod_ssl has to negotiate the SSL protocol parameters with the
752
client. For this, mod_ssl has to consult the configuration of the virtual
753
server (for instance it has to look for the cipher suite, the server
754
certificate, etc.). But in order to go to the correct virtual server
755
Apache has to know the <code>Host</code> HTTP header field. To do this, the
756
HTTP request header has to be read. This cannot be done before the SSL
757
handshake is finished, but the information is needed in order to
758
complete the SSL handshake phase. Bingo!</p>
761
<h3><a name="vhosts2" id="vhosts2">Why is it not possible to use Name-Based
762
Virtual Hosting to identify different SSL virtual hosts?</a></h3>
763
<p>Name-Based Virtual Hosting is a very popular method of identifying
764
different virtual hosts. It allows you to use the same IP address and
765
the same port number for many different sites. When people move on to
766
SSL, it seems natural to assume that the same method can be used to have
767
lots of different SSL virtual hosts on the same server.</p>
769
<p>It comes as rather a shock to learn that it is impossible.</p>
771
<p>The reason is that the SSL protocol is a separate layer which
772
encapsulates the HTTP protocol. So the SSL session is a separate
773
transaction, that takes place before the HTTP session has begun.
774
The server receives an SSL request on IP address X and port Y
775
(usually 443). Since the SSL request does not contain any Host:
776
field, the server has no way to decide which SSL virtual host to use.
777
Usually, it will just use the first one it finds, which matches the
778
port and IP address specified.</p>
780
<p>You can, of course, use Name-Based Virtual Hosting to identify many
781
non-SSL virtual hosts (all on port 80, for example) and then
782
have a single SSL virtual host (on port 443). But if you do this,
783
you must make sure to put the non-SSL port number on the NameVirtualHost
786
<div class="example"><p><code>
787
NameVirtualHost 192.168.1.1:80
790
<p>Other workaround solutions include: </p>
792
<p>Using separate IP addresses for different SSL hosts.
793
Using different port numbers for different SSL hosts.</p>
796
<h3><a name="comp" id="comp">How do I get SSL compression working?</a></h3>
797
<p>Although SSL compression negotiation was defined in the specification
798
of SSLv2 and TLS, it took until May 2004 for RFC 3749 to define DEFLATE as
799
a negotiable standard compression method.
801
<p>OpenSSL 0.9.8 started to support this by default when compiled with the
802
<code>zlib</code> option. If both the client and the server support compression,
803
it will be used. However, most clients still try to initially connect with an
804
SSLv2 Hello. As SSLv2 did not include an array of prefered compression algorithms
805
in its handshake, compression cannot be negotiated with these clients.
806
If the client disables support for SSLv2, either an SSLv3 or TLS Hello
807
may be sent, depending on which SSL library is used, and compression may
808
be set up. You can verify whether clients make use of SSL compression by
809
logging the <code>%{SSL_COMPRESS_METHOD}x</code> variable.
813
<h3><a name="lockicon" id="lockicon">When I use Basic Authentication over HTTPS
814
the lock icon in Netscape browsers stays unlocked when the dialog pops up.
815
Does this mean the username/password is being sent unencrypted?</a></h3>
816
<p>No, the username/password is transmitted encrypted. The icon in
817
Netscape browsers is not actually synchronized with the SSL/TLS layer.
818
It only toggles to the locked state when the first part of the actual
819
webpage data is transferred, which may confuse people. The Basic
820
Authentication facility is part of the HTTP layer, which is above
821
the SSL/TLS layer in HTTPS. Before any HTTP data communication takes
822
place in HTTPS, the SSL/TLS layer has already completed its handshake
823
phase, and switched to encrypted communication. So don't be
824
confused by this icon.</p>
827
<h3><a name="msie" id="msie">Why do I get I/O errors when connecting via
828
HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer (MSIE)?</a></h3>
829
<p>The first reason is that the SSL implementation in some MSIE versions has
830
some subtle bugs related to the HTTP keep-alive facility and the SSL close
831
notify alerts on socket connection close. Additionally the interaction
832
between SSL and HTTP/1.1 features are problematic in some MSIE versions.
833
You can work around these problems by forcing Apache not to use HTTP/1.1,
834
keep-alive connections or send the SSL close notify messages to MSIE clients.
835
This can be done by using the following directive in your SSL-aware
836
virtual host section:</p>
837
<div class="example"><p><code>
838
SetEnvIf User-Agent ".*MSIE.*" \<br />
839
nokeepalive ssl-unclean-shutdown \<br />
840
downgrade-1.0 force-response-1.0
842
<p>Further, some MSIE versions have problems with particular ciphers.
