Raible's Wiki: ApacheSSL

-       Raible's Wiki




    Raible Designs

Wiki Home

News

Recent Changes

AppFuse
Homepage

  -  Korean

  -  Chinese

  -  Italian

  -  Japanese

QuickStart Guide

  - Chinese
 
  - French

  - German

  - Italian

  - Korean

  - Portuguese

  - Spanish

  - Japanese


User Guide

  - Korean

  - Chinese
 

Tutorials

  -  Chinese

  -  German

  -  Italian

  -  Korean

  -  Portuguese

  -  Spanish


FAQ

  -  Korean


Latest Downloads

Other Applications
Struts Resume

Security Example

Struts Menu



    




    

    
         
        Set your name in

        UserPreferences
            
    





       
       
       
       




    

Referenced by

Articles
Articles_cn
Articles_de
Articles_pt
Articles_zh



    




   



   
   JSPWiki v2.2.33 
   



       
           

           

           
           
           


           Hide Menu
+            ApacheSSL
            



  
    Search Wiki:
    
    
  



         
         
            Your trail: 
         
      

      


      

      
         



      
          Difference between 
          version 4 
          and 
          version 3:
          

          
At line 1 added 44 lines.
<style type="text/css" media="all">
    span.highlight {background: yellow; color: black}
    div.highlight {background: #ffc; color: black; border: 1px solid black; padding: 10px}	
    p.testedBy {border-top: 1px dashed black; padding-top: 5px; color: #666; background: transparent; font-size: .9em;}
</style>
<div class="canvas">
    <!--
    
    $Id: ssl-howto.html,v 1.2 2002/09/27 20:50:37 mraible Exp $
    
    Changelog:
    1.6.7       2004-05-18      Moved to Wiki so users can edit when they find mistakes/updates
    1.6.6	2003-12-30	Added user comments
    1.6.5	2002-09-27	Added instructions for Linux
    1.6.4	2002-09-26	Added information for Apache 2.0 and added a little formatting
    1.6.3	2002-05-18	info about better not overwriting the configuration files
    1.6.2	2002-05-10	more info about "couldn't load..."; apache 2 warning
    1.6.1	2002-04-10	AddModule clarification, more debugging
    1.6		2001-12-28	Windows XP information, common problems section
    1.5.3	2001-11-27	Added link to French translation
    1.5.2	2001-11-06	Added AddModule
    1.5.1	2001-10-26	Added link to Spanish translation
    1.5		2001-10-20	Lots of clarifications based on input from many people
    1.4.4	2001-05-26	Added Peter Holm to the contributors
    1.4.3	2001-05-25	"Port" directive commented out, some fixes for current versions
    1.4.2	2001-04-06	Remark about .so files
    1.4.1	2001-02-20	Success on ME
    1.4  	2001-01-28	Information about debugging connect errors
    1.3.14	2000-12-28	Small fixes; right-click to download the openssl.cnf file
    1.3.13	2000-12-19	Added feedback section
    1.2.12	2000-11-21	Information about the languages I speak
    1.2.11	2000-11-15	Removed outdated information about M$ IIS
    1.2.10	2000-11-05	OpenSSL.exe fixes
    1.2.9.2	2000-09-11	Minor tweaks, corrected HTML
    1.2.9.1	2000-07-26	IfDefine Directive added, thanks to Torsten Stanienda
    1.2.8	2000-05-09	OpenSSL -config corrected
    1.2.7	2000-04-29	Peter Barany corrected my English
    1.2.6	2000-04-28	Added info on converting the certificate to DER format for MSIE 4
    1.2.5	2000-04-21	The HOWTO is now hosted on my on server. Updated the URL
    					Added -config parameter for openssl to work with the provided config file
    1.2		2000-01-24	Christoph Zich tested the HOWTO on Windows 98
    1.1		1999-10-22	Included Horst Brauner's openssl.conf file
    1.0					Initial release
    -->
At line 46 added 469 lines.
<div style="float: right; margin-top: 20px;">
<script type="text/javascript"><!--
google_ad_client = "pub-7968247362757416";
google_ad_width = 468;
google_ad_height = 60;1
google_ad_format = "468x60_as";
google_color_border = "990000";
google_color_bg = "FFFFFF";
google_color_link = "000000";
google_color_url = "CC0000";
google_color_text = "333333";
//--></script>
<script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
</div>

<h1>The Apache + SSL HOWTO</h1>

<p>Version 1.6.7 (changelog: view source)</p>

<p>
<a href="http://www.geocities.com/sartigas/apachessl.html">Spanish
translation</a> maintained by <a href="mailto:[email protected]">Sergio
Artigas</a>
</p>
<p>
<a href="http://netsafe.free.fr/index.php?Chap=A1">French
translation</a> maintained by <a href="mailto:[email protected]">Jean-Francois 
Moreau</a>
</p>
<p>
Revised September 26, 2002 by <a href="mailto:[email protected]">Matt Raible</a> for Apache 2.0.42.
Original Article at <a href="http://tud.at/programm/apache-ssl-win32-howto.php3/">http://tud.at/programm/apache-ssl-win32-howto.php3</a>.

</p>
<h2>Overview</h2>

<p>This page describes the installation of the Win32 version of Apache with
the mod_ssl extension. The newest version should always be available from <a
href="http://tud.at/programm/apache-ssl-win32-howto.php3">http://tud.at/programm/apache-ssl-win32-howto.php3</a>.
</p>
    <p> This process worked for many people on Windows NT, 98, ME, 2000 and XP; 
        please <a href="mailto:[email protected]">mail me</a> your suggestions and 
        bug reports. You can even install Apache with SSL in addition to the Microsoft 
        Internet Information Server if you need to.</p>
<p>
	Note: sometimes, there are changes between the precompiled apache
	distributions so that this HOWTO is not correct anymore. In this case,
	if the current version does not work for you, download an older version -
	one that was published before the modification date of this HOWTO.
	Or, if you like adventures, try to make it run, and <a href="mailto:[email protected]">mail 
	me</a> if you needed to change anything.
</p>

<p>Apache with mod_ssl seems to be the only free (as in speech, not in beer)
solution for Win32. Please note that Apache on Win32 is considered beta
quality as it doesn&#39;t reach the stability and performance of Apache on
Un*x platforms.</p>

<h2>1.: <a name="install" id="install"></a>Installing Apache</h2>

<p>Get the Win32 version of the Apache web server from one of the <a 
href="http://www.apache.org/mirrors/">mirrors</a>. It is called something like


<code>apache_x_y_z_win32.exe</code>. This is a self-extracting archive that
contains the Apache base system and sample configuration files.</p>

<p>
	Don't mix Apache versions 1.3 and 2! It won't work. If you find 1.3.x on
	modssl.org, you cannot expect it to work with 2.0.x. 
</p>

    <p>Install Apache as described in <a href="http://www.apache.org/docs/windows.html">http://www.apache.org/docs/windows.html</a>.</p>
	
<a name="install-linux" id="install-linux"></a>
<div class="highlight">
For Linux, to install Apache 2.0.42 with mod_sll installed, I performed the following steps: 

I used <a href="http://httpd.apache.org/docs-2.0/install.html">http://httpd.apache.org/docs-2.0/install.html</a> as a reference.

