summaryrefslogtreecommitdiff
path: root/usr.sbin/httpd/htdocs/manual
diff options
context:
space:
mode:
Diffstat (limited to 'usr.sbin/httpd/htdocs/manual')
-rw-r--r--usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html61
-rw-r--r--usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml69
-rw-r--r--usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html4
-rw-r--r--usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.wml4
-rw-r--r--usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html34
-rw-r--r--usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml34
6 files changed, 147 insertions, 59 deletions
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html
index 94e743862f6..aedc52bd62c 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html
@@ -325,8 +325,8 @@ author.
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC45"><strong>Why do I get 'no shared ciphers'?</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC46"><strong>HTTPS and name-based vhosts</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC47"><strong>The lock icon in Netscape locks very late</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC48"><strong>Why do I get I/O errors with my MSIE clients?</strong></a><br>
-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC49"><strong>Why do I get I/O errors with my NS clients?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC48"><strong>Why do I get I/O errors with MSIE clients?</strong></a><br>
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC49"><strong>Why do I get I/O errors with NS clients?</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC50"><strong>About Support</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC51"><strong>Resources in case of problems?</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC52"><strong>Support in case of problems?</strong></a><br>
@@ -1263,20 +1263,55 @@ username/password is still transmitted unencrypted?</strong>&nbsp;&nbsp;
<p>
<li><a name="ToC48"></a>
<a name="io-ie"></a>
- <strong id="faq">When I connect via HTTPS to an Apache+mod_ssl server with Microsoft Internet
-Explorer (MSIE) I sometimes get I/O errors and the message "bad data from the
-server". What's the reason?</strong>&nbsp;&nbsp;
+ <strong id="faq">When I connect via HTTPS to an Apache+mod_ssl+OpenSSL server with Microsoft Internet
+Explorer (MSIE) I get various I/O errors. What is the reason?</strong>&nbsp;&nbsp;
[<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#io-ie"><b>L</b></a>]
<p>
- The reason is that MSIE's SSL implementation has some subtle bugs related
- to the HTTP keep-alive facility and the SSL close notify alerts on socket
- connection close. You've to work-around this by forcing Apache+mod_ssl to
- not use keep-alive connections and not sending the SSL close notify
- messages to MSIE clients. This can be done by using the following
- directive in your SSL-aware virtual host section:
+ The first reason is that the SSL implementation in some MSIE versions has
+ some subtle bugs related to the HTTP keep-alive facility and the SSL close
+ notify alerts on socket connection close. Additionally the interaction
+ between SSL and HTTP/1.1 features are problematic with some MSIE versions,
+ too. You've to work-around these problems by forcing
+ Apache+mod_ssl+OpenSSL to not use HTTP/1.1, keep-alive connections or
+ sending the SSL close notify messages to MSIE clients. This can be done by
+ using the following directive in your SSL-aware virtual host section:
<pre>
- SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
- </pre>
+ SetEnvIf User-Agent ".*MSIE.*" \
+ <b>nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0</b></pre>
+ Additionally it is known some MSIE versions have also problems
+ with particular ciphers. Unfortunately one cannot workaround these
+ bugs only for those MSIE particular clients, because the ciphers
+ are already used in the SSL handshake phase. So a MSIE-specific
+ <tt>SetEnvIf</tt> doesn't work to solve these problems. Instead one
+ has to do more drastic adjustments to the global parameters. But
+ before you decide to do this, make sure your clients really have
+ problems. If not, do not do this, because it affects all(!) your
+ clients, i.e., also your non-MSIE clients.
+ <p>
+ The next problem is that 56bit export versions of MSIE 5.x browsers have a
+ broken SSLv3 implementation which badly interacts with OpenSSL versions
+ greater than 0.9.4. You can either accept this and force your clients to
+ upgrade their browsers, or you downgrade to OpenSSL 0.9.4 (hmmm), or you
+ can decide to workaround it by accepting the drawback that your workaround
+ will horribly affect also other browsers:
+ <pre>
+ SSLProtocol all <b>-SSLv3</b></pre>
+ This completely disables the SSLv3 protocol and lets those browsers work.
+ But usually this is an even less acceptable workaround. A more reasonable
+ workaround is to address the problem more closely and disable only the
+ ciphers which cause trouble.
+ <pre>
+ SSLCipherSuite ALL:!ADH:<b>!EXPORT56</b>:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</pre>
+ This also lets the broken MSIE versions work, but only removes the
+ newer 56bit TLS ciphers.
