Apache-SSL

Last updated: January 15, 2009


IMPORTANT! Please read this Security Advisory - June 20, 2002
IMPORTANT! Please read this Security Advisory - March 1, 2002
IMPORTANT! Please read this Security Advisory - February 6, 2004

Contents


Main Features

What is Apache-SSL?

Apache-SSL is a secure Webserver, based on Apache and SSLeay/OpenSSL. It is licensed under a BSD-style licence, which means, in short, that you are free to use it for commercial or non-commercial purposes, so long as you retain the copyright notices. This is the same licence as used by Apache from version 0.8.15.

Download

Current release: apache_1.3.41+ssl_1.60
Release date: January 15, 2009

You will also need openssl-0.9.8a or better, which you can find here.

Apache-SSL source patches can be found on the following UK master distribution sites:

and additional FTP mirrors at:

or HTTP mirrors at:

O/S specific versions:

What do I get?

What you get is a set of patches for Apache (available for versions 1.2.0+ and 1.3.0+), some extra source files, a few READMEs and example configuration files. The patches must be applied to the Apache source, and the result compiled and linked with SSLeay (version 0.5.1b+) or OpenSSL. The modified source will still compile a standard Apache as well as Apache-SSL.

Keeping up to date

The best way to become aware of upgrades is to join the announce Mailing List, where new version are announced.

Bug fixes and patches

Send any bug fixes or enhancements to ben@links.org.

Feel free to report bugs or problems to the same place, but I make no promises (unless you want to pay me).

Commercial support

Commercial support is available for both Apache and Apache-SSL. Email me at ben@links.org if you are interested.

Digital Certificates

The following companies have requested links to their pages. I do not endorse, recommend, or in any way associate myself with these organisations. They are listed in the order they made the requests.

Digital certificates are available for Apache-SSL from:

PGP key

Should you wish to send me private mail, my PGP key can be found here. Please only use it if it is needed; I hate typing my pass phrase.

FAQ

Apache-SSL hasn't been updated for a while - does that mean its out-of-date?

No, it means it works and does what people want. We only update it when there's a bug to be fixed, a new version of Apache comes out, or someone needs a new feature supported.

Why does my browser just hang when I connect to Apache-SSL?

Because you used http: instead of https:. Really.

Also, if you see:

SSL_Accept failed error:140760EB:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
in your error log, it's for the same reason.

The patches don't apply, what's wrong?

If you get:

$ patch < SSLpatch
  Looks like a new-style context diff.
File to patch:

and not much else, then you've probably got an old version of patch. Go and find 2.1 or better, and try again, or, you may have a new "improved" version of patch (for example, 2.5), in which case do "patch -p1 < SSLpatch".

I know that HTTP is on port 80, but where is HTTPS?

You can run HTTPS on any port, but the standard specifies port 443, which is where any compliant browser will look by default. You can force your browser to look on a different port by specifying it in the URL like this:

https://secure.server.hell:666

I want to run secure and non-secure servers on the same machine. Is that possible?

There are two ways to do this: run two server daemons, or run both services from the same daemon. Unless there is a good reason to run two (like using a different product for secure/non-secure), it's usually simplest to run a single daemon and disable SSL on those virtual hosts that don't need it. If you wish to run two daemons you must make sure that they each only try to bind to their alloted ports (normally port 80 for non-secure and 443 for secure). If you wish to run a single daemon, here's an example config file showing how you might do it.

Now I've got my server installed, how do I create a test certificate?

Step one - create the key and request:

  openssl req -new > new.cert.csr
Step two - remove the passphrase from the key (optional):

  openssl rsa -in privkey.pem -out new.cert.key
Step three - convert request into signed cert:

   openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365
The Apache-SSL directives that you need to use the resulting cert are:

  SSLCertificateFile /path/to/certs/new.cert.cert
  SSLCertificateKeyFile /path/to/certs/new.cert.key

How do I create a client certificate?

Step one - create a CA certificate/key pair, as above.

Step two - sign the client request with the CA key:

  openssl x509 -req -in client.cert.csr -out client.cert.cert -signkey my.CA.key -CA my.CA.cert -CAkey my.CA.key -CAcreateserial -days 365
Step three - issue the file 'client.cert.cert' to the requester.

The Apache-SSL directives that you need to validate against this cert are:

  SSLCACertificateFile /path/to/certs/my.CA.cert
  SSLVerifyClient 2

How do I access client certs from my CGI?

In release apache_1.3.2+ssl_1.27 and above, you can use the directive:

  SSLExportClientCertificates
Which will create environment variables containing the contents of client certs. For more details, see the SSLExportClientCertificates section in the docs.There is also a working example at: https://www.apache-ssl.org/cgi/cert-export

How do I install FrontPage98 Extensions with Apache-SSL?

Bertrand Renuart has details of how to do this on his web site at http://www.itma.lu/howto/apache.