<code>$ lynx http://www.apache.org/dist/httpd/httpd-2.0.42.tar.gz</code><br />
<code>$ gzip -d httpd-2.0.42.tar.gz</code><br />
<code>$ tar xvf httpd-2.0.42.tar</code><br />
<code>$ ./configure --enable-mods-shared=most --enable-ssl=shared</code><br />
<code>$ make</code><br />
<code>$ make install</code> 

If you're using Apache 2.0.42 with Tomcat, you can download the binary mod_jk.so from<a href="http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.0/bin/linux/i386/mod_jk-2.0.42.so"> http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.0/bin/linux/i386/mod_jk-2.0.42.so</a>. 
After downloading, put this file into your <code>modules</code> directory 
and rename it <code>mod_jk.so</code>. <a href="http://www.raibledesigns.com/tomcat">Click 
here</a> for more information on configuring Apache and Tomcat.

</div>

<p>Note: You can skip this step and get a full Apache+SSL distribution from
modssl.org, as described below. There will be no fancy installation program but
you won't need to overwrite the stock Apache files. This is the better way if
you are experienced and don't fear editing configuration files (which you will
need to do anyway).</p>

<p>Change at least the following parameters in <code>
Apache-dir/conf/httpd.conf</code>:<br />
<b>[[Replace all occurences of <code>www.my-server.dom</code> with the real
domain name!]</b></p>

<ul>
<li><code>Port 80</code> to <code><b>#</b> Port 80</code> (Comment it out;

<code>Port</code> is not necessary, <code>Listen</code> overrides it
later.)</li>

<li>(if <b>not</b> in addition to IIS) <code>Listen 80</code></li>

<li><code>Listen 443</code> (So your server listens on the standard SSL
port)</li>

<li><code>ServerName</code> <b>www.my-server.dom</b></li>

<li>(if in addition to IIS) <code>DocumentRoot</code> and the corresponding
<code>&lt;Directory</code> some-dir<code>&gt;</code> to your <code>Inetpub\wwwroot</code></li>

</ul>

<p>Install the Apache service (NT only) and start the server. Verify that
everything works before proceeding to the SSL installation because this
limits the possible errors.</p>

<p>Try <u><b>http://www.my-server.dom:443/</b></u>. It won&#39;t be encrypted yet but if
this works then the port configuration (port 443) is right.</p>

<h2>2.: <a name="openssl" id="openssl"></a>Getting OpenSSL and mod_ssl</h2>

  <p>Go to <a href="http://www.modssl.org/contrib/">http://www.modssl.org/contrib/</a> 
    and find a file called like <code>Apache_X-mod_ssl_Y-openssl_Z-WIN32[[-i386].zip</code>. 
    (<span class="highlight">You can get the 2.0.42 version at <a href="http://hunter.campbus.com/Apache_2.0.42-OpenSSL_0.9.6g-Win32.zip">http://hunter.campbus.com/Apache_2.0.42-OpenSSL_0.9.6g-Win32.zip</a></span>, older packages 
	are also available at <a href="http://hunter.campbus.com">http://hunter.campbus.com</a>). 
    Download and unzip it to a new directory. </p>

<p>
If you need the newest version, you will have to compile it yourself if it is
not there. Don't ask me about it; I don't have it, I don't compile the versions
on modssl.org, and I don't have access to development tools on Win32.
</p>

<p><span class="highlight">Copy the files <code>ssleay32.dll</code> and <code>libeay32.dll</code>
from the Apache/modssl distribution directory to <code>WINNT\System32</code>.
This is important! About 70&nbsp;% of the e-mails I receive is because people
forget to do this.</span></p>

<p>Download and install <strong>Cygwin </strong>from <a href="http://www.cygwin.com">http://www.cygwin.com</a>.</p>

<p>You&#39;ll need a config file for <code>openssl.exe</code>. If you are using Cygwin, one will already
exist for you.  If you don't want to install Cygwin, there is an openssl.exe application in the OpenSSL distribution.

</p><h2>3.: <a name="create-cert" id="create-cert"></a>Creating a test certificate</h2>

    <p>The following instructions are from <a href="http://www.apache-ssl.org/#FAQ">http://www.apache-ssl.org/#FAQ</a>.</p>    
    <p><code>openssl req -new -out server.csr</code><br />
        This creates a certificate signing request and a private key. When asked 
        for <code>&quot;Common Name (eg, your websites domain name)&quot;</code>, 
        give the exact domain name of your web server (e.g. <b>www.my-server.dom</b>). 
        The certificate belongs to this server name and browsers complain if the 
        name doesn&#39;t match.</p>

    <p><code>openssl rsa -in privkey.pem -out server.key</code><br />
        This removes the passphrase from the private key. You MUST understand 
        what this means; <code>server.key</code> should be only readable by the 
        apache server and the administrator.<br />
        You should delete the <code>.rnd</code> file because it contains the entropy 
        information for creating the key and could be used for cryptographic attacks 
        against your private key.</p>
    <p><code>openssl x509 -in server.csr -out server.crt -req -signkey server.key 
        -days 365</code><br />

This creates a self-signed certificate that you can use until you get a
&quot;real&quot; one from a certificate authority. (Which is optional; if you
know your users, you can tell them to install the certificate into their
browsers.) Note that this certificate expires after one year, you can
increase <code>-days 365</code> if you don't want this.</p>