+ <p>
+ Another problem with MSIE 5.x clients is that they refuse to connect to
+ URLs of the form <tt>https://12.34.56.78/</tt> (IP-addresses are used
+ instead of the hostname), if the server is using the Server Gated
+ Cryptography (SGC) facility. This can only be avoided by using the fully
+ qualified domain name (FQDN) of the website in hyperlinks instead, because
+ MSIE 5.x has an error in the way it handles the SGC negotiation.
<p>
<li><a name="ToC49"></a>
<a name="io-ns"></a>
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml
index 80681aa351b..52be25e5bb9 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml
@@ -1026,24 +1026,69 @@ username/password is still transmitted unencrypted?
handshake phase and switched to encrypted communication. So, don't get
confused by this icon.
-<faq ref="io-ie" toc="Why do I get I/O errors with my MSIE clients?">
-When I connect via HTTPS to an Apache+mod_ssl server with Microsoft Internet
-Explorer (MSIE) I sometimes get I/O errors and the message "bad data from the
-server". What's the reason?
+<faq ref="io-ie" toc="Why do I get I/O errors with MSIE clients?">
+When I connect via HTTPS to an Apache+mod_ssl+OpenSSL server with Microsoft Internet
+Explorer (MSIE) I get various I/O errors. What is the reason?
</faq>
- The reason is that MSIE's SSL implementation has some subtle bugs related
- to the HTTP keep-alive facility and the SSL close notify alerts on socket
- connection close. You've to work-around this by forcing Apache+mod_ssl to
- not use keep-alive connections and not sending the SSL close notify
- messages to MSIE clients. This can be done by using the following
- directive in your SSL-aware virtual host section:
+ The first reason is that the SSL implementation in some MSIE versions has
+ some subtle bugs related to the HTTP keep-alive facility and the SSL close
+ notify alerts on socket connection close. Additionally the interaction
+ between SSL and HTTP/1.1 features are problematic with some MSIE versions,
+ too. You've to work-around these problems by forcing
+ Apache+mod_ssl+OpenSSL to not use HTTP/1.1, keep-alive connections or
+ sending the SSL close notify messages to MSIE clients. This can be done by
+ using the following directive in your SSL-aware virtual host section:
<pre>
- SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
+ SetEnvIf User-Agent ".*MSIE.*" \\
+ <b>nokeepalive ssl-unclean-shutdown \\
+ downgrade-1.0 force-response-1.0</b>\
</pre>
-<faq ref="io-ns" toc="Why do I get I/O errors with my NS clients?">
+ Additionally it is known some MSIE versions have also problems
+ with particular ciphers. Unfortunately one cannot workaround these
+ bugs only for those MSIE particular clients, because the ciphers
+ are already used in the SSL handshake phase. So a MSIE-specific
+ <tt>SetEnvIf</tt> doesn't work to solve these problems. Instead one
+ has to do more drastic adjustments to the global parameters. But
+ before you decide to do this, make sure your clients really have
+ problems. If not, do not do this, because it affects all(!) your
+ clients, i.e., also your non-MSIE clients.
+
+ <p>
+ The next problem is that 56bit export versions of MSIE 5.x browsers have a
+ broken SSLv3 implementation which badly interacts with OpenSSL versions
+ greater than 0.9.4. You can either accept this and force your clients to
+ upgrade their browsers, or you downgrade to OpenSSL 0.9.4 (hmmm), or you
+ can decide to workaround it by accepting the drawback that your workaround
+ will horribly affect also other browsers:
+
+ <pre>
+ SSLProtocol all <b>-SSLv3</b>\
+ </pre>
+
+ This completely disables the SSLv3 protocol and lets those browsers work.
+ But usually this is an even less acceptable workaround. A more reasonable
+ workaround is to address the problem more closely and disable only the
+ ciphers which cause trouble.
+
+ <pre>
+ SSLCipherSuite ALL:!ADH:<b>!EXPORT56</b>:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP\
+ </pre>
+
+ This also lets the broken MSIE versions work, but only removes the
+ newer 56bit TLS ciphers.
+
+ <p>
+ Another problem with MSIE 5.x clients is that they refuse to connect to
+ URLs of the form <tt>https://12.34.56.78/</tt> (IP-addresses are used
+ instead of the hostname), if the server is using the Server Gated
+ Cryptography (SGC) facility. This can only be avoided by using the fully
+ qualified domain name (FQDN) of the website in hyperlinks instead, because
+ MSIE 5.x has an error in the way it handles the SGC negotiation.