843
Unfortunately, it is not possible to implement a MSIE-specific
844
workaround for this, because the ciphers are needed as early as the
845
SSL handshake phase. So a MSIE-specific
846
<code class="directive"><a href="../mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> won't solve these
847
problems. Instead, you will have to make more drastic
848
adjustments to the global parameters. Before you decide to do
849
this, make sure your clients really have problems. If not, do not
850
make these changes - they will affect <em>all</em> your clients, MSIE
853
<p>The next problem is that 56bit export versions of MSIE 5.x
854
browsers have a broken SSLv3 implementation, which interacts badly
855
with OpenSSL versions greater than 0.9.4. You can accept this and
856
require your clients to upgrade their browsers, you can downgrade to
857
OpenSSL 0.9.4 (not advised), or you can work around this, accepting
858
that your workaround will affect other browsers too:</p>
859
<div class="example"><p><code>SSLProtocol all -SSLv3</code></p></div>
860
<p>will completely disables the SSLv3 protocol and allow those
861
browsers to work. A better workaround is to disable only those
862
ciphers which cause trouble.</p>
863
<div class="example"><p><code>SSLCipherSuite
864
ALL:!ADH:<strong>!EXPORT56</strong>:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>
867
<p>This also allows the broken MSIE versions to work, but only removes the
868
newer 56bit TLS ciphers.</p>
870
<p>Another problem with MSIE 5.x clients is that they refuse to connect to
871
URLs of the form <code>https://12.34.56.78/</code> (where IP-addresses are used
872
instead of the hostname), if the server is using the Server Gated
873
Cryptography (SGC) facility. This can only be avoided by using the fully
874
qualified domain name (FQDN) of the website in hyperlinks instead, because
875
MSIE 5.x has an error in the way it handles the SGC negotiation.</p>
877
<p>And finally there are versions of MSIE which seem to require that
878
an SSL session can be reused (a totally non standard-conforming
879
behaviour, of course). Connecting with those MSIE versions only work
880
if a SSL session cache is used. So, as a work-around, make sure you
881
are using a session cache (see the <code class="directive"><a href="../mod/mod_ssl.html#sslsessioncache">SSLSessionCache</a></code> directive).</p>
884
<h3><a name="nn" id="nn">Why do I get I/O errors, or the message "Netscape has
885
encountered bad data from the server", when connecting via
886
HTTPS to an Apache+mod_ssl server with Netscape Navigator?</a></h3>
888
This usually occurs when you have created a new server certificate for
889
a given domain, but had previously told your browser to always accept
890
the old server certificate. Once you clear the entry for the old
891
certificate from your browser, everything should be fine. Netscape's SSL
892
implementation is correct, so when you encounter I/O errors with Netscape
893
Navigator it is usually caused by the configured certificates.</p>
895
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
896
<div class="section">
897
<h2><a name="support" id="support">mod_ssl Support</a></h2>
899
<li><a href="#resources">What information resources are available in
900
case of mod_ssl problems?</a></li>
901
<li><a href="#contact">What support contacts are available in case of
902
mod_ssl problems?</a></li>
903
<li><a href="#reportdetails">What information should I
904
provide when writing a bug report?</a></li>
905
<li><a href="#coredumphelp">I had a core dump, can you help me?</a></li>
906
<li><a href="#backtrace">How do I get a backtrace, to help find the reason
907
for my core dump?</a></li>
910
<h3><a name="resources" id="resources">What information resources are available in case of mod_ssl problems?</a></h3>
911
<p>The following information resources are available.
912
In case of problems you should search here first.</p>
915
<dt>Answers in the User Manual's F.A.Q. List (this)</dt>
916
<dd><a href="http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html">
917
http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html</a><br />
918
First check the F.A.Q. (this text). If your problem is a common
919
one, it may have been answered several times before, and been included
922
<dt>Postings from the modssl-users Support Mailing List
923
<a href="http://www.modssl.org/support/">http://www.modssl.org/support/</a></dt>
924
<dd>Search for your problem in the archives of the modssl-users mailing list.
925
You're probably not the first person to have had this problem!
930
<h3><a name="contact" id="contact">What support contacts are available in case
931
of mod_ssl problems?</a></h3>
932
<p>The following lists all support possibilities for mod_ssl, in order of
933
preference. Please go through these possibilities
934
<em>in this order</em> - don't just pick the one you like the look of. </p>
936
<li><em>Send a Problem Report to the modssl-users Support Mailing List</em><br />
937
<a href="mailto:modssl-users@modssl.org">
938
modssl-users@modssl.org</a><br />
939
This is the preferred way of submitting your problem report, because this way,
940
others can see the problem, and learn from any answers. You must subscribe to
941
the list first, but you can then easily discuss your problem with both the
942
author and the whole mod_ssl user community.