<p>If you have users with MS Internet Explorer 4.0+ and want them to be able
to install the certificate into their certificate storage (by downloading and
opening it), you need to create a DER-encoded version of the certificate:<br />
        <code>openssl x509 -in server.crt -out server.der.crt -outform DER</code></p>

    <p>Create an <code>Apache/conf/ssl</code> directory and move <code> server.key</code> 
        and <code>server.crt</code> into it. <strong>For Linux</strong> create 
        two directories: <code>ssl.key</code> and <code>ssl.crt</code>. Move <code>server.crt</code> 
        into <code>ssl.crt</code> and move <code>server.key</code> into <code>ssl.key</code>.</p>

<p style="margin-left: 20px; font-style: italic; color: green"><strong>Tip from Olivier Gambier</strong>:<br />
You can't create a certificate with openssl.exe without a config file 
(you get an error about distinguished names).
Thus if the variable OPENSSL_CONF is not defined (and I didn't find it 
in your doc, nor I found a conf file in the distrib I downloaded), you 
must add:
"-config configfile"
to the certificate creation command, and create a valid "configfile"

I found the information, among with the error message meaning, from 
<a href="http://www.openssl.org/docs/apps/req.html">http://www.openssl.org/docs/apps/req.html</a>.
</p>

<h2>4.: <a name="configuring" id="configuring"></a>Configuring Apache and mod_ssl</h2>

<p>Copy the executable files (*.exe, *.dll, *.so) from the downloaded
apache-mod_ssl distribution over your original Apache installation directory
(remember to stop Apache first and DO NOT overwrite your edited config files
etc.!).</p>

<p>Find the LoadModule directives in your <code>httpd.conf</code> file and
add this after the existing ones, according to the file you have found in the
distribution:</p>

<p><code>LoadModule ssl_module modules/ApacheModuleSSL.dll</code> <br /> or<br />
<code>LoadModule ssl_module modules/ApacheModuleSSL.so</code>  <br /> or<br />
<code>LoadModule ssl_module modules/mod_ssl.so</code> 
<br />
        in newer versions. (Use this for 2.0.42 on Windows, on Linux, this will 
        be done for you when you compile with <code>--enable-ssh=shared</code>)</p>

<p>In newer versions of the distribution, it could also be necessary to add<br />
<code>AddModule mod_ssl.c</code><br />
        after the AddModule lines that are already in the config file. 
		(Not necessary for 2.0.42)</p>

    <p>Copy <code>ssl.conf</code> from the OpenSSL distrution to Apache/conf/. 
        For Windows, you can download from <a href="http://www.raibledesigns.com/tomcat/ssl.conf">http://www.raibledesigns.com/tomcat/ssl.conf</a> 
        (Right click -> Save Target As...). <span class="highlight">Make sure 
        and change the <code>DocumentRoot</code> and <code>ServerName</code> values 
        on lines 93 and 94.</span></p>

<p>Add the following to the end of <code>httpd.conf</code>:</p>
    <pre>
<code><i># see <a 
href="http://www.modssl.org/docs/2.4/ssl_reference.html">http://www.modssl.org/docs/2.4/ssl_reference.html</a> for more info</i>
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none

ErrorLog logs/ssl.log
LogLevel info
<i># You can later change &quot;info&quot; to &quot;warn&quot; if everything is OK</i>

&lt;VirtualHost <b>www.my-server.dom</b>:443&gt;
SSLEngine On
SSLCertificateFile conf/ssl/server.cert
SSLCertificateKeyFile conf/ssl/server.key
&lt;/VirtualHost&gt;</code></pre>

<p>Don't forget to call apache with <code>-D SSL</code> if the <code>IfDefine</code> 
    directive is active in the config file! <span class="highlight">In other words, 
    either start Apache from the command line with <code>-D SSL</code> or comment 
    out the <code>IfDefine</code> start/end tags in <code>ssl.conf</code>.</span></p>

<div class="highlight">
                        
        <p><span class="c1"><strong>NOTE</strong>:</span> When using SSL with 
            multiple Virtual Hosts, you must use an ip-based configuration. This 
            is because SSL requires you to configure a specific port (443), whereas 
            name-based specifies all ports (*). You might the following error 
            if you try to mix name-based virtual hosts with SSL.</p>
        <p><code>[[error] VirtualHost _default_:443 -- mixing * ports and non-* 
            ports with a NameVirtualHost address is not supported, proceeding 
            with undefined results</code></p>
    </div>

<p>You might need to use <code>regedit</code> to change the key <code>

HKEY_LOCAL_MACHINE\SOFTWARE\Apache&nbsp;Group\Apache\X.Y.Z</code> to the
correct number if the <code>apache.exe</code> from 
<code>modssl.org/contrib</code> is not the same version as the previously installed
one. (This seems not to be necessary with recent versions.)</p>

<p>Start the server, this time from the command prompt (not as a service) in order 
    to see the error messages that prevent Apache from starting. If everything 
    is OK, (optionally) press CTRL+C to stop the server and start it as a service 
    if you prefer.</p>
<p>
    If it doesn&#39;t work, Apache should write meaningful messages to the screen 
    and/or into the error.log and SSL.log files in the Apache/logs directory.<br />

    If something doesn&#39;t work, set all <code>LogLevel</code>s to the maximum 
    and <em>look into the logfiles</em>. They are very helpful.</p>

<p>DON'T e-mail me or the other contributors without having plain Apache
installed (Step 1). We will ignore your request; we are not the Free Apache
Helpdesk and there is enough good documentation on configuring Apache; if that
is not enough for you, you shouldn't run a secure server anyway. Also, DON'T
e-mail without having looked into the error.log and SSL.log with
<code>LogLevel</code> set to Debug.</p>

<h2><a name="debugging" id="debugging"></a>Debugging connect problems</h2>

<p>
	Problems connecting to the server with a browser can have many reasons, 
	many of them on the client (proxy, DNS, general IE dumbness).
</p>
<p>
	So, if you encounter problems connecting with SSL, try another browser
	and/or look into the settings. If even this doesn't work, you can use
	OpenSSL to debug the problem.
</p>
<pre><code>bb@www$ <b>openssl s_client -connect no-such-machine:443</b>
gethostbyname failure 	<i># Error resolving this DNS name. Connect with the IP address.</i>
connect:errno=2

bb@www$ <b>openssl s_client -connect www1.tud.at:443</b>

connect: Connection refused		
connect:errno=111
<i># No SSL server on this port. Double-check the <b>Listen</b> and <b>Port</b> directives.</i>

bb@www$ <b>openssl s_client -connect </b>apcenter.apcinteractive.net<b>:443</b>
<i># everything OK. OpenSSL shows the information it obtained from the server.</i>