+
+<faq ref="io-ns" toc="Why do I get I/O errors with NS clients?">
When I connect via HTTPS to an Apache+mod_ssl server with Netscape Navigator I
get I/O errors and the message "Netscape has encountered bad data from the
server" What's the reason?
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html
index fe1c1326bb9..382cc739dd6 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html
@@ -774,7 +774,7 @@ host (so it applies to both HTTPS and HTTP):
&lt;Directory /usr/local/apache/htdocs&gt;
# Outside the subarea only Intranet access is granted
Order deny,allow
-Deny all
+Deny from all
Allow 192.160.1.0/24
&lt;/Directory&gt;
@@ -802,7 +802,7 @@ Satisfy any
# Network Access Control
Order deny,allow
-Deny all
+Deny from all
Allow 192.160.1.0/24
# HTTP Basic Authentication
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.wml
index 20cdd633040..9d9a3799a7f 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.wml
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.wml
@@ -281,7 +281,7 @@ host (so it applies to both HTTPS and HTTP):
&lt;Directory /usr/local/apache/htdocs&gt;
\# Outside the subarea only Intranet access is granted
Order deny,allow
-Deny all
+Deny from all
Allow 192.160.1.0/24
&lt;/Directory&gt;
@@ -309,7 +309,7 @@ Satisfy any
\# Network Access Control
Order deny,allow
-Deny all
+Deny from all
Allow 192.160.1.0/24
\# HTTP Basic Authentication
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html
index 779dc7950d5..3d0ea2169d3 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html
@@ -1084,26 +1084,30 @@ specify the preference and order for the ciphers (see <a href="#table1">Table
<tr id="H"><td colspan="2"><em>Aliases:</em></td></tr>
<tr id="D"><td><code>SSLv2</code></td> <td>all SSL version 2.0 ciphers</td></tr>
<tr id="H"><td><code>SSLv3</code></td> <td>all SSL version 3.0 ciphers</td> </tr>
-<tr id="D"><td><code>EXP</code></td> <td>all export ciphers</td> </tr>
-<tr id="H"><td><code>LOW</code></td> <td>all low strength ciphers (no export, single DES)</td></tr>
-<tr id="D"><td><code>MEDIUM</code></td> <td>all ciphers with 128 bit encryption</td> </tr>
-<tr id="H"><td><code>HIGH</code></td> <td>all ciphers using Triple-DES</td> </tr>
-<tr id="D"><td><code>RSA</code></td> <td>all ciphers using RSA key exchange</td> </tr>
-<tr id="H"><td><code>DH</code></td> <td>all ciphers using Diffie-Hellman key exchange</td> </tr>
-<tr id="D"><td><code>EDH</code></td> <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr>
-<tr id="H"><td><code>ADH</code></td> <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr>
-<tr id="D"><td><code>DSS</code></td> <td>all ciphers using DSS authentication</td> </tr>
-<tr id="H"><td><code>NULL</code></td> <td>all ciphers using no encryption</td> </tr>
+<tr id="D"><td><code>TLSv1</code></td> <td>all TLS version 1.0 ciphers</td> </tr>
+<tr id="H"><td><code>EXP</code></td> <td>all export ciphers</td> </tr>
+<tr id="D"><td><code>EXP40</code></td> <td>all 40-bit export ciphers only</td> </tr>
+<tr id="H"><td><code>EXP56</code></td> <td>all 56-bit export ciphers only</td> </tr>
+<tr id="D"><td><code>LOW</code></td> <td>all low strength ciphers (no export, single DES)</td></tr>
+<tr id="H"><td><code>MEDIUM</code></td> <td>all ciphers with 128 bit encryption</td> </tr>
+<tr id="D"><td><code>HIGH</code></td> <td>all ciphers using Triple-DES</td> </tr>
+<tr id="H"><td><code>RSA</code></td> <td>all ciphers using RSA key exchange</td> </tr>
+<tr id="D"><td><code>DH</code></td> <td>all ciphers using Diffie-Hellman key exchange</td> </tr>
+<tr id="H"><td><code>EDH</code></td> <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr>
+<tr id="D"><td><code>ADH</code></td> <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr>
+<tr id="H"><td><code>DSS</code></td> <td>all ciphers using DSS authentication</td> </tr>
+<tr id="D"><td><code>NULL</code></td> <td>all ciphers using no encryption</td> </tr>
</table></td>
</tr></table>
</td></tr></table>
</div>
<p>
-Now where this becomes interesting is that these can be put together to
