Diffstat (limited to 'usr.sbin/httpd/htdocs/manual')
6 files changed, 147 insertions, 59 deletions
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html index 94e743862f6..aedc52bd62c 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html @@ -325,8 +325,8 @@ author. <a href="#ToC45"><strong>Why do I get 'no shared ciphers'?</strong></a><br> <a href="#ToC46"><strong>HTTPS and name-based vhosts</strong></a><br> <a href="#ToC47"><strong>The lock icon in Netscape locks very late</strong></a><br> - <a href="#ToC48"><strong>Why do I get I/O errors with my MSIE clients?</strong></a><br> - <a href="#ToC49"><strong>Why do I get I/O errors with my NS clients?</strong></a><br> + <a href="#ToC48"><strong>Why do I get I/O errors with MSIE clients?</strong></a><br> + <a href="#ToC49"><strong>Why do I get I/O errors with NS clients?</strong></a><br> <a href="#ToC50"><strong>About Support</strong></a><br> <a href="#ToC51"><strong>Resources in case of problems?</strong></a><br> <a href="#ToC52"><strong>Support in case of problems?</strong></a><br> 
@@ -1263,20 +1263,55 @@ username/password is still transmitted unencrypted?</strong> <p> <li><a name="ToC48"></a> <a name="io-ie"></a> - <strong id="faq">When I connect via HTTPS to an Apache+mod_ssl server with Microsoft Internet -Explorer (MSIE) I sometimes get I/O errors and the message "bad data from the -server". What's the reason?</strong> + <strong id="faq">When I connect via HTTPS to an Apache+mod_ssl+OpenSSL server with Microsoft Internet +Explorer (MSIE) I get various I/O errors. What is the reason?</strong> [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#io-ie"><b>L</b></a>] <p> - The reason is that MSIE's SSL implementation has some subtle bugs related - to the HTTP keep-alive facility and the SSL close notify alerts on socket - connection close. You've to work-around this by forcing Apache+mod_ssl to - not use keep-alive connections and not sending the SSL close notify - messages to MSIE clients. This can be done by using the following - directive in your SSL-aware virtual host section: + The first reason is that the SSL implementation in some MSIE versions has + some subtle bugs related to the HTTP keep-alive facility and the SSL close + notify alerts on socket connection close. Additionally the interaction + between SSL and HTTP/1.1 features are problematic with some MSIE versions, + too. You've to work-around these problems by forcing + Apache+mod_ssl+OpenSSL to not use HTTP/1.1, keep-alive connections or + sending the SSL close notify messages to MSIE clients. This can be done by + using the following directive in your SSL-aware virtual host section: <pre> - SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown - </pre> + SetEnvIf User-Agent ".*MSIE.*" \ + <b>nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0</b></pre> + Additionally it is known some MSIE versions have also problems + with particular ciphers. 
Unfortunately one cannot workaround these + bugs only for those MSIE particular clients, because the ciphers + are already used in the SSL handshake phase. So a MSIE-specific + <tt>SetEnvIf</tt> doesn't work to solve these problems. Instead one + has to do more drastic adjustments to the global parameters. But + before you decide to do this, make sure your clients really have + problems. If not, do not do this, because it affects all(!) your + clients, i.e., also your non-MSIE clients. + <p> + The next problem is that 56bit export versions of MSIE 5.x browsers have a + broken SSLv3 implementation which badly interacts with OpenSSL versions + greater than 0.9.4. You can either accept this and force your clients to + upgrade their browsers, or you downgrade to OpenSSL 0.9.4 (hmmm), or you + can decide to workaround it by accepting the drawback that your workaround + will horribly affect also other browsers: + <pre> + SSLProtocol all <b>-SSLv3</b></pre> + This completely disables the SSLv3 protocol and lets those browsers work. + But usually this is an even less acceptable workaround. A more reasonable + workaround is to address the problem more closely and disable only the + ciphers which cause trouble. + <pre> + SSLCipherSuite ALL:!ADH:<b>!EXPORT56</b>:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</pre> + This also lets the broken MSIE versions work, but only removes the + newer 56bit TLS ciphers. + <p> + Another problem with MSIE 5.x clients is that they refuse to connect to + URLs of the form <tt>https://12.34.56.78/</tt> (IP-addresses are used + instead of the hostname), if the server is using the Server Gated + Cryptography (SGC) facility. This can only be avoided by using the fully + qualified domain name (FQDN) of the website in hyperlinks instead, because + MSIE 5.x has an error in the way it handles the SGC negotiation. <p> <li><a name="ToC49"></a> <a name="io-ns"></a> 
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml index 80681aa351b..52be25e5bb9 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml 
@@ -1026,24 +1026,69 @@ username/password is still transmitted unencrypted? handshake phase and switched to encrypted communication. So, don't get confused by this icon. -<faq ref="io-ie" toc="Why do I get I/O errors with my MSIE clients?"> -When I connect via HTTPS to an Apache+mod_ssl server with Microsoft Internet -Explorer (MSIE) I sometimes get I/O errors and the message "bad data from the -server". What's the reason? +<faq ref="io-ie" toc="Why do I get I/O errors with MSIE clients?"> +When I connect via HTTPS to an Apache+mod_ssl+OpenSSL server with Microsoft Internet +Explorer (MSIE) I get various I/O errors. What is the reason? </faq> - The reason is that MSIE's SSL implementation has some subtle bugs related - to the HTTP keep-alive facility and the SSL close notify alerts on socket - connection close. You've to work-around this by forcing Apache+mod_ssl to - not use keep-alive connections and not sending the SSL close notify - messages to MSIE clients. This can be done by using the following - directive in your SSL-aware virtual host section: + The first reason is that the SSL implementation in some MSIE versions has + some subtle bugs related to the HTTP keep-alive facility and the SSL close + notify alerts on socket connection close. Additionally the interaction + between SSL and HTTP/1.1 features are problematic with some MSIE versions, + too. You've to work-around these problems by forcing + Apache+mod_ssl+OpenSSL to not use HTTP/1.1, keep-alive connections or + sending the SSL close notify messages to MSIE clients. 
This can be done by + using the following directive in your SSL-aware virtual host section: <pre> - SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown + SetEnvIf User-Agent ".*MSIE.*" \\ + <b>nokeepalive ssl-unclean-shutdown \\ + downgrade-1.0 force-response-1.0</b>\ </pre> -<faq ref="io-ns" toc="Why do I get I/O errors with my NS clients?"> + Additionally it is known some MSIE versions have also problems + with particular ciphers. Unfortunately one cannot workaround these + bugs only for those MSIE particular clients, because the ciphers + are already used in the SSL handshake phase. So a MSIE-specific + <tt>SetEnvIf</tt> doesn't work to solve these problems. Instead one + has to do more drastic adjustments to the global parameters. But + before you decide to do this, make sure your clients really have + problems. If not, do not do this, because it affects all(!) your + clients, i.e., also your non-MSIE clients. + + <p> + The next problem is that 56bit export versions of MSIE 5.x browsers have a + broken SSLv3 implementation which badly interacts with OpenSSL versions + greater than 0.9.4. You can either accept this and force your clients to + upgrade their browsers, or you downgrade to OpenSSL 0.9.4 (hmmm), or you + can decide to workaround it by accepting the drawback that your workaround + will horribly affect also other browsers: + + <pre> + SSLProtocol all <b>-SSLv3</b>\ + </pre> + + This completely disables the SSLv3 protocol and lets those browsers work. + But usually this is an even less acceptable workaround. A more reasonable + workaround is to address the problem more closely and disable only the + ciphers which cause trouble. + + <pre> + SSLCipherSuite ALL:!ADH:<b>!EXPORT56</b>:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP\ + </pre> + + This also lets the broken MSIE versions work, but only removes the + newer 56bit TLS ciphers. 
+ + <p> + Another problem with MSIE 5.x clients is that they refuse to connect to + URLs of the form <tt>https://12.34.56.78/</tt> (IP-addresses are used + instead of the hostname), if the server is using the Server Gated + Cryptography (SGC) facility. This can only be avoided by using the fully + qualified domain name (FQDN) of the website in hyperlinks instead, because + MSIE 5.x has an error in the way it handles the SGC negotiation. + +<faq ref="io-ns" toc="Why do I get I/O errors with NS clients?"> When I connect via HTTPS to an Apache+mod_ssl server with Netscape Navigator I get I/O errors and the message "Netscape has encountered bad data from the server" What's the reason? diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html index fe1c1326bb9..382cc739dd6 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html @@ -774,7 +774,7 @@ host (so it applies to both HTTPS and HTTP): <Directory /usr/local/apache/htdocs> # Outside the subarea only Intranet access is granted Order deny,allow -Deny all +Deny from all Allow 192.160.1.0/24 </Directory> @@ -802,7 +802,7 @@ Satisfy any # Network Access Control Order deny,allow -Deny all +Deny from all Allow 192.160.1.0/24 # HTTP Basic Authentication diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.wml index 20cdd633040..9d9a3799a7f 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.wml +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.wml @@ -281,7 +281,7 @@ host (so it applies to both HTTPS and HTTP): <Directory /usr/local/apache/htdocs> \# Outside the subarea only Intranet access is granted Order deny,allow -Deny all +Deny from all Allow 192.160.1.0/24 </Directory> 
@@ -309,7 +309,7 @@ Satisfy any \# Network Access Control Order deny,allow -Deny all +Deny from all Allow 192.160.1.0/24 \# HTTP Basic Authentication diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html index 779dc7950d5..3d0ea2169d3 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html 
@@ -1084,26 +1084,30 @@ specify the preference and order for the ciphers (see <a href="#table1">Table <tr id="H"><td colspan="2"><em>Aliases:</em></td></tr> <tr id="D"><td><code>SSLv2</code></td> <td>all SSL version 2.0 ciphers</td></tr> <tr id="H"><td><code>SSLv3</code></td> <td>all SSL version 3.0 ciphers</td> </tr> -<tr id="D"><td><code>EXP</code></td> <td>all export ciphers</td> </tr> -<tr id="H"><td><code>LOW</code></td> <td>all low strength ciphers (no export, single DES)</td></tr> -<tr id="D"><td><code>MEDIUM</code></td> <td>all ciphers with 128 bit encryption</td> </tr> -<tr id="H"><td><code>HIGH</code></td> <td>all ciphers using Triple-DES</td> </tr> -<tr id="D"><td><code>RSA</code></td> <td>all ciphers using RSA key exchange</td> </tr> -<tr id="H"><td><code>DH</code></td> <td>all ciphers using Diffie-Hellman key exchange</td> </tr> -<tr id="D"><td><code>EDH</code></td> <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr> -<tr id="H"><td><code>ADH</code></td> <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr> -<tr id="D"><td><code>DSS</code></td> <td>all ciphers using DSS authentication</td> </tr> -<tr id="H"><td><code>NULL</code></td> <td>all ciphers using no encryption</td> </tr> +<tr id="D"><td><code>TLSv1</code></td> <td>all TLS version 1.0 ciphers</td> </tr> +<tr id="H"><td><code>EXP</code></td> <td>all export ciphers</td> </tr> +<tr id="D"><td><code>EXP40</code></td> <td>all 40-bit export ciphers only</td> </tr> +<tr id="H"><td><code>EXP56</code></td> <td>all 56-bit export ciphers only</td> </tr> +<tr id="D"><td><code>LOW</code></td> <td>all low strength ciphers (no export, single DES)</td></tr> +<tr id="H"><td><code>MEDIUM</code></td> <td>all ciphers with 128 bit encryption</td> </tr> +<tr id="D"><td><code>HIGH</code></td> <td>all ciphers using Triple-DES</td> </tr> +<tr id="H"><td><code>RSA</code></td> <td>all ciphers using RSA key exchange</td> </tr> +<tr id="D"><td><code>DH</code></td> <td>all ciphers using 
Diffie-Hellman key exchange</td> </tr> +<tr id="H"><td><code>EDH</code></td> <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr> +<tr id="D"><td><code>ADH</code></td> <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr> +<tr id="H"><td><code>DSS</code></td> <td>all ciphers using DSS authentication</td> </tr> +<tr id="D"><td><code>NULL</code></td> <td>all ciphers using no encryption</td> </tr> </table></td> </tr></table> </td></tr></table> </div> <p> -Now where this becomes interesting is that these can be put together to -specify the order and ciphers you wish to use. To speed this up there are -also aliases (<code>SSLv2, SSLv3, EXP, LOW, MEDIUM, HIGH</code>) for certain -groups of ciphers. These tags can be joined together with prefixes to form -the <em>cipher-spec</em>. Available prefixes are: +Now where this becomes interesting is that these can be put together +to specify the order and ciphers you wish to use. To speed this up +there are also aliases (<code>SSLv2, SSLv3, TLSv1, EXP, LOW, MEDIUM, +HIGH</code>) for certain groups of ciphers. These tags can be joined +together with prefixes to form the <em>cipher-spec</em>. Available +prefixes are: <ul> <li>none: add cipher to list <li><code>+</code>: add ciphers to list and pull them to current location in list diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml index 0ebebfab536..a1be5bbb4c2 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml 
@@ -616,26 +616,30 @@ specify the preference and order for the ciphers (see <a href="#table1">Table <tr id=H><td colspan=2><em>Aliases:</em></td></tr> <tr id=D><td><code>SSLv2</code></td> <td>all SSL version 2.0 ciphers</td></tr> <tr id=H><td><code>SSLv3</code></td> <td>all SSL version 3.0 ciphers</td> </tr> -<tr id=D><td><code>EXP</code></td> <td>all export ciphers</td> </tr> -<tr id=H><td><code>LOW</code></td> <td>all low strength ciphers (no export, single DES)</td></tr> -<tr id=D><td><code>MEDIUM</code></td> <td>all ciphers with 128 bit encryption</td> </tr> -<tr id=H><td><code>HIGH</code></td> <td>all ciphers using Triple-DES</td> </tr> -<tr id=D><td><code>RSA</code></td> <td>all ciphers using RSA key exchange</td> </tr> -<tr id=H><td><code>DH</code></td> <td>all ciphers using Diffie-Hellman key exchange</td> </tr> -<tr id=D><td><code>EDH</code></td> <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr> -<tr id=H><td><code>ADH</code></td> <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr> -<tr id=D><td><code>DSS</code></td> <td>all ciphers using DSS authentication</td> </tr> -<tr id=H><td><code>NULL</code></td> <td>all ciphers using no encryption</td> </tr> +<tr id=D><td><code>TLSv1</code></td> <td>all TLS version 1.0 ciphers</td> </tr> +<tr id=H><td><code>EXP</code></td> <td>all export ciphers</td> </tr> +<tr id=D><td><code>EXP40</code></td> <td>all 40-bit export ciphers only</td> </tr> +<tr id=H><td><code>EXP56</code></td> <td>all 56-bit export ciphers only</td> </tr> +<tr id=D><td><code>LOW</code></td> <td>all low strength ciphers (no export, single DES)</td></tr> +<tr id=H><td><code>MEDIUM</code></td> <td>all ciphers with 128 bit encryption</td> </tr> +<tr id=D><td><code>HIGH</code></td> <td>all ciphers using Triple-DES</td> </tr> +<tr id=H><td><code>RSA</code></td> <td>all ciphers using RSA key exchange</td> </tr> +<tr id=D><td><code>DH</code></td> <td>all ciphers using Diffie-Hellman key exchange</td> </tr> +<tr 
id=H><td><code>EDH</code></td> <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr> +<tr id=D><td><code>ADH</code></td> <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr> +<tr id=H><td><code>DSS</code></td> <td>all ciphers using DSS authentication</td> </tr> +<tr id=D><td><code>NULL</code></td> <td>all ciphers using no encryption</td> </tr> </table> </float> <p> -Now where this becomes interesting is that these can be put together to -specify the order and ciphers you wish to use. To speed this up there are -also aliases (<code>SSLv2, SSLv3, EXP, LOW, MEDIUM, HIGH</code>) for certain -groups of ciphers. These tags can be joined together with prefixes to form -the <em>cipher-spec</em>. Available prefixes are: +Now where this becomes interesting is that these can be put together +to specify the order and ciphers you wish to use. To speed this up +there are also aliases (<code>SSLv2, SSLv3, TLSv1, EXP, LOW, MEDIUM, +HIGH</code>) for certain groups of ciphers. These tags can be joined +together with prefixes to form the <em>cipher-spec</em>. Available +prefixes are: <ul> <li>none: add cipher to list |
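Review bot: in the ssl_faq.html hunk at @@ -1263 (and its mirror in ssl_faq.wml at @@ -1026), the cipher alias in `SSLCipherSuite ALL:!ADH:<b>!EXPORT56</b>:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP` is spelled `EXPORT56`, while the ssl_reference table added in this same change documents the alias as `EXP56`; use the documented name here (or state in the reference that both spellings are accepted) so a reader can look the alias up. Two grammar fixes in the new prose: "the interaction between SSL and HTTP/1.1 features are problematic" should read "is problematic", and "You've to work-around these problems" should read "You have to work around these problems". The `SSLProtocol all <b>-SSLv3</b>` paragraph should also say which protocol the affected clients will then negotiate (the page's own protocol aliases are SSLv2, SSLv3 and TLSv1), because "horribly affect also other browsers" tells the admin about compatibility but not whether the fallback is a weaker protocol, which is the security question they have to weigh before choosing this over the cipher-only workaround. Whatever is changed here must be applied to both the .html and .wml copies, which carry identical text.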
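Review bot: `Deny from all` is the correct mod_access syntax, but the unchanged context line directly below it in all four hunks (ssl_howto.html @@ -774 and @@ -802, ssl_howto.wml @@ -281 and @@ -309) has the same defect: `Allow 192.160.1.0/24` must become `Allow from 192.160.1.0/24`, since mod_access rejects an Allow or Deny that is not followed by the `from` keyword. As committed, the snippet still fails to load instead of granting the intended intranet-only access, so the fix is only half done. Separately, 192.160.1.0/24 is not an RFC 1918 private range (192.168.0.0/16 is), so a reader who copies this "Intranet" example verbatim would be allowing a publicly routable block; check whether 192.168.1.0/24 was intended.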
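Review bot: in the ssl_reference.html hunk at @@ -1084 (and its mirror in ssl_reference.wml at @@ -616), the rewritten paragraph lists the aliases as `SSLv2, SSLv3, TLSv1, EXP, LOW, MEDIUM, HIGH` but leaves out the `EXP40` and `EXP56` rows the table gains in the same hunk; add them to the list so the prose and the table agree. The FAQ hunk in this change uses `!EXPORT56` while this table documents `EXP56`; the two documents should use one spelling, and if OpenSSL accepts both, the table is the place to say so. Style point, pre-existing but continued by the new rows: `id="D"` and `id="H"` are reused on every row for striping, yet an HTML id must be unique within the document, so `class` is the right attribute for this.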