CONNECTED(00000003)
depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
verify return:1
---
Certificate chain
 0 s:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
   i:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
---
Server certificate
---BEGIN CERTIFICATE---
MIIC0TCCAjoCAQAwDQYJKoZIhvcNAQEEBQAwgbAxCzAJBgNVBAYTAmF0MQ0wCwYDV
[[...]
9ucXUnk=
---END CERTIFICATE---
subject=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
issuer=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
---
No client certificate CA names sent
---
SSL handshake has read 1281 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 49ACE1CF484A67D2C476B923D52110A6FCA1A7CE53D76DF7F233DEBF2333D4FB
    Session-ID-ctx:
    Master-Key: 00E9FA964253752294ECD69C18ADBA527B7170C112E2B3BCB25EA8F4FD847EC46E1FF0194EF8E16985B5E38BF6F12131
    Key-Arg   : None
    Start Time: 980696025
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
<b>[Enter: 
GET / HTTP/1.0
and press RETURN twice]</b>
HTTP/1.1 200 OK
Date: Sun, 28 Jan 2001 15:34:58 GMT
Server: Apache/1.3.9 (Win32) mod_ssl/2.4.9 OpenSSL/0.9.4
Cache-Control: no-cache, no-store, must-revalidate, private
Expires: 0
Pragma: no-cache
X-Powered-By: PHP/4.0.4
Last-Modified: Sun, 28 Jan 2001 15:35:00 GMT
Connection: close
Content-Type: text/html

&lt;!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"&gt;
&lt;html&gt;
<i># the server shows its main document</i>
</code></pre>

<h2>Common problems</h2>

<p>Q: I see the following when starting Apache:
</p><pre>Syntax error on line [[some number] of ...httpd.conf
Cannot load apache/modules/mod_ssl.so into server 
(126) The module could not be found:
</pre>
<br />
A: Did you copy the openssl DLLs to WINNT/SYSTEM32 (or WINDOWS/SYSTEM on
Win9x/ME)? <br />
You can verify this by copying <code>openssl.exe</code> into a directory of its
own and executing it. If it complains about not being able to find some DLLs,
then you haven't copied them into the correct directory.
<br />
One user told me that he had this problem even when he did everything right. He
then found the problem: corrupt openssl DLLs. So if you get this error despite
having done everything correctly, try the openssl DLLs from another version from
modssl.org/contrib.
<p></p>

<p>Q: I see the following when starting Apache:
</p><pre>Syntax error on line [[some number] of apache/conf/httpd.conf:
Cannot load apache/modules/apachemodulessl.dll into server:
(127) The specified procedure could not be found:</pre>
or: 

<pre>Syntax error on line [[some number] of apache/conf/httpd.conf:
Invalid command 'SSLMutex', perhaps mis-spelled or defined by a module not
included in the server configuration</pre>
<br />
A: You didn't add the AddModule line (or not where it belongs, it belongs below
the other AddModule lines).
<p></p>

<p>Q: SSL doesn't work in the browser and I see the following in some logfile:
</p><pre>
[Fri Nov 16 15:46:30 2001] [[error] OpenSSL: error:1407609C:SSL
routines:SSL23_GET_CLIENT_HELLO:http request [[Hint: speaking HTTP to
HTTPS port!?]
</pre>
A: How much clearer can an error message get? Your VirtualHost or Listen
configuration is wrong.
<p></p>

<h3>Questions about Java servlets, OpenSSL compilation etc.</h3>

<p>
	Don't ask us about installing servlet extensions, recompiling mod_ssl or
	Apache with EAPI, recompiled versions etc. We have no idea and won't be able
	help you. We are just users and not programmers.<br />
	If your needs are so special, you are better off with a 
	<a href="http://www.debian.org/">Debian GNU/Linux</a> or 
	<a href="http://www.openbsd.org/">OpenBSD</a> server. It will save you lots
	of trouble. Really. </p>

<h2>Links</h2>

<p>
Apache Web Server: <a href="http://www.apache.org">http://www.apache.org</a><br />
mod_ssl: <a href="http://www.modssl.org">http://www.modssl.org</a><br />
mod_ssl configuration: <a 
href="http://www.modssl.org/docs/2.4/ssl_reference.html">http://www.modssl.org/docs/2.4/ssl_reference.html</a><br />
OpenSSL: <a href="http://www.openssl.org">http://www.openssl.org</a><br />
PHP Hypertext preprocessor: <a href="http://www.php.net">http://www.php.net</a> 
</p>

<p>Author of this document: <a href="mailto:[email protected]">Bal&aacute;zs
B&aacute;r&aacute;ny</a> (<a href="http://tud.at">http://tud.at</a>) <br />
(mail me your questions, but only after having looked into the error logs with 
<code>LogLevel debug</code>. You can mail me in English, German and Hungarian.
<br />
If I am constantly ignoring your e-mail, read all the hints in the HOWTO about
how to e-mail me.)</p>

<p>
Contributor: <a href="mailto:[email protected]">Horst
Br&auml;uner</a> (OpenSSL configuration on NT)<br />
Contributor: <a href="mailto:[email protected]">Christoph Zich</a>
(Windows 98)<br />
Contributor: <a href="mailto:[email protected]">Torsten Stanienda</a>
(Test with 1.3.12, IfDefine directive)<br />

Contributor: <a href="mailto:[email protected]">Peter Holm</a> (Listen and Port directives)
</p>

<p>Last change: 2002-05-18</p>
<p>This document can be redistributed under the 
<a href="http://www.gnu.org/copyleft/fdl.html">GNU Free
Documentation License</a>. &copy; Bal&aacute;zs B&aacute;r&aacute;ny 1999-2002</p>

<p class="testedBy">
  These instructions where tested by <a href="mailto:[email protected]">Matt Raible</a> 
  on Windows XP (SP1) and Red Hat Linux 7.3 with Apache 2.0.42.   
</p>

</div>


          

      

      

      
      Back to ApacheSSL,
       or to the Page History.
       

