Mod_ssl download windows




















If you install Apache from source, then yum will not be able to detect it.

Hi, I have a problem and require help from Forum members. I have installed Apache 2.

Thanks in advance.

Posted: Sun 20 Jan '13

In versions 2. The intent is that this external program first runs security checks to make sure that the system is not compromised by an attacker, and only when these checks were passed successfully it provides the Pass Phrase.

Both these security checks, and the way the Pass Phrase is determined, can be as complex as you like. Nothing more or less! So, if you're really paranoid about security, here is your interface.

Anything else has to be left as an exercise to the administrator, because local security requirements are so different. The reuse-algorithm above is used here, too. In other words: The external program is called only once per unique Pass Phrase. It is supported by nearly every client. A revision of the TLS 1. Before OpenSSL 1. For compatibility with previous versions, if no SSLProtocol is configured in a name-based virtual host, the one from the base virtual host still applies, unless SSLProtocol is configured globally in which case the global value applies this latter exception is more sensible than compatible, though.

This directive sets the all-in-one file where you can assemble the Certificates of Certification Authorities CA whose remote servers you deal with. These are used for Remote Server Authentication. This directive sets the directory where you keep the Certificates of Certification Authorities CAs whose remote servers you deal with.

These are used to verify the remote server certificate on Remote Server Authentication. Enables certificate revocation list CRL checking for the remote servers you deal with. With the introduction of this directive, the behavior has been changed: when checking is enabled, CRLs must be present for the validation to succeed - otherwise it will fail with an "unable to get certificate CRL" error.

These are used to revoke the remote server certificate on Remote Server Authentication. This directive sets whether the remote server certificate's CN field is compared against the hostname of the request URL.

If both are not equal a status code Bad Gateway is sent. In all releases 2. In these releases, both directives must be set to off to completely avoid remote server certificate name validation. Many users reported this to be very confusing.

As of release 2. Only the following configuration will trigger the legacy certificate CN comparison in 2. This directive sets whether it is checked if the remote server certificate is expired or not. If the check fails a status code Bad Gateway is sent.

The check will succeed if the host name from the request URI matches one of the CN attribute(s) of the certificate's subject, or matches the subjectAltName extension. This feature was introduced in 2. This directive sets the all-in-one file where you keep the certificate chain for all of the client certs in use. This directive will be needed if the remote server presents a list of CA certificates that are not direct signers of one of the configured client certificates.

This referenced file is simply the concatenation of the various PEM-encoded certificate files. Upon startup, each client certificate configured will be examined and a chain of trust will be constructed. This directive sets the all-in-one file where you keep the certificates and keys used for authentication of the proxy server to remote servers. The referenced file can contain any number of pairs of client certificate and associated private key. Each pair can be specified in either certificate, key or key, certificate order.

If the file includes any non-leaf certificate, or any unmatched key and certificate pair, a configuration error will be issued at startup. When challenged to provide a client certificate by a remote server, the server should provide a list of acceptable certificate authority names in the challenge. The first configured matching certificate will then be supplied in response to the challenge. Keys encoded in PKCS8 format, ie.

This directive sets the directory where you keep the client certificates and keys used for authentication of the proxy server to remote servers. It will only connect to servers using one of the provided protocols. Please refer to SSLProtocol for additional information. When a proxy is configured to forward requests to a remote SSL server, this directive can be used to configure certificate verification of the remote server. The depth actually is the maximum number of intermediate certificate issuers, i.

A depth of 0 means that self-signed remote server certificates are accepted only, the default depth of 1 means the remote server certificate can be self-signed or has to be signed by a CA which is directly known to the server i.

This directive can only be used in the global server context because the PRNG is a global facility. This is the always available builtin seeding source. Its usage consumes minimum CPU cycles under runtime and hence can be always used without drawbacks. The source used for seeding the PRNG consists of the current time, the current process id and a randomly chosen bytes extract of the stack. The drawback is that this is not really a strong source and at startup time where the scoreboard is still not available this source just produces a few bytes of entropy.

So you should always, at least for the startup, use an additional seeding source. The drawback is just that the quality of the received data may not be the best. When bytes is specified, only the first bytes number of bytes of its stdout contents form the entropy. When bytes is not specified, the entirety of the data produced on stdout form the entropy.

Using this in the connection context slows down the server too dramatically, of course. So usually you should avoid using external programs in that context. Use this if no random device exists on your platform.

This directive can be used to set the amount of memory that will be used for this buffer. Note that in many configurations, the client sending the request body will be untrusted so a denial of service attack by consumption of memory must be considered when changing this configuration setting. SSLRequire is deprecated and should in general be replaced by Require expr. For the latter, there are also aliases without the leading dashes: lt , le , The -winxopenssl- version.

Please review the Cryptographic Software Notice carefully before downloading, using or redistributing this package. Looking for an older version?

Please, don't. There have been a number of essential bug and security fixes with the evolving support for Apache under Win Most critically, there were several denial of service, arbitrary code execution and other vulnerabilities affecting Win32 in previous releases.

Please, avoid all earlier versions. That said;. Only current, recommended releases are available from www. Older releases, and their corresponding debugging -symbols.