When installing a Verisign cert, why can't I find "getca" or "getverisign"?

Verisign's up to date apache-ssl cert instructions live here: http://www.verisign.com/support/install/apache/v01.html

How do I run Apache-SSL as a shareable (DSO) module?

First, configure the shared module support in the source tree:

  ./configure --enable-shared=apache_ssl
then enable the module in your httpd.conf:
  LoadModule apache_ssl_module modules/libssl.so

Common compile errors

  gcc -c  -I../os/unix -I../include -I/usr/local/ssl/include   -funsigned-char -DTARGET=\"httpsd\" -DAPACHE_SSL `../apaci` -DAPACHE_SSL buff.c
  buff.c: In function `ap_read':
  buff.c:259: structure has no member named `stats'
  buff.c:267: structure has no member named `stats'
  buff.c:268: structure has no member named `stats'
  buff.c:269: structure has no member named `stats'
  buff.c:271: structure has no member named `stats'
  buff.c: In function `ap_write':
  buff.c:346: warning: passing arg 2 of `SSL_write' discards `const' from pointer target type
  *** Error code 1

You need to upgrade to OpenSSL.

Common runtime errors

The error log says:

  error:0D067007:asn1 encoding routines:ASN1_COLLATE_PRIMITIVE:expecting an asn1 sequence
  httpsd: apache_ssl.c:1313: GetSessionFromServer: Assertion `pSession' failed.
You need to upgrade. There was a bug in Apache-SSL version 1.46 that caused this error.

Is Apache-SSL Y2K Compliant?

Apache-SSL does not add any date processing to the underlying components, so does not affect the overall compliance of your system. The main component, Apache, has this to say on the matter. You should also check your operating system, hardware and any other modules you include.

Apache starts OK, but I get errors when viewing secure pages

If you see something like this in your error log:

  [Fri Apr 28 16:24:08 2000] [error] SSL_accept failed
  [Fri Apr 28 16:24:08 2000] [error] error:24064064:random number generator:SSLEAY_RAND_BYTES:prng not seeded
  [Fri Apr 28 16:24:08 2000] [error] error:04069003:rsa routines:RSA_generate_key:BN lib
  [Fri Apr 28 16:24:08 2000] [error] error:1409B444:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:error generating tmp rsa key

You need to seed your random number generator. This is a feature of OpenSSL since version 0.9.5a. See http://www.apache-ssl.org/docs.html#SSLRandomFile for more details.

How do I use EGD with Apache-SSL?

Ben Srour explains how he did it on Mac OS/X here. The process should be very similar for other Unix variants.

Mailing Lists

There are two Apache-SSL mailing lists. For support and general help from the Apache-SSL community, send a blank email to apache-ssl-help@lists.aldigital.co.uk. This is probably the most direct route to getting arbitrary questions answered. However, BEFORE posting your question, please check that it hasn't already been answered by searching the archive.

If you simply wish to keep up to date, and to be made aware of new releases and important announcements, then apache-sslannounce-help@lists.aldigital.co.uk is the one for you.

Apache-SSL is not mod_ssl

There appears to be some confusion regarding Apache-SSL and mod_ssl. To set the record straight: mod_ssl is not a replacement for Apache-SSL - it is an alternative, in the same way that Apache is an alternative to Netscape/Microsoft servers, or Linux is an alternative to FreeBSD. It is a matter of personal choice as to which you run. mod_ssl is what is known as a 'split' - i.e. it was originally derived from Apache-SSL, but has been extensively redeveloped so the code now bears little relation to the original.

Apache-SSL continues to be developed and maintained, our main focus being on reliability, security and performance, rather than features and bells and whistles. I hope this makes things clear. (Adam Laurie).

Links

Other related web resources:

Mirror Web Sites

Credits

Apache-SSL was written by Ben Laurie, who is also an Apache core team and board member, and an OpenSSL core team member.
The development of Apache-SSL is sponsored by A.L. Digital Ltd., and this site is hosted by them in The Bunker.
Info on FTP mirror sites, CAs, Links, etc., should be sent to: The Web Slaves.
This server is , which is and

Apache-SSL graphics courtesy of Jamie Harrison and The WoW Foundation, based on the original feather by Randy Terbush. Animated graphic by Katherine Cleave of A.L. Digital. Minibutton by King Monty. Feel free to replicate.



Team A.L. Digital && Apache-SSL Distributed Computing

A.L. Digital Ltd. participate in the Distributed Net encryption cracking efforts, as do many of our friends. To see how our team is doing, click the team logo above. To read more about the project, click on the banner above. To join our team, affiliate yourself with team no. 5209. For your personal privacy, the team membership listing is not open to the public, and we promise not to use it ourselves. For anything.



Copyright © 1995,6,7,8,9;2000,1,2,3,4,5,6,7,8,9 Ben Laurie, Adam Laurie.