      

      

      

      

      

      

      

      Show Menu
-ApacheSSL
+    Search Wiki:
 At line 1 added 44 lines.
+<style type="text/css" media="all">
+    span.highlight {background: yellow; color: black}
+    div.highlight {background: #ffc; color: black; border: 1px solid black; padding: 10px}
+    p.testedBy {border-top: 1px dashed black; padding-top: 5px; color: #666; background: transparent; font-size: .9em;}
+</style>
+<div class="canvas">
+    <!--
+    $Id: ssl-howto.html,v 1.2 2002/09/27 20:50:37 mraible Exp $
+    Changelog:
+.6.7       2004-05-18      Moved to Wiki so users can edit when they find mistakes/updates
+.6.6	2003-12-30	Added user comments
+.6.5	2002-09-27	Added instructions for Linux
+.6.4	2002-09-26	Added information for Apache 2.0 and added a little formatting
+.6.3	2002-05-18	info about better not overwriting the configuration files
+.6.2	2002-05-10	more info about "couldn't load..."; apache 2 warning
+.6.1	2002-04-10	AddModule clarification, more debugging
+.6		2001-12-28	Windows XP information, common problems section
+.5.3	2001-11-27	Added link to French translation
+.5.2	2001-11-06	Added AddModule
+.5.1	2001-10-26	Added link to Spanish translation
+.5		2001-10-20	Lots of clarifications based on input from many people
+.4.4	2001-05-26	Added Peter Holm to the contributors
+.4.3	2001-05-25	"Port" directive commented out, some fixes for current versions
+.4.2	2001-04-06	Remark about .so files
+.4.1	2001-02-20	Success on ME
+.4  	2001-01-28	Information about debugging connect errors
+.3.14	2000-12-28	Small fixes; right-click to download the openssl.cnf file
+.3.13	2000-12-19	Added feedback section
+.2.12	2000-11-21	Information about the languages I speak
+.2.11	2000-11-15	Removed outdated information about M$ IIS
+.2.10	2000-11-05	OpenSSL.exe fixes
+.2.9.2	2000-09-11	Minor tweaks, corrected HTML
+.2.9.1	2000-07-26	IfDefine Directive added, thanks to Torsten Stanienda
+.2.8	2000-05-09	OpenSSL -config corrected
+.2.7	2000-04-29	Peter Barany corrected my English
+.2.6	2000-04-28	Added info on converting the certificate to DER format for MSIE 4
+.2.5	2000-04-21	The HOWTO is now hosted on my on server. Updated the URL
+    					Added -config parameter for openssl to work with the provided config file
+.2		2000-01-24	Christoph Zich tested the HOWTO on Windows 98
+.1		1999-10-22	Included Horst Brauner's openssl.conf file
+.0					Initial release
+    -->
 At line 46 added 469 lines.
+<div style="float: right; margin-top: 20px;">
+<script type="text/javascript"><!--
+google_ad_client = "pub-7968247362757416";
+google_ad_width = 468;
+google_ad_height = 60;1
+google_ad_format = "468x60_as";
+google_color_border = "990000";
+google_color_bg = "FFFFFF";
+google_color_link = "000000";
+google_color_url = "CC0000";
+google_color_text = "333333";
+//--></script>
+<script type="text/javascript"
+  src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
+</div>
+<h1>The Apache + SSL HOWTO</h1>
+<p>Version 1.6.7 (changelog: view source)</p>
+<p>
+<a href="http://www.geocities.com/sartigas/apachessl.html">Spanish
+translation</a> maintained by <a href="mailto:[email protected]">Sergio
+Artigas</a>
+</p>
+<p>
+<a href="http://netsafe.free.fr/index.php?Chap=A1">French
+translation</a> maintained by <a href="mailto:[email protected]">Jean-Francois
+Moreau</a>
+</p>
+<p>
+Revised September 26, 2002 by <a href="mailto:[email protected]">Matt Raible</a> for Apache 2.0.42.
+Original Article at <a href="http://tud.at/programm/apache-ssl-win32-howto.php3/">http://tud.at/programm/apache-ssl-win32-howto.php3</a>.
+</p>
+<h2>Overview</h2>
+<p>This page describes the installation of the Win32 version of Apache with
+the mod_ssl extension. The newest version should always be available from <a
+href="http://tud.at/programm/apache-ssl-win32-howto.php3">http://tud.at/programm/apache-ssl-win32-howto.php3</a>.
+</p>
+    <p> This process worked for many people on Windows NT, 98, ME, 2000 and XP;
+        please <a href="mailto:[email protected]">mail me</a> your suggestions and
+        bug reports. You can even install Apache with SSL in addition to the Microsoft
+        Internet Information Server if you need to.</p>
+<p>
+	Note: sometimes, there are changes between the precompiled apache
+	distributions so that this HOWTO is not correct anymore. In this case,
+	if the current version does not work for you, download an older version -
+	one that was published before the modification date of this HOWTO.
+	Or, if you like adventures, try to make it run, and <a href="mailto:[email protected]">mail
+	me</a> if you needed to change anything.
+</p>
+<p>Apache with mod_ssl seems to be the only free (as in speech, not in beer)
+solution for Win32. Please note that Apache on Win32 is considered beta
+quality as it doesn&#39;t reach the stability and performance of Apache on
+Un*x platforms.</p>
+<h2>1.: <a name="install" id="install"></a>Installing Apache</h2>
+<p>Get the Win32 version of the Apache web server from one of the <a
+href="http://www.apache.org/mirrors/">mirrors</a>. It is called something like
+<code>apache_x_y_z_win32.exe</code>. This is a self-extracting archive that
+contains the Apache base system and sample configuration files.</p>
+<p>
+	Don't mix Apache versions 1.3 and 2! It won't work. If you find 1.3.x on
+	modssl.org, you cannot expect it to work with 2.0.x.
+</p>
+    <p>Install Apache as described in <a href="http://www.apache.org/docs/windows.html">http://www.apache.org/docs/windows.html</a>.</p>
+<a name="install-linux" id="install-linux"></a>
+<div class="highlight">
+For Linux, to install Apache 2.0.42 with mod_sll installed, I performed the following steps:
+I used <a href="http://httpd.apache.org/docs-2.0/install.html">http://httpd.apache.org/docs-2.0/install.html</a> as a reference.
+<code>$ lynx http://www.apache.org/dist/httpd/httpd-2.0.42.tar.gz</code><br />
+<code>$ gzip -d httpd-2.0.42.tar.gz</code><br />