-specify the order and ciphers you wish to use. To speed this up there are
-also aliases (<code>SSLv2, SSLv3, EXP, LOW, MEDIUM, HIGH</code>) for certain
-groups of ciphers. These tags can be joined together with prefixes to form
-the <em>cipher-spec</em>. Available prefixes are:
+Now where this becomes interesting is that these can be put together
+to specify the order and ciphers you wish to use. To speed this up
+there are also aliases (<code>SSLv2, SSLv3, TLSv1, EXP, LOW, MEDIUM,
+HIGH</code>) for certain groups of ciphers. These tags can be joined
+together with prefixes to form the <em>cipher-spec</em>. Available
+prefixes are:
<ul>
<li>none: add cipher to list
<li><code>+</code>: add ciphers to list and pull them to current location in list
diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml
index 0ebebfab536..a1be5bbb4c2 100644
--- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml
+++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml
@@ -616,26 +616,30 @@ specify the preference and order for the ciphers (see <a href="#table1">Table
<tr id=H><td colspan=2><em>Aliases:</em></td></tr>
<tr id=D><td><code>SSLv2</code></td> <td>all SSL version 2.0 ciphers</td></tr>
<tr id=H><td><code>SSLv3</code></td> <td>all SSL version 3.0 ciphers</td> </tr>
-<tr id=D><td><code>EXP</code></td> <td>all export ciphers</td> </tr>
-<tr id=H><td><code>LOW</code></td> <td>all low strength ciphers (no export, single DES)</td></tr>
-<tr id=D><td><code>MEDIUM</code></td> <td>all ciphers with 128 bit encryption</td> </tr>
-<tr id=H><td><code>HIGH</code></td> <td>all ciphers using Triple-DES</td> </tr>
-<tr id=D><td><code>RSA</code></td> <td>all ciphers using RSA key exchange</td> </tr>
-<tr id=H><td><code>DH</code></td> <td>all ciphers using Diffie-Hellman key exchange</td> </tr>
-<tr id=D><td><code>EDH</code></td> <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr>
-<tr id=H><td><code>ADH</code></td> <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr>
-<tr id=D><td><code>DSS</code></td> <td>all ciphers using DSS authentication</td> </tr>
-<tr id=H><td><code>NULL</code></td> <td>all ciphers using no encryption</td> </tr>
+<tr id=D><td><code>TLSv1</code></td> <td>all TLS version 1.0 ciphers</td> </tr>
+<tr id=H><td><code>EXP</code></td> <td>all export ciphers</td> </tr>
+<tr id=D><td><code>EXP40</code></td> <td>all 40-bit export ciphers only</td> </tr>
+<tr id=H><td><code>EXP56</code></td> <td>all 56-bit export ciphers only</td> </tr>
+<tr id=D><td><code>LOW</code></td> <td>all low strength ciphers (no export, single DES)</td></tr>
+<tr id=H><td><code>MEDIUM</code></td> <td>all ciphers with 128 bit encryption</td> </tr>
+<tr id=D><td><code>HIGH</code></td> <td>all ciphers using Triple-DES</td> </tr>
+<tr id=H><td><code>RSA</code></td> <td>all ciphers using RSA key exchange</td> </tr>
+<tr id=D><td><code>DH</code></td> <td>all ciphers using Diffie-Hellman key exchange</td> </tr>
+<tr id=H><td><code>EDH</code></td> <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr>
+<tr id=D><td><code>ADH</code></td> <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr>
+<tr id=H><td><code>DSS</code></td> <td>all ciphers using DSS authentication</td> </tr>
+<tr id=D><td><code>NULL</code></td> <td>all ciphers using no encryption</td> </tr>
</table>
</float>
<p>
-Now where this becomes interesting is that these can be put together to
-specify the order and ciphers you wish to use. To speed this up there are
-also aliases (<code>SSLv2, SSLv3, EXP, LOW, MEDIUM, HIGH</code>) for certain
-groups of ciphers. These tags can be joined together with prefixes to form
-the <em>cipher-spec</em>. Available prefixes are:
+Now where this becomes interesting is that these can be put together
+to specify the order and ciphers you wish to use. To speed this up
+there are also aliases (<code>SSLv2, SSLv3, TLSv1, EXP, LOW, MEDIUM,
+HIGH</code>) for certain groups of ciphers. These tags can be joined
+together with prefixes to form the <em>cipher-spec</em>. Available
+prefixes are:
<ul>
<li>none: add cipher to list