945
<li><em>Send a Problem Report to the Apache httpd Users Support Mailing List</em><br />
946
<a href="mailto:users@httpd.apache.org">
947
users@httpd.apache.org</a><br />
948
This is the second way of submitting your problem report. Again, you must
949
subscribe to the list first, but you can then easily discuss your problem
950
with the whole Apache httpd user community.
953
<li><em>Write a Problem Report in the Bug Database</em><br />
954
<a href="http://httpd.apache.org/bug_report.html">
955
http://httpd.apache.org/bug_report.html</a><br />
956
This is the last way of submitting your problem report. You should only
957
do this if you've already posted to the mailing lists, and had no success.
958
Please follow the instructions on the above page <em>carefully</em>.
963
<h3><a name="reportdetails" id="reportdetails">What information should I
964
provide when writing a bug report?</a></h3>
965
<p>You should always provide at least the following information:</p>
968
<dt>Apache and OpenSSL version information</dt>
969
<dd>The Apache version can be determined
970
by running <code>httpd -v</code>. The OpenSSL version can be
971
determined by running <code>openssl version</code>. Alternatively, if
972
you have Lynx installed, you can run the command <code>lynx -mime_header
973
http://localhost/ | grep Server</code> to gather this information in a
977
<dt>The details on how you built and installed Apache+mod_ssl+OpenSSL</dt>
978
<dd>For this you can provide a logfile of your terminal session which shows
979
the configuration and install steps. If this is not possible, you
980
should at least provide the <code class="program"><a href="../programs/configure.html">configure</a></code> command line you used.
983
<dt>In case of core dumps please include a Backtrace</dt>
984
<dd>If your Apache+mod_ssl+OpenSSL dumps its core, please attach
985
a stack-frame ``backtrace'' (see <a href="#backtrace">below</a>
986
for information on how to get this). Without this information, the
987
reason for your core dump cannot be found
990
<dt>A detailed description of your problem</dt>
991
<dd>Don't laugh, we really mean it! Many problem reports don't
992
include a description of what the actual problem is. Without this,
993
it's very difficult for anyone to help you. So, it's in your own
994
interest (you want the problem be solved, don't you?) to include as
995
much detail as possible, please. Of course, you should still include
996
all the essentials above too.
1001
<h3><a name="coredumphelp" id="coredumphelp">I had a core dump, can you help me?</a></h3>
1002
<p>In general no, at least not unless you provide more details about the code
1003
location where Apache dumped core. What is usually always required in
1004
order to help you is a backtrace (see next question). Without this
1005
information it is mostly impossible to find the problem and help you in
1009
<h3><a name="backtrace" id="backtrace">How do I get a backtrace, to help find
1010
the reason for my core dump?</a></h3>
1011
<p>Following are the steps you will need to complete, to get a backtrace:</p>
1013
<li>Make sure you have debugging symbols available, at least
1014
in Apache. On platforms where you use GCC/GDB, you will have to build
1015
Apache+mod_ssl with ``<code>OPTIM="-g -ggdb3"</code>'' to get this. On
1016
other platforms at least ``<code>OPTIM="-g"</code>'' is needed.
1019
<li>Start the server and try to reproduce the core-dump. For this you may
1020
want to use a directive like ``<code>CoreDumpDirectory /tmp</code>'' to
1021
make sure that the core-dump file can be written. This should result
1022
in a <code>/tmp/core</code> or <code>/tmp/httpd.core</code> file. If you
1023
don't get one of these, try running your server under a non-root UID.
1024
Many modern kernels do not allow a process to dump core after it has
1025
done a <code>setuid()</code> (unless it does an <code>exec()</code>) for
1026
security reasons (there can be privileged information left over in
1027
memory). If necessary, you can run <code>/path/to/httpd -X</code>
1028
manually to force Apache to not fork.
1031
<li>Analyze the core-dump. For this, run <code>gdb /path/to/httpd
1032
/tmp/httpd.core</code> or a similar command. In GDB, all you
1033
have to do then is to enter <code>bt</code>, and voila, you get the
1034
backtrace. For other debuggers consult your local debugger manual.
1039
<div class="bottomlang">
1040
<p><span>Available Languages: </span><a href="../en/ssl/ssl_faq.html" title="English"> en </a></p>
1041
</div><div id="footer">
1042
<p class="apache">Copyright 2006 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
1043
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div>
b'\\ No newline at end of file'