+<code>$ tar xvf httpd-2.0.42.tar</code><br />
+<code>$ ./configure --enable-mods-shared=most --enable-ssl=shared</code><br />
+<code>$ make</code><br />
+<code>$ make install</code>
+If you're using Apache 2.0.42 with Tomcat, you can download the binary mod_jk.so from<a href="http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.0/bin/linux/i386/mod_jk-2.0.42.so"> http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.0/bin/linux/i386/mod_jk-2.0.42.so</a>.
+After downloading, put this file into your <code>modules</code> directory
+and rename it <code>mod_jk.so</code>. <a href="http://www.raibledesigns.com/tomcat">Click
+here</a> for more information on configuring Apache and Tomcat.
+</div>
+<p>Note: You can skip this step and get a full Apache+SSL distribution from
+modssl.org, as described below. There will be no fancy installation program but
+you won't need to overwrite the stock Apache files. This is the better way if
+you are experienced and don't fear editing configuration files (which you will
+need to do anyway).</p>
+<p>Change at least the following parameters in <code>
+Apache-dir/conf/httpd.conf</code>:<br />
+<b>[[Replace all occurences of <code>www.my-server.dom</code> with the real
+domain name!]</b></p>
+<ul>
+<li><code>Port 80</code> to <code><b>#</b> Port 80</code> (Comment it out;
+<code>Port</code> is not necessary, <code>Listen</code> overrides it
+later.)</li>
+<li>(if <b>not</b> in addition to IIS) <code>Listen 80</code></li>
+<li><code>Listen 443</code> (So your server listens on the standard SSL
+port)</li>
+<li><code>ServerName</code> <b>www.my-server.dom</b></li>
+<li>(if in addition to IIS) <code>DocumentRoot</code> and the corresponding
+<code>&lt;Directory</code> some-dir<code>&gt;</code> to your <code>Inetpub\wwwroot</code></li>
+</ul>
+<p>Install the Apache service (NT only) and start the server. Verify that
+everything works before proceeding to the SSL installation because this
+limits the possible errors.</p>
+<p>Try <u><b>http://www.my-server.dom:443/</b></u>. It won&#39;t be encrypted yet but if
+this works then the port configuration (port 443) is right.</p>
+<h2>2.: <a name="openssl" id="openssl"></a>Getting OpenSSL and mod_ssl</h2>
+  <p>Go to <a href="http://www.modssl.org/contrib/">http://www.modssl.org/contrib/</a>
+    and find a file called like <code>Apache_X-mod_ssl_Y-openssl_Z-WIN32[[-i386].zip</code>.
+    (<span class="highlight">You can get the 2.0.42 version at <a href="http://hunter.campbus.com/Apache_2.0.42-OpenSSL_0.9.6g-Win32.zip">http://hunter.campbus.com/Apache_2.0.42-OpenSSL_0.9.6g-Win32.zip</a></span>, older packages
+	are also available at <a href="http://hunter.campbus.com">http://hunter.campbus.com</a>).
+    Download and unzip it to a new directory. </p>
+<p>
+If you need the newest version, you will have to compile it yourself if it is
+not there. Don't ask me about it; I don't have it, I don't compile the versions
+on modssl.org, and I don't have access to development tools on Win32.
+</p>
+<p><span class="highlight">Copy the files <code>ssleay32.dll</code> and <code>libeay32.dll</code>
+from the Apache/modssl distribution directory to <code>WINNT\System32</code>.
+This is important! About 70&nbsp;% of the e-mails I receive is because people
+forget to do this.</span></p>
+<p>Download and install <strong>Cygwin </strong>from <a href="http://www.cygwin.com">http://www.cygwin.com</a>.</p>
+<p>You&#39;ll need a config file for <code>openssl.exe</code>. If you are using Cygwin, one will already
+exist for you.  If you don't want to install Cygwin, there is an openssl.exe application in the OpenSSL distribution.
+</p><h2>3.: <a name="create-cert" id="create-cert"></a>Creating a test certificate</h2>
+    <p>The following instructions are from <a href="http://www.apache-ssl.org/#FAQ">http://www.apache-ssl.org/#FAQ</a>.</p>
+    <p><code>openssl req -new -out server.csr</code><br />
+        This creates a certificate signing request and a private key. When asked
+        for <code>&quot;Common Name (eg, your websites domain name)&quot;</code>,
+        give the exact domain name of your web server (e.g. <b>www.my-server.dom</b>).
+        The certificate belongs to this server name and browsers complain if the
+        name doesn&#39;t match.</p>
+    <p><code>openssl rsa -in privkey.pem -out server.key</code><br />
+        This removes the passphrase from the private key. You MUST understand
+        what this means; <code>server.key</code> should be only readable by the
+        apache server and the administrator.<br />
+        You should delete the <code>.rnd</code> file because it contains the entropy
+        information for creating the key and could be used for cryptographic attacks
+        against your private key.</p>
+    <p><code>openssl x509 -in server.csr -out server.crt -req -signkey server.key
+        -days 365</code><br />
+This creates a self-signed certificate that you can use until you get a
+&quot;real&quot; one from a certificate authority. (Which is optional; if you
+know your users, you can tell them to install the certificate into their
+browsers.) Note that this certificate expires after one year, you can
+increase <code>-days 365</code> if you don't want this.</p>
+<p>If you have users with MS Internet Explorer 4.0+ and want them to be able
+to install the certificate into their certificate storage (by downloading and
+opening it), you need to create a DER-encoded version of the certificate:<br />
+        <code>openssl x509 -in server.crt -out server.der.crt -outform DER</code></p>
+    <p>Create an <code>Apache/conf/ssl</code> directory and move <code> server.key</code>
+        and <code>server.crt</code> into it. <strong>For Linux</strong> create
+        two directories: <code>ssl.key</code> and <code>ssl.crt</code>. Move <code>server.crt</code>
+        into <code>ssl.crt</code> and move <code>server.key</code> into <code>ssl.key</code>.</p>
+<p style="margin-left: 20px; font-style: italic; color: green"><strong>Tip from Olivier Gambier</strong>:<br />
+You can't create a certificate with openssl.exe without a config file
+(you get an error about distinguished names).
+Thus if the variable OPENSSL_CONF is not defined (and I didn't find it
+in your doc, nor I found a conf file in the distrib I downloaded), you
+must add:
+"-config configfile"
+to the certificate creation command, and create a valid "configfile"
+I found the information, among with the error message meaning, from
+<a href="http://www.openssl.org/docs/apps/req.html">http://www.openssl.org/docs/apps/req.html</a>.
+</p>
+<h2>4.: <a name="configuring" id="configuring"></a>Configuring Apache and mod_ssl</h2>
+<p>Copy the executable files (*.exe, *.dll, *.so) from the downloaded
+apache-mod_ssl distribution over your original Apache installation directory
+(remember to stop Apache first and DO NOT overwrite your edited config files
+etc.!).</p>
+<p>Find the LoadModule directives in your <code>httpd.conf</code> file and
+add this after the existing ones, according to the file you have found in the
+distribution:</p>
+<p><code>LoadModule ssl_module modules/ApacheModuleSSL.dll</code> <br /> or<br />
+<code>LoadModule ssl_module modules/ApacheModuleSSL.so</code>  <br /> or<br />
+<code>LoadModule ssl_module modules/mod_ssl.so</code>
+<br />
+        in newer versions. (Use this for 2.0.42 on Windows, on Linux, this will
+        be done for you when you compile with <code>--enable-ssh=shared</code>)</p>
+<p>In newer versions of the distribution, it could also be necessary to add<br />
+<code>AddModule mod_ssl.c</code><br />
+        after the AddModule lines that are already in the config file.
+		(Not necessary for 2.0.42)</p>
+    <p>Copy <code>ssl.conf</code> from the OpenSSL distrution to Apache/conf/.
+        For Windows, you can download from <a href="http://www.raibledesigns.com/tomcat/ssl.conf">http://www.raibledesigns.com/tomcat/ssl.conf</a>
+        (Right click -> Save Target As...). <span class="highlight">Make sure
+        and change the <code>DocumentRoot</code> and <code>ServerName</code> values
+        on lines 93 and 94.</span></p>
+<p>Add the following to the end of <code>httpd.conf</code>:</p>
+    <pre>
+<code><i># see <a
+href="http://www.modssl.org/docs/2.4/ssl_reference.html">http://www.modssl.org/docs/2.4/ssl_reference.html</a> for more info</i>
+SSLMutex sem
+SSLRandomSeed startup builtin
+SSLSessionCache none
+ErrorLog logs/ssl.log
+LogLevel info
+<i># You can later change &quot;info&quot; to &quot;warn&quot; if everything is OK</i>
+&lt;VirtualHost <b>www.my-server.dom</b>:443&gt;
+SSLEngine On
+SSLCertificateFile conf/ssl/server.cert
+SSLCertificateKeyFile conf/ssl/server.key
+&lt;/VirtualHost&gt;</code></pre>
+<p>Don't forget to call apache with <code>-D SSL</code> if the <code>IfDefine</code>
+    directive is active in the config file! <span class="highlight">In other words,
+    either start Apache from the command line with <code>-D SSL</code> or comment
+    out the <code>IfDefine</code> start/end tags in <code>ssl.conf</code>.</span></p>
+<div class="highlight">
+        <p><span class="c1"><strong>NOTE</strong>:</span> When using SSL with
+            multiple Virtual Hosts, you must use an ip-based configuration. This
+            is because SSL requires you to configure a specific port (443), whereas
+            name-based specifies all ports (*). You might the following error
+            if you try to mix name-based virtual hosts with SSL.</p>
+        <p><code>[[error] VirtualHost _default_:443 -- mixing * ports and non-*
+            ports with a NameVirtualHost address is not supported, proceeding
+            with undefined results</code></p>
+    </div>
+<p>You might need to use <code>regedit</code> to change the key <code>
+HKEY_LOCAL_MACHINE\SOFTWARE\Apache&nbsp;Group\Apache\X.Y.Z</code> to the
+correct number if the <code>apache.exe</code> from
+<code>modssl.org/contrib</code> is not the same version as the previously installed
+one. (This seems not to be necessary with recent versions.)</p>
+<p>Start the server, this time from the command prompt (not as a service) in order
+    to see the error messages that prevent Apache from starting. If everything
+    is OK, (optionally) press CTRL+C to stop the server and start it as a service
+    if you prefer.</p>
+<p>
+    If it doesn&#39;t work, Apache should write meaningful messages to the screen
+    and/or into the error.log and SSL.log files in the Apache/logs directory.<br />
+    If something doesn&#39;t work, set all <code>LogLevel</code>s to the maximum
+    and <em>look into the logfiles</em>. They are very helpful.</p>
+<p>DON'T e-mail me or the other contributors without having plain Apache
+installed (Step 1). We will ignore your request; we are not the Free Apache
+Helpdesk and there is enough good documentation on configuring Apache; if that
+is not enough for you, you shouldn't run a secure server anyway. Also, DON'T
+e-mail without having looked into the error.log and SSL.log with
+<code>LogLevel</code> set to Debug.</p>
+<h2><a name="debugging" id="debugging"></a>Debugging connect problems</h2>
+<p>
+	Problems connecting to the server with a browser can have many reasons,
+	many of them on the client (proxy, DNS, general IE dumbness).
+</p>
+<p>
+	So, if you encounter problems connecting with SSL, try another browser
+	and/or look into the settings. If even this doesn't work, you can use
+	OpenSSL to debug the problem.
+</p>
+<pre><code>bb@www$ <b>openssl s_client -connect no-such-machine:443</b>
+gethostbyname failure 	<i># Error resolving this DNS name. Connect with the IP address.</i>
+connect:errno=2
+bb@www$ <b>openssl s_client -connect www1.tud.at:443</b>
+connect: Connection refused
+connect:errno=111
+<i># No SSL server on this port. Double-check the <b>Listen</b> and <b>Port</b> directives.</i>
+bb@www$ <b>openssl s_client -connect </b>apcenter.apcinteractive.net<b>:443</b>
+<i># everything OK. OpenSSL shows the information it obtained from the server.</i>
+CONNECTED(00000003)
+depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
+verify error:num=18:self signed certificate
+verify return:1
+depth=0 /C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
+verify return:1
+---
+Certificate chain
+s:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
+   i:/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
+---
+Server certificate
+---BEGIN CERTIFICATE---
+MIIC0TCCAjoCAQAwDQYJKoZIhvcNAQEEBQAwgbAxCzAJBgNVBAYTAmF0MQ0wCwYDV
+[[...]
+ucXUnk=
+---END CERTIFICATE---
+subject=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
+issuer=/C=at/ST=Wien/L=Wien/O=APC interactive/OU=Lifecycle Management/CN=apcenter.apcinteractive.net/[email protected]
+---
+No client certificate CA names sent
+---
+SSL handshake has read 1281 bytes and written 320 bytes
+---
+New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
+Server public key is 1024 bit
+SSL-Session:
+    Protocol  : TLSv1
+    Cipher    : EDH-RSA-DES-CBC3-SHA
+    Session-ID: 49ACE1CF484A67D2C476B923D52110A6FCA1A7CE53D76DF7F233DEBF2333D4FB
+    Session-ID-ctx:
+    Master-Key: 00E9FA964253752294ECD69C18ADBA527B7170C112E2B3BCB25EA8F4FD847EC46E1FF0194EF8E16985B5E38BF6F12131
+    Key-Arg   : None
+    Start Time: 980696025
+    Timeout   : 300 (sec)
+    Verify return code: 0 (ok)
+---
+<b>[Enter:
+GET / HTTP/1.0
+and press RETURN twice]</b>
+HTTP/1.1 200 OK
+Date: Sun, 28 Jan 2001 15:34:58 GMT
+Server: Apache/1.3.9 (Win32) mod_ssl/2.4.9 OpenSSL/0.9.4
+Cache-Control: no-cache, no-store, must-revalidate, private
+Expires: 0
+Pragma: no-cache
+X-Powered-By: PHP/4.0.4
+Last-Modified: Sun, 28 Jan 2001 15:35:00 GMT
+Connection: close
+Content-Type: text/html
+&lt;!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"&gt;
+&lt;html&gt;
+<i># the server shows its main document</i>
+</code></pre>
+<h2>Common problems</h2>
+<p>Q: I see the following when starting Apache:
+</p><pre>Syntax error on line [[some number] of ...httpd.conf
+Cannot load apache/modules/mod_ssl.so into server
+(126) The module could not be found:
+</pre>
+<br />
+A: Did you copy the openssl DLLs to WINNT/SYSTEM32 (or WINDOWS/SYSTEM on
+Win9x/ME)? <br />
+You can verify this by copying <code>openssl.exe</code> into a directory of its
+own and executing it. If it complains about not being able to find some DLLs,
+then you haven't copied them into the correct directory.
+<br />
+One user told me that he had this problem even when he did everything right. He
+then found the problem: corrupt openssl DLLs. So if you get this error despite
+having done everything correctly, try the openssl DLLs from another version from
+modssl.org/contrib.
+<p></p>
+<p>Q: I see the following when starting Apache:
+</p><pre>Syntax error on line [[some number] of apache/conf/httpd.conf:
+Cannot load apache/modules/apachemodulessl.dll into server:
+(127) The specified procedure could not be found:</pre>
+or:
+<pre>Syntax error on line [[some number] of apache/conf/httpd.conf:
+Invalid command 'SSLMutex', perhaps mis-spelled or defined by a module not
+included in the server configuration</pre>
+<br />
+A: You didn't add the AddModule line (or not where it belongs, it belongs below
+the other AddModule lines).
+<p></p>
+<p>Q: SSL doesn't work in the browser and I see the following in some logfile:
+</p><pre>
+[Fri Nov 16 15:46:30 2001] [[error] OpenSSL: error:1407609C:SSL
+routines:SSL23_GET_CLIENT_HELLO:http request [[Hint: speaking HTTP to
+HTTPS port!?]
+</pre>
+A: How much clearer can an error message get? Your VirtualHost or Listen
+configuration is wrong.
+<p></p>
+<h3>Questions about Java servlets, OpenSSL compilation etc.</h3>
+<p>
+	Don't ask us about installing servlet extensions, recompiling mod_ssl or
+	Apache with EAPI, recompiled versions etc. We have no idea and won't be able
+	help you. We are just users and not programmers.<br />
+	If your needs are so special, you are better off with a
+	<a href="http://www.debian.org/">Debian GNU/Linux</a> or
+	<a href="http://www.openbsd.org/">OpenBSD</a> server. It will save you lots
+	of trouble. Really. </p>
+<h2>Links</h2>
+<p>
+Apache Web Server: <a href="http://www.apache.org">http://www.apache.org</a><br />
+mod_ssl: <a href="http://www.modssl.org">http://www.modssl.org</a><br />
+mod_ssl configuration: <a
+href="http://www.modssl.org/docs/2.4/ssl_reference.html">http://www.modssl.org/docs/2.4/ssl_reference.html</a><br />
+OpenSSL: <a href="http://www.openssl.org">http://www.openssl.org</a><br />
+PHP Hypertext preprocessor: <a href="http://www.php.net">http://www.php.net</a>
+</p>
+<p>Author of this document: <a href="mailto:[email protected]">Bal&aacute;zs
+B&aacute;r&aacute;ny</a> (<a href="http://tud.at">http://tud.at</a>) <br />
+(mail me your questions, but only after having looked into the error logs with
+<code>LogLevel debug</code>. You can mail me in English, German and Hungarian.
+<br />
+If I am constantly ignoring your e-mail, read all the hints in the HOWTO about
+how to e-mail me.)</p>
+<p>
+Contributor: <a href="mailto:[email protected]">Horst
+Br&auml;uner</a> (OpenSSL configuration on NT)<br />
+Contributor: <a href="mailto:[email protected]">Christoph Zich</a>
+(Windows 98)<br />
+Contributor: <a href="mailto:[email protected]">Torsten Stanienda</a>
+(Test with 1.3.12, IfDefine directive)<br />
+Contributor: <a href="mailto:[email protected]">Peter Holm</a> (Listen and Port directives)
+</p>
+<p>Last change: 2002-05-18</p>
+<p>This document can be redistributed under the
+<a href="http://www.gnu.org/copyleft/fdl.html">GNU Free
+Documentation License</a>. &copy; Bal&aacute;zs B&aacute;r&aacute;ny 1999-2002</p>
+<p class="testedBy">
+  These instructions where tested by <a href="mailto:[email protected]">Matt Raible</a>
+  on Windows XP (SP1) and Red Hat Linux 7.3 with Apache 2.0.42.
+</p>
+</div>