-Apache 1.3.11 Released
+Apache 1.3.12 Released
======================
The Apache Software Foundation and The Apache Server Project are
-pleased to announce the release of version 1.3.11 of the Apache HTTP server.
-Apache 1.3.10 was not released due to a last-minute bug found and
-fixed after the source was tagged and tested.
+pleased to announce the release of version 1.3.12 of the Apache HTTP server.
-This new Apache version incorporates numerous significant improvements
-to the server. Apart from portability and security fixes, documentation
-enhancements, performance improvements, and assorted other minor
-features or fixes notable changes are:
+The primary changes in this version of Apache are those related to
+the ``cross site scripting'' security alerts described at
- - Binary and shared builds on several platforms have been
- improved.
+ http://www.cert.org/advisories/CA-2000-02.html
+ - and -
+ http://www.apache.org/info/css-security/index.html
- - The time that a parent waits for its children to die
- after SIGKILL has been sent has been reduced.
-
- - Various suexec improvements.
-
- - More rigorous checking of Host: headers to fix security problems
- with mass name-based virtual hosting.
-
- - Addition of the %q logging format directive (logs "?" and the query
- string part of a query, or the empty string if no query).
-
- - Improvement of the OS390 port.
-
- - Several EBCDIC fixes.
-
- - Better error reporting during the "compiler sanity" check.
-
- - Fixed the `quad integer' (aka `long long') handling in ap_snprintf.c
-
- - mod_rewrite's general substitution function was overhauled.
-
- - Several WIN32 bugs have been fixed, including:
- - CGIs broken if script calls other programs which deliver on stdout
- (Search this file for "DETACHED")
- - 16 bit CGIs should work now
- - Server will not start if passed the -d option with spaces in the
- argument.
+Specifically, charset handling has been improved and reinforced
+(including a new directive: AddDefaultCharset) and server generated
+pages properly escape ``userland'' input.
A complete listing with detailed descriptions is provided in the
src/CHANGES file.
-We consider Apache 1.3.11 to be the best version of Apache available and
+We consider Apache 1.3.12 to be the best version of Apache available and
we strongly recommend that users of older versions, especially of the
1.1.x and 1.2.x family, upgrade as soon as possible. No further releases
will be made in the 1.2.x family.
-Apache 1.3.11 is available for download from
+Apache 1.3.12 is available for download from
http://www.apache.org/dist/
http://www.apache.org/dist/binaries/
-As of Apache 1.3.11 binary distributions contain all standard Apache
+As of Apache 1.3.12 binary distributions contain all standard Apache
modules as shared objects (if supported by the platform) and include
full source code. Installation is easily done by executing the
included install script. See the README.bindist and INSTALL.bindist
Type: MANDATORY
o Package: mod_ssl
- Version: 2.5.x
+ Version: 2.6.x
Description: The Apache Interface to OpenSSL
Reason: The interface module for Apache
Homepage: http://www.modssl.org/
Distribution: ftp://ftp.modssl.org/source/
- Tarball: mod_ssl-2.5.x-1.3.x.tar.gz
+ Tarball: mod_ssl-2.6.x-1.3.x.tar.gz
Location: Zurich, Switzerland, Europe
Author(s): Ralf S. Engelschall <rse@engelschall.com>
Type: MANDATORY
2. Extract the required packages:
$ gzip -d -c apache_1.3.x.tar.gz | tar xvf - ALL
- $ gzip -d -c mod_ssl-2.5.x-1.3.x.tar.gz | tar xvf - ALL
+ $ gzip -d -c mod_ssl-2.6.x-1.3.x.tar.gz | tar xvf - ALL
$ gzip -d -c openssl-0.9.x.tar.gz | tar xvf - ALL
$ gzip -d -c mm-1.0.x.tar.gz | tar xvf - OPTIONAL
$ mkdir rsaref-2.0 US
RSA_BASE variables but get no intermediate chance to add more
third-party Apache modules (e.g. mod_perl, PHP3, etc).
- $ cd mod_ssl-2.5.x-1.3.x ALL
+ $ cd mod_ssl-2.6.x-1.3.x ALL
$ ./configure \ ALL
--with-apache=../apache_1.3.x \ ALL
--with-ssl=../openssl-0.9.x \ ALL
EAPI_MM variables manually and either copy your existing certificate
manually to conf/ssl.crt/server.crt or use `make certificate':
- $ cd mod_ssl-2.5.x-1.3.x ALL
+ $ cd mod_ssl-2.6.x-1.3.x ALL
$ ./configure \ ALL
--with-apache=../apache_1.3.x \ ALL
--with-crt=/path/to/your/server.crt \ OPTIONAL
EAPI_MM variables manually and more important: you have to install the
Apache package manually, too. But feel free to be masochistic ;-)
- $ cd mod_ssl-2.5.x-1.3.x ALL
+ $ cd mod_ssl-2.6.x-1.3.x ALL
$ ./configure \ ALL
--with-apache=../apache_1.3.x \ ALL
--with-crt=/path/to/your/server.crt \ OPTIONAL
o Read the mod_ssl user manual very carefully to
understand the SSL-part of your Apache configuration:
- $ netscape http://www.modssl.org/docs/2.5/ (official)
+ $ netscape http://www.modssl.org/docs/2.6/ (official)
$ netscape http://localhost/manual/mod/mod_ssl/ (local copy)
o Adjust your Apache configuration to your personal requirements.
long as the Extended API (EAPI) didn't change and you've OpenSSL installed
somewhere. For this you can use the following procedure:
- $ cd mod_ssl-2.5.x-1.3.x ALL
+ $ cd mod_ssl-2.6.x-1.3.x ALL
$ ./configure \ ALL
--with-apxs[=/path/to/apache/sbin/apxs] \ ALL
--with-ssl=/path/to/openssl \ ALL
# extract the packages
$ gzip -d -c apache_1.3.x.tar.gz | tar xvf -
- $ gzip -d -c mod_ssl-2.5.x-1.3.x.tar.gz | tar xvf -
+ $ gzip -d -c mod_ssl-2.6.x-1.3.x.tar.gz | tar xvf -
$ gzip -d -c mod_perl-1.xx.tar.gz | tar xvf -
# apply mod_ssl to Apache source tree
- $ cd mod_ssl-2.5.x-1.3.x
+ $ cd mod_ssl-2.6.x-1.3.x
$ ./configure \
--with-apache=../apache_1.3.x
$ cd ..
# cleanup after work
$ rm -rf mod_perl-1.xx
- $ rm -rf mod_ssl-2.5.x-1.3.x
+ $ rm -rf mod_ssl-2.6.x-1.3.x
$ rm -rf apache_1.3.x
o Apache + mod_ssl/OpenSSL + PHP3/MySQL
# extract the packages
$ gzip -d -c apache_1.3.x.tar.gz | tar xvf -
- $ gzip -d -c mod_ssl-2.5.x-1.3.x.tar.gz | tar xvf -
+ $ gzip -d -c mod_ssl-2.6.x-1.3.x.tar.gz | tar xvf -
$ gzip -d -c php-3.0.x.tar.gz | tar xvf -
# apply mod_ssl to Apache source tree
- $ cd /mod_ssl-2.5.x-1.3.x
+ $ cd /mod_ssl-2.6.x-1.3.x
$ ./configure \
--with-apache=../apache_1.3.x
$ cd ..
# cleanup after work
$ rm -rf php-3.0.x
- $ rm -rf mod_ssl-2.5.x-1.3.x
+ $ rm -rf mod_ssl-2.6.x-1.3.x
$ rm -rf apache_1.3.x
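Review bot: In the PHP3/MySQL example the new line `$ cd /mod_ssl-2.6.x-1.3.x` keeps the leading slash from the line it replaces, so it points at the filesystem root. The mod_perl example uses `cd mod_ssl-2.6.x-1.3.x`, and the `--with-apache=../apache_1.3.x` and `cd ..` lines that follow assume a directory relative to where the tarballs were extracted. Drop the slash while the line is being touched anyway.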
# UserDir: The name of the directory which is appended onto a user's home
# directory if a ~user request is received.
#
-UserDir public_html
+<IfModule mod_userdir.c>
+ UserDir public_html
+</IfModule>
#
# Control access to UserDir directories. The following is an example
# DirectoryIndex: Name of the file or files to use as a pre-written HTML
# directory index. Separate multiple entries with spaces.
#
-DirectoryIndex index.html
+<IfModule mod_dir.c>
+ DirectoryIndex index.html
+</IfModule>
#
# AccessFileName: The name of the file to look for in each directory
# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
#
-TypesConfig conf/mime.types
+<IfModule mod_mime.c>
+ TypesConfig conf/mime.types
+</IfModule>
#
# DefaultType is the default MIME type the server will use for a document
# Aliases: Add here as many aliases as you need (with no limit). The format is
# Alias fakename realname
#
-# Note that if you include a trailing / on fakename then the server will
-# require it to be present in the URL. So "/icons" isn't aliased in this
-# example, only "/icons/"..
-#
-Alias /icons/ "@@ServerRoot@@/icons/"
-
-<Directory "@@ServerRoot@@/icons">
- Options Indexes MultiViews
- AllowOverride None
- Order allow,deny
- Allow from all
-</Directory>
-
-#
-# ScriptAlias: This controls which directories contain server scripts.
-# ScriptAliases are essentially the same as Aliases, except that
-# documents in the realname directory are treated as applications and
-# run by the server when requested rather than as documents sent to the client.
-# The same rules about trailing "/" apply to ScriptAlias directives as to
-# Alias.
-#
-ScriptAlias /cgi-bin/ "@@ServerRoot@@/cgi-bin/"
+<IfModule mod_alias.c>
+
+ #
+ # Note that if you include a trailing / on fakename then the server will
+ # require it to be present in the URL. So "/icons" isn't aliased in this
+ # example, only "/icons/"..
+ #
+ Alias /icons/ "@@ServerRoot@@/icons/"
+
+ <Directory "@@ServerRoot@@/icons">
+ Options Indexes MultiViews
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+ </Directory>
+
+ #
+ # ScriptAlias: This controls which directories contain server scripts.
+ # ScriptAliases are essentially the same as Aliases, except that
+ # documents in the realname directory are treated as applications and
+ # run by the server when requested rather than as documents sent to the client.
+ # The same rules about trailing "/" apply to ScriptAlias directives as to
+ # Alias.
+ #
+ ScriptAlias /cgi-bin/ "@@ServerRoot@@/cgi-bin/"
+
+ #
+ # "@@ServerRoot@@/cgi-bin" should be changed to whatever your ScriptAliased
+ # CGI directory exists, if you have that configured.
+ #
+ <Directory "@@ServerRoot@@/cgi-bin">
+ AllowOverride None
+ Options None
+ Order allow,deny
+ Allow from all
+ </Directory>
-#
-# "@@ServerRoot@@/cgi-bin" should be changed to whatever your ScriptAliased
-# CGI directory exists, if you have that configured.
-#
-<Directory "@@ServerRoot@@/cgi-bin">
- AllowOverride None
- Options None
- Order allow,deny
- Allow from all
-</Directory>
+</IfModule>
+# End of aliases.
#
# Redirect allows you to tell clients about documents which used to exist in
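Review bot: The two `<Directory>` sections for `@@ServerRoot@@/icons` and `@@ServerRoot@@/cgi-bin` are now nested inside `<IfModule mod_alias.c>`, although only the `Alias` and `ScriptAlias` lines depend on mod_alias. On a build without that module the `AllowOverride None` and `Options None` settings for the CGI directory are silently skipped along with the aliases. Consider wrapping only the alias directives, or keeping the `<Directory>` sections at top level, so the access settings apply regardless of which modules are compiled in.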
#
# Directives controlling the display of server-generated directory listings.
#
+<IfModule mod_autoindex.c>
+
+ #
+ # FancyIndexing is whether you want fancy directory indexing or standard
+ #
+ IndexOptions FancyIndexing
+
+ #
+ # AddIcon* directives tell the server which icon to show for different
+ # files or filename extensions. These are only displayed for
+ # FancyIndexed directories.
+ #
+ AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
+
+ AddIconByType (TXT,/icons/text.gif) text/*
+ AddIconByType (IMG,/icons/image2.gif) image/*
+ AddIconByType (SND,/icons/sound2.gif) audio/*
+ AddIconByType (VID,/icons/movie.gif) video/*
+
+ AddIcon /icons/binary.gif .bin .exe
+ AddIcon /icons/binhex.gif .hqx
+ AddIcon /icons/tar.gif .tar
+ AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
+ AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
+ AddIcon /icons/a.gif .ps .ai .eps
+ AddIcon /icons/layout.gif .html .shtml .htm .pdf
+ AddIcon /icons/text.gif .txt
+ AddIcon /icons/c.gif .c
+ AddIcon /icons/p.gif .pl .py
+ AddIcon /icons/f.gif .for
+ AddIcon /icons/dvi.gif .dvi
+ AddIcon /icons/uuencoded.gif .uu
+ AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
+ AddIcon /icons/tex.gif .tex
+ AddIcon /icons/bomb.gif core
+
+ AddIcon /icons/back.gif ..
+ AddIcon /icons/hand.right.gif README
+ AddIcon /icons/folder.gif ^^DIRECTORY^^
+ AddIcon /icons/blank.gif ^^BLANKICON^^
+
+ #
+ # DefaultIcon is which icon to show for files which do not have an icon
+ # explicitly set.
+ #
+ DefaultIcon /icons/unknown.gif
+
+ #
+ # AddDescription allows you to place a short description after a file in
+ # server-generated indexes. These are only displayed for FancyIndexed
+ # directories.
+ # Format: AddDescription "description" filename
+ #
+ #AddDescription "GZIP compressed document" .gz
+ #AddDescription "tar archive" .tar
+ #AddDescription "GZIP compressed tar archive" .tgz
+
+ #
+ # ReadmeName is the name of the README file the server will look for by
+ # default, and append to directory listings.
+ #
+ # HeaderName is the name of a file which should be prepended to
+ # directory indexes.
+ #
+ # If MultiViews are amongst the Options in effect, the server will
+ # first look for name.html and include it if found. If name.html
+ # doesn't exist, the server will then look for name.txt and include
+ # it as plaintext if found.
+ #
+ ReadmeName README
+ HeaderName HEADER
+
+ #
+ # IndexIgnore is a set of filenames which directory indexing should ignore
+ # and not include in the listing. Shell-style wildcarding is permitted.
+ #
+ IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
-#
-# FancyIndexing is whether you want fancy directory indexing or standard
-#
-IndexOptions FancyIndexing
-
-#
-# AddIcon* directives tell the server which icon to show for different
-# files or filename extensions. These are only displayed for
-# FancyIndexed directories.
-#
-AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
-
-AddIconByType (TXT,/icons/text.gif) text/*
-AddIconByType (IMG,/icons/image2.gif) image/*
-AddIconByType (SND,/icons/sound2.gif) audio/*
-AddIconByType (VID,/icons/movie.gif) video/*
-
-AddIcon /icons/binary.gif .bin .exe
-AddIcon /icons/binhex.gif .hqx
-AddIcon /icons/tar.gif .tar
-AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
-AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
-AddIcon /icons/a.gif .ps .ai .eps
-AddIcon /icons/layout.gif .html .shtml .htm .pdf
-AddIcon /icons/text.gif .txt
-AddIcon /icons/c.gif .c
-AddIcon /icons/p.gif .pl .py
-AddIcon /icons/f.gif .for
-AddIcon /icons/dvi.gif .dvi
-AddIcon /icons/uuencoded.gif .uu
-AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
-AddIcon /icons/tex.gif .tex
-AddIcon /icons/bomb.gif core
-
-AddIcon /icons/back.gif ..
-AddIcon /icons/hand.right.gif README
-AddIcon /icons/folder.gif ^^DIRECTORY^^
-AddIcon /icons/blank.gif ^^BLANKICON^^
-
-#
-# DefaultIcon is which icon to show for files which do not have an icon
-# explicitly set.
-#
-DefaultIcon /icons/unknown.gif
-
-#
-# AddDescription allows you to place a short description after a file in
-# server-generated indexes. These are only displayed for FancyIndexed
-# directories.
-# Format: AddDescription "description" filename
-#
-#AddDescription "GZIP compressed document" .gz
-#AddDescription "tar archive" .tar
-#AddDescription "GZIP compressed tar archive" .tgz
-
-#
-# ReadmeName is the name of the README file the server will look for by
-# default, and append to directory listings.
-#
-# HeaderName is the name of a file which should be prepended to
-# directory indexes.
-#
-# The server will first look for name.html and include it if found.
-# If name.html doesn't exist, the server will then look for name.txt
-# and include it as plaintext if found.
-#
-ReadmeName README
-HeaderName HEADER
-
-#
-# IndexIgnore is a set of filenames which directory indexing should ignore
-# and not include in the listing. Shell-style wildcarding is permitted.
-#
-IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
-
-#
-# AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress
-# information on the fly. Note: Not all browsers support this.
-# Despite the name similarity, the following Add* directives have nothing
-# to do with the FancyIndexing customization directives above.
-#
-AddEncoding x-compress Z
-AddEncoding x-gzip gz tgz
-
-#
-# AddLanguage allows you to specify the language of a document. You can
-# then use content negotiation to give a browser a file in a language
-# it can understand.
-#
-# Note 1: The suffix does not have to be the same as the language
-# keyword --- those with documents in Polish (whose net-standard
-# language code is pl) may wish to use "AddLanguage pl .po" to
-# avoid the ambiguity with the common suffix for perl scripts.
-#
-# Note 2: The example entries below illustrate that in quite
-# some cases the two character 'Language' abbriviation is not
-# identical to the two character 'Country' code for it's country,
-# E.g. 'Danmark/dk' versus 'Danish/da'.
-#
-# Note 3: In the case of 'ltz' we violate the RFC by using a three char
-# specifier. But there is 'work in progress' to fix this and get
-# the reference data for rfc1766 cleaned up.
-#
-# Danish (da) - Dutch (nl) - English (en) - Estonian (ee)
-# French (fr) - German (de) - Greek-Modern (el)
-# Italian (it) -Portugese (pt) - Luxembourgeois* (ltz)
-# Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cz)
-#
-AddLanguage da .dk
-AddLanguage nl .nl
-AddLanguage en .en
-AddLanguage et .ee
-AddLanguage fr .fr
-AddLanguage de .de
-AddLanguage el .el
-AddLanguage it .it
-AddLanguage pt .pt
-AddLanguage ltz .lu
-AddLanguage ca .ca
-AddLanguage es .es
-AddLanguage sv .se
-AddLanguage cz .cz
-
-# LanguagePriority allows you to give precedence to some languages
-# in case of a tie during content negotiation.
-#
-# Just list the languages in decreasing order of preference. We have
-# more or less alphabetized them here. You probably want to change this.
-#
-LanguagePriority en da nl et fr de el it pt ltz ca es sv
-
-#
-# AddType allows you to tweak mime.types without actually editing it, or to
-# make certain files to be certain types.
-#
-# For example, the PHP 3.x module (not part of the Apache distribution - see
-# http://www.php.net) will typically use:
-#
-#AddType application/x-httpd-php3 .php3
-#AddType application/x-httpd-php3-source .phps
-#
-# And for PHP 4.x, use:
-#
-#AddType application/x-httpd-php .php
-#AddType application/x-httpd-php-source .phps
-
-AddType application/x-tar .tgz
-
-#
-# AddHandler allows you to map certain file extensions to "handlers",
-# actions unrelated to filetype. These can be either built into the server
-# or added with the Action command (see below)
-#
-# If you want to use server side includes, or CGI outside
-# ScriptAliased directories, uncomment the following lines.
-#
-# To use CGI scripts:
-#
-#AddHandler cgi-script .cgi
-
-#
-# To use server-parsed HTML files
-#
-#AddType text/html .shtml
-#AddHandler server-parsed .shtml
-
-#
-# Uncomment the following line to enable Apache's send-asis HTTP file
-# feature
-#
-#AddHandler send-as-is asis
-
-#
-# If you wish to use server-parsed imagemap files, use
-#
-#AddHandler imap-file map
+</IfModule>
+# End of indexing directives.
+
+#
+# Document types.
+#
+<IfModule mod_mime.c>
+
+ #
+ # AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress
+ # information on the fly. Note: Not all browsers support this.
+ # Despite the name similarity, the following Add* directives have nothing
+ # to do with the FancyIndexing customization directives above.
+ #
+ AddEncoding x-compress Z
+ AddEncoding x-gzip gz tgz
+
+ #
+ # AddLanguage allows you to specify the language of a document. You can
+ # then use content negotiation to give a browser a file in a language
+ # it can understand.
+ #
+ # Note 1: The suffix does not have to be the same as the language
+ # keyword --- those with documents in Polish (whose net-standard
+ # language code is pl) may wish to use "AddLanguage pl .po" to
+ # avoid the ambiguity with the common suffix for perl scripts.
+ #
+ # Note 2: The example entries below illustrate that in quite
+ # some cases the two character 'Language' abbriviation is not
+ # identical to the two character 'Country' code for its country,
+ # E.g. 'Danmark/dk' versus 'Danish/da'.
+ #
+ # Note 3: In the case of 'ltz' we violate the RFC by using a three char
+ # specifier. But there is 'work in progress' to fix this and get
+ # the reference data for rfc1766 cleaned up.
+ #
+ # Danish (da) - Dutch (nl) - English (en) - Estonian (ee)
+ # French (fr) - German (de) - Greek-Modern (el)
+ # Italian (it) - Portugese (pt) - Luxembourgeois* (ltz)
+ # Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cz)
+ # Polish (pl) - Brazilian Portuguese (pt-br) - Japanese (ja)
+ #
+ AddLanguage da .dk
+ AddLanguage nl .nl
+ AddLanguage en .en
+ AddLanguage et .ee
+ AddLanguage fr .fr
+ AddLanguage de .de
+ AddLanguage el .el
+ AddLanguage it .it
+ AddLanguage ja .ja
+ AddCharset ISO-2022-JP .jis
+ AddLanguage pl .po
+ AddCharset ISO-8859-2 .iso-pl
+ AddLanguage pt .pt
+ AddLanguage pt-br .pt-br
+ AddLanguage ltz .lu
+ AddLanguage ca .ca
+ AddLanguage es .es
+ AddLanguage sv .se
+ AddLanguage cz .cz
+
+ # LanguagePriority allows you to give precedence to some languages
+ # in case of a tie during content negotiation.
+ #
+ # Just list the languages in decreasing order of preference. We have
+ # more or less alphabetized them here. You probably want to change this.
+ #
+ <IfModule mod_negotiation.c>
+ LanguagePriority en da nl et fr de el it ja pl pt pt-br ltz ca es sv
+ </IfModule>
+
+ #
+ # AddType allows you to tweak mime.types without actually editing it, or to
+ # make certain files to be certain types.
+ #
+ # For example, the PHP 3.x module (not part of the Apache distribution - see
+ # http://www.php.net) will typically use:
+ #
+ #AddType application/x-httpd-php3 .php3
+ #AddType application/x-httpd-php3-source .phps
+ #
+ # And for PHP 4.x, use:
+ #
+ #AddType application/x-httpd-php .php
+ #AddType application/x-httpd-php-source .phps
+
+ AddType application/x-tar .tgz
+
+ #
+ # AddHandler allows you to map certain file extensions to "handlers",
+ # actions unrelated to filetype. These can be either built into the server
+ # or added with the Action command (see below)
+ #
+ # If you want to use server side includes, or CGI outside
+ # ScriptAliased directories, uncomment the following lines.
+ #
+ # To use CGI scripts:
+ #
+ #AddHandler cgi-script .cgi
+
+ #
+ # To use server-parsed HTML files
+ #
+ #AddType text/html .shtml
+ #AddHandler server-parsed .shtml
+
+ #
+ # Uncomment the following line to enable Apache's send-asis HTTP file
+ # feature
+ #
+ #AddHandler send-as-is asis
+
+ #
+ # If you wish to use server-parsed imagemap files, use
+ #
+ #AddHandler imap-file map
+
+ #
+ # To enable type maps, you might want to use
+ #
+ #AddHandler type-map var
-#
-# To enable type maps, you might want to use
-#
-#AddHandler type-map var
+</IfModule>
+# End of document types.
#
# Action lets you define media types that will execute a script whenever
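Review bot: The mod_mime block gains `AddCharset ISO-2022-JP .jis` and `AddCharset ISO-8859-2 .iso-pl`, but none of the configuration lines shown here mention `AddDefaultCharset`, the directive the release announcement in this same patch names as part of the cross site scripting fix. A commented example with a short explanation in the sample configuration would tell administrators that the directive exists and what it is for. As a minor point, the re-indented Note 2 corrects `it's` to `its` but carries `abbriviation` over unchanged.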
# request will *not* be available to such a script.
#
-# The following directives modify normal HTTP response behavior.
-# The first directive disables keepalive for Netscape 2.x and browsers that
-# spoof it. There are known problems with these browser implementations.
-# The second directive is for Microsoft Internet Explorer 4.0b2
-# which has a broken HTTP/1.1 implementation and does not properly
-# support keepalive when it is used on 301 or 302 (redirect) responses.
+# Customize behaviour based on the browser
#
-BrowserMatch "Mozilla/2" nokeepalive
-BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
+<IfModule mod_setenvif.c>
-#
-# The following directive disables HTTP/1.1 responses to browsers which
-# are in violation of the HTTP/1.0 spec by not being able to grok a
-# basic 1.1 response.
-#
-BrowserMatch "RealPlayer 4\.0" force-response-1.0
-BrowserMatch "Java/1\.0" force-response-1.0
-BrowserMatch "JDK/1\.0" force-response-1.0
+ #
+ # The following directives modify normal HTTP response behavior.
+ # The first directive disables keepalive for Netscape 2.x and browsers that
+ # spoof it. There are known problems with these browser implementations.
+ # The second directive is for Microsoft Internet Explorer 4.0b2
+ # which has a broken HTTP/1.1 implementation and does not properly
+ # support keepalive when it is used on 301 or 302 (redirect) responses.
+ #
+ BrowserMatch "Mozilla/2" nokeepalive
+ BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
+
+ #
+ # The following directive disables HTTP/1.1 responses to browsers which
+ # are in violation of the HTTP/1.0 spec by not being able to grok a
+ # basic 1.1 response.
+ #
+ BrowserMatch "RealPlayer 4\.0" force-response-1.0
+ BrowserMatch "Java/1\.0" force-response-1.0
+ BrowserMatch "JDK/1\.0" force-response-1.0
+
+</IfModule>
#
# Allow server status reports, with the URL of http://servername/server-status
# enable the proxy server:
#
#<IfModule mod_proxy.c>
-#ProxyRequests On
-#
-#<Directory proxy:*>
-# Order deny,allow
-# Deny from all
-# Allow from .your_domain.com
-#</Directory>
-
-#
-# Enable/disable the handling of HTTP/1.1 "Via:" headers.
-# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
-# Set to one of: Off | On | Full | Block
-#
-#ProxyVia On
-
-#
-# To enable the cache as well, edit and uncomment the following lines:
-# (no cacheing without CacheRoot)
-#
-#CacheRoot "@@ServerRoot@@/proxy"
-#CacheSize 5
-#CacheGcInterval 4
-#CacheMaxExpire 24
-#CacheLastModifiedFactor 0.1
-#CacheDefaultExpire 1
-#NoCache a_domain.com another_domain.edu joes.garage_sale.com
+ #ProxyRequests On
+ #
+ #<Directory proxy:*>
+ # Order deny,allow
+ # Deny from all
+ # Allow from .your_domain.com
+ #</Directory>
+
+ #
+ # Enable/disable the handling of HTTP/1.1 "Via:" headers.
+ # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
+ # Set to one of: Off | On | Full | Block
+ #
+ #ProxyVia On
+
+ #
+ # To enable the cache as well, edit and uncomment the following lines:
+ # (no cacheing without CacheRoot)
+ #
+ #CacheRoot "@@ServerRoot@@/proxy"
+ #CacheSize 5
+ #CacheGcInterval 4
+ #CacheMaxExpire 24
+ #CacheLastModifiedFactor 0.1
+ #CacheDefaultExpire 1
+ #NoCache a_domain.com another_domain.edu joes.garage_sale.com
#</IfModule>
# End of proxy directives.
n=0; \
while [ 1 ]; do \
hash="`$$ssl_program crl -noout -hash <$$file`"; \
- if [ -r "$$hash.$$n" ]; then \
+ if [ -r "$$hash.r$$n" ]; then \
n=`expr $$n + 1`; \
else \
echo dummy |\
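Review bot: Only the existence test changes to `$$hash.r$$n`; the command in the `else` branch that creates the link is cut off after `echo dummy |\` and is not part of the visible change. If it still writes `$$hash.$$n`, the test and the link name disagree, the counter `n` never advances, and two CRLs with the same hash end up on the same name. Confirm that the created link uses the same `.r` suffix, and document that links made under the old name are no longer recognised by this rule.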
##
## ca-bundle.crt -- Bundle of CA Root Certificates
-## Last Modified: Fri Oct 22 17:15:27 CEST 1999
+## Last Modified: Thu Mar 2 09:32:46 CET 2000
##
## This is a bundle of X.509 certificates of public
## Certificate Authorities (CA). These were automatically
-## extracted from Netscape Communicator's certificate database
+## extracted from Netscape Communicator 4.72's certificate database
## (the file `cert7.db'). It contains the certificates in both
## plain text and PEM format and therefore can be directly used
## with an Apache+mod_ssl webserver for SSL client authentication.
ABAecom (sub., Am. Bankers Assn.) Root CA
=========================================
-MD5 Fingerprint: BA:D9:60:04:63:E6:92:07:3C:C5:38:93:66:38:24:FE
+MD5 Fingerprint: 82:12:F7:89:E1:0B:91:60:A4:B6:22:9F:94:68:11:92
PEM Data:
-----BEGIN CERTIFICATE-----
-MIIDkjCCAnqgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBgzELMAkGA1UEBhMCVVMx
-CzAJBgNVBAgTAkRDMRMwEQYDVQQHEwpXYXNoaW5ndG9uMRcwFQYDVQQKEw5BQkEu
-RUNPTSwgSW5jLjEZMBcGA1UEAxMQQUJBLkVDT00gUm9vdCBDQTEeMBwGCSqGSIb3
-DQEJARYPa2RhZ3Vpb0BhYmEuY29tMB4XDTk4MDcyOTE2NTk1MloXDTA1MDcyNzE2
-NTk1MlowgYMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJEQzETMBEGA1UEBxMKV2Fz
-aGluZ3RvbjEXMBUGA1UEChMOQUJBLkVDT00sIEluYy4xGTAXBgNVBAMTEEFCQS5F
-Q09NIFJvb3QgQ0ExHjAcBgkqhkiG9w0BCQEWD2tkYWd1aW9AYWJhLmNvbTCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMae3L3cDgkaUcaSm5lrjGmJvhvF
-ohFOhGYNmfH/H5mhM9a0kouli57Wp5DEybSBGp6HUP9zVqdtEFsIE6asCKkaIHIa
-DzN0sVixVm81Nj0zXpPjmgK1obfxbzEFNQ3XoA/OMmexPUj2SYuisf5GgC4/7EQN
-FKfeuhDXvAn/VZZRF05luCegEpEA9bc7Ur2oNT4T0xhRvRb3fRIBiTc768GiYEK+
-QBzTd2hv+LQHfma542pUDaboHGDi7+6drWPsk2udrWMOno8jlhcF/Oh11hQ16i2D
-mvZVjpNNsYziQWJk0P1G0/kVeo5G1EjbNge1b3JlD3BHdBW87oNQzk72r90CAwEA
-AaMPMA0wCwYDVR0PBAQDAgLUMA0GCSqGSIb3DQEBBQUAA4IBAQBobiY2tbG5cy5Y
-88T6IXNua5n4739dw7v3GyaeotvxbzI/5NjejwuXiE6bNp3RhWABmMdovkPBBoBn
-JuMZwXZG3VfOxPa54d2cxyoEYZUpuXa/f93fs5fPmMsz5AXUyi3Z4xIpXhjoPwXM
-aN5mX6LB15EExfCQSEFgW6hC85lUL6s3FVwTyTasHxaTWV1vXjkToFrSvTAPeGg8
-ptYvOS8ME51zN+daqhu3HsGRKb+Z8lqYclOV9IAyznxRb7XNSpnc44MbwcGdchyU
-vjtfIwfoAWmL22SjjLIFKQFSfX5zrRHnLDVqCyMKGnnfcqLRR5/I61zt/szuAQkw
-sV/IDA62
+MIID+DCCAuCgAwIBAgIRANAeQJAAACdLAAAAAQAAAAQwDQYJKoZIhvcNAQEFBQAw
+gYwxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIEwRVdGFoMRcwFQYDVQQHEw5TYWx0IExh
+a2UgQ2l0eTEYMBYGA1UEChMPWGNlcnQgRVogYnkgRFNUMRgwFgYDVQQDEw9YY2Vy
+dCBFWiBieSBEU1QxITAfBgkqhkiG9w0BCQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTAe
+Fw05OTA3MTQxNjE0MThaFw0wOTA3MTExNjE0MThaMIGMMQswCQYDVQQGEwJVUzEN
+MAsGA1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENpdHkxGDAWBgNVBAoT
+D1hjZXJ0IEVaIGJ5IERTVDEYMBYGA1UEAxMPWGNlcnQgRVogYnkgRFNUMSEwHwYJ
+KoZIhvcNAQkBFhJjYUBkaWdzaWd0cnVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQCtVBjetL/3reh0qu2LfI/C1HUa1YS5tmL8ie/kl2GS+x24
+4VpHNJ6eBiL70+o4y7iLB/caoBd3B1owHNQpOCDXJ0DYUJNDv9IYoil2BXKqa7Zp
+mKt5Hhxl9WqL/MUWqqJy2mDtTm4ZJXoKHTDjUJtCPETrobAgHtsCfv49H7/QAIrb
+QHamGKUVp1e2UsIBF5h3j4qBxhq0airmr6nWAKzP2BVJfNsbof6B+of505DBAsD5
+0ELpkWglX8a/hznplQBgKL+DLMDnXrbXNhbnYId26OcnsiUNi3rlqh3lWc3OCw5v
+xsic4xDZhTnTt5v6xrp8dNJddVardKSiUb9SfO5xAgMBAAGjUzBRMA8GA1UdEwEB
+/wQFMAMBAf8wHwYDVR0jBBgwFoAUCCBsZuuBCmxc1bWmPEHdHJaRJ3cwHQYDVR0O
+BBYEFAggbGbrgQpsXNW1pjxB3RyWkSd3MA0GCSqGSIb3DQEBBQUAA4IBAQBah1iP
+Lat2IWtUDNnxQfZOzSue4x+boy1/2St9WMhnpCn16ezVvZY/o3P4xFs2fNBjLDQ5
+m0i4PW/2FMWeY+anNG7T6DOzxzwYbiOuQ5KZP5jFaTDxNjutuTCC1rZZFpYCCykS
+YbQRifcML5SQhZgonFNsfmPdc/QZ/0qB0bJSI/08SjTOWhvgUIrtT4GV2GDn5MQN
+u1g+WPdOaG8+Z8nLepcWJ+xCYRR2uwDF6wg9FX9LtiJdhzuQ9PPA/jez6dliDMDD
+Wa9gvR8N26E0HzDEPYutsB0Ek+1f1eS/IDAE9EjpMwHRLpAnUrOb3jocq6mXf5vr
+wo3CbezcE9NGxXl8
-----END CERTIFICATE-----
Certificate Ingredients:
Data:
Version: 3 (0x2)
- Serial Number: 0 (0x0)
+ Serial Number:
+ d0:1e:40:90:00:00:27:4b:00:00:00:01:00:00:00:04
Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=US, ST=DC, L=Washington, O=ABA.ECOM, Inc., CN=ABA.ECOM Root CA/Email=kdaguio@aba.com
+ Issuer: C=US, ST=Utah, L=Salt Lake City, O=Xcert EZ by DST, CN=Xcert EZ by DST/Email=ca@digsigtrust.com
Validity
- Not Before: Jul 29 16:59:52 1998 GMT
- Not After : Jul 27 16:59:52 2005 GMT
- Subject: C=US, ST=DC, L=Washington, O=ABA.ECOM, Inc., CN=ABA.ECOM Root CA/Email=kdaguio@aba.com
+ Not Before: Jul 14 16:14:18 1999 GMT
+ Not After : Jul 11 16:14:18 2009 GMT
+ Subject: C=US, ST=Utah, L=Salt Lake City, O=Xcert EZ by DST, CN=Xcert EZ by DST/Email=ca@digsigtrust.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
- 00:c6:9e:dc:bd:dc:0e:09:1a:51:c6:92:9b:99:6b:
- 8c:69:89:be:1b:c5:a2:11:4e:84:66:0d:99:f1:ff:
- 1f:99:a1:33:d6:b4:92:8b:a5:8b:9e:d6:a7:90:c4:
- c9:b4:81:1a:9e:87:50:ff:73:56:a7:6d:10:5b:08:
- 13:a6:ac:08:a9:1a:20:72:1a:0f:33:74:b1:58:b1:
- 56:6f:35:36:3d:33:5e:93:e3:9a:02:b5:a1:b7:f1:
- 6f:31:05:35:0d:d7:a0:0f:ce:32:67:b1:3d:48:f6:
- 49:8b:a2:b1:fe:46:80:2e:3f:ec:44:0d:14:a7:de:
- ba:10:d7:bc:09:ff:55:96:51:17:4e:65:b8:27:a0:
- 12:91:00:f5:b7:3b:52:bd:a8:35:3e:13:d3:18:51:
- bd:16:f7:7d:12:01:89:37:3b:eb:c1:a2:60:42:be:
- 40:1c:d3:77:68:6f:f8:b4:07:7e:66:b9:e3:6a:54:
- 0d:a6:e8:1c:60:e2:ef:ee:9d:ad:63:ec:93:6b:9d:
- ad:63:0e:9e:8f:23:96:17:05:fc:e8:75:d6:14:35:
- ea:2d:83:9a:f6:55:8e:93:4d:b1:8c:e2:41:62:64:
- d0:fd:46:d3:f9:15:7a:8e:46:d4:48:db:36:07:b5:
- 6f:72:65:0f:70:47:74:15:bc:ee:83:50:ce:4e:f6:
- af:dd
+ 00:ad:54:18:de:b4:bf:f7:ad:e8:74:aa:ed:8b:7c:
+ 8f:c2:d4:75:1a:d5:84:b9:b6:62:fc:89:ef:e4:97:
+ 61:92:fb:1d:b8:e1:5a:47:34:9e:9e:06:22:fb:d3:
+ ea:38:cb:b8:8b:07:f7:1a:a0:17:77:07:5a:30:1c:
+ d4:29:38:20:d7:27:40:d8:50:93:43:bf:d2:18:a2:
+ 29:76:05:72:aa:6b:b6:69:98:ab:79:1e:1c:65:f5:
+ 6a:8b:fc:c5:16:aa:a2:72:da:60:ed:4e:6e:19:25:
+ 7a:0a:1d:30:e3:50:9b:42:3c:44:eb:a1:b0:20:1e:
+ db:02:7e:fe:3d:1f:bf:d0:00:8a:db:40:76:a6:18:
+ a5:15:a7:57:b6:52:c2:01:17:98:77:8f:8a:81:c6:
+ 1a:b4:6a:2a:e6:af:a9:d6:00:ac:cf:d8:15:49:7c:
+ db:1b:a1:fe:81:fa:87:f9:d3:90:c1:02:c0:f9:d0:
+ 42:e9:91:68:25:5f:c6:bf:87:39:e9:95:00:60:28:
+ bf:83:2c:c0:e7:5e:b6:d7:36:16:e7:60:87:76:e8:
+ e7:27:b2:25:0d:8b:7a:e5:aa:1d:e5:59:cd:ce:0b:
+ 0e:6f:c6:c8:9c:e3:10:d9:85:39:d3:b7:9b:fa:c6:
+ ba:7c:74:d2:5d:75:56:ab:74:a4:a2:51:bf:52:7c:
+ ee:71
Exponent: 65537 (0x10001)
X509v3 extensions:
- X509v3 Key Usage:
- ....
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Authority Key Identifier:
+ keyid:08:20:6C:66:EB:81:0A:6C:5C:D5:B5:A6:3C:41:DD:1C:96:91:27:77
+
+ X509v3 Subject Key Identifier:
+ 08:20:6C:66:EB:81:0A:6C:5C:D5:B5:A6:3C:41:DD:1C:96:91:27:77
Signature Algorithm: sha1WithRSAEncryption
- 68:6e:26:36:b5:b1:b9:73:2e:58:f3:c4:fa:21:73:6e:6b:99:
- f8:ef:7f:5d:c3:bb:f7:1b:26:9e:a2:db:f1:6f:32:3f:e4:d8:
- de:8f:0b:97:88:4e:9b:36:9d:d1:85:60:01:98:c7:68:be:43:
- c1:06:80:67:26:e3:19:c1:76:46:dd:57:ce:c4:f6:b9:e1:dd:
- 9c:c7:2a:04:61:95:29:b9:76:bf:7f:dd:df:b3:97:cf:98:cb:
- 33:e4:05:d4:ca:2d:d9:e3:12:29:5e:18:e8:3f:05:cc:68:de:
- 66:5f:a2:c1:d7:91:04:c5:f0:90:48:41:60:5b:a8:42:f3:99:
- 54:2f:ab:37:15:5c:13:c9:36:ac:1f:16:93:59:5d:6f:5e:39:
- 13:a0:5a:d2:bd:30:0f:78:68:3c:a6:d6:2f:39:2f:0c:13:9d:
- 73:37:e7:5a:aa:1b:b7:1e:c1:91:29:bf:99:f2:5a:98:72:53:
- 95:f4:80:32:ce:7c:51:6f:b5:cd:4a:99:dc:e3:83:1b:c1:c1:
- 9d:72:1c:94:be:3b:5f:23:07:e8:01:69:8b:db:64:a3:8c:b2:
- 05:29:01:52:7d:7e:73:ad:11:e7:2c:35:6a:0b:23:0a:1a:79:
- df:72:a2:d1:47:9f:c8:eb:5c:ed:fe:cc:ee:01:09:30:b1:5f:
- c8:0c:0e:b6
+ 5a:87:58:8f:2d:ab:76:21:6b:54:0c:d9:f1:41:f6:4e:cd:2b:
+ 9e:e3:1f:9b:a3:2d:7f:d9:2b:7d:58:c8:67:a4:29:f5:e9:ec:
+ d5:bd:96:3f:a3:73:f8:c4:5b:36:7c:d0:63:2c:34:39:9b:48:
+ b8:3d:6f:f6:14:c5:9e:63:e6:a7:34:6e:d3:e8:33:b3:c7:3c:
+ 18:6e:23:ae:43:92:99:3f:98:c5:69:30:f1:36:3b:ad:b9:30:
+ 82:d6:b6:59:16:96:02:0b:29:12:61:b4:11:89:f7:0c:2f:94:
+ 90:85:98:28:9c:53:6c:7e:63:dd:73:f4:19:ff:4a:81:d1:b2:
+ 52:23:fd:3c:4a:34:ce:5a:1b:e0:50:8a:ed:4f:81:95:d8:60:
+ e7:e4:c4:0d:bb:58:3e:58:f7:4e:68:6f:3e:67:c9:cb:7a:97:
+ 16:27:ec:42:61:14:76:bb:00:c5:eb:08:3d:15:7f:4b:b6:22:
+ 5d:87:3b:90:f4:f3:c0:fe:37:b3:e9:d9:62:0c:c0:c3:59:af:
+ 60:bd:1f:0d:db:a1:34:1f:30:c4:3d:8b:ad:b0:1d:04:93:ed:
+ 5f:d5:e4:bf:20:30:04:f4:48:e9:33:01:d1:2e:90:27:52:b3:
+ 9b:de:3a:1c:ab:a9:97:7f:9b:eb:c2:8d:c2:6d:ec:dc:13:d3:
+ 46:c5:79:7c
ANX Network CA by DST
=====================
Exponent: 3 (0x3)
X509v3 extensions:
Netscape Cert Type:
- ....
+ SSL CA, S/MIME CA, Object Signing CA
X509v3 CRL Distribution Points:
- 0k0i.g.e.c0a1.0...U....US1$0"..U.
-..Digital Signature Trust Co.1.0...U....DST (ANX Network) CA1\r0...U....CRL1
+ DirName:/C=US/O=Digital Signature Trust Co./OU=DST (ANX Network) CA/CN=CRL1
+
X509v3 Private Key Usage Period:
- 0"..19981209154648Z..20181209154648Z
+ Not Before: Dec 9 15:46:48 1998 GMT, Not After: Dec 9 15:46:48 2018 GMT
X509v3 Key Usage:
- ....
+ Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
- 0.....Up..
-Sd.....d.C?.6
+ keyid:8C:16:55:70:CC:16:0A:53:64:C2:A5:84:AA:B3:64:17:43:3F:82:36
+
X509v3 Subject Key Identifier:
- ....Up..
-Sd.....d.C?.6
+ 8C:16:55:70:CC:16:0A:53:64:C2:A5:84:AA:B3:64:17:43:3F:82:36
X509v3 Basic Constraints:
- 0....
+ CA:TRUE
1.2.840.113533.7.65.0:
0
..V4.0....
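Review bot: the extension 1.2.840.113533.7.65.0 in the unchanged lines at the end of this hunk is still dumped as raw bytes, while every other extension in the hunk now gets a decoded value. The raw value contains a line break, so "0" and "..V4.0...." land on separate lines and the second one loses its indentation; in the added entries further down it shows up as a "+..V4.0...." line at column 0. Since this text is regenerated anyway, have the generator escape non-printable bytes so the value stays on one indented line. Otherwise anything that parses the listing by indentation will misread that line as the start of a new record.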
ef:26:94:5f:ad:31:0c:fe:29:1e:17:01:84:37:5b:e8:12:32:
a3:5d
-Access America by DST
-=====================
-MD5 Fingerprint: CD:3B:3D:62:5B:09:B8:09:36:87:9E:12:2F:71:64:BA
-PEM Data:
------BEGIN CERTIFICATE-----
-MIID2DCCAsACEQDQHkCLAAB3bQAAAAEAAAAEMA0GCSqGSIb3DQEBBQUAMIGpMQsw
-CQYDVQQGEwJ1czENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENp
-dHkxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UE
-CxMIRFNUQ0EgWDIxFjAUBgNVBAMTDURTVCBSb290Q0EgWDIxITAfBgkqhkiG9w0B
-CQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTAeFw05ODExMzAyMjQ2MTZaFw0wODExMjcy
-MjQ2MTZaMIGpMQswCQYDVQQGEwJ1czENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMO
-U2FsdCBMYWtlIENpdHkxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0
-IENvLjERMA8GA1UECxMIRFNUQ0EgWDIxFjAUBgNVBAMTDURTVCBSb290Q0EgWDIx
-ITAfBgkqhkiG9w0BCQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBANx18IzAdZaawGIfJvfE4Zrq4FZzW5nNAUSoCLbV
-p9oaBBg5kkp4o4HC9Xd6ULRw/5qrxsfKboNPQpj7Jgva3G3WqZlVUmfpKAOS3OWw
-BZoPFflrWXJW8vo5/Kpo7g8fEIMv/J36F5bdguPmRX3AS4BEH+0s4IT9kVySVGkl
-5WJp3OXuAFK9MwutdQKFp2RQLcUZGTDAJtvJ0/0uma1ZtQtN1EGuhUhDWdy3qOKi
-3sOP17ihYqZoUFLkzzGnlIXan0YyF1bl8utmPRL/Q9uY73fPy4GNNLHGUEom0eQ+
-QVCvbK4iNC7Va26Dunm4dmVI2gkpZGMiuftHdoWMhkTLCdsCAwEAATANBgkqhkiG
-9w0BAQUFAAOCAQEAtTYOXeFhKFoRZcA/gwN5Tb4opgsHAlKFzfiR0BBstWogWxyQ
-2TA8xkieil5k+aFxd+8EJx8H6+Qm93N0yUQYGmbT4EOvkTvRyyzYdFQ6HE3K1GjN
-I3wdEJ5F6fYAbqbNGf9PLCmPV03Ed5K+4EwJ+11EhmYhqLkyolbV6YyDfFk/xPEL
-553snr2cGA4+wjl5KLcDDQjLxufZATdQEOzMYRZA1K8xdHv8PzGn0EdzMzkbzE5q
-10mDEQb+64JYMzJM8FasHpwvVpp7wUocpf1VNs78lk30sPDst2yC7S8xmUJMqbIN
-uBVd8d+6ybVK1GSYsyapMMj9puyrliGtf8J4tg==
------END CERTIFICATE-----
-Certificate Ingredients:
- Data:
- Version: 1 (0x0)
- Serial Number:
- d0:1e:40:8b:00:00:77:6d:00:00:00:01:00:00:00:04
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=DSTCA X2, CN=DST RootCA X2/Email=ca@digsigtrust.com
- Validity
- Not Before: Nov 30 22:46:16 1998 GMT
- Not After : Nov 27 22:46:16 2008 GMT
- Subject: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=DSTCA X2, CN=DST RootCA X2/Email=ca@digsigtrust.com
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- 00:dc:75:f0:8c:c0:75:96:9a:c0:62:1f:26:f7:c4:
- e1:9a:ea:e0:56:73:5b:99:cd:01:44:a8:08:b6:d5:
- a7:da:1a:04:18:39:92:4a:78:a3:81:c2:f5:77:7a:
- 50:b4:70:ff:9a:ab:c6:c7:ca:6e:83:4f:42:98:fb:
- 26:0b:da:dc:6d:d6:a9:99:55:52:67:e9:28:03:92:
- dc:e5:b0:05:9a:0f:15:f9:6b:59:72:56:f2:fa:39:
- fc:aa:68:ee:0f:1f:10:83:2f:fc:9d:fa:17:96:dd:
- 82:e3:e6:45:7d:c0:4b:80:44:1f:ed:2c:e0:84:fd:
- 91:5c:92:54:69:25:e5:62:69:dc:e5:ee:00:52:bd:
- 33:0b:ad:75:02:85:a7:64:50:2d:c5:19:19:30:c0:
- 26:db:c9:d3:fd:2e:99:ad:59:b5:0b:4d:d4:41:ae:
- 85:48:43:59:dc:b7:a8:e2:a2:de:c3:8f:d7:b8:a1:
- 62:a6:68:50:52:e4:cf:31:a7:94:85:da:9f:46:32:
- 17:56:e5:f2:eb:66:3d:12:ff:43:db:98:ef:77:cf:
- cb:81:8d:34:b1:c6:50:4a:26:d1:e4:3e:41:50:af:
- 6c:ae:22:34:2e:d5:6b:6e:83:ba:79:b8:76:65:48:
- da:09:29:64:63:22:b9:fb:47:76:85:8c:86:44:cb:
- 09:db
- Exponent: 65537 (0x10001)
- Signature Algorithm: sha1WithRSAEncryption
- b5:36:0e:5d:e1:61:28:5a:11:65:c0:3f:83:03:79:4d:be:28:
- a6:0b:07:02:52:85:cd:f8:91:d0:10:6c:b5:6a:20:5b:1c:90:
- d9:30:3c:c6:48:9e:8a:5e:64:f9:a1:71:77:ef:04:27:1f:07:
- eb:e4:26:f7:73:74:c9:44:18:1a:66:d3:e0:43:af:91:3b:d1:
- cb:2c:d8:74:54:3a:1c:4d:ca:d4:68:cd:23:7c:1d:10:9e:45:
- e9:f6:00:6e:a6:cd:19:ff:4f:2c:29:8f:57:4d:c4:77:92:be:
- e0:4c:09:fb:5d:44:86:66:21:a8:b9:32:a2:56:d5:e9:8c:83:
- 7c:59:3f:c4:f1:0b:e7:9d:ec:9e:bd:9c:18:0e:3e:c2:39:79:
- 28:b7:03:0d:08:cb:c6:e7:d9:01:37:50:10:ec:cc:61:16:40:
- d4:af:31:74:7b:fc:3f:31:a7:d0:47:73:33:39:1b:cc:4e:6a:
- d7:49:83:11:06:fe:eb:82:58:33:32:4c:f0:56:ac:1e:9c:2f:
- 56:9a:7b:c1:4a:1c:a5:fd:55:36:ce:fc:96:4d:f4:b0:f0:ec:
- b7:6c:82:ed:2f:31:99:42:4c:a9:b2:0d:b8:15:5d:f1:df:ba:
- c9:b5:4a:d4:64:98:b3:26:a9:30:c8:fd:a6:ec:ab:96:21:ad:
- 7f:c2:78:b6
-
American Express CA
===================
MD5 Fingerprint: 1C:D5:8E:82:BE:70:55:8E:39:61:DF:AD:51:DB:6B:A0
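Review bot: the entry removed here, "Access America by DST", has MD5 fingerprint CD:3B:3D:62:5B:09:B8:09:36:87:9E:12:2F:71:64:BA, the same fingerprint as "Digital Signature Trust Co. Global CA 4" added further down, so this is a relabel and re-sort of one certificate, not a root dropped from the trust list. Please state that in the change description. The same holds for "Novell E-Commerce Community by DST" and "Digital Signature Trust Co. Global CA 3", which share 93:C2:8E:11:7B:D4:F3:03:19:BD:28:75:13:4A:45:4A. Without that note, anyone auditing the bundle by label reads the diff as two roots removed and two new ones trusted.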
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
- 0.......
+ CA:TRUE, pathlen:5
X509v3 Key Usage: critical
- ....
+ Certificate Sign, CRL Sign
X509v3 Certificate Policies:
- 0.0..
-*.H...
-...
+ Policy: 1.2.840.113807.10.1.5.1
+
X509v3 Subject Key Identifier:
- ..WG5{6'..../F%.$i
+ 57:47:35:7B:36:27:11:A8:08:FC:2F:46:25:EB:24:69
Signature Algorithm: sha1WithRSAEncryption
c7:61:45:a8:8a:71:b9:be:34:e9:21:7b:21:cd:56:13:98:d5:
30:63:e9:18:aa:4b:92:15:bf:0b:1d:bb:ec:92:69:c5:2e:c3:
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Cert Type:
- ....
+ SSL CA, S/MIME CA, Object Signing CA
Signature Algorithm: md5WithRSAEncryption
63:76:17:7c:96:f0:53:a5:5d:01:1c:53:ce:29:c2:7e:75:ac:
4c:0d:a2:08:73:b4:6a:31:fd:02:06:14:99:dc:54:04:a4:bf:
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Cert Type:
- ....
+ SSL Client, S/MIME
Signature Algorithm: md5WithRSAEncryption
6c:3d:99:c3:05:e2:1d:ca:e5:2d:aa:68:85:8b:40:31:20:66:
13:68:e6:58:3a:89:d0:8d:75:b2:c5:62:d8:7d:82:8f:f7:d9:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
- 0.......
+ CA:TRUE, pathlen:5
X509v3 Key Usage: critical
- ....
+ Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
- ..,.Y........>.~X.
+ 2C:87:59:1F:8B:13:80:B2:F9:86:9D:3E:12:7E:58:96
Signature Algorithm: md5WithRSAEncryption
0f:fe:73:b5:07:88:6f:a0:0b:89:ea:ca:50:1f:94:de:94:2b:
0b:27:5e:4f:f5:1c:95:26:da:8c:96:54:ad:19:91:37:43:5d:
Exponent: 3 (0x3)
X509v3 extensions:
Netscape Cert Type:
- ....
+ SSL CA, S/MIME CA, Object Signing CA
X509v3 CRL Distribution Points:
- 0_0].[.Y.W0U1.0...U....US1$0"..U.
-..Digital Signature Trust Co.1.0...U....DSTCA E11\r0...U....CRL1
+ DirName:/C=US/O=Digital Signature Trust Co./OU=DSTCA E1/CN=CRL1
+
X509v3 Private Key Usage Period:
- 0"..19981210181023Z..20181210181023Z
+ Not Before: Dec 10 18:10:23 1998 GMT, Not After: Dec 10 18:10:23 2018 GMT
X509v3 Key Usage:
- ....
+ Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
- 0...jy~.iF..
-.w.Y[`.%...
+ keyid:6A:79:7E:91:69:46:18:13:0A:02:77:A5:59:5B:60:98:25:0E:A2:F8
+
X509v3 Subject Key Identifier:
- ..jy~.iF..
-.w.Y[`.%...
+ 6A:79:7E:91:69:46:18:13:0A:02:77:A5:59:5B:60:98:25:0E:A2:F8
X509v3 Basic Constraints:
- 0....
+ CA:TRUE
1.2.840.113533.7.65.0:
0
..V4.0....
4f:d2:08:da:93:dc:f0:92:11:7a:d0:dc:72:93:0c:73:93:62:
85:68:d0:f4
-Entrust Worldwide by DST
-========================
-MD5 Fingerprint: B4:65:22:0A:7C:AD:DF:41:B7:D5:44:D5:AD:FA:9A:75
+Digital Signature Trust Co. Global CA 3
+=======================================
+MD5 Fingerprint: 93:C2:8E:11:7B:D4:F3:03:19:BD:28:75:13:4A:45:4A
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIIDKTCCApKgAwIBAgIENm7TzjANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJV
+UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMREwDwYDVQQL
+EwhEU1RDQSBFMjAeFw05ODEyMDkxOTE3MjZaFw0xODEyMDkxOTQ3MjZaMEYxCzAJ
+BgNVBAYTAlVTMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4x
+ETAPBgNVBAsTCERTVENBIEUyMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQC/
+k48Xku8zExjrEH9OFr//Bo8qhbxe+SSmJIi2A7fBw18DW9Fvrn5C6mYjuGODVvso
+LeE4i7TuqAHhzhy2iCoiRoX7n6dwqUcUP87eZfCocfdPJmyMvMa1795JJ/9IKn3o
+TQPMx7JSxhcxEzu1TdvIxPbDDyQq2gyd55FbgM2UnQIBA6OCASQwggEgMBEGCWCG
+SAGG+EIBAQQEAwIABzBoBgNVHR8EYTBfMF2gW6BZpFcwVTELMAkGA1UEBhMCVVMx
+JDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UECxMI
+RFNUQ0EgRTIxDTALBgNVBAMTBENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMDkxOTE3
+MjZagQ8yMDE4MTIwOTE5MTcyNlowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFB6C
+TShlgDzJQW6sNS5ay97u+DlbMB0GA1UdDgQWBBQegk0oZYA8yUFurDUuWsve7vg5
+WzAMBgNVHRMEBTADAQH/MBkGCSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqG
+SIb3DQEBBQUAA4GBAEeNg61i8tuwnkUiBbmi1gMOOHLnnvx75pO2mqWilMg0HZHR
+xdf0CiUPPXiBng+xZ8SQTGPdXqfiup/1902lMXucKS1M/mQ+7LZT/uqb7YLbdHVL
+B3luHtgZg3Pe9T7Qtd7nS2h9Qy4qIOF+oHhEngj1mPnHfxsb1gYgAlihw6ID
+-----END CERTIFICATE-----
+Certificate Ingredients:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 913232846 (0x366ed3ce)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=US, O=Digital Signature Trust Co., OU=DSTCA E2
+ Validity
+ Not Before: Dec 9 19:17:26 1998 GMT
+ Not After : Dec 9 19:47:26 2018 GMT
+ Subject: C=US, O=Digital Signature Trust Co., OU=DSTCA E2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (1024 bit)
+ Modulus (1024 bit):
+ 00:bf:93:8f:17:92:ef:33:13:18:eb:10:7f:4e:16:
+ bf:ff:06:8f:2a:85:bc:5e:f9:24:a6:24:88:b6:03:
+ b7:c1:c3:5f:03:5b:d1:6f:ae:7e:42:ea:66:23:b8:
+ 63:83:56:fb:28:2d:e1:38:8b:b4:ee:a8:01:e1:ce:
+ 1c:b6:88:2a:22:46:85:fb:9f:a7:70:a9:47:14:3f:
+ ce:de:65:f0:a8:71:f7:4f:26:6c:8c:bc:c6:b5:ef:
+ de:49:27:ff:48:2a:7d:e8:4d:03:cc:c7:b2:52:c6:
+ 17:31:13:3b:b5:4d:db:c8:c4:f6:c3:0f:24:2a:da:
+ 0c:9d:e7:91:5b:80:cd:94:9d
+ Exponent: 3 (0x3)
+ X509v3 extensions:
+ Netscape Cert Type:
+ SSL CA, S/MIME CA, Object Signing CA
+ X509v3 CRL Distribution Points:
+ DirName:/C=US/O=Digital Signature Trust Co./OU=DSTCA E2/CN=CRL1
+
+ X509v3 Private Key Usage Period:
+ Not Before: Dec 9 19:17:26 1998 GMT, Not After: Dec 9 19:17:26 2018 GMT
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ X509v3 Authority Key Identifier:
+ keyid:1E:82:4D:28:65:80:3C:C9:41:6E:AC:35:2E:5A:CB:DE:EE:F8:39:5B
+
+ X509v3 Subject Key Identifier:
+ 1E:82:4D:28:65:80:3C:C9:41:6E:AC:35:2E:5A:CB:DE:EE:F8:39:5B
+ X509v3 Basic Constraints:
+ CA:TRUE
+ 1.2.840.113533.7.65.0:
+ 0
+..V4.0....
+ Signature Algorithm: sha1WithRSAEncryption
+ 47:8d:83:ad:62:f2:db:b0:9e:45:22:05:b9:a2:d6:03:0e:38:
+ 72:e7:9e:fc:7b:e6:93:b6:9a:a5:a2:94:c8:34:1d:91:d1:c5:
+ d7:f4:0a:25:0f:3d:78:81:9e:0f:b1:67:c4:90:4c:63:dd:5e:
+ a7:e2:ba:9f:f5:f7:4d:a5:31:7b:9c:29:2d:4c:fe:64:3e:ec:
+ b6:53:fe:ea:9b:ed:82:db:74:75:4b:07:79:6e:1e:d8:19:83:
+ 73:de:f5:3e:d0:b5:de:e7:4b:68:7d:43:2e:2a:20:e1:7e:a0:
+ 78:44:9e:08:f5:98:f9:c7:7f:1b:1b:d6:06:20:02:58:a1:c3:
+ a2:03
+
+Digital Signature Trust Co. Global CA 4
+=======================================
+MD5 Fingerprint: CD:3B:3D:62:5B:09:B8:09:36:87:9E:12:2F:71:64:BA
+PEM Data:
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+Certificate Ingredients:
+ Data:
+ Version: 1 (0x0)
+ Serial Number:
+ d0:1e:40:8b:00:00:77:6d:00:00:00:01:00:00:00:04
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=DSTCA X2, CN=DST RootCA X2/Email=ca@digsigtrust.com
+ Validity
+ Not Before: Nov 30 22:46:16 1998 GMT
+ Not After : Nov 27 22:46:16 2008 GMT
+ Subject: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=DSTCA X2, CN=DST RootCA X2/Email=ca@digsigtrust.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:dc:75:f0:8c:c0:75:96:9a:c0:62:1f:26:f7:c4:
+ e1:9a:ea:e0:56:73:5b:99:cd:01:44:a8:08:b6:d5:
+ a7:da:1a:04:18:39:92:4a:78:a3:81:c2:f5:77:7a:
+ 50:b4:70:ff:9a:ab:c6:c7:ca:6e:83:4f:42:98:fb:
+ 26:0b:da:dc:6d:d6:a9:99:55:52:67:e9:28:03:92:
+ dc:e5:b0:05:9a:0f:15:f9:6b:59:72:56:f2:fa:39:
+ fc:aa:68:ee:0f:1f:10:83:2f:fc:9d:fa:17:96:dd:
+ 82:e3:e6:45:7d:c0:4b:80:44:1f:ed:2c:e0:84:fd:
+ 91:5c:92:54:69:25:e5:62:69:dc:e5:ee:00:52:bd:
+ 33:0b:ad:75:02:85:a7:64:50:2d:c5:19:19:30:c0:
+ 26:db:c9:d3:fd:2e:99:ad:59:b5:0b:4d:d4:41:ae:
+ 85:48:43:59:dc:b7:a8:e2:a2:de:c3:8f:d7:b8:a1:
+ 62:a6:68:50:52:e4:cf:31:a7:94:85:da:9f:46:32:
+ 17:56:e5:f2:eb:66:3d:12:ff:43:db:98:ef:77:cf:
+ cb:81:8d:34:b1:c6:50:4a:26:d1:e4:3e:41:50:af:
+ 6c:ae:22:34:2e:d5:6b:6e:83:ba:79:b8:76:65:48:
+ da:09:29:64:63:22:b9:fb:47:76:85:8c:86:44:cb:
+ 09:db
+ Exponent: 65537 (0x10001)
+ Signature Algorithm: sha1WithRSAEncryption
+ b5:36:0e:5d:e1:61:28:5a:11:65:c0:3f:83:03:79:4d:be:28:
+ a6:0b:07:02:52:85:cd:f8:91:d0:10:6c:b5:6a:20:5b:1c:90:
+ d9:30:3c:c6:48:9e:8a:5e:64:f9:a1:71:77:ef:04:27:1f:07:
+ eb:e4:26:f7:73:74:c9:44:18:1a:66:d3:e0:43:af:91:3b:d1:
+ cb:2c:d8:74:54:3a:1c:4d:ca:d4:68:cd:23:7c:1d:10:9e:45:
+ e9:f6:00:6e:a6:cd:19:ff:4f:2c:29:8f:57:4d:c4:77:92:be:
+ e0:4c:09:fb:5d:44:86:66:21:a8:b9:32:a2:56:d5:e9:8c:83:
+ 7c:59:3f:c4:f1:0b:e7:9d:ec:9e:bd:9c:18:0e:3e:c2:39:79:
+ 28:b7:03:0d:08:cb:c6:e7:d9:01:37:50:10:ec:cc:61:16:40:
+ d4:af:31:74:7b:fc:3f:31:a7:d0:47:73:33:39:1b:cc:4e:6a:
+ d7:49:83:11:06:fe:eb:82:58:33:32:4c:f0:56:ac:1e:9c:2f:
+ 56:9a:7b:c1:4a:1c:a5:fd:55:36:ce:fc:96:4d:f4:b0:f0:ec:
+ b7:6c:82:ed:2f:31:99:42:4c:a9:b2:0d:b8:15:5d:f1:df:ba:
+ c9:b5:4a:d4:64:98:b3:26:a9:30:c8:fd:a6:ec:ab:96:21:ad:
+ 7f:c2:78:b6
+
+Entrust Worldwide by DST
+========================
+MD5 Fingerprint: B4:65:22:0A:7C:AD:DF:41:B7:D5:44:D5:AD:FA:9A:75
+PEM Data:
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+Certificate Ingredients:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 913163544 (0x366dc518)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=US, O=Digital Signature Trust Co., OU=DST-Entrust GTI CA
+ Validity
+ Not Before: Dec 9 00:02:24 1998 GMT
+ Not After : Dec 9 00:32:24 2018 GMT
+ Subject: C=US, O=Digital Signature Trust Co., OU=DST-Entrust GTI CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (1024 bit)
+ Modulus (1024 bit):
+ 00:b6:1d:f7:4b:8d:0f:13:e3:12:f5:09:fe:06:32:
+ 0e:af:4c:41:f5:7d:d4:47:3d:2a:0a:df:83:05:de:
+ de:7d:e6:03:16:f6:51:3a:cb:47:1a:4a:ad:7e:c4:
+ fd:1d:b4:be:74:8a:78:dd:0b:83:8e:b4:84:13:c4:
+ fb:f8:6d:29:ae:a1:e1:0f:0f:43:e3:b5:5e:60:69:
+ fa:83:94:fc:79:e6:dc:76:ed:d1:44:2b:8e:fd:12:
+ bb:fe:17:77:17:0c:89:ed:a7:ef:51:7d:c4:ed:38:
+ c3:3b:a3:7a:fb:e2:4d:a0:60:b5:f2:fd:13:65:d3:
+ c6:ec:3f:be:35:9c:3d:22:ef
+ Exponent: 3 (0x3)
+ X509v3 extensions:
+ Netscape Cert Type:
+ SSL CA, S/MIME CA, Object Signing CA
+ X509v3 CRL Distribution Points:
+ DirName:/C=US/O=Digital Signature Trust Co./OU=DST-Entrust GTI CA/CN=CRL1
+
+ X509v3 Private Key Usage Period:
+ Not Before: Dec 9 00:02:24 1998 GMT, Not After: Dec 9 00:02:24 2018 GMT
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ X509v3 Authority Key Identifier:
+ keyid:93:9A:44:CA:D0:78:53:80:29:49:04:DF:C7:AF:33:3F:99:75:5F:AE
+
+ X509v3 Subject Key Identifier:
+ 93:9A:44:CA:D0:78:53:80:29:49:04:DF:C7:AF:33:3F:99:75:5F:AE
+ X509v3 Basic Constraints:
+ CA:TRUE
+ 1.2.840.113533.7.65.0:
+ 0
+..V4.0....
+ Signature Algorithm: sha1WithRSAEncryption
+ 64:89:cc:03:a7:dc:0a:f2:58:20:e7:fd:17:a0:28:72:cd:87:
+ b0:cd:98:b5:24:47:63:33:31:10:10:b2:ef:8a:57:72:ae:4c:
+ 03:e0:67:9f:ac:60:43:84:22:c1:a9:a3:e5:b1:a7:de:09:d4:
+ cf:0d:78:46:23:5b:8f:49:7b:fe:13:22:97:94:ea:72:48:e1:
+ 2c:20:78:96:e9:66:45:19:cb:09:65:63:61:3f:d1:49:98:b1:
+ 76:10:55:d5:63:4a:66:4b:a4:07:6b:de:7b:7f:b9:e6:93:5b:
+ 1a:02:5b:80:0e:dd:8d:18:d4:8a:a3:c2:68:f1:a3:e0:18:d1:
+ 4e:4c
+
+Entrust.net Premium 2048 Secure Server CA
+=========================================
+MD5 Fingerprint: BA:21:EA:20:D6:DD:DB:8F:C1:57:8B:40:AD:A1:FC:FC
+PEM Data:
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+Certificate Ingredients:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 946059622 (0x3863b966)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
+ Validity
+ Not Before: Dec 24 17:50:51 1999 GMT
+ Not After : Dec 24 18:20:51 2019 GMT
+ Subject: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ad:4d:4b:a9:12:86:b2:ea:a3:20:07:15:16:64:
+ 2a:2b:4b:d1:bf:0b:4a:4d:8e:ed:80:76:a5:67:b7:
+ 78:40:c0:73:42:c8:68:c0:db:53:2b:dd:5e:b8:76:
+ 98:35:93:8b:1a:9d:7c:13:3a:0e:1f:5b:b7:1e:cf:
+ e5:24:14:1e:b1:81:a9:8d:7d:b8:cc:6b:4b:03:f1:
+ 02:0c:dc:ab:a5:40:24:00:7f:74:94:a1:9d:08:29:
+ b3:88:0b:f5:87:77:9d:55:cd:e4:c3:7e:d7:6a:64:
+ ab:85:14:86:95:5b:97:32:50:6f:3d:c8:ba:66:0c:
+ e3:fc:bd:b8:49:c1:76:89:49:19:fd:c0:a8:bd:89:
+ a3:67:2f:c6:9f:bc:71:19:60:b8:2d:e9:2c:c9:90:
+ 76:66:7b:94:e2:af:78:d6:65:53:5d:3c:d6:9c:b2:
+ cf:29:03:f9:2f:a4:50:b2:d4:48:ce:05:32:55:8a:
+ fd:b2:64:4c:0e:e4:98:07:75:db:7f:df:b9:08:55:
+ 60:85:30:29:f9:7b:48:a4:69:86:e3:35:3f:1e:86:
+ 5d:7a:7a:15:bd:ef:00:8e:15:22:54:17:00:90:26:
+ 93:bc:0e:49:68:91:bf:f8:47:d3:9d:95:42:c1:0e:
+ 4d:df:6f:26:cf:c3:18:21:62:66:43:70:d6:d5:c0:
+ 07:e1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ Netscape Cert Type:
+ SSL CA, S/MIME CA, Object Signing CA
+ X509v3 Authority Key Identifier:
+ keyid:55:E4:81:D1:11:80:BE:D8:89:B9:08:A3:31:F9:A1:24:09:16:B9:70
+
+ X509v3 Subject Key Identifier:
+ 55:E4:81:D1:11:80:BE:D8:89:B9:08:A3:31:F9:A1:24:09:16:B9:70
+ 1.2.840.113533.7.65.0:
+ 0...V5.0:4.0....
+ Signature Algorithm: sha1WithRSAEncryption
+ 59:47:ac:21:84:8a:17:c9:9c:89:53:1e:ba:80:85:1a:c6:3c:
+ 4e:3e:b1:9c:b6:7c:c6:92:5d:18:64:02:e3:d3:06:08:11:61:
+ 7c:63:e3:2b:9d:31:03:70:76:d2:a3:28:a0:f4:bb:9a:63:73:
+ ed:6d:e5:2a:db:ed:14:a9:2b:c6:36:11:d0:2b:eb:07:8b:a5:
+ da:9e:5c:19:9d:56:12:f5:54:29:c8:05:ed:b2:12:2a:8d:f4:
+ 03:1b:ff:e7:92:10:87:b0:3a:b5:c3:9d:05:37:12:a3:c7:f4:
+ 15:b9:d5:a4:39:16:9b:53:3a:23:91:f1:a8:82:a2:6a:88:68:
+ c1:79:02:22:bc:aa:a6:d6:ae:df:b0:14:5f:b8:87:d0:dd:7c:
+ 7f:7b:ff:af:1c:cf:e6:db:07:ad:5e:db:85:9d:d0:2b:0d:33:
+ db:04:d1:e6:49:40:13:2b:76:fb:3e:e9:9c:89:0f:15:ce:18:
+ b0:85:78:21:4f:6b:4f:0e:fa:36:67:cd:07:f2:ff:08:d0:e2:
+ de:d9:bf:2a:af:b8:87:86:21:3c:04:ca:b7:94:68:7f:cf:3c:
+ e9:98:d7:38:ff:ec:c0:d9:50:f0:2e:4b:58:ae:46:6f:d0:2e:
+ c3:60:da:72:55:72:bd:4c:45:9e:61:ba:bf:84:81:92:03:d1:
+ d2:69:7c:c5
+
+Entrust.net Secure Personal CA
+==============================
+MD5 Fingerprint: 0C:41:2F:13:5B:A0:54:F5:96:66:2D:7E:CD:0E:03:F4
+PEM Data:
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+Certificate Ingredients:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 939758062 (0x380391ee)
+ Signature Algorithm: md5WithRSAEncryption
+ Issuer: C=US, O=Entrust.net, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Client Certification Authority
+ Validity
+ Not Before: Oct 12 19:24:30 1999 GMT
+ Not After : Oct 12 19:54:30 2019 GMT
+ Subject: C=US, O=Entrust.net, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Client Certification Authority
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (1024 bit)
+ Modulus (1024 bit):
+ 00:c8:3a:99:5e:31:17:df:ac:27:6f:90:7b:e4:19:
+ ff:45:a3:34:c2:db:c1:a8:4f:f0:68:ea:84:fd:9f:
+ 75:79:cf:c1:8a:51:94:af:c7:57:03:47:64:9e:ad:
+ 82:1b:5a:da:7f:37:78:47:bb:37:98:12:96:ce:c6:
+ 13:7d:ef:d2:0c:30:51:a9:39:9e:55:f8:fb:b1:e7:
+ 30:de:83:b2:ba:3e:f1:d5:89:3b:3b:85:ba:aa:74:
+ 2c:fe:3f:31:6e:af:91:95:6e:06:d4:07:4d:4b:2c:
+ 56:47:18:04:52:da:0e:10:93:bf:63:90:9b:e1:df:
+ 8c:e6:02:a4:e6:4f:5e:f7:8b
+ Exponent: 3 (0x3)
+ X509v3 extensions:
+ Netscape Cert Type:
+ SSL CA, S/MIME CA, Object Signing CA
+ X509v3 CRL Distribution Points:
+ DirName:/C=US/O=Entrust.net/OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab./OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Client Certification Authority/CN=CRL1
+ URI:http://www.entrust.net/CRL/Client1.crl
+
+ X509v3 Private Key Usage Period:
+ Not Before: Oct 12 19:24:30 1999 GMT, Not After: Oct 12 19:24:30 2019 GMT
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ X509v3 Authority Key Identifier:
+ keyid:C4:FB:9C:29:7B:97:CD:4C:96:FC:EE:5B:B3:CA:99:74:8B:95:EA:4C
+
+ X509v3 Subject Key Identifier:
+ C4:FB:9C:29:7B:97:CD:4C:96:FC:EE:5B:B3:CA:99:74:8B:95:EA:4C
+ X509v3 Basic Constraints:
+ CA:TRUE
+ 1.2.840.113533.7.65.0:
+ 0
+..V4.0....
+ Signature Algorithm: md5WithRSAEncryption
+ 3f:ae:8a:f1:d7:66:03:05:9e:3e:fa:ea:1c:46:bb:a4:5b:8f:
+ 78:9a:12:48:99:f9:f4:35:de:0c:36:07:02:6b:10:3a:89:14:
+ 81:9c:31:a6:7c:b2:41:b2:6a:e7:07:01:a1:4b:f9:9f:25:3b:
+ 96:ca:99:c3:3e:a1:51:1c:f3:c3:2e:44:f7:b0:67:46:aa:92:
+ e5:3b:da:1c:19:14:38:30:d5:e2:a2:31:25:2e:f1:ec:45:38:
+ ed:f8:06:58:03:73:62:b0:10:31:8f:40:bf:64:e0:5c:3e:c5:
+ 4f:1f:da:12:43:ff:4c:e6:06:26:a8:9b:19:aa:44:3c:76:b2:
+ 5c:ec
+
+Entrust.net Secure Server CA
+============================
+MD5 Fingerprint: DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE
PEM Data:
-----BEGIN CERTIFICATE-----
-MIIDRzCCArCgAwIBAgIENm3FGDANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJV
-UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRswGQYDVQQL
-ExJEU1QtRW50cnVzdCBHVEkgQ0EwHhcNOTgxMjA5MDAwMjI0WhcNMTgxMjA5MDAz
-MjI0WjBQMQswCQYDVQQGEwJVUzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUg
-VHJ1c3QgQ28uMRswGQYDVQQLExJEU1QtRW50cnVzdCBHVEkgQ0EwgZ0wDQYJKoZI
-hvcNAQEBBQADgYsAMIGHAoGBALYd90uNDxPjEvUJ/gYyDq9MQfV91Ec9KgrfgwXe
-3n3mAxb2UTrLRxpKrX7E/R20vnSKeN0Lg460hBPE+/htKa6h4Q8PQ+O1XmBp+oOU
-/Hnm3Hbt0UQrjv0Su/4XdxcMie2n71F9xO04wzujevviTaBgtfL9E2XTxuw/vjWc
-PSLvAgEDo4IBLjCCASowEQYJYIZIAYb4QgEBBAQDAgAHMHIGA1UdHwRrMGkwZ6Bl
-oGOkYTBfMQswCQYDVQQGEwJVUzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUg
-VHJ1c3QgQ28uMRswGQYDVQQLExJEU1QtRW50cnVzdCBHVEkgQ0ExDTALBgNVBAMT
-BENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMDkwMDAyMjRagQ8yMDE4MTIwOTAwMDIy
-NFowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFJOaRMrQeFOAKUkE38evMz+ZdV+u
-MB0GA1UdDgQWBBSTmkTK0HhTgClJBN/HrzM/mXVfrjAMBgNVHRMEBTADAQH/MBkG
-CSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqGSIb3DQEBBQUAA4GBAGSJzAOn
-3AryWCDn/RegKHLNh7DNmLUkR2MzMRAQsu+KV3KuTAPgZ5+sYEOEIsGpo+Wxp94J
-1M8NeEYjW49Je/4TIpeU6nJI4SwgeJbpZkUZywllY2E/0UmYsXYQVdVjSmZLpAdr
-3nt/ueaTWxoCW4AO3Y0Y1Iqjwmjxo+AY0U5M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=
-----END CERTIFICATE-----
Certificate Ingredients:
Data:
Version: 3 (0x2)
- Serial Number: 913163544 (0x366dc518)
+ Serial Number: 927650371 (0x374ad243)
Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=US, O=Digital Signature Trust Co., OU=DST-Entrust GTI CA
+ Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
Validity
- Not Before: Dec 9 00:02:24 1998 GMT
- Not After : Dec 9 00:32:24 2018 GMT
- Subject: C=US, O=Digital Signature Trust Co., OU=DST-Entrust GTI CA
+ Not Before: May 25 16:09:40 1999 GMT
+ Not After : May 25 16:39:40 2019 GMT
+ Subject: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
- 00:b6:1d:f7:4b:8d:0f:13:e3:12:f5:09:fe:06:32:
- 0e:af:4c:41:f5:7d:d4:47:3d:2a:0a:df:83:05:de:
- de:7d:e6:03:16:f6:51:3a:cb:47:1a:4a:ad:7e:c4:
- fd:1d:b4:be:74:8a:78:dd:0b:83:8e:b4:84:13:c4:
- fb:f8:6d:29:ae:a1:e1:0f:0f:43:e3:b5:5e:60:69:
- fa:83:94:fc:79:e6:dc:76:ed:d1:44:2b:8e:fd:12:
- bb:fe:17:77:17:0c:89:ed:a7:ef:51:7d:c4:ed:38:
- c3:3b:a3:7a:fb:e2:4d:a0:60:b5:f2:fd:13:65:d3:
- c6:ec:3f:be:35:9c:3d:22:ef
+ 00:cd:28:83:34:54:1b:89:f3:0f:af:37:91:31:ff:
+ af:31:60:c9:a8:e8:b2:10:68:ed:9f:e7:93:36:f1:
+ 0a:64:bb:47:f5:04:17:3f:23:47:4d:c5:27:19:81:
+ 26:0c:54:72:0d:88:2d:d9:1f:9a:12:9f:bc:b3:71:
+ d3:80:19:3f:47:66:7b:8c:35:28:d2:b9:0a:df:24:
+ da:9c:d6:50:79:81:7a:5a:d3:37:f7:c2:4a:d8:29:
+ 92:26:64:d1:e4:98:6c:3a:00:8a:f5:34:9b:65:f8:
+ ed:e3:10:ff:fd:b8:49:58:dc:a0:de:82:39:6b:81:
+ b1:16:19:61:b9:54:b6:e6:43
Exponent: 3 (0x3)
X509v3 extensions:
Netscape Cert Type:
- ....
+ SSL CA, S/MIME CA, Object Signing CA
X509v3 CRL Distribution Points:
- 0i0g.e.c.a0_1.0...U....US1$0"..U.
-..Digital Signature Trust Co.1.0...U....DST-Entrust GTI CA1\r0...U....CRL1
+ DirName:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority/CN=CRL1
+ URI:http://www.entrust.net/CRL/net1.crl
+
X509v3 Private Key Usage Period:
- 0"..19981209000224Z..20181209000224Z
+ Not Before: May 25 16:09:40 1999 GMT, Not After: May 25 16:09:40 2019 GMT
X509v3 Key Usage:
- ....
+ Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
- 0.....D..xS.)I....3?.u_.
+ keyid:F0:17:62:13:55:3D:B3:FF:0A:00:6B:FB:50:84:97:F3:ED:62:D0:1A
+
X509v3 Subject Key Identifier:
- ....D..xS.)I....3?.u_.
+ F0:17:62:13:55:3D:B3:FF:0A:00:6B:FB:50:84:97:F3:ED:62:D0:1A
X509v3 Basic Constraints:
- 0....
+ CA:TRUE
1.2.840.113533.7.65.0:
0
..V4.0....
Signature Algorithm: sha1WithRSAEncryption
- 64:89:cc:03:a7:dc:0a:f2:58:20:e7:fd:17:a0:28:72:cd:87:
- b0:cd:98:b5:24:47:63:33:31:10:10:b2:ef:8a:57:72:ae:4c:
- 03:e0:67:9f:ac:60:43:84:22:c1:a9:a3:e5:b1:a7:de:09:d4:
- cf:0d:78:46:23:5b:8f:49:7b:fe:13:22:97:94:ea:72:48:e1:
- 2c:20:78:96:e9:66:45:19:cb:09:65:63:61:3f:d1:49:98:b1:
- 76:10:55:d5:63:4a:66:4b:a4:07:6b:de:7b:7f:b9:e6:93:5b:
- 1a:02:5b:80:0e:dd:8d:18:d4:8a:a3:c2:68:f1:a3:e0:18:d1:
- 4e:4c
+ 90:dc:30:02:fa:64:74:c2:a7:0a:a5:7c:21:8d:34:17:a8:fb:
+ 47:0e:ff:25:7c:8d:13:0a:fb:e4:98:b5:ef:8c:f8:c5:10:0d:
+ f7:92:be:f1:c3:d5:d5:95:6a:04:bb:2c:ce:26:36:65:c8:31:
+ c6:e7:ee:3f:e3:57:75:84:7a:11:ef:46:4f:18:f4:d3:98:bb:
+ a8:87:32:ba:72:f6:3c:e2:3d:9f:d7:1d:d9:c3:60:43:8c:58:
+ 0e:22:96:2f:62:a3:2c:1f:ba:ad:05:ef:ab:32:78:87:a0:54:
+ 73:19:b5:5c:05:f9:52:3e:6d:2d:45:0b:f7:0a:93:ea:ed:06:
+ f9:b2
Equifax Premium CA
==================
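Review bot: four of the roots this hunk adds or relabels are 1024-bit RSA keys with "Exponent: 3 (0x3)" and validity running to 2018 or 2019: "Digital Signature Trust Co. Global CA 3", "Entrust Worldwide by DST", "Entrust.net Secure Personal CA" (also self-signed with md5WithRSAEncryption) and "Entrust.net Secure Server CA". Record key size and notAfter for these in the change description or in a header comment of the bundle, so they are re-evaluated well before those dates and are not simply carried forward. Separately, "Digital Signature Trust Co. Global CA 4" is "Version: 1 (0x0)" with no extensions section, so nothing in the certificate itself marks it as a CA; a note that its use as a trust anchor rests only on its presence in this file would help whoever configures verification against the bundle.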
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 CRL Distribution Points:
- 0h0f.d.b.`0^1.0...U....US1.0...U.
-..Equifax1.0,..U...%Equifax Premium Certificate Authority1\r0...U....CRL1
+ DirName:/C=US/O=Equifax/OU=Equifax Premium Certificate Authority/CN=CRL1
+
X509v3 Private Key Usage Period:
- 0...20180824225423Z
+ Not After: Aug 24 22:54:23 2018 GMT
X509v3 Key Usage:
- ....
+ Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
- 0......(Y.n......$..?u..
+ keyid:15:EE:B2:28:59:AB:6E:E5:F8:CF:8B:81:F4:24:E1:AE:3F:75:1B:98
+
X509v3 Subject Key Identifier:
- .....(Y.n......$..?u..
+ 15:EE:B2:28:59:AB:6E:E5:F8:CF:8B:81:F4:24:E1:AE:3F:75:1B:98
X509v3 Basic Constraints:
- 0....
+ CA:TRUE
1.2.840.113533.7.65.0:
0...V3.0c....
Signature Algorithm: sha1WithRSAEncryption
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 CRL Distribution Points:
- 0g0e.c.a._0]1.0...U....US1.0...U.
-..Equifax1-0+..U...$Equifax Secure Certificate Authority1\r0...U....CRL1
+ DirName:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority/CN=CRL1
+
X509v3 Private Key Usage Period:
- 0...20180822164151Z
+ Not After: Aug 22 16:41:51 2018 GMT
X509v3 Key Usage:
- ....
+ Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
- 0...H.h.+....G.# .O3....
+ keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
+
X509v3 Subject Key Identifier:
- ..H.h.+....G.# .O3....
+ 48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
X509v3 Basic Constraints:
- 0....
+ CA:TRUE
1.2.840.113533.7.65.0:
0...V3.0c....
Signature Algorithm: sha1WithRSAEncryption
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
- 0.......
+ CA:TRUE, pathlen:5
X509v3 Key Usage: critical
- ....
+ Certificate Sign, CRL Sign
X509v3 Certificate Policies:
- 0.0..
-*.H..c....
+ Policy: 1.2.840.113763.1.2.1.3
+
X509v3 Subject Key Identifier:
- ..v
-I!8L....I.qq..
+ 76:0A:49:21:38:4C:9F:DE:F8:C4:49:C7:71:71:91:9D
Signature Algorithm: sha1WithRSAEncryption
41:3a:d4:18:5b:da:b8:de:21:1c:e1:8e:09:e5:f1:68:34:ff:
de:96:f4:07:f5:a7:3c:f3:ac:4a:b1:9b:fa:92:fa:9b:ed:e6:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
- ....
+ Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
- ..C$.p..bU.O.@.].^..L.
+ 43:24:8D:70:15:08:62:55:9C:4F:0C:40:17:5D:86:5E:0F:A2:4C:FB
X509v3 Authority Key Identifier:
- 0...`{f.E\r...P/}..4....K
+ keyid:60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
+
X509v3 Basic Constraints: critical
- 0....
+ CA:TRUE
Signature Algorithm: md5WithRSAEncryption
66:ed:b4:88:69:11:99:82:21:83:ac:a1:6d:8b:9b:84:ad:0f:
2d:c8:1e:8c:ca:7b:7e:ad:aa:d4:8e:de:07:d6:9e:45:c7:a5:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
- ....
+ Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
- ....f.Z5..@....C......
+ FC:E0:66:F6:5A:35:99:EB:40:1E:D2:B8:1E:43:BC:98:8E:1F:8A:C3
X509v3 Authority Key Identifier:
- 0...`{f.E\r...P/}..4....K
+ keyid:60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
+
X509v3 Basic Constraints: critical
- 0....
+ CA:TRUE
Signature Algorithm: md5WithRSAEncryption
9b:a3:08:44:ce:f2:90:9d:71:f3:32:b3:05:6a:b5:ea:cf:29:
98:de:55:3e:a0:16:7d:06:7a:44:d6:af:d2:fa:13:58:8c:f8:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
- ....
+ Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
- ..|...,...k.v....Nl...
+ 7C:E7:B2:B1:2C:DE:B1:A7:6B:E9:76:0C:E1:A3:FD:4E:6C:C7:B9:F6
X509v3 Authority Key Identifier:
- 0...`{f.E\r...P/}..4....K
+ keyid:60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
+
X509v3 Basic Constraints: critical
- 0....
+ CA:TRUE
Signature Algorithm: md5WithRSAEncryption
63:dd:59:ce:8a:79:aa:98:9d:4e:c5:89:64:37:7e:8a:93:67:
2f:10:ea:6f:27:c3:8d:77:6d:f2:5c:56:94:19:1a:69:60:30:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
- ....
+ Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
- ...6...E./..;0Hw......
+ CC:36:CC:17:B4:45:91:2F:ED:CF:3B:30:48:77:FB:B5:14:99:BE:E3
X509v3 Authority Key Identifier:
- 0...`{f.E\r...P/}..4....K
+ keyid:60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
+
X509v3 Basic Constraints: critical
- 0....
+ CA:TRUE
Signature Algorithm: md5WithRSAEncryption
57:b2:54:cc:bd:95:17:64:60:89:b6:53:91:0c:45:92:c3:3d:
a8:6c:c3:cc:b2:18:f5:78:41:74:d8:7d:a3:27:af:77:0d:59:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
- ....
+ Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
- ..`{f.E\r...P/}..4....K
+ 60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
X509v3 Basic Constraints: critical
- 0....
+ CA:TRUE
Signature Algorithm: md5WithRSAEncryption
ae:aa:9f:fc:b7:d2:cb:1f:5f:39:29:28:18:9e:34:c9:6c:4f:
6f:1a:f0:64:a2:70:4a:4f:13:86:9b:60:28:9e:e8:81:49:98:
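Review bot: the `Subject Key Identifier` now shown for this entry (`60:7B:66:1A:...:FD:4B`) is the same value as the `keyid:` in the `Authority Key Identifier` of the three preceding entries, and this entry has no Authority Key Identifier of its own, so the bundle carries an issuer together with three CA certificates issued under it, all marked `CA:TRUE`. Please document whether shipping the subordinates next to their issuer is intended: a verifier that treats every bundle entry as a trust anchor will accept them independently of the issuer, and a note in the file header would make that choice explicit.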
ec:b9:94:6a:aa:12:4f:1a:dd:f5:77:b5:25:8c:f2:8a:0a:f1:
fc:52:5b:58
-Novell E-Commerce Community by DST
-==================================
-MD5 Fingerprint: 93:C2:8E:11:7B:D4:F3:03:19:BD:28:75:13:4A:45:4A
-PEM Data:
------BEGIN CERTIFICATE-----
-MIIDKTCCApKgAwIBAgIENm7TzjANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJV
-UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMREwDwYDVQQL
-EwhEU1RDQSBFMjAeFw05ODEyMDkxOTE3MjZaFw0xODEyMDkxOTQ3MjZaMEYxCzAJ
-BgNVBAYTAlVTMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4x
-ETAPBgNVBAsTCERTVENBIEUyMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQC/
-k48Xku8zExjrEH9OFr//Bo8qhbxe+SSmJIi2A7fBw18DW9Fvrn5C6mYjuGODVvso
-LeE4i7TuqAHhzhy2iCoiRoX7n6dwqUcUP87eZfCocfdPJmyMvMa1795JJ/9IKn3o
-TQPMx7JSxhcxEzu1TdvIxPbDDyQq2gyd55FbgM2UnQIBA6OCASQwggEgMBEGCWCG
-SAGG+EIBAQQEAwIABzBoBgNVHR8EYTBfMF2gW6BZpFcwVTELMAkGA1UEBhMCVVMx
-JDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UECxMI
-RFNUQ0EgRTIxDTALBgNVBAMTBENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMDkxOTE3
-MjZagQ8yMDE4MTIwOTE5MTcyNlowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFB6C
-TShlgDzJQW6sNS5ay97u+DlbMB0GA1UdDgQWBBQegk0oZYA8yUFurDUuWsve7vg5
-WzAMBgNVHRMEBTADAQH/MBkGCSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqG
-SIb3DQEBBQUAA4GBAEeNg61i8tuwnkUiBbmi1gMOOHLnnvx75pO2mqWilMg0HZHR
-xdf0CiUPPXiBng+xZ8SQTGPdXqfiup/1902lMXucKS1M/mQ+7LZT/uqb7YLbdHVL
-B3luHtgZg3Pe9T7Qtd7nS2h9Qy4qIOF+oHhEngj1mPnHfxsb1gYgAlihw6ID
------END CERTIFICATE-----
-Certificate Ingredients:
- Data:
- Version: 3 (0x2)
- Serial Number: 913232846 (0x366ed3ce)
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: C=US, O=Digital Signature Trust Co., OU=DSTCA E2
- Validity
- Not Before: Dec 9 19:17:26 1998 GMT
- Not After : Dec 9 19:47:26 2018 GMT
- Subject: C=US, O=Digital Signature Trust Co., OU=DSTCA E2
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (1024 bit)
- Modulus (1024 bit):
- 00:bf:93:8f:17:92:ef:33:13:18:eb:10:7f:4e:16:
- bf:ff:06:8f:2a:85:bc:5e:f9:24:a6:24:88:b6:03:
- b7:c1:c3:5f:03:5b:d1:6f:ae:7e:42:ea:66:23:b8:
- 63:83:56:fb:28:2d:e1:38:8b:b4:ee:a8:01:e1:ce:
- 1c:b6:88:2a:22:46:85:fb:9f:a7:70:a9:47:14:3f:
- ce:de:65:f0:a8:71:f7:4f:26:6c:8c:bc:c6:b5:ef:
- de:49:27:ff:48:2a:7d:e8:4d:03:cc:c7:b2:52:c6:
- 17:31:13:3b:b5:4d:db:c8:c4:f6:c3:0f:24:2a:da:
- 0c:9d:e7:91:5b:80:cd:94:9d
- Exponent: 3 (0x3)
- X509v3 extensions:
- Netscape Cert Type:
- ....
- X509v3 CRL Distribution Points:
- 0_0].[.Y.W0U1.0...U....US1$0"..U.
-..Digital Signature Trust Co.1.0...U....DSTCA E21\r0...U....CRL1
- X509v3 Private Key Usage Period:
- 0"..19981209191726Z..20181209191726Z
- X509v3 Key Usage:
- ....
- X509v3 Authority Key Identifier:
- 0.....M(e.<.An.5.Z....9[
- X509v3 Subject Key Identifier:
- ....M(e.<.An.5.Z....9[
- X509v3 Basic Constraints:
- 0....
- 1.2.840.113533.7.65.0:
- 0
-..V4.0....
- Signature Algorithm: sha1WithRSAEncryption
- 47:8d:83:ad:62:f2:db:b0:9e:45:22:05:b9:a2:d6:03:0e:38:
- 72:e7:9e:fc:7b:e6:93:b6:9a:a5:a2:94:c8:34:1d:91:d1:c5:
- d7:f4:0a:25:0f:3d:78:81:9e:0f:b1:67:c4:90:4c:63:dd:5e:
- a7:e2:ba:9f:f5:f7:4d:a5:31:7b:9c:29:2d:4c:fe:64:3e:ec:
- b6:53:fe:ea:9b:ed:82:db:74:75:4b:07:79:6e:1e:d8:19:83:
- 73:de:f5:3e:d0:b5:de:e7:4b:68:7d:43:2e:2a:20:e1:7e:a0:
- 78:44:9e:08:f5:98:f9:c7:7f:1b:1b:d6:06:20:02:58:a1:c3:
- a2:03
-
TC TrustCenter, Germany, Class 0 CA
===================================
MD5 Fingerprint: 35:85:49:8E:6E:57:FE:BD:97:F1:C9:46:23:3A:B6:7D
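Review bot: the removed entry is headed "Novell E-Commerce Community by DST", but its `Issuer:` and `Subject:` lines both read `C=US, O=Digital Signature Trust Co., OU=DSTCA E2`, so the heading and the certificate do not agree, and nothing in the patch says why the entry is dropped. Please state the reason in the commit message (mislabelled entry, duplicate, or a deliberate withdrawal of trust) and mention the removal in the release notes, because sites that verify client certificates against this bundle lose a trust anchor with this change. If the removal is a trust decision, the visible parameters (`RSA Public Key: (1024 bit)`, `Exponent: 3 (0x3)`) are worth naming as part of the rationale.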
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Revocation Url:
- .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+ https://www.trustcenter.de/cgi-bin/check-rev.cgi?
Netscape CA Revocation Url:
- .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+ https://www.trustcenter.de/cgi-bin/check-rev.cgi?
Netscape Renewal Url:
- .-https://www.trustcenter.de/cgi-bin/Renew.cgi?
+ https://www.trustcenter.de/cgi-bin/Renew.cgi?
Netscape CA Policy Url:
- ./http://www.trustcenter.de/guidelines/index.html
+ http://www.trustcenter.de/guidelines/index.html
Netscape Comment:
- ..TC TrustCenter Class 0 CA
+ TC TrustCenter Class 0 CA
Netscape Cert Type:
- ....
+ SSL CA, S/MIME CA, Object Signing CA
Signature Algorithm: md5WithRSAEncryption
4d:07:7f:5f:09:30:19:92:aa:05:47:7a:94:75:54:2a:ae:cf:
fc:d8:0c:42:e1:45:38:2b:24:95:b2:ca:87:ca:79:c4:c3:97:
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Revocation Url:
- .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+ https://www.trustcenter.de/cgi-bin/check-rev.cgi?
Netscape CA Revocation Url:
- .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+ https://www.trustcenter.de/cgi-bin/check-rev.cgi?
Netscape Renewal Url:
- .-https://www.trustcenter.de/cgi-bin/Renew.cgi?
+ https://www.trustcenter.de/cgi-bin/Renew.cgi?
Netscape CA Policy Url:
- ./http://www.trustcenter.de/guidelines/index.html
+ http://www.trustcenter.de/guidelines/index.html
Netscape Comment:
- ..TC TrustCenter Class 1 CA
+ TC TrustCenter Class 1 CA
Netscape Cert Type:
- ....
+ SSL CA, S/MIME CA, Object Signing CA
Signature Algorithm: md5WithRSAEncryption
05:42:52:26:a4:0c:27:01:44:ac:5c:25:28:c2:44:42:54:08:
b9:1d:c5:3e:6c:59:66:c4:b3:4e:50:a7:f8:f8:96:75:a1:96:
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Revocation Url:
- .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+ https://www.trustcenter.de/cgi-bin/check-rev.cgi?
Netscape CA Revocation Url:
- .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+ https://www.trustcenter.de/cgi-bin/check-rev.cgi?
Netscape Renewal Url:
- .-https://www.trustcenter.de/cgi-bin/Renew.cgi?
+ https://www.trustcenter.de/cgi-bin/Renew.cgi?
Netscape CA Policy Url:
- ./http://www.trustcenter.de/guidelines/index.html
+ http://www.trustcenter.de/guidelines/index.html
Netscape Comment:
- ..TC TrustCenter Class 2 CA
+ TC TrustCenter Class 2 CA
Netscape Cert Type:
- ....
+ SSL CA, S/MIME CA, Object Signing CA
Signature Algorithm: md5WithRSAEncryption
89:1b:f4:ef:e9:38:e2:6c:0c:f6:cd:6f:49:ce:29:cc:fb:a6:
0f:f9:8d:3e:95:46:d6:fc:47:32:89:b2:c8:06:61:7a:d2:e7:
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Revocation Url:
- .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+ https://www.trustcenter.de/cgi-bin/check-rev.cgi?
Netscape CA Revocation Url:
- .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+ https://www.trustcenter.de/cgi-bin/check-rev.cgi?
Netscape Renewal Url:
- .-https://www.trustcenter.de/cgi-bin/Renew.cgi?
+ https://www.trustcenter.de/cgi-bin/Renew.cgi?
Netscape CA Policy Url:
- ./http://www.trustcenter.de/guidelines/index.html
+ http://www.trustcenter.de/guidelines/index.html
Netscape Comment:
- ..TC TrustCenter Class 3 CA
+ TC TrustCenter Class 3 CA
Netscape Cert Type:
- ....
+ SSL CA, S/MIME CA, Object Signing CA
Signature Algorithm: md5WithRSAEncryption
84:86:50:62:79:a0:27:e1:25:ba:09:b1:34:0f:13:09:ed:2d:
ca:a3:e6:95:f9:30:ac:cd:17:a5:ce:3d:97:9d:ec:7c:8f:26:
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Revocation Url:
- .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+ https://www.trustcenter.de/cgi-bin/check-rev.cgi?
Netscape CA Revocation Url:
- .1https://www.trustcenter.de/cgi-bin/check-rev.cgi?
+ https://www.trustcenter.de/cgi-bin/check-rev.cgi?
Netscape Renewal Url:
- .-https://www.trustcenter.de/cgi-bin/Renew.cgi?
+ https://www.trustcenter.de/cgi-bin/Renew.cgi?
Netscape CA Policy Url:
- ./http://www.trustcenter.de/guidelines/index.html
+ http://www.trustcenter.de/guidelines/index.html
Netscape Comment:
- ..TC TrustCenter Class 4 CA
+ TC TrustCenter Class 4 CA
Netscape Cert Type:
- ....
+ SSL CA, S/MIME CA, Object Signing CA
Signature Algorithm: md5WithRSAEncryption
94:68:14:1b:25:9e:29:99:b1:b2:23:d2:44:b3:95:9f:d1:9e:
55:04:dd:e3:2f:82:33:55:96:77:19:9d:2b:9e:65:1c:fa:8a:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
- 0....
+ CA:TRUE
Signature Algorithm: md5WithRSAEncryption
2d:e2:99:6b:b0:3d:7a:89:d7:59:a2:94:01:1f:2b:dd:12:4b:
53:c2:ad:7f:aa:a7:00:5c:91:40:57:25:4a:38:aa:84:70:b9:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
- 0....
+ CA:TRUE
Signature Algorithm: md5WithRSAEncryption
c7:ec:92:7e:4e:f8:f5:96:a5:67:62:2a:a4:f0:4d:11:60:d0:
6f:8d:60:58:61:ac:26:bb:52:35:5c:08:cf:30:fb:a8:4a:96:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
- 0....
+ CA:TRUE
Signature Algorithm: md5WithRSAEncryption
69:36:89:f7:34:2a:33:72:2f:6d:3b:d4:22:b2:b8:6f:9a:c5:
36:66:0e:1b:3c:a1:b1:75:5a:e6:fd:35:d3:f8:a8:f2:07:6f:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
- 0....
+ CA:TRUE
Signature Algorithm: md5WithRSAEncryption
26:48:2c:16:c2:58:fa:e8:16:74:0c:aa:aa:5f:54:3f:f2:d7:
c9:78:60:5e:5e:6e:37:63:22:77:36:7e:b2:17:c4:34:b9:f5:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
- 0....
+ CA:TRUE
Signature Algorithm: md5WithRSAEncryption
07:fa:4c:69:5c:fb:95:cc:46:ee:85:83:4d:21:30:8e:ca:d9:
a8:6f:49:1a:e6:da:51:e3:60:70:6c:84:61:11:a1:1a:c8:48:
b2:75:1b:f6:42:f2:ef:c7:f2:18:f9:89:bc:a3:ff:8a:23:2e:
70:47
+Thawte Universal CA Root
+========================
+MD5 Fingerprint: 17:AF:71:16:52:7B:73:65:22:05:29:28:84:71:9D:13
+PEM Data:
+-----BEGIN CERTIFICATE-----
+MIIRIjCCCQoCAQAwDQYJKoZIhvcNAQEFBQAwVzEPMA0GA1UEChMGVGhhd3RlMSEw
+HwYDVQQLExhUaGF3dGUgVW5pdmVyc2FsIENBIFJvb3QxITAfBgNVBAMTGFRoYXd0
+ZSBVbml2ZXJzYWwgQ0EgUm9vdDAeFw05OTEyMDUxMzU2MDVaFw0zNzA0MDMxMzU2
+MDVaMFcxDzANBgNVBAoTBlRoYXd0ZTEhMB8GA1UECxMYVGhhd3RlIFVuaXZlcnNh
+bCBDQSBSb290MSEwHwYDVQQDExhUaGF3dGUgVW5pdmVyc2FsIENBIFJvb3Qwgggi
+MA0GCSqGSIb3DQEBAQUAA4IIDwAwgggKAoIIAQDiiQVtw3+tpok6/7vHzZ03seHS
+IR6bYSoV53tXT1U80Lv52T0+przstK1TmhYC6wty/Yryj0QFxevT5b22RDnm+0e/
+ap4KlRjiaOLWltYhrYj99Rf109pCpZDtKZWWdTrah6HU9dOH3gVipuNmdJLPpby7
+32j/cXVWQVk16zNaZlHy0qMKwYzOc1wRby2MlYyRsf3P5a1WlcyFkoOQVUHJwnft
++aN0QgpoCPPQ0WX9Zyw0/yR/53nIBzslV92kDJg9vuDMGWXb8lSir0LUneKuhCMl
+CTMStWoedsSL2UkAbF66H/Ib2mfKJ6qjRCMbg4LO8qsz7VSk3MmrWWXROA7BPhtn
+j9Z1AeBVIt12d+yO3fTPeSJtuVcD9ZkIpzw+NPvEF64jWM0k8yPKagIolAGBNLRs
+a66LGsOj0gk8FlT1Nl8k459KoeJkxhbDpoF6JDZHjsFeDvv5FXgE1g5Z2Z1YZmLS
+lCkyMsh4uWb2tVbhbMYUS5ZSWZECJGpVR9c/tiMaYHeXLuJAr54EV56tEcXJQ3Dv
+SLRerBxpLi6C1VuLvoK+GRRe5w0ix1Eb/x6b8TCPcTEGszQnj196ZoJPii0Tq0LP
+IVael45mNg+Wm+Ur9AKpKmqMLMTDuHAsLSkeP1B3Hm0qVORVCpE4ocW1ZqJ2Wu4P
+v7Rn4ShuD+E2oYLRv9R34cRnMpN4yOdUU/4jeeZozCaQ9hBjXSpvkS2kczJRIfK7
+Fd+qJAhIBt6hnia/uoO/fKTIoIy90v+8hGknEyQYxEUYIyZeGBTKLoiHYqNT5iG3
+uIV7moW7FSZy+Ln3anQPST+SvqkFt5knv78JF0uZTK0REHzfdDH2jyZfqoiuOFfI
+VS3T+9gbUZm+JRs6usB9G+3O0km5z/PFfYmQgdhpSCAQo/jvklEYMosRGMA/G4VW
+zlfJ8oJkxt8CCS5KES+xJ203UvDwFmHxZ43fh3Kvh9rP+1CUbtSUheuKLOoh9ZZK
+RNXgzmp0RE3QBdOHFe020KSLZlVwk+5HBsF+LqUYeWfzKIXxcPcOg6R+VJ5adjLL
+ZRu4zfvIKAPSVJHRp8WFQwgXdqXmL2cI2KGigi0M+MGvY9RQd21rRkpBhdWQX3kt
+xOzXEYdAiuFo4mT4VTL7b5Ms2nfZIcEX5TYsTn6Qf6yUKzJnvjhQdriuQbnXIcUJ
+TGDIo1HENJtXN9/LyTNXi+v7dp8ZTcVqHypFrivtL42npQDLBPolYi50SBvKKoy6
+27Z+9rsCfKnD21h4ob/w/hoQVRHO6GlOlmXGFwPWB2iMVIKuHCJVP/H0CZcowEb3
+TgslHfcH1wkdOhhXODvoMwbnj3hGHlv1BrbsuKYN8boTS9YYIN1pM0ozFa64yJiK
+JyyTvC377jO/ZuZNurabBlVgl0u8RM1+9KHYqi/AAighFmJ42whU8vz0NOPGjxxD
+V86QGkvcLjsokYk/eto1HY4s7kns9DOtyVOojJ8EUz4kHFLJEvliV6O87izrQHwg
+I3ArlflzF4rRwRxpprc4mmf3cB16WgxAz2IPhTzCAk5+tfbFKimEsx83KuGqckLE
+7Wsaj5IcXb7R8lvyq6qp0vW4pEErK5FuEkjKmNg3jcjtADC1tgROfpzahOzA+nvl
+HYikU0awlORcG6ElLA9IUneXCWzsWxgzgwLlgn7NhSEwEf0nT8/kHuw/pVds6Sow
+GSqI5cNpOKtvOXF/hOFBw+HMKokgUi6DD2w5P0stFqwt8CSsAHP0m7MGPwW4FIUf
+q55cPJ5inQ5tO4AJ/ALqopd0ysf541bhw8qlpprAkOAkElPSwovavu0CQ15n4YmY
+ee7LqsrDG9znpUalfGsWh7ZaKNfbJzxepb22Ud0fQ887Jsg6jSVhwUn0PBvJROqv
+HMIrlAEqDjDRW4srR+XD0QQDmw45LNYn1OZwWtl1zyrYyQAF5BOI7MM5+4dhMDZD
+A8ienKIGwi/F/PCAY7FUBKBMqS7G9XZ62NDk1JQR5RW1eAbcuICPmakgMz0QhUxl
+Cco+WF5gk5qqYl3AUQYcXWCgDZxLQ/anFiGkh6rywS7ukjC4nt/fEAGLhglw2Gyo
+t1AeFpa092f9NTohkCoyxwB7TQcQCbkvc9gYfmeZBE8G/FDHhZudQJ2zljf6pdyy
+ck7vTgks/ZH9Tfe7pqE+q3uiA0CmqVUn4vr5Gc6HdarxdTbz87iR+JHDi3UTjkxl
+mhY5auU06HqWWX81sAD9W2n8Qyb69Shu/ofZfiT7tKCCblSi/66/YrT0cgHCy5hH
+mOFMtReAgM6PpijuHkVq+9/xHfxaO9bq9GwdYklXO4qPhurwUwTOnBZo/7q5/IgP
+R/cCRHJAuMo7LVOd3DxWjFl7aBosjXG7bADHGs5vQJKxoy8P2UTyo3Aunu4OrjLQ
+Oz6LB+rmebNcKeJ9a6he+Vox6AiWoowDmEbxuH2QVCbtdmL+numabl7JScdcNFMp
+VNns5EbhgDt12d/7edWH8bqe6xnOTFJz5luHriVPOXnMxrj5EHvs8JtxpAWg0ynT
+Tn8f9C0oeMxVlXsekS/MVhhzi7LbvGkH5tDYT+2i/1iFo23gSlO3Z32NDFxbe3co
+AjVEegTTKEPIazAXXTK4KTW6dto7FEp2GFik+JI8nk0zb0ZrCNkxSGjd9PskVjSy
+z2lmvkjSimYizfJpzcJTE0UpQSLWXZgftqSyo8LuAi9RG9yDpOxwJajUCGEyb+Sh
+gS58Y3L6KWW8cETPXQIDAQABMA0GCSqGSIb3DQEBBQUAA4IIAQBVmjRqIgZpCUUz
+x66pXMcJTpuGvEGQ1JRS9s0jKZRLIs3ovf6dzVLyve2rh8mrq0YEtL2iPyIwR1DA
+S4x2DwP1ktKxLcR6NZzJc4frpp/eD3ON03+Z2LqPb8Tzvhqui6KUNpDi5euNBfT8
+Zd+V8cSUTRdW1588j1A853e/lYYmZPtq/8ba6YyuQrtp5TPG2OkNxlUhScEMtKP5
+m0tc3oNPQQPOKnloOH3wVEkg9bYQ/wjcM2aWm/8G3gCe185WQ5pR/HDN9vBRo7fN
+tFyFYs1xt8YrIyvdw25AQvo3/zcc9npXlIeFI9fUycdfwU0vyQ3XXOycJe6eMIKR
+lnK4dR34CWhXl7ItS+4l7HokKe5y1JwT26vcAwrYShTJCFdEXaG1U4A08hSXz1Le
+og6KEOkU79BgvmGh8SVd1RhzP5MQypbus0DS26NVz1dapQ5PdUff6veQmm31cC4d
+FBw3ZARZULDccoZvnDc9XSivc1Xv0u4kdHQT79zbMUn7P2P10wg+M6XnnQreUyxR
+jmfbm0FlQVC91KSWbIe8EuCUx9PA5MtzWACD4awnhdadU51cvQo+A0OcDJH1bXv4
+QHJ1qxF2kSvhxqofcGl2cBUJ/pPQ1i23FWqbZ1y0aZ8lpn2K+30iqXHyzk6MuCEt
+3v5BcQ3/nexzprsHT4gOWEcufqnCx3jdunqeTuAwTmNvhdQgQen6/kNF5/uverLO
+pAUdIppYht/kzkyp/tgWpW/72M5We/XWIO/kR81jJP+5vvFIo8EBcua9wK3tJg3K
+NJ/8Ai0gTwUgriE9DMIgPD/wBITcz4n9uSWRjtBD5rMgq1wt1UCeoEvY9LLMffFY
+Co6H7YisNpbkVqARivKa0LNXozS7Gas44XRrIsQxzgHVGzbjHjhMM5PfQONZV06s
+bnseWj3FHVusyBCCNQIisvx16BCRjcR9eJNHnhydrGtiAliM1hwj1q94woCcpKok
+VBS1FJjG+CsaJMtxMgrimw5pa91+jGTRLmPvDn+xPohMnVXlyW4XBLdB/72KQcsl
+MW9Edz9HsfyBiAeOBUkgtxHZaQMqA525M4Sa399640Zzo9iijFMZiFVMdLj2RIQr
+0RQtTjkukmj/afyFYhvrVU/vJYRiRZnW2E5vP1MIfR0GlYGAf09OdDaYteKHcJjc
+1/XcUhXmxtZ5ljl/j5XPq4BTrRsLRUAO1Bi9LN6Kd3b98kRHxiHQ5HTw2BgFyHww
+csff8bv8AjCp9EImWQ2TBYKhc+005ThdzVCQ/pT8E7y9/KiiiKdzxLKo0V2IxAKi
+evEEyf6MdMnvHWRBn6welmdkrKsoQced98CYG24HwmR9WoNmVig2nOf7HHcOKKDE
+92t5OQQghMdXk7wboOq860LlqBH+/KxlzP34KIj0pZrlc1HgqJsNA3dO5eCYs4ja
+febGnnwUZsEuU0qSBzegfuk9CeQVfM/9uEGl755mncReBx2H+EGt6ucv0kFjGDf5
+FONN0OX3Q/0V4/k2cwYm3wFPqcNO3iBGd5i0eiQrO3UrTliNm12kxxagvDKIP6GD
+8wDI+NhY6WNdTCu18HJB2Kt3N9ZydK62NpzIpoNJS+DJVgspvgAwy93WyEKKANns
+FdE0cfJbZIf2J9K364awkL8p2yGeNozjIC+VI1FsG8Kk1ebYAkNnoP6bUANEf7vk
+ctXR5NqPkhRk+10UEBJKlQbJZQgpyiGjJjgRySffcGcE/cpIMn9jskV0MVBPh9kg
+cNIhcLHWEJ0zXXiDkW1Vguza5GJjx4FG1xllcipDGZC41yNNTBzgRKlmZ6zucXkn
+Jnhtcg71XUsjtXx8ZekXxjoLDd1eHlHDhrjsf8cnSqVG6GotGcGHo8uZk4dkolUU
+TLdDpZPX59JOeUDKZZlGPT96gHqIaswe5WszRvRQwNUfCbjNii6hJ+tdc6foawrl
+V4IqsPziVFJW8KupEsYjlgcknOC8RqW0IATaCZNj5dQuwn7FMe21FXSGF7mz8yaK
+HQJq2ho/6LrxBG2UUVTiWrRZgx1g0C1zzAe1Joz518aIke+Az10PoWDLRdRCItGx
+cB390LcwkDrGSG1n5TLaj9vjqOMdICWiHOFMuaT2xj9cWA27xrJ3ARaRnxcGDbdA
+PsyPjpxL4J1+mx4Fq4gi+tMoG1cUZEo+JCw4TSFpAHMu0FUtdPIV6JRDPkAqxsa5
+alveoswYUFRdTiqFbPaSiykZfufqSuAiKyW892bPd5pBdPI8FA10afVQg83NLyHb
+IkaK0PdRGpVX8gWLGhntO0XoNsJufvtXIgAfBlOprpPGj3EqMUWS545t5pkiwIP8
+79xXZndPojYx+6ETjeXKo5V9AQxkcDtTQmiAx7udqAA1aZgMqGfYQ+Wqz5XgUZWk
+Fz9CnbgEztN5ecjTihYykuDXou7XN0wvrLh7vkX28RgznHs3piTZvECrAOnDN4ur
+2LbzXoFOsBRrBz4f7ML2RCKVu7Pmb9b5cGW6CoNlqg4TL4MTI1OLQBb6zi/8TQT4
+69isxTbCFVdIOOxVs7Qeuq3SQgYXDXPIV6a+lk2p8sD7eiEc9clwqYKQtfEM1HkQ
+voGm6VxhnHd5mqTDNyZXN8lSLPoI/9BfxmHA9Ha+/N5Oz6tRmXHH33701s8GVhkT
+UwttdFlIGZtTBS2dMlTT5SxTi2Q+1GR744AJFMz+FkZja3Fp+PnLJ/aIVLxFs84C
+yJTuQFv5QgLC/7DYLOsof17JJgGZpw==
+-----END CERTIFICATE-----
+Certificate Ingredients:
+ Data:
+ Version: 1 (0x0)
+ Serial Number: 0 (0x0)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: O=Thawte, OU=Thawte Universal CA Root, CN=Thawte Universal CA Root
+ Validity
+ Not Before: Dec 5 13:56:05 1999 GMT
+ Not After : Apr 3 13:56:05 2037 GMT
+ Subject: O=Thawte, OU=Thawte Universal CA Root, CN=Thawte Universal CA Root
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (16384 bit)
+ Modulus (16384 bit):
+ 00:e2:89:05:6d:c3:7f:ad:a6:89:3a:ff:bb:c7:cd:
+ 9d:37:b1:e1:d2:21:1e:9b:61:2a:15:e7:7b:57:4f:
+ 55:3c:d0:bb:f9:d9:3d:3e:a6:bc:ec:b4:ad:53:9a:
+ 16:02:eb:0b:72:fd:8a:f2:8f:44:05:c5:eb:d3:e5:
+ bd:b6:44:39:e6:fb:47:bf:6a:9e:0a:95:18:e2:68:
+ e2:d6:96:d6:21:ad:88:fd:f5:17:f5:d3:da:42:a5:
+ 90:ed:29:95:96:75:3a:da:87:a1:d4:f5:d3:87:de:
+ 05:62:a6:e3:66:74:92:cf:a5:bc:bb:df:68:ff:71:
+ 75:56:41:59:35:eb:33:5a:66:51:f2:d2:a3:0a:c1:
+ 8c:ce:73:5c:11:6f:2d:8c:95:8c:91:b1:fd:cf:e5:
+ ad:56:95:cc:85:92:83:90:55:41:c9:c2:77:ed:f9:
+ a3:74:42:0a:68:08:f3:d0:d1:65:fd:67:2c:34:ff:
+ 24:7f:e7:79:c8:07:3b:25:57:dd:a4:0c:98:3d:be:
+ e0:cc:19:65:db:f2:54:a2:af:42:d4:9d:e2:ae:84:
+ 23:25:09:33:12:b5:6a:1e:76:c4:8b:d9:49:00:6c:
+ 5e:ba:1f:f2:1b:da:67:ca:27:aa:a3:44:23:1b:83:
+ 82:ce:f2:ab:33:ed:54:a4:dc:c9:ab:59:65:d1:38:
+ 0e:c1:3e:1b:67:8f:d6:75:01:e0:55:22:dd:76:77:
+ ec:8e:dd:f4:cf:79:22:6d:b9:57:03:f5:99:08:a7:
+ 3c:3e:34:fb:c4:17:ae:23:58:cd:24:f3:23:ca:6a:
+ 02:28:94:01:81:34:b4:6c:6b:ae:8b:1a:c3:a3:d2:
+ 09:3c:16:54:f5:36:5f:24:e3:9f:4a:a1:e2:64:c6:
+ 16:c3:a6:81:7a:24:36:47:8e:c1:5e:0e:fb:f9:15:
+ 78:04:d6:0e:59:d9:9d:58:66:62:d2:94:29:32:32:
+ c8:78:b9:66:f6:b5:56:e1:6c:c6:14:4b:96:52:59:
+ 91:02:24:6a:55:47:d7:3f:b6:23:1a:60:77:97:2e:
+ e2:40:af:9e:04:57:9e:ad:11:c5:c9:43:70:ef:48:
+ b4:5e:ac:1c:69:2e:2e:82:d5:5b:8b:be:82:be:19:
+ 14:5e:e7:0d:22:c7:51:1b:ff:1e:9b:f1:30:8f:71:
+ 31:06:b3:34:27:8f:5f:7a:66:82:4f:8a:2d:13:ab:
+ 42:cf:21:56:9e:97:8e:66:36:0f:96:9b:e5:2b:f4:
+ 02:a9:2a:6a:8c:2c:c4:c3:b8:70:2c:2d:29:1e:3f:
+ 50:77:1e:6d:2a:54:e4:55:0a:91:38:a1:c5:b5:66:
+ a2:76:5a:ee:0f:bf:b4:67:e1:28:6e:0f:e1:36:a1:
+ 82:d1:bf:d4:77:e1:c4:67:32:93:78:c8:e7:54:53:
+ fe:23:79:e6:68:cc:26:90:f6:10:63:5d:2a:6f:91:
+ 2d:a4:73:32:51:21:f2:bb:15:df:aa:24:08:48:06:
+ de:a1:9e:26:bf:ba:83:bf:7c:a4:c8:a0:8c:bd:d2:
+ ff:bc:84:69:27:13:24:18:c4:45:18:23:26:5e:18:
+ 14:ca:2e:88:87:62:a3:53:e6:21:b7:b8:85:7b:9a:
+ 85:bb:15:26:72:f8:b9:f7:6a:74:0f:49:3f:92:be:
+ a9:05:b7:99:27:bf:bf:09:17:4b:99:4c:ad:11:10:
+ 7c:df:74:31:f6:8f:26:5f:aa:88:ae:38:57:c8:55:
+ 2d:d3:fb:d8:1b:51:99:be:25:1b:3a:ba:c0:7d:1b:
+ ed:ce:d2:49:b9:cf:f3:c5:7d:89:90:81:d8:69:48:
+ 20:10:a3:f8:ef:92:51:18:32:8b:11:18:c0:3f:1b:
+ 85:56:ce:57:c9:f2:82:64:c6:df:02:09:2e:4a:11:
+ 2f:b1:27:6d:37:52:f0:f0:16:61:f1:67:8d:df:87:
+ 72:af:87:da:cf:fb:50:94:6e:d4:94:85:eb:8a:2c:
+ ea:21:f5:96:4a:44:d5:e0:ce:6a:74:44:4d:d0:05:
+ d3:87:15:ed:36:d0:a4:8b:66:55:70:93:ee:47:06:
+ c1:7e:2e:a5:18:79:67:f3:28:85:f1:70:f7:0e:83:
+ a4:7e:54:9e:5a:76:32:cb:65:1b:b8:cd:fb:c8:28:
+ 03:d2:54:91:d1:a7:c5:85:43:08:17:76:a5:e6:2f:
+ 67:08:d8:a1:a2:82:2d:0c:f8:c1:af:63:d4:50:77:
+ 6d:6b:46:4a:41:85:d5:90:5f:79:2d:c4:ec:d7:11:
+ 87:40:8a:e1:68:e2:64:f8:55:32:fb:6f:93:2c:da:
+ 77:d9:21:c1:17:e5:36:2c:4e:7e:90:7f:ac:94:2b:
+ 32:67:be:38:50:76:b8:ae:41:b9:d7:21:c5:09:4c:
+ 60:c8:a3:51:c4:34:9b:57:37:df:cb:c9:33:57:8b:
+ eb:fb:76:9f:19:4d:c5:6a:1f:2a:45:ae:2b:ed:2f:
+ 8d:a7:a5:00:cb:04:fa:25:62:2e:74:48:1b:ca:2a:
+ 8c:ba:db:b6:7e:f6:bb:02:7c:a9:c3:db:58:78:a1:
+ bf:f0:fe:1a:10:55:11:ce:e8:69:4e:96:65:c6:17:
+ 03:d6:07:68:8c:54:82:ae:1c:22:55:3f:f1:f4:09:
+ 97:28:c0:46:f7:4e:0b:25:1d:f7:07:d7:09:1d:3a:
+ 18:57:38:3b:e8:33:06:e7:8f:78:46:1e:5b:f5:06:
+ b6:ec:b8:a6:0d:f1:ba:13:4b:d6:18:20:dd:69:33:
+ 4a:33:15:ae:b8:c8:98:8a:27:2c:93:bc:2d:fb:ee:
+ 33:bf:66:e6:4d:ba:b6:9b:06:55:60:97:4b:bc:44:
+ cd:7e:f4:a1:d8:aa:2f:c0:02:28:21:16:62:78:db:
+ 08:54:f2:fc:f4:34:e3:c6:8f:1c:43:57:ce:90:1a:
+ 4b:dc:2e:3b:28:91:89:3f:7a:da:35:1d:8e:2c:ee:
+ 49:ec:f4:33:ad:c9:53:a8:8c:9f:04:53:3e:24:1c:
+ 52:c9:12:f9:62:57:a3:bc:ee:2c:eb:40:7c:20:23:
+ 70:2b:95:f9:73:17:8a:d1:c1:1c:69:a6:b7:38:9a:
+ 67:f7:70:1d:7a:5a:0c:40:cf:62:0f:85:3c:c2:02:
+ 4e:7e:b5:f6:c5:2a:29:84:b3:1f:37:2a:e1:aa:72:
+ 42:c4:ed:6b:1a:8f:92:1c:5d:be:d1:f2:5b:f2:ab:
+ aa:a9:d2:f5:b8:a4:41:2b:2b:91:6e:12:48:ca:98:
+ d8:37:8d:c8:ed:00:30:b5:b6:04:4e:7e:9c:da:84:
+ ec:c0:fa:7b:e5:1d:88:a4:53:46:b0:94:e4:5c:1b:
+ a1:25:2c:0f:48:52:77:97:09:6c:ec:5b:18:33:83:
+ 02:e5:82:7e:cd:85:21:30:11:fd:27:4f:cf:e4:1e:
+ ec:3f:a5:57:6c:e9:2a:30:19:2a:88:e5:c3:69:38:
+ ab:6f:39:71:7f:84:e1:41:c3:e1:cc:2a:89:20:52:
+ 2e:83:0f:6c:39:3f:4b:2d:16:ac:2d:f0:24:ac:00:
+ 73:f4:9b:b3:06:3f:05:b8:14:85:1f:ab:9e:5c:3c:
+ 9e:62:9d:0e:6d:3b:80:09:fc:02:ea:a2:97:74:ca:
+ c7:f9:e3:56:e1:c3:ca:a5:a6:9a:c0:90:e0:24:12:
+ 53:d2:c2:8b:da:be:ed:02:43:5e:67:e1:89:98:79:
+ ee:cb:aa:ca:c3:1b:dc:e7:a5:46:a5:7c:6b:16:87:
+ b6:5a:28:d7:db:27:3c:5e:a5:bd:b6:51:dd:1f:43:
+ cf:3b:26:c8:3a:8d:25:61:c1:49:f4:3c:1b:c9:44:
+ ea:af:1c:c2:2b:94:01:2a:0e:30:d1:5b:8b:2b:47:
+ e5:c3:d1:04:03:9b:0e:39:2c:d6:27:d4:e6:70:5a:
+ d9:75:cf:2a:d8:c9:00:05:e4:13:88:ec:c3:39:fb:
+ 87:61:30:36:43:03:c8:9e:9c:a2:06:c2:2f:c5:fc:
+ f0:80:63:b1:54:04:a0:4c:a9:2e:c6:f5:76:7a:d8:
+ d0:e4:d4:94:11:e5:15:b5:78:06:dc:b8:80:8f:99:
+ a9:20:33:3d:10:85:4c:65:09:ca:3e:58:5e:60:93:
+ 9a:aa:62:5d:c0:51:06:1c:5d:60:a0:0d:9c:4b:43:
+ f6:a7:16:21:a4:87:aa:f2:c1:2e:ee:92:30:b8:9e:
+ df:df:10:01:8b:86:09:70:d8:6c:a8:b7:50:1e:16:
+ 96:b4:f7:67:fd:35:3a:21:90:2a:32:c7:00:7b:4d:
+ 07:10:09:b9:2f:73:d8:18:7e:67:99:04:4f:06:fc:
+ 50:c7:85:9b:9d:40:9d:b3:96:37:fa:a5:dc:b2:72:
+ 4e:ef:4e:09:2c:fd:91:fd:4d:f7:bb:a6:a1:3e:ab:
+ 7b:a2:03:40:a6:a9:55:27:e2:fa:f9:19:ce:87:75:
+ aa:f1:75:36:f3:f3:b8:91:f8:91:c3:8b:75:13:8e:
+ 4c:65:9a:16:39:6a:e5:34:e8:7a:96:59:7f:35:b0:
+ 00:fd:5b:69:fc:43:26:fa:f5:28:6e:fe:87:d9:7e:
+ 24:fb:b4:a0:82:6e:54:a2:ff:ae:bf:62:b4:f4:72:
+ 01:c2:cb:98:47:98:e1:4c:b5:17:80:80:ce:8f:a6:
+ 28:ee:1e:45:6a:fb:df:f1:1d:fc:5a:3b:d6:ea:f4:
+ 6c:1d:62:49:57:3b:8a:8f:86:ea:f0:53:04:ce:9c:
+ 16:68:ff:ba:b9:fc:88:0f:47:f7:02:44:72:40:b8:
+ ca:3b:2d:53:9d:dc:3c:56:8c:59:7b:68:1a:2c:8d:
+ 71:bb:6c:00:c7:1a:ce:6f:40:92:b1:a3:2f:0f:d9:
+ 44:f2:a3:70:2e:9e:ee:0e:ae:32:d0:3b:3e:8b:07:
+ ea:e6:79:b3:5c:29:e2:7d:6b:a8:5e:f9:5a:31:e8:
+ 08:96:a2:8c:03:98:46:f1:b8:7d:90:54:26:ed:76:
+ 62:fe:9e:e9:9a:6e:5e:c9:49:c7:5c:34:53:29:54:
+ d9:ec:e4:46:e1:80:3b:75:d9:df:fb:79:d5:87:f1:
+ ba:9e:eb:19:ce:4c:52:73:e6:5b:87:ae:25:4f:39:
+ 79:cc:c6:b8:f9:10:7b:ec:f0:9b:71:a4:05:a0:d3:
+ 29:d3:4e:7f:1f:f4:2d:28:78:cc:55:95:7b:1e:91:
+ 2f:cc:56:18:73:8b:b2:db:bc:69:07:e6:d0:d8:4f:
+ ed:a2:ff:58:85:a3:6d:e0:4a:53:b7:67:7d:8d:0c:
+ 5c:5b:7b:77:28:02:35:44:7a:04:d3:28:43:c8:6b:
+ 30:17:5d:32:b8:29:35:ba:76:da:3b:14:4a:76:18:
+ 58:a4:f8:92:3c:9e:4d:33:6f:46:6b:08:d9:31:48:
+ 68:dd:f4:fb:24:56:34:b2:cf:69:66:be:48:d2:8a:
+ 66:22:cd:f2:69:cd:c2:53:13:45:29:41:22:d6:5d:
+ 98:1f:b6:a4:b2:a3:c2:ee:02:2f:51:1b:dc:83:a4:
+ ec:70:25:a8:d4:08:61:32:6f:e4:a1:81:2e:7c:63:
+ 72:fa:29:65:bc:70:44:cf:5d
+ Exponent: 65537 (0x10001)
+ Signature Algorithm: sha1WithRSAEncryption
+ 55:9a:34:6a:22:06:69:09:45:33:c7:ae:a9:5c:c7:09:4e:9b:
+ 86:bc:41:90:d4:94:52:f6:cd:23:29:94:4b:22:cd:e8:bd:fe:
+ 9d:cd:52:f2:bd:ed:ab:87:c9:ab:ab:46:04:b4:bd:a2:3f:22:
+ 30:47:50:c0:4b:8c:76:0f:03:f5:92:d2:b1:2d:c4:7a:35:9c:
+ c9:73:87:eb:a6:9f:de:0f:73:8d:d3:7f:99:d8:ba:8f:6f:c4:
+ f3:be:1a:ae:8b:a2:94:36:90:e2:e5:eb:8d:05:f4:fc:65:df:
+ 95:f1:c4:94:4d:17:56:d7:9f:3c:8f:50:3c:e7:77:bf:95:86:
+ 26:64:fb:6a:ff:c6:da:e9:8c:ae:42:bb:69:e5:33:c6:d8:e9:
+ 0d:c6:55:21:49:c1:0c:b4:a3:f9:9b:4b:5c:de:83:4f:41:03:
+ ce:2a:79:68:38:7d:f0:54:49:20:f5:b6:10:ff:08:dc:33:66:
+ 96:9b:ff:06:de:00:9e:d7:ce:56:43:9a:51:fc:70:cd:f6:f0:
+ 51:a3:b7:cd:b4:5c:85:62:cd:71:b7:c6:2b:23:2b:dd:c3:6e:
+ 40:42:fa:37:ff:37:1c:f6:7a:57:94:87:85:23:d7:d4:c9:c7:
+ 5f:c1:4d:2f:c9:0d:d7:5c:ec:9c:25:ee:9e:30:82:91:96:72:
+ b8:75:1d:f8:09:68:57:97:b2:2d:4b:ee:25:ec:7a:24:29:ee:
+ 72:d4:9c:13:db:ab:dc:03:0a:d8:4a:14:c9:08:57:44:5d:a1:
+ b5:53:80:34:f2:14:97:cf:52:de:a2:0e:8a:10:e9:14:ef:d0:
+ 60:be:61:a1:f1:25:5d:d5:18:73:3f:93:10:ca:96:ee:b3:40:
+ d2:db:a3:55:cf:57:5a:a5:0e:4f:75:47:df:ea:f7:90:9a:6d:
+ f5:70:2e:1d:14:1c:37:64:04:59:50:b0:dc:72:86:6f:9c:37:
+ 3d:5d:28:af:73:55:ef:d2:ee:24:74:74:13:ef:dc:db:31:49:
+ fb:3f:63:f5:d3:08:3e:33:a5:e7:9d:0a:de:53:2c:51:8e:67:
+ db:9b:41:65:41:50:bd:d4:a4:96:6c:87:bc:12:e0:94:c7:d3:
+ c0:e4:cb:73:58:00:83:e1:ac:27:85:d6:9d:53:9d:5c:bd:0a:
+ 3e:03:43:9c:0c:91:f5:6d:7b:f8:40:72:75:ab:11:76:91:2b:
+ e1:c6:aa:1f:70:69:76:70:15:09:fe:93:d0:d6:2d:b7:15:6a:
+ 9b:67:5c:b4:69:9f:25:a6:7d:8a:fb:7d:22:a9:71:f2:ce:4e:
+ 8c:b8:21:2d:de:fe:41:71:0d:ff:9d:ec:73:a6:bb:07:4f:88:
+ 0e:58:47:2e:7e:a9:c2:c7:78:dd:ba:7a:9e:4e:e0:30:4e:63:
+ 6f:85:d4:20:41:e9:fa:fe:43:45:e7:fb:af:7a:b2:ce:a4:05:
+ 1d:22:9a:58:86:df:e4:ce:4c:a9:fe:d8:16:a5:6f:fb:d8:ce:
+ 56:7b:f5:d6:20:ef:e4:47:cd:63:24:ff:b9:be:f1:48:a3:c1:
+ 01:72:e6:bd:c0:ad:ed:26:0d:ca:34:9f:fc:02:2d:20:4f:05:
+ 20:ae:21:3d:0c:c2:20:3c:3f:f0:04:84:dc:cf:89:fd:b9:25:
+ 91:8e:d0:43:e6:b3:20:ab:5c:2d:d5:40:9e:a0:4b:d8:f4:b2:
+ cc:7d:f1:58:0a:8e:87:ed:88:ac:36:96:e4:56:a0:11:8a:f2:
+ 9a:d0:b3:57:a3:34:bb:19:ab:38:e1:74:6b:22:c4:31:ce:01:
+ d5:1b:36:e3:1e:38:4c:33:93:df:40:e3:59:57:4e:ac:6e:7b:
+ 1e:5a:3d:c5:1d:5b:ac:c8:10:82:35:02:22:b2:fc:75:e8:10:
+ 91:8d:c4:7d:78:93:47:9e:1c:9d:ac:6b:62:02:58:8c:d6:1c:
+ 23:d6:af:78:c2:80:9c:a4:aa:24:54:14:b5:14:98:c6:f8:2b:
+ 1a:24:cb:71:32:0a:e2:9b:0e:69:6b:dd:7e:8c:64:d1:2e:63:
+ ef:0e:7f:b1:3e:88:4c:9d:55:e5:c9:6e:17:04:b7:41:ff:bd:
+ 8a:41:cb:25:31:6f:44:77:3f:47:b1:fc:81:88:07:8e:05:49:
+ 20:b7:11:d9:69:03:2a:03:9d:b9:33:84:9a:df:df:7a:e3:46:
+ 73:a3:d8:a2:8c:53:19:88:55:4c:74:b8:f6:44:84:2b:d1:14:
+ 2d:4e:39:2e:92:68:ff:69:fc:85:62:1b:eb:55:4f:ef:25:84:
+ 62:45:99:d6:d8:4e:6f:3f:53:08:7d:1d:06:95:81:80:7f:4f:
+ 4e:74:36:98:b5:e2:87:70:98:dc:d7:f5:dc:52:15:e6:c6:d6:
+ 79:96:39:7f:8f:95:cf:ab:80:53:ad:1b:0b:45:40:0e:d4:18:
+ bd:2c:de:8a:77:76:fd:f2:44:47:c6:21:d0:e4:74:f0:d8:18:
+ 05:c8:7c:30:72:c7:df:f1:bb:fc:02:30:a9:f4:42:26:59:0d:
+ 93:05:82:a1:73:ed:34:e5:38:5d:cd:50:90:fe:94:fc:13:bc:
+ bd:fc:a8:a2:88:a7:73:c4:b2:a8:d1:5d:88:c4:02:a2:7a:f1:
+ 04:c9:fe:8c:74:c9:ef:1d:64:41:9f:ac:1e:96:67:64:ac:ab:
+ 28:41:c7:9d:f7:c0:98:1b:6e:07:c2:64:7d:5a:83:66:56:28:
+ 36:9c:e7:fb:1c:77:0e:28:a0:c4:f7:6b:79:39:04:20:84:c7:
+ 57:93:bc:1b:a0:ea:bc:eb:42:e5:a8:11:fe:fc:ac:65:cc:fd:
+ f8:28:88:f4:a5:9a:e5:73:51:e0:a8:9b:0d:03:77:4e:e5:e0:
+ 98:b3:88:da:7d:e6:c6:9e:7c:14:66:c1:2e:53:4a:92:07:37:
+ a0:7e:e9:3d:09:e4:15:7c:cf:fd:b8:41:a5:ef:9e:66:9d:c4:
+ 5e:07:1d:87:f8:41:ad:ea:e7:2f:d2:41:63:18:37:f9:14:e3:
+ 4d:d0:e5:f7:43:fd:15:e3:f9:36:73:06:26:df:01:4f:a9:c3:
+ 4e:de:20:46:77:98:b4:7a:24:2b:3b:75:2b:4e:58:8d:9b:5d:
+ a4:c7:16:a0:bc:32:88:3f:a1:83:f3:00:c8:f8:d8:58:e9:63:
+ 5d:4c:2b:b5:f0:72:41:d8:ab:77:37:d6:72:74:ae:b6:36:9c:
+ c8:a6:83:49:4b:e0:c9:56:0b:29:be:00:30:cb:dd:d6:c8:42:
+ 8a:00:d9:ec:15:d1:34:71:f2:5b:64:87:f6:27:d2:b7:eb:86:
+ b0:90:bf:29:db:21:9e:36:8c:e3:20:2f:95:23:51:6c:1b:c2:
+ a4:d5:e6:d8:02:43:67:a0:fe:9b:50:03:44:7f:bb:e4:72:d5:
+ d1:e4:da:8f:92:14:64:fb:5d:14:10:12:4a:95:06:c9:65:08:
+ 29:ca:21:a3:26:38:11:c9:27:df:70:67:04:fd:ca:48:32:7f:
+ 63:b2:45:74:31:50:4f:87:d9:20:70:d2:21:70:b1:d6:10:9d:
+ 33:5d:78:83:91:6d:55:82:ec:da:e4:62:63:c7:81:46:d7:19:
+ 65:72:2a:43:19:90:b8:d7:23:4d:4c:1c:e0:44:a9:66:67:ac:
+ ee:71:79:27:26:78:6d:72:0e:f5:5d:4b:23:b5:7c:7c:65:e9:
+ 17:c6:3a:0b:0d:dd:5e:1e:51:c3:86:b8:ec:7f:c7:27:4a:a5:
+ 46:e8:6a:2d:19:c1:87:a3:cb:99:93:87:64:a2:55:14:4c:b7:
+ 43:a5:93:d7:e7:d2:4e:79:40:ca:65:99:46:3d:3f:7a:80:7a:
+ 88:6a:cc:1e:e5:6b:33:46:f4:50:c0:d5:1f:09:b8:cd:8a:2e:
+ a1:27:eb:5d:73:a7:e8:6b:0a:e5:57:82:2a:b0:fc:e2:54:52:
+ 56:f0:ab:a9:12:c6:23:96:07:24:9c:e0:bc:46:a5:b4:20:04:
+ da:09:93:63:e5:d4:2e:c2:7e:c5:31:ed:b5:15:74:86:17:b9:
+ b3:f3:26:8a:1d:02:6a:da:1a:3f:e8:ba:f1:04:6d:94:51:54:
+ e2:5a:b4:59:83:1d:60:d0:2d:73:cc:07:b5:26:8c:f9:d7:c6:
+ 88:91:ef:80:cf:5d:0f:a1:60:cb:45:d4:42:22:d1:b1:70:1d:
+ fd:d0:b7:30:90:3a:c6:48:6d:67:e5:32:da:8f:db:e3:a8:e3:
+ 1d:20:25:a2:1c:e1:4c:b9:a4:f6:c6:3f:5c:58:0d:bb:c6:b2:
+ 77:01:16:91:9f:17:06:0d:b7:40:3e:cc:8f:8e:9c:4b:e0:9d:
+ 7e:9b:1e:05:ab:88:22:fa:d3:28:1b:57:14:64:4a:3e:24:2c:
+ 38:4d:21:69:00:73:2e:d0:55:2d:74:f2:15:e8:94:43:3e:40:
+ 2a:c6:c6:b9:6a:5b:de:a2:cc:18:50:54:5d:4e:2a:85:6c:f6:
+ 92:8b:29:19:7e:e7:ea:4a:e0:22:2b:25:bc:f7:66:cf:77:9a:
+ 41:74:f2:3c:14:0d:74:69:f5:50:83:cd:cd:2f:21:db:22:46:
+ 8a:d0:f7:51:1a:95:57:f2:05:8b:1a:19:ed:3b:45:e8:36:c2:
+ 6e:7e:fb:57:22:00:1f:06:53:a9:ae:93:c6:8f:71:2a:31:45:
+ 92:e7:8e:6d:e6:99:22:c0:83:fc:ef:dc:57:66:77:4f:a2:36:
+ 31:fb:a1:13:8d:e5:ca:a3:95:7d:01:0c:64:70:3b:53:42:68:
+ 80:c7:bb:9d:a8:00:35:69:98:0c:a8:67:d8:43:e5:aa:cf:95:
+ e0:51:95:a4:17:3f:42:9d:b8:04:ce:d3:79:79:c8:d3:8a:16:
+ 32:92:e0:d7:a2:ee:d7:37:4c:2f:ac:b8:7b:be:45:f6:f1:18:
+ 33:9c:7b:37:a6:24:d9:bc:40:ab:00:e9:c3:37:8b:ab:d8:b6:
+ f3:5e:81:4e:b0:14:6b:07:3e:1f:ec:c2:f6:44:22:95:bb:b3:
+ e6:6f:d6:f9:70:65:ba:0a:83:65:aa:0e:13:2f:83:13:23:53:
+ 8b:40:16:fa:ce:2f:fc:4d:04:f8:eb:d8:ac:c5:36:c2:15:57:
+ 48:38:ec:55:b3:b4:1e:ba:ad:d2:42:06:17:0d:73:c8:57:a6:
+ be:96:4d:a9:f2:c0:fb:7a:21:1c:f5:c9:70:a9:82:90:b5:f1:
+ 0c:d4:79:10:be:81:a6:e9:5c:61:9c:77:79:9a:a4:c3:37:26:
+ 57:37:c9:52:2c:fa:08:ff:d0:5f:c6:61:c0:f4:76:be:fc:de:
+ 4e:cf:ab:51:99:71:c7:df:7e:f4:d6:cf:06:56:19:13:53:0b:
+ 6d:74:59:48:19:9b:53:05:2d:9d:32:54:d3:e5:2c:53:8b:64:
+ 3e:d4:64:7b:e3:80:09:14:cc:fe:16:46:63:6b:71:69:f8:f9:
+ cb:27:f6:88:54:bc:45:b3:ce:02:c8:94:ee:40:5b:f9:42:02:
+ c2:ff:b0:d8:2c:eb:28:7f:5e:c9:26:01:99:a7
+
UPS Document Exchange by DST
============================
MD5 Fingerprint: 78:A5:FB:10:4B:E4:63:2E:D2:6B:FB:F2:B6:C2:4B:8E
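Review bot: the added Thawte Universal CA Root is an X.509 version 1 certificate (`Version: 1 (0x0)`, `Serial Number: 0 (0x0)`) with no `X509v3 extensions` block, so nothing inside the certificate marks it as a CA or restricts its key usage; its authority comes entirely from being placed in this bundle. Please record in the commit message where the PEM was obtained and how the fingerprint was checked out of band, and consider listing a SHA-1 fingerprint next to the `MD5 Fingerprint:` line, since that line is the only integrity reference a reader has. The `RSA Public Key: (16384 bit)` modulus is also far larger than the 1024-bit keys elsewhere in this diff; confirm that the SSL libraries this bundle is used with accept a key of that size and that verification cost against it is acceptable, given the `Not After : Apr 3 13:56:05 2037 GMT` lifetime.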
1b:38:71:9f:2c:07:90:ea:1d:e0:d3:89:5f:cb:ef:14:8d:27:
54:a5:bd:46
+ValiCert Class 1 VA
+===================
+MD5 Fingerprint: 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB
+PEM Data:
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+Certificate Ingredients:
+ Data:
+ Version: 1 (0x0)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 1 Policy Validation Authority, CN=http://www.valicert.com//Email=info@valicert.com
+ Validity
+ Not Before: Jun 25 22:23:48 1999 GMT
+ Not After : Jun 25 22:23:48 2019 GMT
+ Subject: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 1 Policy Validation Authority, CN=http://www.valicert.com//Email=info@valicert.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (1024 bit)
+ Modulus (1024 bit):
+ 00:d8:59:82:7a:89:b8:96:ba:a6:2f:68:6f:58:2e:
+ a7:54:1c:06:6e:f4:ea:8d:48:bc:31:94:17:f0:f3:
+ 4e:bc:b2:b8:35:92:76:b0:d0:a5:a5:01:d7:00:03:
+ 12:22:19:08:f8:ff:11:23:9b:ce:07:f5:bf:69:1a:
+ 26:fe:4e:e9:d1:7f:9d:2c:40:1d:59:68:6e:a6:f8:
+ 58:b0:9d:1a:8f:d3:3f:f1:dc:19:06:81:a8:0e:e0:
+ 3a:dd:c8:53:45:09:06:e6:0f:70:c3:fa:40:a6:0e:
+ e2:56:05:0f:18:4d:fc:20:82:d1:73:55:74:8d:76:
+ 72:a0:1d:9d:1d:c0:dd:3f:71
+ Exponent: 65537 (0x10001)
+ Signature Algorithm: sha1WithRSAEncryption
+ 50:68:3d:49:f4:2c:1c:06:94:df:95:60:7f:96:7b:17:fe:4f:
+ 71:ad:64:c8:dd:77:d2:ef:59:55:e8:3f:e8:8e:05:2a:21:f2:
+ 07:d2:b5:a7:52:fe:9c:b1:b6:e2:5b:77:17:40:ea:72:d6:23:
+ cb:28:81:32:c3:00:79:18:ec:59:17:89:c9:c6:6a:1e:71:c9:
+ fd:b7:74:a5:25:45:69:c5:48:ab:19:e1:45:8a:25:6b:19:ee:
+ e5:bb:12:f5:7f:f7:a6:8d:51:c3:f0:9d:74:b7:a9:3e:a0:a5:
+ ff:b6:49:03:13:da:22:cc:ed:71:82:2b:99:cf:3a:b7:f5:2d:
+ 72:c8
+
+ValiCert Class 2 VA
+===================
+MD5 Fingerprint: A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87
+PEM Data:
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+Certificate Ingredients:
+ Data:
+ Version: 1 (0x0)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com//Email=info@valicert.com
+ Validity
+ Not Before: Jun 26 00:19:54 1999 GMT
+ Not After : Jun 26 00:19:54 2019 GMT
+ Subject: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com//Email=info@valicert.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (1024 bit)
+ Modulus (1024 bit):
+ 00:ce:3a:71:ca:e5:ab:c8:59:92:55:d7:ab:d8:74:
+ 0e:f9:ee:d9:f6:55:47:59:65:47:0e:05:55:dc:eb:
+ 98:36:3c:5c:53:5d:d3:30:cf:38:ec:bd:41:89:ed:
+ 25:42:09:24:6b:0a:5e:b3:7c:dd:52:2d:4c:e6:d4:
+ d6:7d:5a:59:a9:65:d4:49:13:2d:24:4d:1c:50:6f:
+ b5:c1:85:54:3b:fe:71:e4:d3:5c:42:f9:80:e0:91:
+ 1a:0a:5b:39:36:67:f3:3f:55:7c:1b:3f:b4:5f:64:
+ 73:34:e3:b4:12:bf:87:64:f8:da:12:ff:37:27:c1:
+ b3:43:bb:ef:7b:6e:2e:69:f7
+ Exponent: 65537 (0x10001)
+ Signature Algorithm: sha1WithRSAEncryption
+ 3b:7f:50:6f:6f:50:94:99:49:62:38:38:1f:4b:f8:a5:c8:3e:
+ a7:82:81:f6:2b:c7:e8:c5:ce:e8:3a:10:82:cb:18:00:8e:4d:
+ bd:a8:58:7f:a1:79:00:b5:bb:e9:8d:af:41:d9:0f:34:ee:21:
+ 81:19:a0:32:49:28:f4:c4:8e:56:d5:52:33:fd:50:d5:7e:99:
+ 6c:03:e4:c9:4c:fc:cb:6c:ab:66:b3:4a:21:8c:e5:b5:0c:32:
+ 3e:10:b2:cc:6c:a1:dc:9a:98:4c:02:5b:f3:ce:b9:9e:a5:72:
+ 0e:4a:b7:3f:3c:e6:16:68:f8:be:ed:74:4c:bc:5b:d5:62:1f:
+ 43:dd
+
+ValiCert Class 3 VA
+===================
+MD5 Fingerprint: A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72
+PEM Data:
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+Certificate Ingredients:
+ Data:
+ Version: 1 (0x0)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 3 Policy Validation Authority, CN=http://www.valicert.com//Email=info@valicert.com
+ Validity
+ Not Before: Jun 26 00:22:33 1999 GMT
+ Not After : Jun 26 00:22:33 2019 GMT
+ Subject: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 3 Policy Validation Authority, CN=http://www.valicert.com//Email=info@valicert.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (1024 bit)
+ Modulus (1024 bit):
+ 00:e3:98:51:96:1c:e8:d5:b1:06:81:6a:57:c3:72:
+ 75:93:ab:cf:9e:a6:fc:f3:16:52:d6:2d:4d:9f:35:
+ 44:a8:2e:04:4d:07:49:8a:38:29:f5:77:37:e7:b7:
+ ab:5d:df:36:71:14:99:8f:dc:c2:92:f1:e7:60:92:
+ 97:ec:d8:48:dc:bf:c1:02:20:c6:24:a4:28:4c:30:
+ 5a:76:6d:b1:5c:f3:dd:de:9e:10:71:a1:88:c7:5b:
+ 9b:41:6d:ca:b0:b8:8e:15:ee:ad:33:2b:cf:47:04:
+ 5c:75:71:0a:98:24:98:29:a7:49:59:a5:dd:f8:b7:
+ 43:62:61:f3:d3:e2:d0:55:3f
+ Exponent: 65537 (0x10001)
+ Signature Algorithm: sha1WithRSAEncryption
+ 56:bb:02:58:84:67:08:2c:df:1f:db:7b:49:33:f5:d3:67:9d:
+ f4:b4:0a:10:b3:c9:c5:2c:e2:92:6a:71:78:27:f2:70:83:42:
+ d3:3e:cf:a9:54:f4:f1:d8:92:16:8c:d1:04:cb:4b:ab:c9:9f:
+ 45:ae:3c:8a:a9:b0:71:33:5d:c8:c5:57:df:af:a8:35:b3:7f:
+ 89:87:e9:e8:25:92:b8:7f:85:7a:ae:d6:bc:1e:37:58:2a:67:
+ c9:91:cf:2a:81:3e:ed:c6:39:df:c0:3e:19:9c:19:cc:13:4d:
+ 82:41:b5:8c:de:e0:3d:60:08:20:0f:45:7e:6b:a2:7f:a3:8c:
+ 15:ee
+
VeriSign Class 4 Primary CA
===========================
MD5 Fingerprint: 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
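Review bot: both ValiCert roots added in this hunk are X.509 version 1 certificates with 1024-bit RSA keys and a validity that runs to June 2019 (see the "Version: 1 (0x0)", "RSA Public Key: (1024 bit)" and "Not After" lines), and each entry is identified only by an MD5 fingerprint. Record where the certificates were obtained and how they were verified before inclusion. Consider listing a second fingerprint (SHA-1) next to the MD5 one so a reader can check each entry against the value the CA publishes.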
57:08:6a:d0:a0:42:42:42:1e:f4:20:cc:a5:78:82:95:26:38:
8a:47
+Verisign Class 1 Public Primary Certification Authority - G3
+============================================================
+MD5 Fingerprint: B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73
+PEM Data:
+-----BEGIN CERTIFICATE-----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==
+-----END CERTIFICATE-----
+Certificate Ingredients:
+ Data:
+ Version: 1 (0x0)
+ Serial Number:
+ 8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 1 Public Primary Certification Authority - G3
+ Validity
+ Not Before: Oct 1 00:00:00 1999 GMT
+ Not After : Jul 16 23:59:59 2036 GMT
+ Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 1 Public Primary Certification Authority - G3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:dd:84:d4:b9:b4:f9:a7:d8:f3:04:78:9c:de:3d:
+ dc:6c:13:16:d9:7a:dd:24:51:66:c0:c7:26:59:0d:
+ ac:06:08:c2:94:d1:33:1f:f0:83:35:1f:6e:1b:c8:
+ de:aa:6e:15:4e:54:27:ef:c4:6d:1a:ec:0b:e3:0e:
+ f0:44:a5:57:c7:40:58:1e:a3:47:1f:71:ec:60:f6:
+ 6d:94:c8:18:39:ed:fe:42:18:56:df:e4:4c:49:10:
+ 78:4e:01:76:35:63:12:36:dd:66:bc:01:04:36:a3:
+ 55:68:d5:a2:36:09:ac:ab:21:26:54:06:ad:3f:ca:
+ 14:e0:ac:ca:ad:06:1d:95:e2:f8:9d:f1:e0:60:ff:
+ c2:7f:75:2b:4c:cc:da:fe:87:99:21:ea:ba:fe:3e:
+ 54:d7:d2:59:78:db:3c:6e:cf:a0:13:00:1a:b8:27:
+ a1:e4:be:67:96:ca:a0:c5:b3:9c:dd:c9:75:9e:eb:
+ 30:9a:5f:a3:cd:d9:ae:78:19:3f:23:e9:5c:db:29:
+ bd:ad:55:c8:1b:54:8c:63:f6:e8:a6:ea:c7:37:12:
+ 5c:a3:29:1e:02:d9:db:1f:3b:b4:d7:0f:56:47:81:
+ 15:04:4a:af:83:27:d1:c5:58:88:c1:dd:f6:aa:a7:
+ a3:18:da:68:aa:6d:11:51:e1:bf:65:6b:9f:96:76:
+ d1:3d
+ Exponent: 65537 (0x10001)
+ Signature Algorithm: sha1WithRSAEncryption
+ ab:66:8d:d7:b3:ba:c7:9a:b6:e6:55:d0:05:f1:9f:31:8d:5a:
+ aa:d9:aa:46:26:0f:71:ed:a5:ad:53:56:62:01:47:2a:44:e9:
+ fe:3f:74:0b:13:9b:b9:f4:4d:1b:b2:d1:5f:b2:b6:d2:88:5c:
+ b3:9f:cd:cb:d4:a7:d9:60:95:84:3a:f8:c1:37:1d:61:ca:e7:
+ b0:c5:e5:91:da:54:a6:ac:31:81:ae:97:de:cd:08:ac:b8:c0:
+ 97:80:7f:6e:72:a4:e7:69:13:95:65:1f:c4:93:3c:fd:79:8f:
+ 04:d4:3e:4f:ea:f7:9e:ce:cd:67:7c:4f:65:02:ff:91:85:54:
+ 73:c7:ff:36:f7:86:2d:ec:d0:5e:4f:ff:11:9f:72:06:d6:b8:
+ 1a:f1:4c:0d:26:65:e2:44:80:1e:c7:9f:e3:dd:e8:0a:da:ec:
+ a5:20:80:69:68:a1:4f:7e:e1:6b:cf:07:41:fa:83:8e:bc:38:
+ dd:b0:2e:11:b1:6b:b2:42:cc:9a:bc:f9:48:22:79:4a:19:0f:
+ b2:1c:3e:20:74:d9:6a:c3:be:f2:28:78:13:56:79:4f:6d:50:
+ ea:1b:b0:b5:57:b1:37:66:58:23:f3:dc:0f:df:0a:87:c4:ef:
+ 86:05:d5:38:14:60:99:a3:4b:de:06:96:71:2c:f2:db:b6:1f:
+ a4:ef:3f:ee
+
Verisign Class 2 Public Primary Certification Authority
=======================================================
MD5 Fingerprint: B3:9C:25:B1:C3:2E:32:53:80:15:30:9D:4D:02:77:3E
12:df:67:a0:f4:ad:32:64:5e:b1:46:72:27:8c:12:7b:c5:44:
b4:ae
+Verisign Class 2 Public Primary Certification Authority - G3
+============================================================
+MD5 Fingerprint: F8:BE:C4:63:22:C9:A8:46:74:8B:B8:1D:1E:4A:2B:F6
+PEM Data:
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
+Certificate Ingredients:
+ Data:
+ Version: 1 (0x0)
+ Serial Number:
+ 61:70:cb:49:8c:5f:98:45:29:e7:b0:a6:d9:50:5b:7a
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 2 Public Primary Certification Authority - G3
+ Validity
+ Not Before: Oct 1 00:00:00 1999 GMT
+ Not After : Jul 16 23:59:59 2036 GMT
+ Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 2 Public Primary Certification Authority - G3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:af:0a:0d:c2:d5:2c:db:67:b9:2d:e5:94:27:dd:
+ a5:be:e0:b0:4d:8f:b3:61:56:3c:d6:7c:c3:f4:cd:
+ 3e:86:cb:a2:88:e2:e1:d8:a4:69:c5:b5:e2:bf:c1:
+ a6:47:50:5e:46:39:8b:d5:96:ba:b5:6f:14:bf:10:
+ ce:27:13:9e:05:47:9b:31:7a:13:d8:1f:d9:d3:02:
+ 37:8b:ad:2c:47:f0:8e:81:06:a7:0d:30:0c:eb:f7:
+ 3c:0f:20:1d:dc:72:46:ee:a5:02:c8:5b:c3:c9:56:
+ 69:4c:c5:18:c1:91:7b:0b:d5:13:00:9b:bc:ef:c3:
+ 48:3e:46:60:20:85:2a:d5:90:b6:cd:8b:a0:cc:32:
+ dd:b7:fd:40:55:b2:50:1c:56:ae:cc:8d:77:4d:c7:
+ 20:4d:a7:31:76:ef:68:92:8a:90:1e:08:81:56:b2:
+ ad:69:a3:52:d0:cb:1c:c4:23:3d:1f:99:fe:4c:e8:
+ 16:63:8e:c6:08:8e:f6:31:f6:d2:fa:e5:76:dd:b5:
+ 1c:92:a3:49:cd:cd:01:cd:68:cd:a9:69:ba:a3:eb:
+ 1d:0d:9c:a4:20:a6:c1:a0:c5:d1:46:4c:17:6d:d2:
+ ac:66:3f:96:8c:e0:84:d4:36:ff:22:59:c5:f9:11:
+ 60:a8:5f:04:7d:f2:1a:f6:25:42:61:0f:c4:4a:b8:
+ 3e:89
+ Exponent: 65537 (0x10001)
+ Signature Algorithm: sha1WithRSAEncryption
+ 34:26:15:3c:c0:8d:4d:43:49:1d:bd:e9:21:92:d7:66:9c:b7:
+ de:c5:b8:d0:e4:5d:5f:76:22:c0:26:f9:84:3a:3a:f9:8c:b5:
+ fb:ec:60:f1:e8:ce:04:b0:c8:dd:a7:03:8f:30:f3:98:df:a4:
+ e6:a4:31:df:d3:1c:0b:46:dc:72:20:3f:ae:ee:05:3c:a4:33:
+ 3f:0b:39:ac:70:78:73:4b:99:2b:df:30:c2:54:b0:a8:3b:55:
+ a1:fe:16:28:cd:42:bd:74:6e:80:db:27:44:a7:ce:44:5d:d4:
+ 1b:90:98:0d:1e:42:94:b1:00:2c:04:d0:74:a3:02:05:22:63:
+ 63:cd:83:b5:fb:c1:6d:62:6b:69:75:fd:5d:70:41:b9:f5:bf:
+ 7c:df:be:c1:32:73:22:21:8b:58:81:7b:15:91:7a:ba:e3:64:
+ 48:b0:7f:fb:36:25:da:95:d0:f1:24:14:17:dd:18:80:6b:46:
+ 23:39:54:f5:8e:62:09:04:1d:94:90:a6:9b:e6:25:e2:42:45:
+ aa:b8:90:ad:be:08:8f:a9:0b:42:18:94:cf:72:39:e1:b1:43:
+ e0:28:cf:b7:e7:5a:6c:13:6b:49:b3:ff:e3:18:7c:89:8b:33:
+ 5d:ac:33:d7:a7:f9:da:3a:55:c9:58:10:f9:aa:ef:5a:b6:cf:
+ 4b:4b:df:2a
+
Verisign Class 3 Public Primary Certification Authority
=======================================================
MD5 Fingerprint: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
57:26:79:00:f6:f8:0d:a2:33:30:28:d4:aa:58:a0:9d:9d:69:
91:fd
+Verisign Class 3 Public Primary Certification Authority - G3
+============================================================
+MD5 Fingerprint: CD:68:B6:A7:C7:C4:CE:75:E0:1D:4F:57:44:61:92:09
+PEM Data:
+-----BEGIN CERTIFICATE-----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==
+-----END CERTIFICATE-----
+Certificate Ingredients:
+ Data:
+ Version: 1 (0x0)
+ Serial Number:
+ 9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G3
+ Validity
+ Not Before: Oct 1 00:00:00 1999 GMT
+ Not After : Jul 16 23:59:59 2036 GMT
+ Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:cb:ba:9c:52:fc:78:1f:1a:1e:6f:1b:37:73:bd:
+ f8:c9:6b:94:12:30:4f:f0:36:47:f5:d0:91:0a:f5:
+ 17:c8:a5:61:c1:16:40:4d:fb:8a:61:90:e5:76:20:
+ c1:11:06:7d:ab:2c:6e:a6:f5:11:41:8e:fa:2d:ad:
+ 2a:61:59:a4:67:26:4c:d0:e8:bc:52:5b:70:20:04:
+ 58:d1:7a:c9:a4:69:bc:83:17:64:ad:05:8b:bc:d0:
+ 58:ce:8d:8c:f5:eb:f0:42:49:0b:9d:97:27:67:32:
+ 6e:e1:ae:93:15:1c:70:bc:20:4d:2f:18:de:92:88:
+ e8:6c:85:57:11:1a:e9:7e:e3:26:11:54:a2:45:96:
+ 55:83:ca:30:89:e8:dc:d8:a3:ed:2a:80:3f:7f:79:
+ 65:57:3e:15:20:66:08:2f:95:93:bf:aa:47:2f:a8:
+ 46:97:f0:12:e2:fe:c2:0a:2b:51:e6:76:e6:b7:46:
+ b7:e2:0d:a6:cc:a8:c3:4c:59:55:89:e6:e8:53:5c:
+ 1c:ea:9d:f0:62:16:0b:a7:c9:5f:0c:f0:de:c2:76:
+ ce:af:f7:6a:f2:fa:41:a6:a2:33:14:c9:e5:7a:63:
+ d3:9e:62:37:d5:85:65:9e:0e:e6:53:24:74:1b:5e:
+ 1d:12:53:5b:c7:2c:e7:83:49:3b:15:ae:8a:68:b9:
+ 57:97
+ Exponent: 65537 (0x10001)
+ Signature Algorithm: sha1WithRSAEncryption
+ 11:14:96:c1:ab:92:08:f7:3f:2f:c9:b2:fe:e4:5a:9f:64:de:
+ db:21:4f:86:99:34:76:36:57:dd:d0:15:2f:c5:ad:7f:15:1f:
+ 37:62:73:3e:d4:e7:5f:ce:17:03:db:35:fa:2b:db:ae:60:09:
+ 5f:1e:5f:8f:6e:bb:0b:3d:ea:5a:13:1e:0c:60:6f:b5:c0:b5:
+ 23:22:2e:07:0b:cb:a9:74:cb:47:bb:1d:c1:d7:a5:6b:cc:2f:
+ d2:42:fd:49:dd:a7:89:cf:53:ba:da:00:5a:28:bf:82:df:f8:
+ ba:13:1d:50:86:82:fd:8e:30:8f:29:46:b0:1e:3d:35:da:38:
+ 62:16:18:4a:ad:e6:b6:51:6c:de:af:62:eb:01:d0:1e:24:fe:
+ 7a:8f:12:1a:12:68:b8:fb:66:99:14:14:45:5c:ae:e7:ae:69:
+ 17:81:2b:5a:37:c9:5e:2a:f4:c6:e2:a1:5c:54:9b:a6:54:00:
+ cf:f0:f1:c1:c7:98:30:1a:3b:36:16:db:a3:6e:ea:fd:ad:b2:
+ c2:da:ef:02:47:13:8a:c0:f1:b3:31:ad:4f:1c:e1:4f:9c:af:
+ 0f:0c:9d:f7:78:0d:d8:f4:35:56:80:da:b7:6d:17:8f:9d:1e:
+ 81:64:e1:fe:c5:45:ba:ad:6b:b9:0a:7a:4e:4f:4b:84:ee:4b:
+ f1:7d:dd:11
+
Verisign Class 4 Public Primary Certification Authority - G2
============================================================
MD5 Fingerprint: 26:6D:2C:19:98:B6:70:68:38:50:54:19:EC:90:34:60
3f:22:8d:a1:c1:66:50:81:72:4c:ed:22:64:4f:4f:ca:80:91:
b6:29
+Verisign Class 4 Public Primary Certification Authority - G3
+============================================================
+MD5 Fingerprint: DB:C8:F2:27:2E:B1:EA:6A:29:23:5D:FE:56:3E:33:DF
+PEM Data:
+-----BEGIN CERTIFICATE-----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==
+-----END CERTIFICATE-----
+Certificate Ingredients:
+ Data:
+ Version: 1 (0x0)
+ Serial Number:
+ ec:a0:a7:8b:6e:75:6a:01:cf:c4:7c:cc:2f:94:5e:d7
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 4 Public Primary Certification Authority - G3
+ Validity
+ Not Before: Oct 1 00:00:00 1999 GMT
+ Not After : Jul 16 23:59:59 2036 GMT
+ Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 4 Public Primary Certification Authority - G3
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:ad:cb:a5:11:69:c6:59:ab:f1:8f:b5:19:0f:56:
+ ce:cc:b5:1f:20:e4:9e:26:25:4b:e0:73:65:89:59:
+ de:d0:83:e4:f5:0f:b5:bb:ad:f1:7c:e8:21:fc:e4:
+ e8:0c:ee:7c:45:22:19:76:92:b4:13:b7:20:5b:09:
+ fa:61:ae:a8:f2:a5:8d:85:c2:2a:d6:de:66:36:d2:
+ 9b:02:f4:a8:92:60:7c:9c:69:b4:8f:24:1e:d0:86:
+ 52:f6:32:9c:41:58:1e:22:bd:cd:45:62:95:08:6e:
+ d0:66:dd:53:a2:cc:f0:10:dc:54:73:8b:04:a1:46:
+ 33:33:5c:17:40:b9:9e:4d:d3:f3:be:55:83:e8:b1:
+ 89:8e:5a:7c:9a:96:22:90:3b:88:25:f2:d2:53:88:
+ 02:0c:0b:78:f2:e6:37:17:4b:30:46:07:e4:80:6d:
+ a6:d8:96:2e:e8:2c:f8:11:b3:38:0d:66:a6:9b:ea:
+ c9:23:5b:db:8e:e2:f3:13:8e:1a:59:2d:aa:02:f0:
+ ec:a4:87:66:dc:c1:3f:f5:d8:b9:f4:ec:82:c6:d2:
+ 3d:95:1d:e5:c0:4f:84:c9:d9:a3:44:28:06:6a:d7:
+ 45:ac:f0:6b:6a:ef:4e:5f:f8:11:82:1e:38:63:34:
+ 66:50:d4:3e:93:73:fa:30:c3:66:ad:ff:93:2d:97:
+ ef:03
+ Exponent: 65537 (0x10001)
+ Signature Algorithm: sha1WithRSAEncryption
+ 8f:fa:25:6b:4f:5b:e4:a4:4e:27:55:ab:22:15:59:3c:ca:b5:
+ 0a:d4:4a:db:ab:dd:a1:5f:53:c5:a0:57:39:c2:ce:47:2b:be:
+ 3a:c8:56:bf:c2:d9:27:10:3a:b1:05:3c:c0:77:31:bb:3a:d3:
+ 05:7b:6d:9a:1c:30:8c:80:cb:93:93:2a:83:ab:05:51:82:02:
+ 00:11:67:6b:f3:88:61:47:5f:03:93:d5:5b:0d:e0:f1:d4:a1:
+ 32:35:85:b2:3a:db:b0:82:ab:d1:cb:0a:bc:4f:8c:5b:c5:4b:
+ 00:3b:1f:2a:82:a6:7e:36:85:dc:7e:3c:67:00:b5:e4:3b:52:
+ e0:a8:eb:5d:15:f9:c6:6d:f0:ad:1d:0e:85:b7:a9:9a:73:14:
+ 5a:5b:8f:41:28:c0:d5:e8:2d:4d:a4:5e:cd:aa:d9:ed:ce:dc:
+ d8:d5:3c:42:1d:17:c1:12:5d:45:38:c3:38:f3:fc:85:2e:83:
+ 46:48:b2:d7:20:5f:92:36:8f:e7:79:0f:98:5e:99:e8:f0:d0:
+ a4:bb:f5:53:bd:2a:ce:59:b0:af:6e:7f:6c:bb:d2:1e:00:b0:
+ 21:ed:f8:41:62:82:b9:d8:b2:c4:bb:46:50:f3:31:c5:8f:01:
+ a8:74:eb:f5:78:27:da:e7:f7:66:43:f3:9e:83:3e:20:aa:c3:
+ 35:60:91:ce
+
Verisign/RSA Commercial CA
==========================
MD5 Fingerprint: 5A:0B:DD:42:9E:B2:B4:62:97:32:7F:7F:0A:AA:9A:39
##
## avoid brain dead shells on Ultrix and friends
##
-test -f /bin/sh5 && exec /bin/sh5 $0 "$@"
+if [ -f /bin/sh5 ]; then
+ if [ ".$APACI_SH5_UPGRADE_STEP" != .done ]; then
+ APACI_SH5_UPGRADE_STEP=done
+ export APACI_SH5_UPGRADE_STEP
+ exec /bin/sh5 $0 "$@"
+ fi
+fi
##
## the paths to the Apache source tree
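Review bot: in the new guard, `exec /bin/sh5 $0 "$@"` still passes $0 unquoted, so the re-exec breaks when the script is invoked through a path containing whitespace; quote it as "$0", the same way "$@" already is. A one-line comment stating that APACI_SH5_UPGRADE_STEP is there to keep the script from re-executing itself under sh5 would also help, because the variable stays exported to every process the script starts afterwards.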
echo " --libexecdir=DIR install program executables in DIR"
echo " --mandir=DIR install manual pages in DIR"
echo " --sysconfdir=DIR install configuration files in DIR"
- echo " --datadir=DIR install read-only data files in DIR"
+ echo " --datadir=DIR install read-only data files in DIR"
+ echo " --iconsdir=DIR install read-only icon files in DIR"
+ echo " --htdocsdir=DIR install read-only document files in DIR"
+ echo " --cgidir=DIR install read-only cgi files in DIR"
echo " --includedir=DIR install includes files in DIR"
echo " --localstatedir=DIR install modifiable data files in DIR"
echo " --runtimedir=DIR install runtime data in DIR"
echo " --without-confadjust disable the user/situation adjustments in config"
echo " --without-execstrip disable the stripping of executables on installation"
echo " --server-uid=UID set the user ID the web server should run as [nobody]"
- echo " --server-gid=GID set the group ID the web server UID is a memeber of [-1]"
+ echo " --server-gid=GID set the group ID the web server UID is a memeber of [#-1]"
echo ""
echo "suEXEC options:"
echo " --enable-suexec enable the suEXEC feature"
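Review bot: the replaced --server-gid line changes only the default from [-1] to [#-1] and carries the "memeber" typo over to the new line; fix it to "member" while the line is being touched. The help text also never says what the leading # means, while --server-uid directly above shows a bare name ([nobody]), so a short note on the #N form would spare users a lookup.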
<H1 ALIGN="CENTER">Apache Server Frequently Asked Questions</H1>
<P>
- $Revision: 1.5 $ ($Date: 2000/01/25 18:29:23 $)
+ $Revision: 1.6 $ ($Date: 2000/03/19 11:16:29 $)
</P>
<P>
The latest version of this FAQ is always available from the main
</LI>
<LI><A HREF="#regex">What are "regular expressions"?</A>
</LI>
+ <li><a href="#binaries">Why isn't there a binary for my platform?</a></li>
</OL>
</LI>
</P>
<HR>
</LI>
+
+ <li><a name="binaries">
+ <b>Why isn't there a binary for my platform?</b></a>
+ <p>
+ The developers make sure that the software builds and works
+ correctly on the platforms available to them; this does
+ <i>not</i> necessarily mean that <i>your</i> platform
+ is one of them. In addition, the Apache HTTP server project
+ is primarily source oriented, meaning that distributing
+ valid and buildable source code is the purpose of a release,
+ not making sure that there is a binary package for all of the
+ supported platforms.
+ </p>
+ <p>
+ If you don't see a kit for your platform listed in the
+ binary distribution area
+ (<URL:<a href="http://www.apache.org/dist/binaries/"
+ >http://www.apache.org/dist/binaries/</a>>),
+ it means either that the platform isn't available to any of
+ the developers, or that they just haven't gotten around to
+ preparing a binary for it. As this is a voluntary project,
+ they are under no obligation to do so. Users are encouraged
+ and expected to build the software themselves.
+ </p>
+ <p>
+ The sole exception to these practices is the Windows package.
+ Unlike most Unix and Unix-like platforms, Windows systems
+ do not come with a bundled software development environment,
+ so we <i>do</i> prepare binary kits for Windows when we make
+ a release. Again, however, it's a voluntary thing and only
+ a limited number of the developers have the capability to build
+ the InstallShield package, so the Windows release may lag
+ somewhat behind the source release. This lag should be
+ no more than a few days at most.
+ </p>
+ <hr>
+ </li>
+
</OL>
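Review bot: in the second paragraph of the new FAQ entry, `(<URL:<a href="http://www.apache.org/dist/binaries/"` and the closing `</a>>)` put a raw "<" and ">" into the HTML. Write them as &lt;URL: and &gt; so that a browser does not try to parse "<URL:" as a tag. The new entry also uses lowercase tags (<li>, <p>, <b>, <hr>) inside a list whose existing items use uppercase (<LI>, <HR>); match the file's convention.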
several third party modules available through the <A
HREF="http://modules.apache.org/">Apache Module Registry</A> which
will add footers to documents. These include mod_trailer, PHP
- (<SAMP>php3_auto_append_file</SAMP>), and mod_perl
+ (<SAMP>php3_auto_append_file</SAMP>), mod_layout, and mod_perl
(<SAMP>Apache::Sandwich</SAMP>).
</P>
<HR>
</DIV>
<P>
-This document supplements the mod_rewrite <a
-href="../mod/mod_rewrite.html">reference documentation</a>. It describes
+This document supplements the mod_rewrite <A
+HREF="../mod/mod_rewrite.html">reference documentation</A>. It describes
how one can use Apache's mod_rewrite to solve typical URL-based problems
webmasters are usually confronted with in practice. I give detailed
descriptions on how to solve each problem by configuring URL rewriting
rulesets.
-<H2><a name="ToC1">Introduction to mod_rewrite</a></H2>
+<H2><A name="ToC1">Introduction to mod_rewrite</A></H2>
The Apache module mod_rewrite is a killer one, i.e. it is a really
sophisticated module which provides a powerful way to do URL manipulations.
of its power. This paper tries to give you a few initial success events to
avoid the first case by presenting already invented solutions to you.
-<H2><a name="ToC2">Practical Solutions</a></H2>
+<H2><A name="ToC2">Practical Solutions</A></H2>
Here come a lot of practical solutions I've either invented myself or
collected from other peoples solutions in the past. Feel free to learn the
black magic of URL rewriting from these examples.
<P>
+<TABLE BGCOLOR="#FFE0E0" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD>
ATTENTION: Depending on your server-configuration it can be necessary to
slightly change the examples for your situation, e.g. adding the [PT] flag
when additionally using mod_alias and mod_userdir, etc. Or rewriting a ruleset
-to fit in <tt>.htaccess</tt> context instead of per-server context. Always try
+to fit in <CODE>.htaccess</CODE> context instead of per-server context. Always try
to understand what a particular ruleset really does before you use it. It
avoid problems.
+</TD></TR></TABLE>
<H1>URL Layout</H1>
<DD>
We do an external HTTP redirect for all non-canonical URLs to fix them in the
location view of the Browser and for all subsequent requests. In the example
-ruleset below we replace <tt>/~user</tt> by the canonical <tt>/u/user</tt> and
-fix a missing trailing slash for <tt>/u/user</tt>.
+ruleset below we replace <CODE>/~user</CODE> by the canonical <CODE>/u/user</CODE> and
+fix a missing trailing slash for <CODE>/u/user</CODE>.
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
-RewriteRule ^/<b>~</b>([^/]+)/?(.*) /<b>u</b>/$1/$2 [<b>R</b>]
-RewriteRule ^/([uge])/(<b>[^/]+</b>)$ /$1/$2<b>/</b> [<b>R</b>]
+RewriteRule ^/<STRONG>~</STRONG>([^/]+)/?(.*) /<STRONG>u</STRONG>/$1/$2 [<STRONG>R</STRONG>]
+RewriteRule ^/([uge])/(<STRONG>[^/]+</STRONG>)$ /$1/$2<STRONG>/</STRONG> [<STRONG>R</STRONG>]
</PRE></TD></TR></TABLE>
</DL>
<DT><STRONG>Description:</STRONG>
<DD>
Usually the DocumentRoot of the webserver directly relates to the URL
-``<tt>/</tt>''. But often this data is not really of top-level priority, it is
+``<CODE>/</CODE>''. But often this data is not really of top-level priority, it is
perhaps just one entity of a lot of data pools. For instance at our Intranet
-sites there are <tt>/e/www/</tt> (the homepage for WWW), <tt>/e/sww/</tt> (the
+sites there are <CODE>/e/www/</CODE> (the homepage for WWW), <CODE>/e/sww/</CODE> (the
homepage for the Intranet) etc. Now because the data of the DocumentRoot stays
-at <tt>/e/www/</tt> we had to make sure that all inlined images and other
+at <CODE>/e/www/</CODE> we had to make sure that all inlined images and other
stuff inside this data pool work for subsequent requests.
<P>
<DT><STRONG>Solution:</STRONG>
<DD>
-We just redirect the URL <tt>/</tt> to <tt>/e/www/</tt>. While is seems
+We just redirect the URL <CODE>/</CODE> to <CODE>/e/www/</CODE>. While is seems
trivial it is actually trivial with mod_rewrite, only. Because the typical
-old mechanisms of URL <i>Aliases</i> (as provides by mod_alias and friends)
-only used <i>prefix</i> matching. With this you cannot do such a redirection
+old mechanisms of URL <EM>Aliases</EM> (as provides by mod_alias and friends)
+only used <EM>prefix</EM> matching. With this you cannot do such a redirection
because the DocumentRoot is a prefix of all URLs. With mod_rewrite it is
really trivial:
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteEngine on
-RewriteRule <b>^/$</b> /e/www/ [<b>R</b>]
+RewriteRule <STRONG>^/$</STRONG> /e/www/ [<STRONG>R</STRONG>]
</PRE></TD></TR></TABLE>
</DL>
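Review bot: the rewritten lines in the Solution paragraph only swap <tt> and <i> for <CODE> and <EM>, and keep the wording errors that sit on those same lines: "While is seems trivial" and "as provides by mod_alias and friends". Since the lines are being touched anyway, correct them to "While it seems" and "as provided by" in the same change.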
<DD>
Every webmaster can sing a song about the problem of the trailing slash on
URLs referencing directories. If they are missing, the server dumps an error,
-because if you say <tt>/~quux/foo</tt> instead of
-<tt>/~quux/foo/</tt> then the server searches for a <i>file</i> named
-<tt>foo</tt>. And because this file is a directory it complains. Actually
+because if you say <CODE>/~quux/foo</CODE> instead of
+<CODE>/~quux/foo/</CODE> then the server searches for a <EM>file</EM> named
+<CODE>foo</CODE>. And because this file is a directory it complains. Actually
is tries to fix it themself in most of the cases, but sometimes this mechanism
need to be emulated by you. For instance after you have done a lot of
complicated URL rewritings to CGI scripts etc.
internal rewrite, this would only work for the directory page, but would go
wrong when any images are included into this page with relative URLs, because
the browser would request an in-lined object. For instance, a request for
-<tt>image.gif</tt> in <tt>/~quux/foo/index.html</tt> would become
-<tt>/~quux/image.gif</tt> without the external redirect!
+<CODE>image.gif</CODE> in <CODE>/~quux/foo/index.html</CODE> would become
+<CODE>/~quux/image.gif</CODE> without the external redirect!
<P>
So, to do this trick we write:
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteEngine on
RewriteBase /~quux/
-RewriteRule ^foo<b>$</b> foo<b>/</b> [<b>R</b>]
+RewriteRule ^foo<STRONG>$</STRONG> foo<STRONG>/</STRONG> [<STRONG>R</STRONG>]
</PRE></TD></TR></TABLE>
<P>
The crazy and lazy can even do the following in the top-level
-<tt>.htaccess</tt> file of their homedir. But notice that this creates some
+<CODE>.htaccess</CODE> file of their homedir. But notice that this creates some
processing overhead.
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteEngine on
RewriteBase /~quux/
-RewriteCond %{REQUEST_FILENAME} <b>-d</b>
-RewriteRule ^(.+<b>[^/]</b>)$ $1<b>/</b> [R]
+RewriteCond %{REQUEST_FILENAME} <STRONG>-d</STRONG>
+RewriteRule ^(.+<STRONG>[^/]</STRONG>)$ $1<STRONG>/</STRONG> [R]
</PRE></TD></TR></TABLE>
</DL>
<DD>
We want to create a homogenous and consistent URL layout over all WWW servers
on a Intranet webcluster, i.e. all URLs (per definition server local and thus
-server dependent!) become actually server <i>independed</i>! What we want is
+server dependent!) become actually server <EM>independed</EM>! What we want is
to give the WWW namespace a consistent server-independend layout: no URL
should have to include any physically correct target server. The cluster
itself should drive us automatically to the physical target host.
: :
</PRE><P>
-We put them into files <tt>map.xxx-to-host</tt>. Second we need to instruct
+We put them into files <CODE>map.xxx-to-host</CODE>. Second we need to instruct
all servers to redirect URLs of the forms
<P><PRE>
RewriteMap group-to-host txt:/path/to/map.group-to-host
RewriteMap entity-to-host txt:/path/to/map.entity-to-host
-RewriteRule ^/u/<b>([^/]+)</b>/?(.*) http://<b>${user-to-host:$1|server0}</b>/u/$1/$2
-RewriteRule ^/g/<b>([^/]+)</b>/?(.*) http://<b>${group-to-host:$1|server0}</b>/g/$1/$2
-RewriteRule ^/e/<b>([^/]+)</b>/?(.*) http://<b>${entity-to-host:$1|server0}</b>/e/$1/$2
+RewriteRule ^/u/<STRONG>([^/]+)</STRONG>/?(.*) http://<STRONG>${user-to-host:$1|server0}</STRONG>/u/$1/$2
+RewriteRule ^/g/<STRONG>([^/]+)</STRONG>/?(.*) http://<STRONG>${group-to-host:$1|server0}</STRONG>/g/$1/$2
+RewriteRule ^/e/<STRONG>([^/]+)</STRONG>/?(.*) http://<STRONG>${entity-to-host:$1|server0}</STRONG>/e/$1/$2
RewriteRule ^/([uge])/([^/]+)/?$ /$1/$2/.www/
RewriteRule ^/([uge])/([^/]+)/([^.]+.+) /$1/$2/.www/$3\
<DT><STRONG>Solution:</STRONG>
<DD>
The solution is trivial with mod_rewrite. On the old webserver we just
-redirect all <tt>/~user/anypath</tt> URLs to
-<tt>http://newserver/~user/anypath</tt>.
+redirect all <CODE>/~user/anypath</CODE> URLs to
+<CODE>http://newserver/~user/anypath</CODE>.
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteEngine on
-RewriteRule ^/~(.+) http://<b>newserver</b>/~$1 [R,L]
+RewriteRule ^/~(.+) http://<STRONG>newserver</STRONG>/~$1 [R,L]
</PRE></TD></TR></TABLE>
</DL>
<DD>
Some sites with thousend of users usually use a structured homedir layout,
i.e. each homedir is in a subdirectory which begins for instance with the
-first character of the username. So, <tt>/~foo/anypath</tt> is
-<tt>/home/<b>f</b>/foo/.www/anypath</tt> while <tt>/~bar/anypath</tt> is
-<tt>/home/<b>b</b>/bar/.www/anypath</tt>.
+first character of the username. So, <CODE>/~foo/anypath</CODE> is
+<CODE>/home/<STRONG>f</STRONG>/foo/.www/anypath</CODE> while <CODE>/~bar/anypath</CODE> is
+<CODE>/home/<STRONG>b</STRONG>/bar/.www/anypath</CODE>.
<P>
<DT><STRONG>Solution:</STRONG>
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteEngine on
-RewriteRule ^/~(<b>([a-z])</b>[a-z0-9]+)(.*) /home/<b>$2</b>/$1/.www$3
+RewriteRule ^/~(<STRONG>([a-z])</STRONG>[a-z0-9]+)(.*) /home/<STRONG>$2</STRONG>/$1/.www$3
</PRE></TD></TR></TABLE>
</DL>
<DT><STRONG>Description:</STRONG>
<DD>
This really is a hardcore example: a killer application which heavily uses
-per-directory <tt>RewriteRules</tt> to get a smooth look and feel on the Web
+per-directory <CODE>RewriteRules</CODE> to get a smooth look and feel on the Web
while its data structure is never touched or adjusted.
-Background: <b><i>net.sw</i></b> is my archive of freely available Unix
+Background: <STRONG><EM>net.sw</EM></STRONG> is my archive of freely available Unix
software packages, which I started to collect in 1992. It is both my hobby and
job to to this, because while I'm studying computer science I have also worked
for many years as a system and network administrator in my spare time. Every
drwxrwxr-x 10 netsw users 512 Jul 9 14:08 X11/
</PRE><P>
-In July 1996 I decided to make this 350 MB archive public to the world via a
-nice Web interface (<a href="http://net.sw.engelschall.com/net.sw/"><tt>
-http://net.sw.engelschall.com/net.sw/</tt></a>). "Nice" means that I wanted to
-offer a interface where you can browse directly through the archive hierarchy.
+In July 1996 I decided to make this archive public to the world via a
+nice Web interface. "Nice" means that I wanted to
+offer an interface where you can browse directly through the archive hierarchy.
And "nice" means that I didn't wanted to change anything inside this hierarchy
- not even by putting some CGI scripts at the top of it. Why? Because the
above structure should be later accessible via FTP as well, and I didn't
-want any Web or CGI stuuf to be there.
+want any Web or CGI stuff to be there.
<P>
<DT><STRONG>Solution:</STRONG>
<DD>
The solution has two parts: The first is a set of CGI scripts which create all
the pages at all directory levels on-the-fly. I put them under
-<tt>/e/netsw/.www/</tt> as follows:
+<CODE>/e/netsw/.www/</CODE> as follows:
<P><PRE>
-rw-r--r-- 1 netsw users 1318 Aug 1 18:10 .wwwacl
-rw-r--r-- 1 netsw users 234 Jul 30 16:35 netsw-unlimit.lst
</PRE><P>
-The <tt>DATA/</tt> subdirectory holds the above directory structure, i.e. the
-real <b><i>net.sw</i></b> stuff and gets automatically updated via
-<tt>rdist</tt> from time to time.
+The <CODE>DATA/</CODE> subdirectory holds the above directory structure, i.e. the
+real <STRONG><EM>net.sw</EM></STRONG> stuff and gets automatically updated via
+<CODE>rdist</CODE> from time to time.
- The second part of the problem remains: how to link these two structures
-together into one smooth-looking URL tree? We want to hide the <tt>DATA/</tt>
+The second part of the problem remains: how to link these two structures
+together into one smooth-looking URL tree? We want to hide the <CODE>DATA/</CODE>
directory from the user while running the appropriate CGI scripts for the
various URLs.
Here is the solution: first I put the following into the per-directory
configuration file in the Document Root of the server to rewrite the announced
-URL <tt>/net.sw/</tt> to the internal path <tt>/e/netsw</tt>:
+URL <CODE>/net.sw/</CODE> to the internal path <CODE>/e/netsw</CODE>:
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteRule ^net.sw$ net.sw/ [R]
<P>
The first rule is for requests which miss the trailing slash! The second rule
does the real thing. And then comes the killer configuration which stays in
-the per-directory config file <tt>/e/netsw/.www/.wwwacl</tt>:
+the per-directory config file <CODE>/e/netsw/.www/.wwwacl</CODE>:
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
Options ExecCGI FollowSymLinks Includes MultiViews
<DD>
When switching from the NCSA webserver to the more modern Apache webserver a
lot of people want a smooth transition. So they want pages which use their old
-NCSA <tt>imagemap</tt> program to work under Apache with the modern
-<tt>mod_imap</tt>. The problem is that there are a lot of
-hyperlinks around which reference the <tt>imagemap</tt> program via
-<tt>/cgi-bin/imagemap/path/to/page.map</tt>. Under Apache this
-has to read just <tt>/path/to/page.map</tt>.
+NCSA <CODE>imagemap</CODE> program to work under Apache with the modern
+<CODE>mod_imap</CODE>. The problem is that there are a lot of
+hyperlinks around which reference the <CODE>imagemap</CODE> program via
+<CODE>/cgi-bin/imagemap/path/to/page.map</CODE>. Under Apache this
+has to read just <CODE>/path/to/page.map</CODE>.
<P>
<DT><STRONG>Solution:</STRONG>
# first try to find it in custom/...
# ...and if found stop and be happy:
-RewriteCond /your/docroot/<b>dir1</b>/%{REQUEST_FILENAME} -f
-RewriteRule ^(.+) /your/docroot/<b>dir1</b>/$1 [L]
+RewriteCond /your/docroot/<STRONG>dir1</STRONG>/%{REQUEST_FILENAME} -f
+RewriteRule ^(.+) /your/docroot/<STRONG>dir1</STRONG>/$1 [L]
# second try to find it in pub/...
# ...and if found stop and be happy:
-RewriteCond /your/docroot/<b>dir2</b>/%{REQUEST_FILENAME} -f
-RewriteRule ^(.+) /your/docroot/<b>dir2</b>/$1 [L]
+RewriteCond /your/docroot/<STRONG>dir2</STRONG>/%{REQUEST_FILENAME} -f
+RewriteRule ^(.+) /your/docroot/<STRONG>dir2</STRONG>/$1 [L]
# else go on for other Alias or ScriptAlias directives,
# etc.
<DD>
We use a rewrite rule to strip out the status information and remember it via
an environment variable which can be later dereferenced from within XSSI or
-CGI. This way a URL <tt>/foo/S=java/bar/</tt> gets translated to
-<tt>/foo/bar/</tt> and the environment variable named <tt>STATUS</tt> is set
+CGI. This way a URL <CODE>/foo/S=java/bar/</CODE> gets translated to
+<CODE>/foo/bar/</CODE> and the environment variable named <CODE>STATUS</CODE> is set
to the value "java".
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteEngine on
-RewriteRule ^(.*)/<b>S=([^/]+)</b>/(.*) $1/$3 [E=<b>STATUS:$2</b>]
+RewriteRule ^(.*)/<STRONG>S=([^/]+)</STRONG>/(.*) $1/$3 [E=<STRONG>STATUS:$2</STRONG>]
</PRE></TD></TR></TABLE>
</DL>
<DL>
<DT><STRONG>Description:</STRONG>
<DD>
-Assume that you want to provide <tt>www.<b>username</b>.host.domain.com</tt>
+Assume that you want to provide <CODE>www.<STRONG>username</STRONG>.host.domain.com</CODE>
for the homepage of username via just DNS A records to the same machine and
without any virtualhosts on this machine.
<DD>
For HTTP/1.0 requests there is no solution, but for HTTP/1.1 requests which
contain a Host: HTTP header we can use the following ruleset to rewrite
-<tt>http://www.username.host.com/anypath</tt> internally to
-<tt>/home/username/anypath</tt>:
+<CODE>http://www.username.host.com/anypath</CODE> internally to
+<CODE>/home/username/anypath</CODE>:
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteEngine on
-RewriteCond %{<b>HTTP_HOST</b>} ^www\.<b>[^.]+</b>\.host\.com$
+RewriteCond %{<STRONG>HTTP_HOST</STRONG>} ^www\.<STRONG>[^.]+</STRONG>\.host\.com$
RewriteRule ^(.+) %{HTTP_HOST}$1 [C]
-RewriteRule ^www\.<b>([^.]+)</b>\.host\.com(.*) /home/<b>$1</b>$2
+RewriteRule ^www\.<STRONG>([^.]+)</STRONG>\.host\.com(.*) /home/<STRONG>$1</STRONG>$2
</PRE></TD></TR></TABLE>
</DL>
<DT><STRONG>Description:</STRONG>
<DD>
We want to redirect homedir URLs to another webserver
-<tt>www.somewhere.com</tt> when the requesting user does not stay in the local
-domain <tt>ourdomain.com</tt>. This is sometimes used in virtual host
+<CODE>www.somewhere.com</CODE> when the requesting user does not stay in the local
+domain <CODE>ourdomain.com</CODE>. This is sometimes used in virtual host
contexts.
<P>
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteEngine on
-RewriteCond %{REMOTE_HOST} <b>!^.+\.ourdomain\.com$</b>
+RewriteCond %{REMOTE_HOST} <STRONG>!^.+\.ourdomain\.com$</STRONG>
RewriteRule ^(/~.+) http://www.somewhere.com/$1 [R,L]
</PRE></TD></TR></TABLE>
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteEngine on
-RewriteCond /your/docroot/%{REQUEST_FILENAME} <b>!-f</b>
-RewriteRule ^(.+) http://<b>webserverB</b>.dom/$1
+RewriteCond /your/docroot/%{REQUEST_FILENAME} <STRONG>!-f</STRONG>
+RewriteRule ^(.+) http://<STRONG>webserverB</STRONG>.dom/$1
</PRE></TD></TR></TABLE>
<P>
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteEngine on
-RewriteCond %{REQUEST_URI} <b>!-U</b>
-RewriteRule ^(.+) http://<b>webserverB</b>.dom/$1
+RewriteCond %{REQUEST_URI} <STRONG>!-U</STRONG>
+RewriteRule ^(.+) http://<STRONG>webserverB</STRONG>.dom/$1
</PRE></TD></TR></TABLE>
<P>
<DD>
We have to use a kludge by the use of a NPH-CGI script which does the redirect
itself. Because here no escaping is done (NPH=non-parseable headers). First
-we introduce a new URL scheme <tt>xredirect:</tt> by the following per-server
+we introduce a new URL scheme <CODE>xredirect:</CODE> by the following per-server
config-line (should be one of the last rewrite rules):
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
</PRE></TD></TR></TABLE>
<P>
-This forces all URLs prefixed with <tt>xredirect:</tt> to be piped through the
-<tt>nph-xredirect.cgi</tt> program. And this program just looks like:
+This forces all URLs prefixed with <CODE>xredirect:</CODE> to be piped through the
+<CODE>nph-xredirect.cgi</CODE> program. And this program just looks like:
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
<PRE>
print "</head>\n";
print "<body>\n";
print "<h1>Moved Temporarily (EXTENDED)</h1>\n";
-print "The document has moved <a href=\"$url\">here</a>.<p>\n";
+print "The document has moved <a HREF=\"$url\">here</a>.<p>\n";
print "</body>\n";
print "</html>\n";
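Review bot: The changed `print` line in the `nph-xredirect.cgi` listing still interpolates `$url` straight into an HTML attribute with no entity encoding, and the surrounding text states that no escaping is done on this path. Given that this release is about encoding server-generated output, the example should entity-encode `$url` (at least `&`, `<`, `>` and `"`) before printing it in the body. The case conversion has also reached into the script's output and left it mixed: `<a HREF=\"$url\">here</a>` has an upper-case attribute inside lower-case tags. Either revert this line or convert the whole tag.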
<P>
This provides you with the functionality to do redirects to all URL schemes,
i.e. including the one which are not directly accepted by mod_rewrite. For
-instance you can now also redirect to <tt>news:newsgroup</tt> via
+instance you can now also redirect to <CODE>news:newsgroup</CODE> via
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteRule ^anyurl xredirect:news:newsgroup
<P>
Notice: You have not to put [R] or [R,L] to the above rule because the
-<tt>xredirect:</tt> need to be expanded later by our special "pipe through"
+<CODE>xredirect:</CODE> need to be expanded later by our special "pipe through"
rule above.
</DL>
<DL>
<DT><STRONG>Description:</STRONG>
<DD>
-Do you know the great CPAN (Comprehensive Perl Archive Network) under <a
-href="http://www.perl.com/CPAN">http://www.perl.com/CPAN</a>? This does a
+Do you know the great CPAN (Comprehensive Perl Archive Network) under <A
+HREF="http://www.perl.com/CPAN">http://www.perl.com/CPAN</A>? This does a
redirect to one of several FTP servers around the world which carry a CPAN
mirror and is approximately near the location of the requesting client.
Actually this can be called an FTP access multiplexing service. While CPAN
RewriteEngine on
RewriteMap multiplex txt:/path/to/map.cxan
RewriteRule ^/CxAN/(.*) %{REMOTE_HOST}::$1 [C]
-RewriteRule ^.+\.<b>([a-zA-Z]+)</b>::(.*)$ ${multiplex:<b>$1</b>|ftp.default.dom}$2 [R,L]
+RewriteRule ^.+\.<STRONG>([a-zA-Z]+)</STRONG>::(.*)$ ${multiplex:<STRONG>$1</STRONG>|ftp.default.dom}$2 [R,L]
</PRE></TD></TR></TABLE>
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
<P>
<DT><STRONG>Solution:</STRONG>
<DD>
-There are a lot of variables named <tt>TIME_xxx</tt> for rewrite conditions.
+There are a lot of variables named <CODE>TIME_xxx</CODE> for rewrite conditions.
In conjunction with the special lexicographic comparison patterns <STRING,
>STRING and =STRING we can do time-dependend redirects:
</PRE></TD></TR></TABLE>
<P>
-This provides the content of <tt>foo.day.html</tt> under the URL
-<tt>foo.html</tt> from 07:00-19:00 and at the remaining time the contents of
-<tt>foo.night.html</tt>. Just a nice feature for a homepage...
+This provides the content of <CODE>foo.day.html</CODE> under the URL
+<CODE>foo.html</CODE> from 07:00-19:00 and at the remaining time the contents of
+<CODE>foo.night.html</CODE>. Just a nice feature for a homepage...
</DL>
<DL>
<DT><STRONG>Description:</STRONG>
<DD>
-Assume we have recently renamed the page <tt>bar.html</tt> to
-<tt>foo.html</tt> and now want to provide the old URL for backward
+Assume we have recently renamed the page <CODE>bar.html</CODE> to
+<CODE>foo.html</CODE> and now want to provide the old URL for backward
compatibility. Actually we want that users of the old URL even not recognize
that the pages was renamed.
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteEngine on
RewriteBase /~quux/
-RewriteRule ^<b>foo</b>\.html$ <b>bar</b>.html
+RewriteRule ^<STRONG>foo</STRONG>\.html$ <STRONG>bar</STRONG>.html
</PRE></TD></TR></TABLE>
</DL>
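Review bot: The rule `RewriteRule ^foo\.html$ bar.html` contradicts the description above it, which says the page was renamed from `bar.html` to `foo.html`. With that rename the old URL is `bar.html`, so pattern and substitution are swapped relative to the text. Since the patch rewrites both the description and the rule lines anyway, fix one of them here: either describe the rename as `foo.html` to `bar.html`, or rewrite `^bar\.html$` to `foo.html`. The `[R]` variant in the next section has the same mismatch.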
<DL>
<DT><STRONG>Description:</STRONG>
<DD>
-Assume again that we have recently renamed the page <tt>bar.html</tt> to
-<tt>foo.html</tt> and now want to provide the old URL for backward
+Assume again that we have recently renamed the page <CODE>bar.html</CODE> to
+<CODE>foo.html</CODE> and now want to provide the old URL for backward
compatibility. But this time we want that the users of the old URL get hinted
to the new one, i.e. their browsers Location field should change, too.
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteEngine on
RewriteBase /~quux/
-RewriteRule ^<b>foo</b>\.html$ <b>bar</b>.html [<b>R</b>]
+RewriteRule ^<STRONG>foo</STRONG>\.html$ <STRONG>bar</STRONG>.html [<STRONG>R</STRONG>]
</PRE></TD></TR></TABLE>
</DL>
We cannot use content negotiation because the browsers do not provide their
type in that form. Instead we have to act on the HTTP header "User-Agent".
The following condig does the following: If the HTTP header "User-Agent"
-begins with "Mozilla/3", the page <tt>foo.html</tt> is rewritten to
-<tt>foo.NS.html</tt> and and the rewriting stops. If the browser is "Lynx" or
-"Mozilla" of version 1 or 2 the URL becomes <tt>foo.20.html</tt>. All other
-browsers receive page <tt>foo.32.html</tt>. This is done by the following
+begins with "Mozilla/3", the page <CODE>foo.html</CODE> is rewritten to
+<CODE>foo.NS.html</CODE> and and the rewriting stops. If the browser is "Lynx" or
+"Mozilla" of version 1 or 2 the URL becomes <CODE>foo.20.html</CODE>. All other
+browsers receive page <CODE>foo.32.html</CODE>. This is done by the following
ruleset:
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
-RewriteCond %{HTTP_USER_AGENT} ^<b>Mozilla/3</b>.*
-RewriteRule ^foo\.html$ foo.<b>NS</b>.html [<b>L</b>]
+RewriteCond %{HTTP_USER_AGENT} ^<STRONG>Mozilla/3</STRONG>.*
+RewriteRule ^foo\.html$ foo.<STRONG>NS</STRONG>.html [<STRONG>L</STRONG>]
-RewriteCond %{HTTP_USER_AGENT} ^<b>Lynx/</b>.* [OR]
-RewriteCond %{HTTP_USER_AGENT} ^<b>Mozilla/[12]</b>.*
-RewriteRule ^foo\.html$ foo.<b>20</b>.html [<b>L</b>]
+RewriteCond %{HTTP_USER_AGENT} ^<STRONG>Lynx/</STRONG>.* [OR]
+RewriteCond %{HTTP_USER_AGENT} ^<STRONG>Mozilla/[12]</STRONG>.*
+RewriteRule ^foo\.html$ foo.<STRONG>20</STRONG>.html [<STRONG>L</STRONG>]
-RewriteRule ^foo\.html$ foo.<b>32</b>.html [<b>L</b>]
+RewriteRule ^foo\.html$ foo.<STRONG>32</STRONG>.html [<STRONG>L</STRONG>]
</PRE></TD></TR></TABLE>
</DL>
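Review bot: The added line `<CODE>foo.NS.html</CODE> and and the rewriting stops` carries the doubled "and" over from the old text, and the context line two above it still reads "condig" for "config". Both are worth fixing while these lines are being rewritten. The trailing `.*` in `^Mozilla/3.*`, `^Lynx/.*` and `^Mozilla/[12].*` is redundant after an anchored prefix and can be dropped to make the examples easier to read.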
<DT><STRONG>Description:</STRONG>
<DD>
Assume there are nice webpages on remote hosts we want to bring into our
-namespace. For FTP servers we would use the <tt>mirror</tt> program which
+namespace. For FTP servers we would use the <CODE>mirror</CODE> program which
actually maintains an explicit up-to-date copy of the remote data on the local
-machine. For a webserver we could use the program <tt>webcopy</tt> which acts
+machine. For a webserver we could use the program <CODE>webcopy</CODE> which acts
similar via HTTP. But both techniques have one major drawback: The local copy
is always just as up-to-date as often we run the program. It would be much
better if the mirror is not a static one we have to establish explicitly.
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteEngine on
RewriteBase /~quux/
-RewriteRule ^<b>hotsheet/</b>(.*)$ <b>http://www.tstimpreso.com/hotsheet/</b>$1 [<b>P</b>]
+RewriteRule ^<STRONG>hotsheet/</STRONG>(.*)$ <STRONG>http://www.tstimpreso.com/hotsheet/</STRONG>$1 [<STRONG>P</STRONG>]
</PRE></TD></TR></TABLE>
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteEngine on
RewriteBase /~quux/
-RewriteRule ^<b>usa-news\.html</b>$ <b>http://www.quux-corp.com/news/index.html</b> [<b>P</b>]
+RewriteRule ^<STRONG>usa-news\.html</STRONG>$ <STRONG>http://www.quux-corp.com/news/index.html</STRONG> [<STRONG>P</STRONG>]
</PRE></TD></TR></TABLE>
</DL>
<DT><STRONG>Description:</STRONG>
<DD>
This is a tricky way of virtually running a corporates (external) Internet
-webserver (<tt>www.quux-corp.dom</tt>), while actually keeping and maintaining
+webserver (<CODE>www.quux-corp.dom</CODE>), while actually keeping and maintaining
its data on a (internal) Intranet webserver
-(<tt>www2.quux-corp.dom</tt>) which is protected by a firewall. The
+(<CODE>www2.quux-corp.dom</CODE>) which is protected by a firewall. The
trick is that on the external webserver we retrieve the requested data
on-the-fly from the internal one.
firewall ruleset like the following:
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
-<b>ALLOW</b> Host www.quux-corp.dom Port >1024 --> Host www2.quux-corp.dom Port <b>80</b>
-<b>DENY</b> Host * Port * --> Host www2.quux-corp.dom Port <b>80</b>
+<STRONG>ALLOW</STRONG> Host www.quux-corp.dom Port >1024 --> Host www2.quux-corp.dom Port <STRONG>80</STRONG>
+<STRONG>DENY</STRONG> Host * Port * --> Host www2.quux-corp.dom Port <STRONG>80</STRONG>
</PRE></TD></TR></TABLE>
<P>
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteRule ^/~([^/]+)/?(.*) /home/$1/.www/$2
-RewriteCond %{REQUEST_FILENAME} <b>!-f</b>
-RewriteCond %{REQUEST_FILENAME} <b>!-d</b>
-RewriteRule ^/home/([^/]+)/.www/?(.*) http://<b>www2</b>.quux-corp.dom/~$1/pub/$2 [<b>P</b>]
+RewriteCond %{REQUEST_FILENAME} <STRONG>!-f</STRONG>
+RewriteCond %{REQUEST_FILENAME} <STRONG>!-d</STRONG>
+RewriteRule ^/home/([^/]+)/.www/?(.*) http://<STRONG>www2</STRONG>.quux-corp.dom/~$1/pub/$2 [<STRONG>P</STRONG>]
</PRE></TD></TR></TABLE>
</DL>
<DL>
<DT><STRONG>Description:</STRONG>
<DD>
-Suppose we want to load balance the traffic to <tt>www.foo.com</tt> over
-<tt>www[0-5].foo.com</tt> (a total of 6 servers). How can this be done?
+Suppose we want to load balance the traffic to <CODE>www.foo.com</CODE> over
+<CODE>www[0-5].foo.com</CODE> (a total of 6 servers). How can this be done?
<P>
<DT><STRONG>Solution:</STRONG>
a commonly known DNS-based variant and then the special one with mod_rewrite:
<ol>
-<li><b>DNS Round-Robin</b>
+<li><STRONG>DNS Round-Robin</STRONG>
<P>
The simplest method for load-balancing is to use the DNS round-robin feature
-of BIND. Here you just configure <tt>www[0-9].foo.com</tt> as usual in your
+of BIND. Here you just configure <CODE>www[0-9].foo.com</CODE> as usual in your
DNS with A(address) records, e.g.
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
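Review bot: The changed line `configure <CODE>www[0-9].foo.com</CODE> as usual` does not agree with the description, which sets up `www[0-5].foo.com` as "a total of 6 servers", and the text that follows says BIND hands out `www0-www6`, which is seven names. The patch touches all three lines, so pick one range and use it throughout; otherwise a reader copying the DNS example ends up with records for hosts that the proxy variant later in the list (`www1-www5`) never uses.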
<P>
Notice that this seems wrong, but is actually an intended feature of BIND and
-can be used in this way. However, now when <tt>www.foo.com</tt> gets resolved,
-BIND gives out <tt>www0-www6</tt> - but in a slightly permutated/rotated order
+can be used in this way. However, now when <CODE>www.foo.com</CODE> gets resolved,
+BIND gives out <CODE>www0-www6</CODE> - but in a slightly permutated/rotated order
every time. This way the clients are spread over the various servers.
But notice that this not a perfect load balancing scheme, because DNS resolve
information gets cached by the other nameservers on the net, so once a client
-has resolved <tt>www.foo.com</tt> to a particular <tt>wwwN.foo.com</tt>, all
-subsequent requests also go to this particular name <tt>wwwN.foo.com</tt>. But
+has resolved <CODE>www.foo.com</CODE> to a particular <CODE>wwwN.foo.com</CODE>, all
+subsequent requests also go to this particular name <CODE>wwwN.foo.com</CODE>. But
the final result is ok, because the total sum of the requests are really
spread over the various webservers.
<P>
-<li><b>DNS Load-Balancing</b>
+<li><STRONG>DNS Load-Balancing</STRONG>
<P>
A sophisticated DNS-based method for load-balancing is to use the program
-<tt>lbnamed</tt> which can be found at <a
-href="http://www.stanford.edu/~schemers/docs/lbnamed/lbnamed.html">http://www.stanford.edu/~schemers/docs/lbnamed/lbnamed.html</a>.
+<CODE>lbnamed</CODE> which can be found at <A
+HREF="http://www.stanford.edu/~schemers/docs/lbnamed/lbnamed.html">http://www.stanford.edu/~schemers/docs/lbnamed/lbnamed.html</A>.
It is a Perl 5 program in conjunction with auxilliary tools which provides a
real load-balancing for DNS.
<P>
-<li><b>Proxy Throughput Round-Robin</b>
+<li><STRONG>Proxy Throughput Round-Robin</STRONG>
<P>
In this variant we use mod_rewrite and its proxy throughput feature. First we
-dedicate <tt>www0.foo.com</tt> to be actually <tt>www.foo.com</tt> by using a
+dedicate <CODE>www0.foo.com</CODE> to be actually <CODE>www.foo.com</CODE> by using a
single
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
</PRE></TD></TR></TABLE>
<P>
-entry in the DNS. Then we convert <tt>www0.foo.com</tt> to a proxy-only
+entry in the DNS. Then we convert <CODE>www0.foo.com</CODE> to a proxy-only
server, i.e. we configure this machine so all arriving URLs are just pushed
-through the internal proxy to one of the 5 other servers (<tt>www1-www5</tt>).
+through the internal proxy to one of the 5 other servers (<CODE>www1-www5</CODE>).
To accomplish this we first establish a ruleset which contacts a load
-balancing script <tt>lb.pl</tt> for all URLs.
+balancing script <CODE>lb.pl</CODE> for all URLs.
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteEngine on
</PRE></TD></TR></TABLE>
<P>
-Then we write <tt>lb.pl</tt>:
+Then we write <CODE>lb.pl</CODE>:
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
#!/path/to/perl
</PRE></TD></TR></TABLE>
<P>
-A last notice: Why is this useful? Seems like <tt>www0.foo.com</tt> still is
+A last notice: Why is this useful? Seems like <CODE>www0.foo.com</CODE> still is
overloaded? The answer is yes, it is overloaded, but with plain proxy
throughput requests, only! All SSI, CGI, ePerl, etc. processing is completely
done on the other machines. This is the essential point.
<P>
-<li><b>Hardware/TCP Round-Robin</b>
+<li><STRONG>Hardware/TCP Round-Robin</STRONG>
<P>
There is a hardware solution available, too. Cisco has a beast called
feature for MIME-types is only appropriate when the CGI programs don't need
special URLs (actually PATH_INFO and QUERY_STRINGS) as their input.
-First, let us configure a new file type with extension <tt>.scgi</tt>
-(for secure CGI) which will be processed by the popular <tt>cgiwrap</tt>
+First, let us configure a new file type with extension <CODE>.scgi</CODE>
+(for secure CGI) which will be processed by the popular <CODE>cgiwrap</CODE>
program. The problem here is that for instance we use a Homogeneous URL Layout
(see above) a file inside the user homedirs has the URL
-<tt>/u/user/foo/bar.scgi</tt>. But <tt>cgiwrap</tt> needs the URL in the form
-<tt>/~user/foo/bar.scgi/</tt>. The following rule solves the problem:
+<CODE>/u/user/foo/bar.scgi</CODE>. But <CODE>cgiwrap</CODE> needs the URL in the form
+<CODE>/~user/foo/bar.scgi/</CODE>. The following rule solves the problem:
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
-RewriteRule ^/[uge]/<b>([^/]+)</b>/\.www/(.+)\.scgi(.*) ...
-... /internal/cgi/user/cgiwrap/~<b>$1</b>/$2.scgi$3 [NS,<b>T=application/x-http-cgi</b>]
+RewriteRule ^/[uge]/<STRONG>([^/]+)</STRONG>/\.www/(.+)\.scgi(.*) ...
+... /internal/cgi/user/cgiwrap/~<STRONG>$1</STRONG>/$2.scgi$3 [NS,<STRONG>T=application/x-http-cgi</STRONG>]
</PRE></TD></TR></TABLE>
<P>
Or assume we have some more nifty programs:
-<tt>wwwlog</tt> (which displays the <tt>access.log</tt> for a URL subtree and
-<tt>wwwidx</tt> (which runs Glimpse on a URL subtree). We have to
+<CODE>wwwlog</CODE> (which displays the <CODE>access.log</CODE> for a URL subtree and
+<CODE>wwwidx</CODE> (which runs Glimpse on a URL subtree). We have to
provide the URL area to these programs so they know on which area
they have to act on. But usually this ugly, because they are all the
times still requested from that areas, i.e. typically we would run
-the <tt>swwidx</tt> program from within <tt>/u/user/foo/</tt> via
+the <CODE>swwidx</CODE> program from within <CODE>/u/user/foo/</CODE> via
hyperlink to
<P><PRE>
/internal/cgi/user/swwidx?i=/u/user/foo/
</PRE><P>
-which is ugly. Because we have to hard-code <b>both</b> the location of the
-area <b>and</b> the location of the CGI inside the hyperlink. When we have to
+which is ugly. Because we have to hard-code <STRONG>both</STRONG> the location of the
+area <STRONG>and</STRONG> the location of the CGI inside the hyperlink. When we have to
reorganise or area, we spend a lot of time changing the various hyperlinks.
<P>
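Review bot: The `.scgi` rule forces `T=application/x-http-cgi`, while every other CGI example in this patch uses `T=application/x-httpd-cgi`. The version without the "d" looks like a typo and would leave the rewritten target without the CGI handler, so the re-tagged line should be corrected rather than only converted from `<b>` to `<STRONG>`. In the same hunk, the parenthesis opened at "(which displays the `access.log` for a URL subtree" is never closed, and the program is called `wwwidx` in one sentence and `swwidx` in the next and in the `/internal/cgi/user/swwidx?i=/u/user/foo/` link; the names should match.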
</PRE></TD></TR></TABLE>
<P>
-Now the hyperlink to search at <tt>/u/user/foo/</tt> reads only
+Now the hyperlink to search at <CODE>/u/user/foo/</CODE> reads only
<P><PRE>
-href="*"
+HREF="*"
</PRE><P>
which internally gets automatically transformed to
</PRE><P>
The same approach leads to an invocation for the access log CGI
-program when the hyperlink <tt>:log</tt> gets used.
+program when the hyperlink <CODE>:log</CODE> gets used.
</DL>
<DL>
<DT><STRONG>Description:</STRONG>
<DD>
-How can we transform a static page <tt>foo.html</tt> into a dynamic variant
-<tt>foo.cgi</tt> in a seemless way, i.e. without notice by the browser/user.
+How can we transform a static page <CODE>foo.html</CODE> into a dynamic variant
+<CODE>foo.cgi</CODE> in a seemless way, i.e. without notice by the browser/user.
<P>
<DT><STRONG>Solution:</STRONG>
<DD>
We just rewrite the URL to the CGI-script and force the correct MIME-type so
it gets really run as a CGI-script. This way a request to
-<tt>/~quux/foo.html</tt> internally leads to the invokation of
-<tt>/~quux/foo.cgi</tt>.
+<CODE>/~quux/foo.html</CODE> internally leads to the invokation of
+<CODE>/~quux/foo.cgi</CODE>.
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteEngine on
RewriteBase /~quux/
-RewriteRule ^foo\.<b>html</b>$ foo.<b>cgi</b> [T=<b>application/x-httpd-cgi</b>]
+RewriteRule ^foo\.<STRONG>html</STRONG>$ foo.<STRONG>cgi</STRONG> [T=<STRONG>application/x-httpd-cgi</STRONG>]
</PRE></TD></TR></TABLE>
</DL>
<DT><STRONG>Description:</STRONG>
<DD>
Here comes a really esoteric feature: Dynamically generated but statically
-served pages, i.e. pages should be delivered as pur static pages (read from
+served pages, i.e. pages should be delivered as pure static pages (read from
the filesystem and just passed through), but they have to be generated
dynamically by the webserver if missing. This way you can have CGI-generated
-pages which are statically unless one (or a cronjob) removes the static
+pages which are statically served unless one (or a cronjob) removes the static
contents. Then the contents gets refreshed.
<P>
This is done via the following ruleset:
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
-RewriteCond %{REQUEST_FILENAME} <b>!-s</b>
-RewriteCond ^page\.<b>html</b>$ page.<b>cgi</b> [T=application/x-httpd-cgi,L]
+RewriteCond %{REQUEST_FILENAME} <STRONG>!-s</STRONG>
+RewriteRule ^page\.<STRONG>html</STRONG>$ page.<STRONG>cgi</STRONG> [T=application/x-httpd-cgi,L]
</PRE></TD></TR></TABLE>
<P>
-Here a request to <tt>page.html</tt> leads to a internal run of a
-corresponding <tt>page.cgi</tt> if <tt>page.html</tt> is still missing or has
-filesize null. The trick here is that <tt>page.cgi</tt> is a usual CGI script
+Here a request to <CODE>page.html</CODE> leads to a internal run of a
+corresponding <CODE>page.cgi</CODE> if <CODE>page.html</CODE> is still missing or has
+filesize null. The trick here is that <CODE>page.cgi</CODE> is a usual CGI script
which (additionally to its STDOUT) writes its output to the file
-<tt>page.html</tt>. Once it was run, the server sends out the data of
-<tt>page.html</tt>. When the webmaster wants to force a refresh the contents,
-he just removes <tt>page.html</tt> (usually done by a cronjob).
+<CODE>page.html</CODE>. Once it was run, the server sends out the data of
+<CODE>page.html</CODE>. When the webmaster wants to force a refresh the contents,
+he just removes <CODE>page.html</CODE> (usually done by a cronjob).
</DL>
<DD>
No! We just combine the MIME multipart feature, the webserver NPH feature and
the URL manipulation power of mod_rewrite. First, we establish a new URL
-feature: Adding just <tt>:refresh</tt> to any URL causes this to be refreshed
+feature: Adding just <CODE>:refresh</CODE> to any URL causes this to be refreshed
every time it gets updated on the filesystem.
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
<DL>
<DT><STRONG>Description:</STRONG>
<DD>
-The <tt><VirtualHost></tt> feature of Apache is nice and works great
+The <CODE><VirtualHost></CODE> feature of Apache is nice and works great
when you just have a few dozens virtual hosts. But when you are an ISP and
have hundreds of virtual hosts to provide this feature is not the best choice.
<DT><STRONG>Description:</STRONG>
<DD>
How can we block a really annoying robot from retrieving pages of a specific
-webarea? A <tt>/robots.txt</tt> file containing entries of the "Robot
+webarea? A <CODE>/robots.txt</CODE> file containing entries of the "Robot
Exclusion Protocol" is typically not enough to get rid of such a robot.
<P>
<DT><STRONG>Solution:</STRONG>
<DD>
We use a ruleset which forbids the URLs of the webarea
-<tt>/~quux/foo/arc/</tt> (perhaps a very deep directory indexed area where the
+<CODE>/~quux/foo/arc/</CODE> (perhaps a very deep directory indexed area where the
robot traversal would create big server load). We have to make sure that we
forbid access only to the particular robot, i.e. just forbidding the host
where the robot runs is not enough. This would block users from this host,
information.
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
-RewriteCond %{HTTP_USER_AGENT} ^<b>NameOfBadRobot</b>.*
-RewriteCond %{REMOTE_ADDR} ^<b>123\.45\.67\.[8-9]</b>$
-RewriteRule ^<b>/~quux/foo/arc/</b>.+ - [<b>F</b>]
+RewriteCond %{HTTP_USER_AGENT} ^<STRONG>NameOfBadRobot</STRONG>.*
+RewriteCond %{REMOTE_ADDR} ^<STRONG>123\.45\.67\.[8-9]</STRONG>$
+RewriteRule ^<STRONG>/~quux/foo/arc/</STRONG>.+ - [<STRONG>F</STRONG>]
</PRE></TD></TR></TABLE>
</DL>
a HTTP Referer header.
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
-RewriteCond %{HTTP_REFERER} <b>!^$</b>
+RewriteCond %{HTTP_REFERER} <STRONG>!^$</STRONG>
RewriteCond %{HTTP_REFERER} !^http://www.quux-corp.de/~quux/.*$ [NC]
-RewriteRule <b>.*\.gif$</b> - [F]
+RewriteRule <STRONG>.*\.gif$</STRONG> - [F]
</PRE></TD></TR></TABLE>
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !.*/foo-with-gif\.html$
-RewriteRule <b>^inlined-in-foo\.gif$</b> - [F]
+RewriteRule <STRONG>^inlined-in-foo\.gif$</STRONG> - [F]
</PRE></TD></TR></TABLE>
</DL>
<DT><STRONG>Solution:</STRONG>
<DD>
We first have to make sure mod_rewrite is below(!) mod_proxy in the
-<tt>Configuration</tt> file when compiling the Apache webserver. This way it
+<CODE>Configuration</CODE> file when compiling the Apache webserver. This way it
gets called _before_ mod_proxy. Then we configure the following for a
host-dependend deny...
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
-RewriteCond %{REMOTE_HOST} <b>^badhost\.mydomain\.com$</b>
+RewriteCond %{REMOTE_HOST} <STRONG>^badhost\.mydomain\.com$</STRONG>
RewriteRule !^http://[^/.]\.mydomain.com.* - [F]
</PRE></TD></TR></TABLE>
<P>...and this one for a user@host-dependend deny:
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
-RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST} <b>^badguy@badhost\.mydomain\.com$</b>
+RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST} <STRONG>^badguy@badhost\.mydomain\.com$</STRONG>
RewriteRule !^http://[^/.]\.mydomain.com.* - [F]
</PRE></TD></TR></TABLE>
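Review bot: The unchanged rule `RewriteRule !^http://[^/.]\.mydomain.com.* - [F]`, which follows both conditions in this hunk, has a character class without a quantifier, so `[^/.]` matches exactly one character and only single-letter host names under the domain escape the deny. `[^/.]+` appears to be what was intended. The dot in `mydomain.com` is also unescaped in the rule, although it is escaped in the `RewriteCond` lines this patch re-tags, so the exemption matches more than the literal domain. Since this is presented as an access restriction for the proxy, tighten the pattern to `!^http://[^/.]+\.mydomain\.com` in the same change. "host-dependend" in the context lines should read "host-dependent".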
We use a list of rewrite conditions to exclude all except our friends:
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
-RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST} <b>!^friend1@client1.quux-corp\.com$</b>
-RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST} <b>!^friend2</b>@client2.quux-corp\.com$
-RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST} <b>!^friend3</b>@client3.quux-corp\.com$
+RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST} <STRONG>!^friend1@client1.quux-corp\.com$</STRONG>
+RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST} <STRONG>!^friend2</STRONG>@client2.quux-corp\.com$
+RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST} <STRONG>!^friend3</STRONG>@client3.quux-corp\.com$
RewriteRule ^/~quux/only-for-friends/ - [F]
</PRE></TD></TR></TABLE>
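Review bot: The three re-tagged conditions are inconsistent with each other: the first wraps the whole pattern in `<STRONG>`, the other two only wrap `!^friend2` and `!^friend3`, and all three leave the dot in `client1.quux-corp`, `client2.quux-corp` and `client3.quux-corp` unescaped while escaping `\.com`. Escape every dot and mark up the same span on each line. It would also help to add a sentence noting that `%{REMOTE_IDENT}` is whatever the client's ident service reports, so this ruleset is a convenience filter and not authentication for `/~quux/only-for-friends/`.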
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
RewriteEngine on
-RewriteMap quux-map <b>prg:</b>/path/to/map.quux.pl
-RewriteRule ^/~quux/(.*)$ /~quux/<b>${quux-map:$1}</b>
+RewriteMap quux-map <STRONG>prg:</STRONG>/path/to/map.quux.pl
+RewriteRule ^/~quux/(.*)$ /~quux/<STRONG>${quux-map:$1}</STRONG>
</PRE></TD></TR></TABLE>
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0" CELLPADDING="5"><TR><TD><PRE>
<P>
This is a demonstration-only example and just rewrites all URLs
-<tt>/~quux/foo/...</tt> to <tt>/~quux/bar/...</tt>. Actually you can program
-whatever you like. But notice that while such maps can be <b>used</b> also by
-an average user, only the system administrator can <b>define</b> it.
+<CODE>/~quux/foo/...</CODE> to <CODE>/~quux/bar/...</CODE>. Actually you can program
+whatever you like. But notice that while such maps can be <STRONG>used</STRONG> also by
+an average user, only the system administrator can <STRONG>define</STRONG> it.
</DL>
<UL>
<LI><A HREF="#accessconfig">AccessConfig</A>
<LI><A HREF="#accessfilename">AccessFileName</A>
+<LI><A HREF="#adddefaultcharset">AddDefaultCharset</A>
<LI><A HREF="#addmodule">AddModule</A>
<LI><A HREF="#allowoverride">AllowOverride</A>
<LI><A HREF="#authname">AuthName</A>
AllowOverride None<BR>
</Directory></CODE></BLOCKQUOTE><P><HR>
+<H2><A NAME="adddefaultcharset">AddDefaultCharset directive</A></H2>
+<A HREF="directive-dict.html#Syntax" REL="Help"><STRONG>Syntax:</STRONG></A>
+AddDefaultCharset <EM>Off / On / charset</EM><BR>
+<A HREF="directive-dict.html#Context" REL="Help" ><STRONG>Context:</STRONG></A>
+all<BR>
+<A HREF="directive-dict.html#Status" REL="Help" ><STRONG>Status:</STRONG></A>
+core<BR>
+<A HREF="directive-dict.html#Default" REL="Help"><STRONG>Default:</STRONG></A>
+<CODE>AddDefaultCharset Off</CODE><BR>
+<A HREF="directive-dict.html#Compatibility" REL="Help"><STRONG>Compatibility:
+</STRONG></A> AddDefaultCharset is only available in Apache 1.3.12 and
+later<P>
+This directive specifies the name of the character set that will be added
+to any response that does not have any parameter on the content
+type in the HTTP headers. This will override any character set specified
+in the body of the document via a <CODE>META</CODE> tag. A setting
+of <CODE>AddDefaultCharset Off</CODE> disables this functionality.
+<CODE>AddDefaultCharset On</CODE> enables Apache's internal
+default charset of <code>iso-8859-1</code> as required by the
+directive. You can also specify an alternate charset to be used;
+e.g. <code>AddDefaultCharset utf-8</code>.
+<P><HR>
+
<H2><A NAME="addmodule">AddModule directive</A></H2>
<!--%plaintext <?INDEX {\tt AddModule} directive> -->
<A
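Review bot: The sentence "enables Apache's internal default charset of iso-8859-1 as required by the directive" is circular: the directive cannot be the thing that requires the default, so name the actual source of the requirement or drop the clause. The added text also uses lower-case `<code>` for `iso-8859-1` and `AddDefaultCharset utf-8` while the rest of this patch converts markup to upper-case `<CODE>`. Two further documentation gaps: "does not have any parameter on the content type" should say which parameter is checked, and the entry never says why an administrator would turn this on, although the release notes tie it to the cross site scripting advisory. One sentence linking to that page would make the security purpose clear.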
<LI><A HREF="mod_autoindex.html#addalt">AddAlt</A>
<LI><A HREF="mod_autoindex.html#addaltbyencoding">AddAltByEncoding</A>
<LI><A HREF="mod_autoindex.html#addaltbytype">AddAltByType</A>
+<LI><A HREF="mod_mime.html#addcharset">AddCharset</A>
+<LI><A HREF="core.html#adddefaultcharset">AddDefaultCharset</A>
<LI><A HREF="mod_autoindex.html#adddescription">AddDescription</A>
<LI><A HREF="mod_mime.html#addencoding">AddEncoding</A>
<LI><A HREF="mod_mime.html#addhandler">AddHandler</A>
routine when printing dates.
</DL>
+<A NAME="echo">
<DT><STRONG>echo</STRONG>
<DD>
This command prints one of the include variables, defined below.
If the variable is unset, it is printed as <CODE>(none)</CODE>.
Any dates printed are subject to the currently configured <CODE>timefmt</CODE>.
+
Attributes:
<DL>
<DT>var
<DD>The value is the name of the variable to print.
+<DT>encoding
+<DD>Specifies how Apache should encode special characters contained
+in the variable before outputting them. If set to "none", no encoding
+will be done. If set to "url", then URL encoding (also known as
+%-encoding; this is appropriate for use within URLs in links, etc.)
+will be performed. At the start of an <CODE>echo</CODE> element,
+the default is set to "entity", resulting in entity encoding (which
+is appropriate in the context of a block-level HTML element, eg.
+a paragraph of text). This can be changed by adding an
+<CODE>encoding</CODE> attribute, which will remain in effect until
+the next <CODE>encoding</CODE> attribute is encountered or the
+element ends, whichever comes first. Note that the
+<CODE>encoding</CODE> attribute must <EM>precede</EM> the corresponding
+<CODE>var</CODE> attribute to be effective, and that only special
+characters as defined in the ISO-8859-1 character encoding will be
+encoded. This encoding process may not have the desired result if
+a different character encoding is in use.
+Apache 1.3.12 and above; previous versions do no encoding.
+
</DL>
<DT><STRONG>exec</STRONG>
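Review bot: The added A NAME="echo" anchor is opened but never closed in this hunk, and it sits between the closing DL and the following DT; put the anchor around the term inside the DT and close it there. Separately, the rule that the encoding attribute must precede var is buried in the middle of a long paragraph. By this text, an encoding attribute placed after var is not effective for that variable, so one example line with the attributes in the right order would make it hard to miss. The version sentence "Apache 1.3.12 and above; previous versions do no encoding." also runs straight on from the preceding sentence without a break.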
<DT><STRONG>printenv</STRONG>
<DD>This prints out a listing of all existing variables and their values.
- No attributes.
+ Starting with Apache 1.3.12, special characters are entity encoded (see the
+ <A HREF="#echo"><CODE>echo</CODE></A> element for details) before being
+ output. No attributes.
<DD>For example: <CODE><!--#printenv --></CODE>
<DD>Apache 1.2 and above.
</pre>
<P>
-Then the document <samp>xxxx.ja.jis</samp> will be treated as being a
+Then the document <CODE>xxxx.ja.jis</CODE> will be treated as being a
Japanese document whose charset is ISO-2022-JP (as will the document
-<samp>xxxx.jis.ja</samp>). Although the content charset is reported to
-the client, the browser is unlikely to use this information. The
-AddCharset directive is more useful for
-<A HREF="../content-negotiation.html">content negotiation</A>, where
+<CODE>xxxx.jis.ja</CODE>). The AddCharset directive is useful for both
+to inform the client about the character encoding of the document so
+that the document can be interpreted and displayed appropriately, and
+for <A HREF="../content-negotiation.html">content negotiation</A>, where
the server returns one from several documents based on the client's
charset preference.
</P>
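Review bot: The rewritten sentence "The AddCharset directive is useful for both to inform the client ... and for content negotiation" mixes two constructions ("for both to inform"). Suggest "is useful both for informing the client about the character encoding of the document, so that it can be interpreted and displayed appropriately, and for content negotiation".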
<P>
This module operates on the full URLs (including the path-info part) both in
per-server context (<CODE>httpd.conf</CODE>) and per-directory context
-(<CODE>.htaccess</CODE>) and even can generate query-string parts on result.
+(<CODE>.htaccess</CODE>) and can even generate query-string parts on result.
The rewritten result can lead to internal sub-processing, external request
redirection or even to an internal proxy throughput.
<P>
But all this functionality and flexibility has its drawback: complexity. So
-don't expect to understand this module in its whole in just one day.
+don't expect to understand this entire module in just one day.
<P>
This module was invented and originally written in April 1996<BR>
First you have to understand that when Apache processes a HTTP request it does
this in phases. A hook for each of these phases is provided by the Apache API.
Mod_rewrite uses two of these hooks: the URL-to-filename translation hook
-which is used after the HTTP request was read and before any authorization
+which is used after the HTTP request has been read but before any authorization
starts and the Fixup hook which is triggered after the authorization phases
-and after the per-directory config files (<CODE>.htaccess</CODE>) where read,
-but before the content handler is activated.
+and after the per-directory config files (<CODE>.htaccess</CODE>) have been
+read, but before the content handler is activated.
<P>
So, after a request comes in and Apache has determined the corresponding
-server (or virtual server) the rewriting engine start processing of all
+server (or virtual server) the rewriting engine starts processing of all
mod_rewrite directives from the per-server configuration in the
URL-to-filename phase. A few steps later when the final data directories are
found, the per-directory configuration directives of mod_rewrite are triggered
-in the Fixup phase. In both situations mod_rewrite either rewrites URLs to new
+in the Fixup phase. In both situations mod_rewrite rewrites URLs either to new
URLs or to filenames, although there is no obvious distinction between them.
-This is a usage of the API which was not intended this way when the API
+This is a usage of the API which was not intended to be this way when the API
was designed, but as of Apache 1.x this is the only way mod_rewrite can
operate. To make this point more clear remember the following two points:
<OL>
-<LI>The API currently provides only a URL-to-filename hook. Although
- mod_rewrite rewrites URLs to URLs, URLs to filenames and even
- filenames to filenames. In Apache 2.0 the two missing hooks
- will be added to make the processing more clear. But this
- point has no drawbacks for the user, it is just a fact which
- should be remembered: Apache does more in the URL-to-filename hook
- then the API intends for it.
+<LI>Although mod_rewrite rewrites URLs to URLs, URLs to filenames and
+ even filenames to filenames, the API currently provides only a
+ URL-to-filename hook. In Apache 2.0 the two missing hooks will be
+ added to make the processing more clear. But this point has no
+ drawbacks for the user, it is just a fact which should be
+ remembered: Apache does more in the URL-to-filename hook than the
+ API intends for it.
<P>
<LI>Unbelievably mod_rewrite provides URL manipulations in per-directory
- context, <EM>i.e.</EM>, within <CODE>.htaccess</CODE> files, although
- these are
- reached a very long time after the URLs were translated to filenames (this
- has to be this way, because <CODE>.htaccess</CODE> files stay in the
- filesystem, so processing has already been reached this stage of
- processing). In other words: According to the API phases at this time it
- is too late for any URL manipulations. To overcome this chicken and egg
- problem mod_rewrite uses a trick: When you manipulate a URL/filename in
- per-directory context mod_rewrite first rewrites the filename back to its
- corresponding URL (which it usually impossible, but see the
- <CODE>RewriteBase</CODE> directive below for the trick to achieve this)
- and then initiates a new internal sub-request with the new URL. This leads
- to a new processing of the API phases from the beginning.
+ context, <EM>i.e.</EM>, within <CODE>.htaccess</CODE> files,
+ although these are reached a very long time after the URLs have
+ been translated to filenames. It has to be this way because
+ <CODE>.htaccess</CODE> files live in the filesystem, so processing
+ has already reached this stage. In other words: According to the
+ API phases at this time it is too late for any URL manipulations.
+ To overcome this chicken and egg problem mod_rewrite uses a trick:
+ When you manipulate a URL/filename in per-directory context
+ mod_rewrite first rewrites the filename back to its corresponding
+ URL (which is usually impossible, but see the <CODE>RewriteBase</CODE>
+ directive below for the trick to achieve this) and then initiates
+ a new internal sub-request with the new URL. This restarts
+ processing of the API phases.
<P>
Again mod_rewrite tries hard to make this complicated step totally
transparent to the user, but you should remember here: While URL
Now when mod_rewrite is triggered in these two API phases, it reads the
configured rulesets from its configuration structure (which itself was either
-created on startup for per-server context or while the directory walk of the
+created on startup for per-server context or during the directory walk of the
Apache kernel for per-directory context). Then the URL rewriting engine is
started with the contained ruleset (one or more rules together with their
conditions). The operation of the URL rewriting engine itself is exactly the
-same for both configuration contexts. Just the final result processing is
+same for both configuration contexts. Only the final result processing is
different.
<P>
The order of rules in the ruleset is important because the rewriting engine
-processes them in a special order. And this order is not very obvious. The
+processes them in a special (and not very obvious) order. The
rule is this: The rewriting engine loops through the ruleset rule by rule
-(<CODE>RewriteRule</CODE> directives!) and when a particular rule matched it
+(<CODE>RewriteRule</CODE> directives) and when a particular rule matches it
optionally loops through existing corresponding conditions
-(<CODE>RewriteCond</CODE> directives). Because of historical reasons the
-conditions are given first, the control flow is a little bit winded. See
+(<CODE>RewriteCond</CODE> directives). For historical reasons the conditions
+are given first, and so the control flow is a little bit long-winded. See
Figure 1 for more details.
<P>
<P>
As you can see, first the URL is matched against the <EM>Pattern</EM> of each
rule. When it fails mod_rewrite immediately stops processing this rule and
-continues with the next rule. If the <EM>Pattern</EM> matched, mod_rewrite
+continues with the next rule. If the <EM>Pattern</EM> matches, mod_rewrite
looks for corresponding rule conditions. If none are present, it just
substitutes the URL with a new value which is constructed from the string
-<EM>Substitution</EM> and goes on with its rule-looping. But
-if conditions exists, it starts an inner loop for processing them in order
-they are listed. For conditions the logic is different: We don't match a
+<EM>Substitution</EM> and goes on with its rule-looping. But if conditions
+exist, it starts an inner loop for processing them in the order that
+they are listed. For conditions the logic is different: we don't match a
pattern against the current URL. Instead we first create a string
<EM>TestString</EM> by expanding variables, back-references, map lookups,
<EM>etc.</EM> and then we try to match <EM>CondPattern</EM> against it. If the
pattern doesn't match, the complete set of conditions and the corresponding
rule fails. If the pattern matches, then the next condition is processed
-until no more condition is available. If all conditions matched processing is
-continued with the substitution of the URL with <EM>Substitution</EM>.
+until no more conditions are available. If all conditions match, processing
+is continued with the substitution of the URL with <EM>Substitution</EM>.
<H2><A NAME="InternalBackRefs">Regex Back-Reference Availability</A></H2>
One important thing here has to be remembered: Whenever you
-use parenthesis in <EM>Pattern</EM> or in one of the <EM>CondPattern</EM>
-back-reference are internally created which can be used with the
-strings <CODE>$N</CODE> and <CODE>%N</CODE> (see below). And these
+use parentheses in <EM>Pattern</EM> or in one of the <EM>CondPattern</EM>
+back-references are internally created which can be used with the
+strings <CODE>$N</CODE> and <CODE>%N</CODE> (see below). These
are available for creating the strings <EM>Substitution</EM> and
-<EM>TestCond</EM>. Figure 2 shows at which locations the back-references are
-transfered to for expansion.
+<EM>TestCond</EM>. Figure 2 shows to which locations the back-references are
+transfered for expansion.
<P>
<DIV ALIGN=CENTER>
</DIV>
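Review bot: The replacement lines keep the misspelling "transfered" (should be "transferred"). They also still name the string TestCond, although the processing description earlier in this file calls it TestString. Fix both while this sentence is being touched.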
<P>
-We know, this was a crash course of mod_rewrite's internal processing. But
+We know this was a crash course on mod_rewrite's internal processing. But
you will benefit from this knowledge when reading the following documentation
of the available directives.
<P>
Use this directive to disable the module instead of commenting out
-all <CODE>RewriteRule</CODE> directives!
+all the <CODE>RewriteRule</CODE> directives!
<P>
Note that, by default, rewrite configurations are not inherited.
This means that you need to have a <CODE>RewriteEngine on</CODE>
-directive for each virtual host you wish to use it in.
+directive for each virtual host in which you wish to use it.
<P>
<HR NOSHADE SIZE=1>
<LI>'<STRONG><CODE>inherit</CODE></STRONG>'<BR>
This forces the current configuration to inherit the configuration of the
parent. In per-virtual-server context this means that the maps,
- conditions and rules of the main server gets inherited. In per-directory
+ conditions and rules of the main server are inherited. In per-directory
context this means that conditions and rules of the parent directory's
- <CODE>.htaccess</CODE> configuration gets inherited.
+ <CODE>.htaccess</CODE> configuration are inherited.
</UL>
<P>
<P>
<TABLE WIDTH="70%" BORDER=0 BGCOLOR="#E0E0F0" CELLSPACING=0 CELLPADDING=10>
<TR><TD>
-<STRONG>Notice</STRONG>: To disable the logging of rewriting actions it is
+<STRONG>Note</STRONG>: To disable the logging of rewriting actions it is
not recommended to set <EM>Filename</EM>
to <CODE>/dev/null</CODE>, because although the rewriting engine does
-not create output to a logfile it still creates the logfile
+not then output to a logfile it still creates the logfile
output internally. <STRONG>This will slow down the server with no advantage
to the administrator!</STRONG>
To disable logging either remove or comment out the
><STRONG>Compatibility:</STRONG></A> Apache 1.2<BR>
<P>
-The <CODE>RewriteLogLevel</CODE> directive set the verbosity level of the
+The <CODE>RewriteLogLevel</CODE> directive sets the verbosity level of the
rewriting
logfile. The default level 0 means no logging, while 9 or more means
that practically all actions are logged.
<TABLE WIDTH="70%" BORDER=0 BGCOLOR="#E0E0F0" CELLSPACING=0 CELLPADDING=10>
<TR><TD>
<STRONG>Notice:</STRONG> Using a high value for <EM>Level</EM> will slow down
-your Apache
-server dramatically! Use the rewriting logfile only for debugging or at least
-at <EM>Level</EM> not greater than 2!
+your Apache server dramatically! Use the rewriting logfile at
+a <EM>Level</EM> greater than 2 only for debugging!
</TD></TR>
</TABLE>
mod_rewrite needs to communicate with <SAMP>RewriteMap</SAMP>
<EM>programs</EM>. Set this lockfile to a local path (not on a NFS-mounted
device) when you want to use a rewriting map-program. It is not required for
-all other types of rewriting maps.
+other types of rewriting maps.
<P>
<HR NOSHADE SIZE=1>
is consulted and the key <EM>LookupKey</EM> is looked-up. If the key is
found, the map-function construct is substituted by <EM>SubstValue</EM>. If
the key is not found then it is substituted by <EM>DefaultValue</EM> or
-the empty string if no <EM>DefaultValue</EM> was specified.
+by the empty string if no <EM>DefaultValue</EM> was specified.
<P>
The following combinations for <EM>MapType</EM> and <EM>MapSource</EM>
special
post-processing feature: After looking up a value it is parsed according
to contained ``<CODE>|</CODE>'' characters which have the meaning of
- ``or''. Or
- in other words: they indicate a set of alternatives from which the actual
+ ``or''.
+ In other words they indicate a set of alternatives from which the actual
returned value is chosen randomly. Although this sounds crazy and useless,
it
was actually designed for load balancing in a reverse proxy situation where
MapType: <CODE>prg</CODE>, MapSource: Unix filesystem path to valid
regular file
<P>
- Here the source is a Unix program, not a map file. To create it you can use
- the language of your choice, but the result has to be a run-able Unix
+ Here the source is a program, not a map file. To create it you
+ can use the language of your choice, but the result has to be a
executable (<EM>i.e.</EM>, either object-code or a script with the
- magic cookie trick '<CODE>#!/path/to/interpreter</CODE>' as the first
- line).
+ magic cookie trick '<CODE>#!/path/to/interpreter</CODE>' as the
+ first line).
<P>
- This program gets started once at startup of the Apache servers and then
+ This program is started once at startup of the Apache servers and then
communicates with the rewriting engine over its <CODE>stdin</CODE> and
<CODE>stdout</CODE> file-handles. For each map-function lookup it will
receive the key to lookup as a newline-terminated string on
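Review bot: Dropping "run-able Unix" leaves the new line ending in "the result has to be a", followed by the unchanged line that starts with "executable", so the text now reads "a executable". Change the article to "an".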
#!/usr/bin/perl
$| = 1;
while (<STDIN>) {
- # ...here any transformations
- # or lookups should occur...
+ # ...put here any transformations or lookups...
print $_;
}
</PRE></TD></TR>
<P>
But be very careful:<BR>
<OL>
- <LI>``<EM>Keep the program simple, stupid</EM>'' (KISS), because
- if this program hangs it will lead to a hang of the Apache server
+ <LI>``<EM>Keep it simple, stupid</EM>'' (KISS), because
+ if this program hangs it will hang the Apache server
when the rule occurs.
<LI>Avoid one common mistake: never do buffered I/O on <CODE>stdout</CODE>!
This will cause a deadloop! Hence the ``<CODE>$|=1</CODE>'' in the
above example...
<LI>Use the <SAMP>RewriteLock</SAMP> directive to define a lockfile
mod_rewrite can use to synchronize the communication to the program.
- Per default no such synchronization takes place.
+ By default no such synchronization takes place.
</OL>
</UL>
<P>
<TABLE WIDTH="70%" BORDER=0 BGCOLOR="#E0E0F0" CELLSPACING=0 CELLPADDING=10>
<TR><TD>
-<STRONG>Notice:</STRONG> For plain text and DBM format files the looked-up
+<STRONG>Note:</STRONG> For plain text and DBM format files the looked-up
keys are cached in-core
until the <CODE>mtime</CODE> of the mapfile changes or the server does a
restart. This way you can have map-functions in rules which are used
used in per-directory config files (<CODE>.htaccess</CODE>). There it will act
locally, <EM>i.e.</EM>, the local directory prefix is stripped at this stage of
processing and your rewriting rules act only on the remainder. At the end
-it is automatically added.
+it is automatically added back to the path.
<P>
When a substitution occurs for a new URL, this module has to re-inject the URL
into the server processing. To be able to do this it needs to know what the
corresponding URL-prefix or URL-base is. By default this prefix is the
corresponding filepath itself. <STRONG>But at most websites URLs are
-<STRONG>NOT</STRONG> directly related to physical filename paths, so this
-assumption will be usually be wrong!</STRONG> There you have to use the
+NOT directly related to physical filename paths, so this
+assumption will usually be wrong!</STRONG> There you have to use the
<CODE>RewriteBase</CODE> directive to specify the correct URL-prefix.
<P>
RewriteEngine On
-# let the server know that we are reached via /xyz and not
+# let the server know that we were reached via /xyz and not
# via the physical path prefix /abc/def
RewriteBase /xyz
<TABLE WIDTH="70%" BORDER=0 BGCOLOR="#E0E0F0" CELLSPACING=0 CELLPADDING=10>
<TR><TD>
<FONT SIZE=-1>
-<STRONG>Notice - For the Apache hackers:</STRONG><BR>
+<STRONG>Note - For Apache hackers:</STRONG><BR>
The following list gives detailed information about the internal
processing steps:
because the per-directory rewriting comes too late in the process. So,
when it occurs the (rewritten) request has to be re-injected into the Apache
kernel! BUT: While this seems like a serious overhead, it really isn't, because
-this re-injection happens fully internal to the Apache server and the same
+this re-injection happens fully internally to the Apache server and the same
procedure is used by many other operations inside Apache. So, you can be
sure the design and implementation is correct.
</FONT>
<CODE>%N</CODE>
</STRONG></BLOCKQUOTE>
-(1 <= N <= 9) which provide access to the grouped parts (parenthesis!) of
+(1 <= N <= 9) which provide access to the grouped parts (parentheses!) of
the pattern from the last matched <CODE>RewriteCond</CODE> directive in the
current bunch of conditions.
</STRONG></BLOCKQUOTE>
where <EM>NAME_OF_VARIABLE</EM> can be a string
-of the following list:
+taken from the following list:
<P>
<TABLE BGCOLOR="#F0F0F0" CELLSPACING=0 CELLPADDING=5>
<P>
<TABLE WIDTH="70%" BORDER=0 BGCOLOR="#E0E0F0" CELLSPACING=0 CELLPADDING=10>
<TR><TD>
-<STRONG>Notice:</STRONG> These variables all correspond to the similar named
+<STRONG>Notice:</STRONG> These variables all correspond to the similarly named
HTTP MIME-headers, C variables of the Apache server or <CODE>struct tm</CODE>
fields of the Unix system.
</TD></TR>
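Review bot: This line is edited but keeps the "Notice:" label, while other boxes in the same patch are renamed to "Note:" (the RewriteLog box and the map-caching box). The RewriteLogLevel box and the CondPattern tests box are also left as "Notice:". Pick one label and apply it to every box.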
<LI>There is the special format <CODE>%{LA-U:variable}</CODE> for look-aheads
which perform an internal (URL-based) sub-request to determine the final value
of <EM>variable</EM>. Use this when you want to use a variable for rewriting
-which actually is set later in an API phase and thus is not available at the
+which is actually set later in an API phase and thus is not available at the
current stage. For instance when you want to rewrite according to the
<CODE>REMOTE_USER</CODE> variable from within the per-server context
(<CODE>httpd.conf</CODE> file) you have to use <CODE>%{LA-U:REMOTE_USER}</CODE>
<CODE>%{REMOTE_USER}</CODE> there.
<P>
-<LI>There is the special format: <CODE>%{LA-F:variable}</CODE> which perform an
+<LI>There is the special format: <CODE>%{LA-F:variable}</CODE> which performs an
internal (filename-based) sub-request to determine the final value of
-<EM>variable</EM>. This is the most of the time the same as LA-U above.
+<EM>variable</EM>. Most of the time this is the same as LA-U above.
</OL>
<P>
<EM>CondPattern</EM> is the condition pattern, <EM>i.e.</EM>, a regular
expression
-which gets applied to the current instance of the <EM>TestString</EM>,
-<EM>i.e.</EM>, <EM>TestString</EM> gets evaluated and then matched against
+which is applied to the current instance of the <EM>TestString</EM>,
+<EM>i.e.</EM>, <EM>TestString</EM> is evaluated and then matched against
<EM>CondPattern</EM>.
<P>
<EM>Extended Regular Expression</EM> with some additions:
<OL>
-<LI>You can precede the pattern string with a '<CODE>!</CODE>' character
+<LI>You can prefix the pattern string with a '<CODE>!</CODE>' character
(exclamation mark) to specify a <STRONG>non</STRONG>-matching pattern.
<P>
regular expression strings you can also use one of the following:
<P>
<UL>
-<LI>'<STRONG><CondPattern</STRONG>' (is lexicographically lower)<BR>
+<LI>'<STRONG><CondPattern</STRONG>' (is lexically lower)<BR>
Treats the <EM>CondPattern</EM> as a plain string and compares it
-lexicographically to <EM>TestString</EM> and results in a true expression if
-<EM>TestString</EM> is lexicographically lower than <EM>CondPattern</EM>.
+lexically to <EM>TestString</EM>. True if
+<EM>TestString</EM> is lexically lower than <EM>CondPattern</EM>.
<P>
-<LI>'<STRONG>>CondPattern</STRONG>' (is lexicographically greater)<BR>
+<LI>'<STRONG>>CondPattern</STRONG>' (is lexically greater)<BR>
Treats the <EM>CondPattern</EM> as a plain string and compares it
-lexicographically to <EM>TestString</EM> and results in a true expression if
-<EM>TestString</EM> is lexicographically greater than <EM>CondPattern</EM>.
+lexically to <EM>TestString</EM>. True if
+<EM>TestString</EM> is lexically greater than <EM>CondPattern</EM>.
<P>
-<LI>'<STRONG>=CondPattern</STRONG>' (is lexicographically equal)<BR>
+<LI>'<STRONG>=CondPattern</STRONG>' (is lexically equal)<BR>
Treats the <EM>CondPattern</EM> as a plain string and compares it
-lexicographically to <EM>TestString</EM> and results in a true expression if
-<EM>TestString</EM> is lexicographically equal to <EM>CondPattern</EM>, i.e the
+lexically to <EM>TestString</EM>. True if
+<EM>TestString</EM> is lexically equal to <EM>CondPattern</EM>, i.e the
two strings are exactly equal (character by character).
If <EM>CondPattern</EM> is just <SAMP>""</SAMP> (two quotation marks) this
-compares <EM>TestString</EM> against the empty string.
+compares <EM>TestString</EM> to the empty string.
<P>
<LI>'<STRONG>-d</STRONG>' (is <STRONG>d</STRONG>irectory)<BR>
Treats the <EM>TestString</EM> as a pathname and
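Review bot: Replacing "lexicographically" with "lexically" in the three comparison entries loses precision. These tests compare two plain strings character by character, which is a lexicographic comparison. Suggest keeping "lexicographically" and retaining only the shortening to "True if ...". The "=CondPattern" entry also still carries "i.e the" without its full stop and comma.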
<TABLE WIDTH="70%" BORDER=0 BGCOLOR="#E0E0F0" CELLSPACING=0 CELLPADDING=10>
<TR><TD>
<STRONG>Notice:</STRONG>
-All of these tests can also be prefixed by a not ('!') character
+All of these tests can also be prefixed by an exclamation mark ('!')
to negate their meaning.
</TD></TR>
</TABLE>
<UL>
<LI>'<STRONG><CODE>nocase|NC</CODE></STRONG>' (<STRONG>n</STRONG>o <STRONG>c</STRONG>ase)<BR>
- This makes the condition test case-insensitive, <EM>i.e.</EM>, there is
+ This makes the test case-insensitive, <EM>i.e.</EM>, there is
no difference between 'A-Z' and 'a-z' both in the expanded
<EM>TestString</EM> and the <EM>CondPattern</EM>.
<P>
RewriteCond %{REMOTE_HOST} ^host3.*
RewriteRule ...some special stuff for any of these hosts...
</PRE></BLOCKQUOTE>
- Without this flag you had to write down the cond/rule three times.
+ Without this flag you would have to write the cond/rule three times.
</UL>
<P>
run-time.
<P>
-<A NAME="patterns"><EM>Pattern</EM></A> can be (for Apache 1.1.x a System
-V8 and for Apache 1.2.x a POSIX) <A NAME="regexp">regular expression</A>
-which gets applied to the current URL. Here ``current'' means the value of the
-URL when this rule gets applied. This may not be the original requested
-URL, because there could be any number of rules before which already matched
-and made alterations to it.
+<A NAME="patterns"><EM>Pattern</EM></A> can be (for Apache
+1.1.x a System V8 and for Apache 1.2.x and later a POSIX) <A
+NAME="regexp">regular expression</A> which gets applied to the current
+URL. Here ``current'' means the value of the URL when this rule gets
+applied. This may not be the originally requested URL, because no
+longer existingany number of rules may already have matched and made
+alterations to it.
<P>
Some hints about the syntax of regular expressions:
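Review bot: The new Pattern paragraph contains stray text: "because no longer existingany number of rules may already have matched". The words "no longer existing" look pasted in from the gone|G entry, whose old wording was "no longer existing pages". The sentence should read "because any number of rules may already have matched and made alterations to it".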
<STRONG>Quantifiers:</STRONG>
<STRONG><CODE>?</CODE></STRONG> 0 or 1 of the preceding text
- <STRONG><CODE>*</CODE></STRONG> 0 or N of the preceding text (N > 1)
+ <STRONG><CODE>*</CODE></STRONG> 0 or N of the preceding text (N > 0)
<STRONG><CODE>+</CODE></STRONG> 1 or N of the preceding text (N > 1)
<STRONG>Grouping:</STRONG>
<P>
For more information about regular expressions either have a look at your
local regex(3) manpage or its <CODE>src/regex/regex.3</CODE> copy in the
-Apache 1.3 distribution. When you are interested in more detailed and deeper
-information about regular expressions and its variants (POSIX regex, Perl
+Apache 1.3 distribution. If you are interested in more detailed
+information about regular expressions and their variants (POSIX regex, Perl
regex, <EM>etc.</EM>) have a look at the following dedicated book on this topic:
<BLOCKQUOTE>
<P>
Additionally in mod_rewrite the NOT character ('<CODE>!</CODE>') is a possible
pattern prefix. This gives you the ability to negate a pattern; to say, for
-instance: ``<EM>if the current URL does <STRONG>NOT</STRONG> match to this
-pattern</EM>''. This can be used for special cases where it is better to match
-the negative pattern or as a last default rule.
+instance: ``<EM>if the current URL does <STRONG>NOT</STRONG> match this
+pattern</EM>''. This can be used for exceptional cases, where it is easier to
+match the negative pattern, or as a last default rule.
<P>
<TABLE WIDTH="70%" BORDER=0 BGCOLOR="#E0E0F0" CELLSPACING=0 CELLPADDING=10>
As already mentioned above, all the rewriting rules are applied to the
<EM>Substitution</EM> (in the order of definition in the config file). The
URL is <STRONG>completely replaced</STRONG> by the <EM>Substitution</EM> and the
-rewriting process goes on until there are no more rules (unless explicitly
-terminated by a <CODE><STRONG>L</STRONG></CODE> flag - see below).
+rewriting process goes on until there are no more rules unless explicitly
+terminated by a <CODE><STRONG>L</STRONG></CODE> flag - see below.
<P>
There is a special substitution string named '<CODE>-</CODE>' which means:
<P>
<TABLE WIDTH="70%" BORDER=0 BGCOLOR="#E0E0F0" CELLSPACING=0 CELLPADDING=10>
<TR><TD>
-<STRONG>Notice</STRONG>: There is a special feature. When you prefix a substitution
+<STRONG>Note</STRONG>: There is a special feature: When you prefix a substitution
field with <CODE>http://</CODE><EM>thishost</EM>[<EM>:thisport</EM>] then
<STRONG>mod_rewrite</STRONG> automatically strips it out. This auto-reduction on
implicit external redirect URLs is a useful and important feature when
one of the following symbolic names: <CODE>temp</CODE> (default), <CODE>permanent</CODE>,
<CODE>seeother</CODE>.
Use it for rules which should
- canonicalize the URL and gives it back to the client, <EM>e.g.</EM>, translate
+ canonicalize the URL and give it back to the client, <EM>e.g.</EM>, translate
``<CODE>/~</CODE>'' into ``<CODE>/u/</CODE>'' or always append a slash to
<CODE>/u/</CODE><EM>user</EM>, etc.<BR>
<P>
- <STRONG>Notice:</STRONG> When you use this flag, make sure that the
+ <STRONG>Note:</STRONG> When you use this flag, make sure that the
substitution field is a valid URL! If not, you are redirecting to an
invalid location! And remember that this flag itself only prefixes the
- URL with <CODE>http://thishost[:thisport]/</CODE>, but rewriting goes on.
+ URL with <CODE>http://thishost[:thisport]/</CODE>, rewriting continues.
Usually you also want to stop and do the redirection immediately. To stop
the rewriting you also have to provide the 'L' flag.
<P>
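Review bot: In the note for this flag, "only prefixes the URL with http://thishost[:thisport]/, rewriting continues" is a comma splice and drops the contrast that the old "but rewriting goes on" carried. The point of the sentence is that the flag alone does not stop rule processing, which is why the next lines tell the reader to add 'L'. Keep "but", or use a semicolon: "...; rewriting continues."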
<P>
<LI>'<STRONG><CODE>gone|G</CODE></STRONG>' (force URL to be <STRONG>g</STRONG>one)<BR>
This forces the current URL to be gone, <EM>i.e.</EM>, it immediately sends back a
- HTTP response of 410 (GONE). Use this flag to mark no longer existing
- pages as gone.
+ HTTP response of 410 (GONE). Use this flag to mark pages which no longer
+ exist as gone.
<P>
<LI>'<STRONG><CODE>proxy|P</CODE></STRONG>' (force <STRONG>p</STRONG>roxy)<BR>
This flag forces the substitution part to be internally forced as a proxy
don't apply any more rewriting rules. This corresponds to the Perl
<CODE>last</CODE> command or the <CODE>break</CODE> command from the C
language. Use this flag to prevent the currently rewritten URL from being
- rewritten further by following rules which may be wrong. For
+ rewritten further by following rules. For
example, use it to rewrite the root-path URL ('<CODE>/</CODE>') to a real
one, <EM>e.g.</EM>, '<CODE>/e/www/</CODE>'.
<P>
<CODE>next</CODE> command or the <CODE>continue</CODE> command from the C
language. Use this flag to restart the rewriting process, <EM>i.e.</EM>, to
immediately go to the top of the loop. <BR>
- <STRONG>But be careful not to create a deadloop!</STRONG>
+ <STRONG>But be careful not to create an infinite loop!</STRONG>
<P>
<LI>'<STRONG><CODE>chain|C</CODE></STRONG>' (<STRONG>c</STRONG>hained with next rule)<BR>
This flag chains the current rule with the next rule (which itself can
- also be chained with its following rule, <EM>etc.</EM>). This has the following
+ be chained with the following rule, <EM>etc.</EM>). This has the following
effect: if a rule matches, then processing continues as usual, <EM>i.e.</EM>, the
flag has no effect. If the rule does <STRONG>not</STRONG> match, then all following
chained rules are skipped. For instance, use it to remove the
translator should do. Then <CODE>mod_alias</CODE> comes and tries to do a
URI-to-filename transition which will not work.
<P>
- Notice: <STRONG>You have to use this flag if you want to intermix directives
+ Note: <STRONG>You have to use this flag if you want to intermix directives
of different modules which contain URL-to-filename translators</STRONG>. The
typical example is the use of <CODE>mod_alias</CODE> and
<CODE>mod_rewrite</CODE>..
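Review bot: the last context line of this hunk still ends with a doubled period (`<CODE>mod_rewrite</CODE>..`). The hunk is already a wording cleanup of this paragraph, so the stray period should be dropped in the same change.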
<TABLE WIDTH="70%" BORDER=0 BGCOLOR="#E0E0F0" CELLSPACING=0 CELLPADDING=10>
<TR><TD>
<font size=-1>
- <STRONG>Notice - For the Apache hackers:</STRONG><BR>
+ <STRONG>Note - For Apache hackers:</STRONG><BR>
If the current Apache API had a
filename-to-filename hook additionally to the URI-to-filename hook then
we wouldn't need this flag! But without such a hook this flag is the
only solution. The Apache Group has discussed this problem and will
- add such hooks into Apache version 2.0.
+ add such a hook in Apache version 2.0.
</FONT>
</TD></TR>
</TABLE>
This flag forces the rewriting engine to skip the next <EM>num</EM> rules
in sequence when the current rule matches. Use this to make pseudo
if-then-else constructs: The last rule of the then-clause becomes
- a <CODE>skip=N</CODE> where N is the number of rules in the else-clause.
+ <CODE>skip=N</CODE> where N is the number of rules in the else-clause.
(This is <STRONG>not</STRONG> the same as the 'chain|C' flag!)
<P>
<LI>'<STRONG><CODE>env|E=</CODE></STRONG><EM>VAR</EM>:<EM>VAL</EM>' (set <STRONG>e</STRONG>nvironment variable)<BR>
value <EM>VAL</EM>, where <EM>VAL</EM> can contain regexp backreferences
<CODE>$N</CODE> and <CODE>%N</CODE> which will be expanded. You can use this flag
more than once to set more than one variable. The variables can be later
- dereferenced at a lot of situations, but the usual location will be from
+ dereferenced in many situations, but usually from
within XSSI (via <CODE><!--#echo var="VAR"--></CODE>) or CGI (<EM>e.g.</EM>
- <CODE>$ENV{'VAR'}</CODE>). But additionally you can also dereference it in a
+ <CODE>$ENV{'VAR'}</CODE>). Additionally you can dereference it in a
following RewriteCond pattern via <CODE>%{ENV:VAR}</CODE>. Use this to strip
but remember information from URLs.
</UL>
<P>
<TABLE WIDTH="70%" BORDER=0 BGCOLOR="#E0E0F0" CELLSPACING=0 CELLPADDING=10>
<TR><TD>
-<STRONG>Notice:</STRONG> Never forget that <EM>Pattern</EM> gets applied to a complete URL
+<STRONG>Note:</STRONG> Never forget that <EM>Pattern</EM> is applied to a complete URL
in per-server configuration files. <STRONG>But in per-directory configuration
files, the per-directory prefix (which always is the same for a specific
-directory!) gets automatically <EM>removed</EM> for the pattern matching and
+directory!) is automatically <EM>removed</EM> for the pattern matching and
automatically <EM>added</EM> after the substitution has been done.</STRONG> This feature is
essential for many sorts of rewriting, because without this prefix stripping
you have to match the parent directory which is not always possible.
<P>
There is one exception: If a substitution string starts with
-``<CODE>http://</CODE>'' then the directory prefix will be <STRONG>not</STRONG> added and a
+``<CODE>http://</CODE>'' then the directory prefix will <STRONG>not</STRONG> be added and an
external redirect or proxy throughput (if flag <STRONG>P</STRONG> is used!) is forced!
</TD></TR>
</TABLE>
<P>
<TABLE WIDTH="70%" BORDER=0 BGCOLOR="#E0E0F0" CELLSPACING=0 CELLPADDING=10>
<TR><TD>
-<STRONG>Notice:</STRONG> To enable the rewriting engine for per-directory configuration files
+<STRONG>Note:</STRONG> To enable the rewriting engine for per-directory configuration files
you need to set ``<CODE>RewriteEngine On</CODE>'' in these files <STRONG>and</STRONG>
-``<CODE>Option FollowSymLinks</CODE>'' enabled. If your administrator has
+``<CODE>Option FollowSymLinks</CODE>'' must be enabled. If your administrator has
disabled override of <CODE>FollowSymLinks</CODE> for a user's directory, then
you cannot use the rewriting engine. This restriction is needed for
security reasons.
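Review bot: the rewritten line still spells the directive as `Option FollowSymLinks`, which is not a directive name Apache recognises; the directive is `Options`, and the next context line already refers to it only by its argument. Suggest ``<CODE>Options FollowSymLinks</CODE>'' here. The sentence also still switches subject midway ("you need to set ... and ... must be enabled"); "you need to set ... and to have ... enabled" keeps it parallel.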
<P>
Notice: These variables hold the URI/URL <EM>as they were initially
-requested</EM>, <EM>i.e.</EM>, in a state <EM>before</EM> any rewriting. This is
+requested</EM>, <EM>i.e.</EM>, <EM>before</EM> any rewriting. This is
important because the rewriting process is primarily used to rewrite logical
URLs to physical pathnames.
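Review bot: the first context line of this hunk still opens with "Notice:", while the other hunks in this patch rename that label to "Note:". If the rename is meant to apply across the document, this occurrence should be changed in the same pass.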
</tr>
<tr>
<td align="right">
- <font face="Arial,Helvetica">mod_ssl version 2.5</font>
+ <font face="Arial,Helvetica">mod_ssl version 2.6</font>
</td>
</tr>
</table>
<td> <table width="598">
<tr>
<td align="left"><font face="Arial,Helvetica">
- <a href="http://www.modssl.org/">mod_ssl</a> 2.5, User Manual<br>
+ <a href="http://www.modssl.org/">mod_ssl</a> 2.6, User Manual<br>
The Apache Interface to OpenSSL
</font>
</td>
-#!wml -oindex.html
+#!wml -o index.html
#use "ssl_template.inc" title="Title Page" tag=title num=0
</tr>
<tr>
<td align=right>
- <font face="Arial,Helvetica">mod_ssl version 2.5</font>
+ <font face="Arial,Helvetica">mod_ssl version 2.6</font>
</td>
</tr>
</table>
<a href="#ToC12"><strong>Permission problem on SSLMutex</strong></a><br>
<a href="#ToC13"><strong>Shared memory and process size?</strong></a><br>
<a href="#ToC14"><strong>Shared memory and pathname?</strong></a><br>
- <a href="#ToC15"><strong>About Configuration</strong></a><br>
- <a href="#ToC16"><strong>HTTP and HTTPS with a single server?</strong></a><br>
- <a href="#ToC17"><strong>Where is the HTTPS port?</strong></a><br>
- <a href="#ToC18"><strong>How to test HTTPS manually?</strong></a><br>
- <a href="#ToC19"><strong>Why does my connection hang?</strong></a><br>
- <a href="#ToC20"><strong>Why do I get connection refused?</strong></a><br>
- <a href="#ToC21"><strong>Why are the SSL_XXX variables missing?</strong></a><br>
- <a href="#ToC22"><strong>How to switch with relative hyperlinks?</strong></a><br>
- <a href="#ToC23"><strong>About Certificates</strong></a><br>
- <a href="#ToC24"><strong>What are Keys, CSRs and Certs?</strong></a><br>
- <a href="#ToC25"><strong>Difference on startup?</strong></a><br>
- <a href="#ToC26"><strong>How to create a dummy cert?</strong></a><br>
- <a href="#ToC27"><strong>How to create a real cert?</strong></a><br>
- <a href="#ToC28"><strong>How to create my own CA?</strong></a><br>
- <a href="#ToC29"><strong>How to change a pass phrase?</strong></a><br>
- <a href="#ToC30"><strong>How to remove a pass phrase?</strong></a><br>
- <a href="#ToC31"><strong>How to verify a key/cert pair?</strong></a><br>
- <a href="#ToC32"><strong>Bad Certificate Error?</strong></a><br>
- <a href="#ToC33"><strong>Why does a 2048-bit key not work?</strong></a><br>
- <a href="#ToC34"><strong>Why is client auth broken?</strong></a><br>
- <a href="#ToC35"><strong>How to convert from PEM to DER?</strong></a><br>
- <a href="#ToC36"><strong>Verisign and the magic getca program?</strong></a><br>
- <a href="#ToC37"><strong>Global IDs or SGC?</strong></a><br>
- <a href="#ToC38"><strong>Global IDs and Cert Chain?</strong></a><br>
- <a href="#ToC39"><strong>About SSL Protocol</strong></a><br>
- <a href="#ToC40"><strong>Why has the server a higher load?</strong></a><br>
- <a href="#ToC41"><strong>Why are connections horribly slow?</strong></a><br>
- <a href="#ToC42"><strong>Which ciphers are supported?</strong></a><br>
- <a href="#ToC43"><strong>How to use Anonymous-DH ciphers</strong></a><br>
- <a href="#ToC44"><strong>Why do I get 'no shared ciphers'?</strong></a><br>
- <a href="#ToC45"><strong>HTTPS and name-based vhosts</strong></a><br>
- <a href="#ToC46"><strong>The lock icon in Netscape locks very late</strong></a><br>
- <a href="#ToC47"><strong>Why do I get I/O errors with my MSIE clients?</strong></a><br>
- <a href="#ToC48"><strong>Why do I get I/O errors with my NS clients?</strong></a><br>
- <a href="#ToC49"><strong>About Support</strong></a><br>
- <a href="#ToC50"><strong>Resources in case of problems?</strong></a><br>
- <a href="#ToC51"><strong>Support in case of problems?</strong></a><br>
- <a href="#ToC52"><strong>How to write a problem report?</strong></a><br>
- <a href="#ToC53"><strong>I got a core dump, can you help me?</strong></a><br>
- <a href="#ToC54"><strong>How to get a backtrace?</strong></a><br>
+ <a href="#ToC15"><strong>PRNG and not enough entropy?</strong></a><br>
+ <a href="#ToC16"><strong>About Configuration</strong></a><br>
+ <a href="#ToC17"><strong>HTTP and HTTPS with a single server?</strong></a><br>
+ <a href="#ToC18"><strong>Where is the HTTPS port?</strong></a><br>
+ <a href="#ToC19"><strong>How to test HTTPS manually?</strong></a><br>
+ <a href="#ToC20"><strong>Why does my connection hang?</strong></a><br>
+ <a href="#ToC21"><strong>Why do I get connection refused?</strong></a><br>
+ <a href="#ToC22"><strong>Why are the SSL_XXX variables missing?</strong></a><br>
+ <a href="#ToC23"><strong>How to switch with relative hyperlinks?</strong></a><br>
+ <a href="#ToC24"><strong>About Certificates</strong></a><br>
+ <a href="#ToC25"><strong>What are Keys, CSRs and Certs?</strong></a><br>
+ <a href="#ToC26"><strong>Difference on startup?</strong></a><br>
+ <a href="#ToC27"><strong>How to create a dummy cert?</strong></a><br>
+ <a href="#ToC28"><strong>How to create a real cert?</strong></a><br>
+ <a href="#ToC29"><strong>How to create my own CA?</strong></a><br>
+ <a href="#ToC30"><strong>How to change a pass phrase?</strong></a><br>
+ <a href="#ToC31"><strong>How to remove a pass phrase?</strong></a><br>
+ <a href="#ToC32"><strong>How to verify a key/cert pair?</strong></a><br>
+ <a href="#ToC33"><strong>Bad Certificate Error?</strong></a><br>
+ <a href="#ToC34"><strong>Why does a 2048-bit key not work?</strong></a><br>
+ <a href="#ToC35"><strong>Why is client auth broken?</strong></a><br>
+ <a href="#ToC36"><strong>How to convert from PEM to DER?</strong></a><br>
+ <a href="#ToC37"><strong>Verisign and the magic getca program?</strong></a><br>
+ <a href="#ToC38"><strong>Global IDs or SGC?</strong></a><br>
+ <a href="#ToC39"><strong>Global IDs and Cert Chain?</strong></a><br>
+ <a href="#ToC40"><strong>About SSL Protocol</strong></a><br>
+ <a href="#ToC41"><strong>Why has the server a higher load?</strong></a><br>
+ <a href="#ToC42"><strong>Why are connections horribly slow?</strong></a><br>
+ <a href="#ToC43"><strong>Which ciphers are supported?</strong></a><br>
+ <a href="#ToC44"><strong>How to use Anonymous-DH ciphers</strong></a><br>
+ <a href="#ToC45"><strong>Why do I get 'no shared ciphers'?</strong></a><br>
+ <a href="#ToC46"><strong>HTTPS and name-based vhosts</strong></a><br>
+ <a href="#ToC47"><strong>The lock icon in Netscape locks very late</strong></a><br>
+ <a href="#ToC48"><strong>Why do I get I/O errors with my MSIE clients?</strong></a><br>
+ <a href="#ToC49"><strong>Why do I get I/O errors with my NS clients?</strong></a><br>
+ <a href="#ToC50"><strong>About Support</strong></a><br>
+ <a href="#ToC51"><strong>Resources in case of problems?</strong></a><br>
+ <a href="#ToC52"><strong>Support in case of problems?</strong></a><br>
+ <a href="#ToC53"><strong>How to write a problem report?</strong></a><br>
+ <a href="#ToC54"><strong>I got a core dump, can you help me?</strong></a><br>
+ <a href="#ToC55"><strong>How to get a backtrace?</strong></a><br>
</font>
</td>
</tr>
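Review bot: adding one entry shifts every positional anchor from `#ToC15` through `#ToC54` up by one, so any existing link to one of those fragments now lands on the neighbouring question. Each entry already carries a stable named anchor next to its `ToCnn` one (for example `name="history"` beside `ToC2`), so the table of contents could link to those names instead and stay valid when entries are added.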
<li><a name="ToC2"></a>
<a name="history"></a>
<strong id="faq">What is the history of mod_ssl?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#history"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#history"><b>L</b></a>]
<p>
The mod_ssl v1 package was initially created in April 1998 by <a
href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> via porting <a
<a name="apssl-diff"></a>
<strong id="faq">What are the functional differences between mod_ssl and Apache-SSL, from where
it is originally derived?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#apssl-diff"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#apssl-diff"><b>L</b></a>]
<p>
This neither can be answered in short (there were too much code changes)
nor can be answered at all by the author (there would be immediately flame
<a name="apssl-diff"></a>
<strong id="faq">What are the major differences between mod_ssl and
the commercial alternatives like Raven or Stronghold?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#apssl-diff"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#apssl-diff"><b>L</b></a>]
<p>
As of this writing (end of the year 1999) the major difference is
the RSA license which one receives (very cheaply in contrast to
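Review bot: the entry on commercial alternatives reuses `<a name="apssl-diff">`, the same anchor name as the preceding Apache-SSL entry, and its [L] link points to `#apssl-diff` as well. The version bump touches this link without fixing the collision; the entry needs its own anchor name and a matching link target.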
<li><a name="ToC5"></a>
<a name="what-version"></a>
<strong id="faq">How do I know which mod_ssl version is for which Apache version?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#what-version"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#what-version"><b>L</b></a>]
<p>
That's trivial: mod_ssl uses version strings of the syntax
<em><mod_ssl-version></em>-<em><apache-version></em>, for
<li><a name="ToC6"></a>
<a name="y2k"></a>
<strong id="faq">Is mod_ssl Year 2000 compliant?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#y2k"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#y2k"><b>L</b></a>]
<p>
Yes, mod_ssl is Year 2000 compliant.
<p>
<li><a name="ToC7"></a>
<a name="wassenaar"></a>
<strong id="faq">What about mod_ssl and the Wassenaar Arrangement?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#wassenaar"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#wassenaar"><b>L</b></a>]
<p>
First, let us explain what <i>Wassenaar</i> and it's <i>Arrangement on
Export Controls for Conventional Arms and Dual-Use Goods and
<li><a name="ToC9"></a>
<a name="core-dbm"></a>
<strong id="faq">When I access my website the first time via HTTPS I get a core dump?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#core-dbm"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#core-dbm"><b>L</b></a>]
<p>
There can be a lot of reasons why a core dump can occur, of course.
Ranging from buggy third-party modules, over buggy vendor libraries up to
<li><a name="ToC10"></a>
<a name="core-php3"></a>
<strong id="faq">My Apache dumps core when I add both mod_ssl and PHP3?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#core-php3"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#core-php3"><b>L</b></a>]
<p>
Make sure you add mod_ssl to the Apache source tree first and then do a
fresh configuration and installation of PHP3. For SSL support EAPI patches
<li><a name="ToC11"></a>
<a name="dso-sym"></a>
<strong id="faq">When I startup Apache I get errors about undefined symbols like ap_global_ctx?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#dso-sym"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#dso-sym"><b>L</b></a>]
<p>
This actually means you installed mod_ssl as a DSO, but without rebuilding
Apache with EAPI. Because EAPI is a requirement for mod_ssl, you need an
<li><a name="ToC12"></a>
<a name="mutex-perm"></a>
<strong id="faq">When I startup Apache I get permission errors related to SSLMutex?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#mutex-perm"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#mutex-perm"><b>L</b></a>]
<p>
When you receive entries like ``<code>mod_ssl: Child could not open
SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows)
<a name="mm"></a>
<strong id="faq">When I use the MM library and the shared memory cache each process grows
1.5MB according to `top' although I specified 512000 as the cache size?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#mm"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#mm"><b>L</b></a>]
<p>
The additional 1MB are caused by the global shared memory pool EAPI
allocates for all modules and which is not used by mod_ssl for
<strong id="faq">Apache creates files in a directory declared by the internal
EAPI_MM_CORE_PATH define. Is there a way to override the path using a
configuration directive?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#mmpath"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#mmpath"><b>L</b></a>]
<p>
No, there is not configuration directive, because for technical
bootstrapping reasons, a directive not possible at all. Instead
use ``<code>CFLAGS='-DEAPI_MM_CORE_PATH="/path/to/wherever/"'
./configure ...</code>'' when building Apache or use option
<b>-d</b> when starting <code>httpd</code>.
+<p>
+<li><a name="ToC15"></a>
+ <a name="entropy"></a>
+ <strong id="faq">When I fire up the server, mod_ssl stops with the error
+"Failed to generate temporary 512 bit RSA private key", why?
+And a "PRNG not seeded" error occurs if I try "make certificate".</strong>
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#entropy"><b>L</b></a>]
+ <p>
+ Cryptographic software needs a source of unpredictable data
+ to work correctly. Many open source operating systems provide
+ a "randomness device" that serves this purpose (usually named
+ <code>/dev/random</code>). On other systems, applications have to
+ seed the OpenSSL Pseudo Random Number Generator (PRNG) manually with
+ appropriate data before generating keys or performing public key
+ encryption. As of version 0.9.5, the OpenSSL functions that need
+ randomness report an error if the PRNG has not been seeded with
+ at least 128 bits of randomness. So mod_ssl has to provide enough
+ entropy to the PRNG to work correctly. For this one has to use the
+ <code>SSLRandSeed</code> directives (to solve the run-time problem)
+ and create a <code>$HOME/.rnd</code> file to make sure enough
+ entropy is available also for the "<code>make certificate</code>"
+ step (in case the "<code>make certificate</code>" procedure is not
+ able to gather enough entropy theirself by searching for system
+ files).
</ul>
<p>
<br>
-<H2><a name="ToC15">About Configuration</a></H2>
+<H2><a name="ToC16">About Configuration</a></H2>
<ul>
<p>
-<li><a name="ToC16"></a>
+<li><a name="ToC17"></a>
<a name="https-parallel"></a>
<strong id="faq">Is it possible to provide HTTP and HTTPS with a single server?</strong></strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#https-parallel"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#https-parallel"><b>L</b></a>]
<p>
Yes, HTTP and HTTPS use different server ports, so there is no direct
conflict between them. Either run two separate server instances (one binds
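Review bot: the new "entropy" entry names the directive `SSLRandSeed`, but the "random" entry in this same file calls it `SSLRandomSeed`; one spelling should be used so readers can find it in the reference chapter. The entry also tells the reader to create a `$HOME/.rnd` file without saying what it must contain or how to produce it; since the entry's own premise is that the PRNG needs unpredictable data, it should say the file has to hold such data. Smaller points: "theirself" should be "itself", and the context line for the `https-parallel` question closes `</strong>` twice.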
Apache dispatches: one responding to port 80 and speaking HTTP and one
responding to port 443 speaking HTTPS.
<p>
-<li><a name="ToC17"></a>
+<li><a name="ToC18"></a>
<a name="https-port"></a>
<strong id="faq">I know that HTTP is on port 80, but where is HTTPS?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#https-port"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#https-port"><b>L</b></a>]
<p>
You can run HTTPS on any port, but the standards specify port 443, which
is where any HTTPS compliant browser will look by default. You can force
your browser to look on a different port by specifying it in the URL like
this (for port 666): <code>https://secure.server.dom:666/</code>
<p>
-<li><a name="ToC18"></a>
+<li><a name="ToC19"></a>
<a name="https-test"></a>
<strong id="faq">How can I speak HTTPS manually for testing purposes?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#https-test"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#https-test"><b>L</b></a>]
<p>
While you usually just use
<p>
<code><b>$ curl http://localhost/</b></code><br>
<code><b>$ curl https://localhost/</b></code><br>
<p>
-<li><a name="ToC19"></a>
+<li><a name="ToC20"></a>
<a name="hang"></a>
<strong id="faq">Why does the connection hang when I connect to my SSL-aware Apache server?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#hang"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#hang"><b>L</b></a>]
<p>
Because you connected with HTTP to the HTTPS port, i.e. you used an URL of
the form ``<code>http://</code>'' instead of ``<code>https://</code>''.
virtual server that supports SSL, which is probably the IP associated with
your hostname, not localhost (127.0.0.1).
<p>
-<li><a name="ToC20"></a>
+<li><a name="ToC21"></a>
<a name="hang"></a>
<strong id="faq">Why do I get ``Connection Refused'' messages when trying to access my freshly
installed Apache+mod_ssl server via HTTPS?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#hang"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#hang"><b>L</b></a>]
<p>
There can be various reasons. Some of the common mistakes is that people
start Apache with just ``<tt>apachectl start</tt>'' (or
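Review bot: the "Connection Refused" entry is declared with `<a name="hang">`, the same anchor name as the entry directly before it, and its [L] link also targets `#hang`. Renumbering `ToC20` to `ToC21` leaves that duplicate in place, so the permanent link for this question resolves to the previous one. It should get a distinct name and the link should be updated to match.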
yourself a favor and start over with the default configuration mod_ssl
provides you.
<p>
-<li><a name="ToC21"></a>
+<li><a name="ToC22"></a>
<a name="env-vars"></a>
<strong id="faq">In my CGI programs and SSI scripts the various documented
<code>SSL_XXX</code> variables do not exists. Why?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#env-vars"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#env-vars"><b>L</b></a>]
<p>
Just make sure you have ``<code>SSLOptions +StdEnvVars</code>''
enabled for the context of your CGI/SSI requests.
<p>
-<li><a name="ToC22"></a>
+<li><a name="ToC23"></a>
<a name="relative-links"></a>
<strong id="faq">How can I use relative hyperlinks to switch between HTTP and HTTPS?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#relative-links"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#relative-links"><b>L</b></a>]
<p>
Usually you have to use fully-qualified hyperlinks because
you have to change the URL scheme. But with the help of some URL
</ul>
<p>
<br>
-<H2><a name="ToC23">About Certificates</a></H2>
+<H2><a name="ToC24">About Certificates</a></H2>
<ul>
<p>
-<li><a name="ToC24"></a>
+<li><a name="ToC25"></a>
<a name="what-is"></a>
<strong id="faq">What are RSA Private Keys, CSRs and Certificates?</strong></strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#what-is"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#what-is"><b>L</b></a>]
<p>
The RSA private key file is a digital file that you can use to decrypt
messages sent to you. It has a public component which you distribute (via
See the <a href="ssl_intro.html">Introduction</a> chapter for a general
description of the SSL protocol.
<p>
-<li><a name="ToC25"></a>
+<li><a name="ToC26"></a>
<a name="startup"></a>
<strong id="faq">Seems like there is a difference on startup between the original Apache and an SSL-aware Apache?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#startup"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#startup"><b>L</b></a>]
<p>
Yes, in general, starting Apache with a built-in mod_ssl is just like
starting an unencumbered Apache, except for the fact that when you have a
below under ``How can I get rid of the pass-phrase dialog at Apache
startup time?''.
<p>
-<li><a name="ToC26"></a>
+<li><a name="ToC27"></a>
<a name="cert-dummy"></a>
<strong id="faq">How can I create a dummy SSL server Certificate for testing purposes?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#cert-dummy"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#cert-dummy"><b>L</b></a>]
<p>
A Certificate does not have to be signed by a public CA. You can use your
private key to sign the Certificate which contains your public key. You
BUT REMEMBER: YOU REALLY HAVE TO CREATE A REAL CERTIFICATE FOR THE LONG
RUN! HOW THIS IS DONE IS DESCRIBED IN THE NEXT ANSWER.
<p>
-<li><a name="ToC27"></a>
+<li><a name="ToC28"></a>
<a name="cert-real"></a>
<strong id="faq">Ok, I've got my server installed and want to create a real SSL
server Certificate for it. How do I do it?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#cert-real"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#cert-real"><b>L</b></a>]
<p>
Here is a step-by-step description:
<p>
The <code>server.csr</code> file is no longer needed.
</ol>
<p>
-<li><a name="ToC28"></a>
+<li><a name="ToC29"></a>
<a name="cert-ownca"></a>
<strong id="faq">How can I create and use my own Certificate Authority (CA)?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#cert-ownca"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#cert-ownca"><b>L</b></a>]
<p>
The short answer is to use the <code>CA.sh</code> or <code>CA.pl</code>
script provided by OpenSSL. The long and manual answer is this:
This signs the server CSR and results in a <code>server.crt</code> file.
</ol>
<p>
-<li><a name="ToC29"></a>
+<li><a name="ToC30"></a>
<a name="change-passphrase"></a>
<strong id="faq">How can I change the pass-phrase on my private key file?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#change-passphrase"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#change-passphrase"><b>L</b></a>]
<p>
You simply have to read it with the old pass-phrase and write it again
by specifying the new pass-phrase. You can accomplish this with the following
prompt enter the old pass-phrase and at the second prompt
enter the new pass-phrase.
<p>
-<li><a name="ToC30"></a>
+<li><a name="ToC31"></a>
<a name="remove-passphrase"></a>
<strong id="faq">How can I get rid of the pass-phrase dialog at Apache startup time?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#remove-passphrase"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#remove-passphrase"><b>L</b></a>]
<p>
The reason why this dialog pops up at startup and every re-start
is that the RSA private key inside your server.key file is stored in
exec:/path/to/program</code>'' facility. But keep in mind that this is
neither more nor less secure, of course.
<p>
-<li><a name="ToC31"></a>
+<li><a name="ToC32"></a>
<a name="verify-key"></a>
<strong id="faq">How do I verify that a private key matches its Certificate?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#verify-key"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#verify-key"><b>L</b></a>]
<p>
The private key contains a series of numbers. Two of those numbers form
the "public key", the others are part of your "private key". The "public
<p>
<code><strong>$ openssl req -noout -modulus -in server.csr | openssl md5</strong></code>
<p>
-<li><a name="ToC32"></a>
+<li><a name="ToC33"></a>
<a name="keysize1"></a>
<strong id="faq">What does it mean when my connections fail with an "alert bad certificate"
error?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#keysize1"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#keysize1"><b>L</b></a>]
<p>
Usually when you see errors like ``<tt>OpenSSL: error:14094412: SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate</tt>'' in the SSL
certificate/private-key which perhaps contain a RSA-key not equal to 1024
bits. For instance Netscape Navigator 3.x is one of those browsers.
<p>
-<li><a name="ToC33"></a>
+<li><a name="ToC34"></a>
<a name="keysize2"></a>
<strong id="faq">Why does my 2048-bit private key not work?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#keysize2"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#keysize2"><b>L</b></a>]
<p>
The private key sizes for SSL must be either 512 or 1024 for compatibility
with certain web browsers. A keysize of 1024 bits is recommended because
Navigator and Microsoft Internet Explorer, and with other browsers that
use RSA's BSAFE cryptography toolkit.
<p>
-<li><a name="ToC34"></a>
+<li><a name="ToC35"></a>
<a name="hash-symlinks"></a>
<strong id="faq">Why is client authentication broken after upgrading from
SSLeay version 0.8 to 0.9?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#hash-symlinks"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#hash-symlinks"><b>L</b></a>]
<p>
The CA certificates under the path you configured with
<code>SSLCACertificatePath</code> are found by SSLeay through hash
all old hash symlinks and re-create new ones after upgrading. Use the
<code>Makefile</code> mod_ssl placed into this directory.
<p>
-<li><a name="ToC35"></a>
+<li><a name="ToC36"></a>
<a name="pem-to-der"></a>
<strong id="faq">How can I convert a certificate from PEM to DER format?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#pem-to-der"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#pem-to-der"><b>L</b></a>]
<p>
The default certificate format for SSLeay/OpenSSL is PEM, which actually
is Base64 encoded DER with header and footer lines. For some applications
corresponding DER file <code>cert.der</code> with the following command:
<code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code>
<p>
-<li><a name="ToC36"></a>
+<li><a name="ToC37"></a>
<a name="verisign-getca"></a>
<strong id="faq">I try to install a Verisign certificate. Why can't I find neither the
<code>getca</code> nor <code>getverisign</code> programs Verisign mentions?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#verisign-getca"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#verisign-getca"><b>L</b></a>]
<p>
This is because Verisign has never provided specific instructions
for Apache+mod_ssl. Rather they tell you what you should do
href="http://www.thawte.com/certs/server/keygen/mod_ssl.html">
Thawte's mod_ssl instructions</a>.
<p>
-<li><a name="ToC37"></a>
+<li><a name="ToC38"></a>
<a name="gid"></a>
<strong id="faq">Can I use the Server Gated Cryptography (SGC) facility (aka Verisign Global
ID) also with mod_ssl?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#gid"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#gid"><b>L</b></a>]
<p>
Yes, mod_ssl since version 2.1 supports the SGC facility. You don't have
to configure anything special for this, just use a Global ID as your
automatically handled by mod_ssl under run-time. For details please read
the <tt>README.GlobalID</tt> document in the mod_ssl distribution.
<p>
-<li><a name="ToC38"></a>
+<li><a name="ToC39"></a>
<a name="gid"></a>
<strong id="faq">After I have installed my new Verisign Global ID server certificate, the
browsers complain that they cannot verify the server certificate?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#gid"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#gid"><b>L</b></a>]
<p>
That is because Verisign uses an intermediate CA certificate between
the root CA certificate (which is installed in the browsers) and
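Review bot: both Global ID entries use `name="gid"` and link to `#gid`, so the [L] link updated in this hunk cannot address the certificate-chain question on its own. A separate anchor name is needed for this second entry.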
</ul>
<p>
<br>
-<H2><a name="ToC39">About SSL Protocol</a></H2>
+<H2><a name="ToC40">About SSL Protocol</a></H2>
<ul>
<p>
-<li><a name="ToC40"></a>
+<li><a name="ToC41"></a>
<a name="load"></a>
<strong id="faq">Why has my webserver a higher load now that I run SSL there?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#load"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#load"><b>L</b></a>]
<p>
Because SSL uses strong cryptographic encryption and this needs a lot of
number crunching. And because when you request a webpage via HTTPS even
the images are transfered encrypted. So, when you have a lot of HTTPS
traffic the load increases.
<p>
-<li><a name="ToC41"></a>
+<li><a name="ToC42"></a>
<a name="random"></a>
<strong id="faq">Often HTTPS connections to my server require up to 30 seconds for establishing
the connection, although sometimes it works faster?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#random"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#random"><b>L</b></a>]
<p>
Usually this is caused by using a <code>/dev/random</code> device for
<code>SSLRandomSeed</code> which is blocking in read(2) calls if not
enough entropy is available. Read more about this problem in the refernce
chapter under <code>SSLRandomSeed</code>.
<p>
-<li><a name="ToC42"></a>
+<li><a name="ToC43"></a>
<a name="ciphers"></a>
<strong id="faq">What SSL Ciphers are supported by mod_ssl?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#ciphers"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#ciphers"><b>L</b></a>]
<p>
Usually just all SSL ciphers which are supported by the
version of OpenSSL in use (can depend on the way you built
<p>
<code><strong>$ openssl ciphers -v</strong></code><br>
<p>
-<li><a name="ToC43"></a>
+<li><a name="ToC44"></a>
<a name="cipher-adh"></a>
<strong id="faq">I want to use Anonymous Diffie-Hellman (ADH) ciphers, but I always get ``no
shared cipher'' errors?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#cipher-adh"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#cipher-adh"><b>L</b></a>]
<p>
In order to use Anonymous Diffie-Hellman (ADH) ciphers, it is not enough
to just put ``<code>ADH</code>'' into your <code>SSLCipherSuite</code>.
allow ADH ciphers for security reasons. So if you are actually enabling
these ciphers make sure you are informed about the side-effects.
<p>
-<li><a name="ToC44"></a>
+<li><a name="ToC45"></a>
<a name="cipher-shared"></a>
<strong id="faq">I always just get a 'no shared ciphers' error if
I try to connect to my freshly installed server?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#cipher-shared"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#cipher-shared"><b>L</b></a>]
<p>
Either you have messed up your <code>SSLCipherSuite</code>
directive (compare it with the pre-configured example in
this, regenerate your server certificate/key pair and this time
choose the RSA algorithm.
<p>
-<li><a name="ToC45"></a>
+<li><a name="ToC46"></a>
<a name="vhosts"></a>
<strong id="faq">Why can't I use SSL with name-based/non-IP-based virtual hosts?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#vhosts"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#vhosts"><b>L</b></a>]
<p>
The reason is very technical. Actually it's some sort of a chicken and
egg problem: The SSL protocol layer stays below the HTTP protocol layer
handshake is finished. But the information is already needed at the SSL
handshake phase. Bingo!
<p>
-<li><a name="ToC46"></a>
+<li><a name="ToC47"></a>
<a name="lock-icon"></a>
<strong id="faq">When I use Basic Authentication over HTTPS the lock icon in Netscape browsers
still show the unlocked state when the dialog pops up. Does this mean the
username/password is still transmitted unencrypted?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#lock-icon"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#lock-icon"><b>L</b></a>]
<p>
No, the username/password is already transmitted encrypted. The icon in
Netscape browsers is just not really synchronized with the SSL/TLS layer
handshake phase and switched to encrypted communication. So, don't get
confused by this icon.
<p>
-<li><a name="ToC47"></a>
+<li><a name="ToC48"></a>
<a name="io-ie"></a>
<strong id="faq">When I connect via HTTPS to an Apache+mod_ssl server with Microsoft Internet
Explorer (MSIE) I sometimes get I/O errors and the message "bad data from the
server". What's the reason?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#io-ie"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#io-ie"><b>L</b></a>]
<p>
The reason is that MSIE's SSL implementation has some subtle bugs related
to the HTTP keep-alive facility and the SSL close notify alerts on socket
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</pre>
<p>
-<li><a name="ToC48"></a>
+<li><a name="ToC49"></a>
<a name="io-ns"></a>
<strong id="faq">When I connect via HTTPS to an Apache+mod_ssl server with Netscape Navigator I
get I/O errors and the message "Netscape has encountered bad data from the
server" What's the reason?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#io-ns"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#io-ns"><b>L</b></a>]
<p>
The problem usually is that you had created a new server certificate with
the same DN, but you had told your browser to accept forever the old
</ul>
<p>
<br>
-<H2><a name="ToC49">About Support</a></H2>
+<H2><a name="ToC50">About Support</a></H2>
<ul>
<p>
-<li><a name="ToC50"></a>
+<li><a name="ToC51"></a>
<a name="resources"></a>
<strong id="faq">What information resources are available in case of mod_ssl problems?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#resources"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#resources"><b>L</b></a>]
<p>
The following information resources are available.
In case of problems you should search here first.
<p>
<ol>
<li><em>Answers in the User Manual's F.A.Q. List (this)</em><br>
- <a href="http://www.modssl.org/docs/2.5/ssl_faq.html">
- http://www.modssl.org/docs/2.5/ssl_faq.html</a><br>
+ <a href="http://www.modssl.org/docs/2.6/ssl_faq.html">
+ http://www.modssl.org/docs/2.6/ssl_faq.html</a><br>
First look inside the F.A.Q. (this text), perhaps your problem is such
popular that it was already answered a lot of times in the past.
<p>
someone else already has reported the problem.
</ol>
<p>
-<li><a name="ToC51"></a>
+<li><a name="ToC52"></a>
<a name="contact"></a>
<strong id="faq">What support contacts are available in case of mod_ssl problems?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#contact"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#contact"><b>L</b></a>]
<p>
The following lists all support possibilities for mod_ssl, in order of
preference, i.e. start in this order and do not pick the support possibility
usually not processed as fast as a posting on modssl-users.
</ol>
<p>
-<li><a name="ToC52"></a>
+<li><a name="ToC53"></a>
<a name="report-details"></a>
<strong id="faq">What information and details I've to provide to
the author when writing a bug report?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#report-details"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#report-details"><b>L</b></a>]
<p>
You have to at least always provide the following information:
<p>
course.
</ul>
<p>
-<li><a name="ToC53"></a>
+<li><a name="ToC54"></a>
<a name="core-dumped"></a>
<strong id="faq">I got a core dump, can you help me?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#core-dumped"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#core-dumped"><b>L</b></a>]
<p>
In general no, at least not unless you provide more details about the code
location where Apache dumped core. What is usually always required in
information it is mostly impossible to find the problem and help you in
fixing it.
<p>
-<li><a name="ToC54"></a>
+<li><a name="ToC55"></a>
<a name="report-backtrace"></a>
<strong id="faq">Ok, I got a core dump but how do I get a backtrace to find out the reason for it?</strong>
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#report-backtrace"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#report-backtrace"><b>L</b></a>]
<p>
Follow the following steps:
<p>
<td> <table width="598">
<tr>
<td align="left"><font face="Arial,Helvetica">
- <a href="http://www.modssl.org/">mod_ssl</a> 2.5, User Manual<br>
+ <a href="http://www.modssl.org/">mod_ssl</a> 2.6, User Manual<br>
The Apache Interface to OpenSSL
</font>
</td>
<a name="<get-var ref>"></a>
<strong id="faq">%body</strong>\
- [<a href="http://www.modssl.org/docs/2.5/ssl_faq.html#<get-var ref>"><b>L</b></a>]
+ [<a href="http://www.modssl.org/docs/2.6/ssl_faq.html#<get-var ref>"><b>L</b></a>]
<p>
<restore toc>
<restore ref>
./configure ...</code>'' when building Apache or use option
<b>-d</b> when starting <code>httpd</code>.
+<faq ref="entropy" toc="PRNG and not enough entropy?">
+When I fire up the server, mod_ssl stops with the error
+"Failed to generate temporary 512 bit RSA private key", why?
+And a "PRNG not seeded" error occurs if I try "make certificate".
+</faq>
+
+ Cryptographic software needs a source of unpredictable data
+ to work correctly. Many open source operating systems provide
+ a "randomness device" that serves this purpose (usually named
+ <code>/dev/random</code>). On other systems, applications have to
+ seed the OpenSSL Pseudo Random Number Generator (PRNG) manually with
+ appropriate data before generating keys or performing public key
+ encryption. As of version 0.9.5, the OpenSSL functions that need
+ randomness report an error if the PRNG has not been seeded with
+ at least 128 bits of randomness. So mod_ssl has to provide enough
+ entropy to the PRNG to work correctly. For this one has to use the
+ <code>SSLRandSeed</code> directives (to solve the run-time problem)
+ and create a <code>$HOME/.rnd</code> file to make sure enough
+ entropy is available also for the "<code>make certificate</code>"
+ step (in case the "<code>make certificate</code>" procedure is not
+ able to gather enough entropy theirself by searching for system
+ files).
+
</ul>
<p>
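Review bot: the new "entropy" answer tells readers to use the SSLRandSeed directives, but the existing "random" answer in this same FAQ calls the directive SSLRandomSeed, so a reader who copies the new text into a config gets a name the rest of the manual does not use. Use one spelling throughout. The answer also never says what should go into $HOME/.rnd or how to create it, which is the one step a user hitting "PRNG not seeded" needs, and "theirself" should read "itself".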
<p>
<ol>
<li><em>Answers in the User Manual's F.A.Q. List (this)</em><br>
- <a href="http://www.modssl.org/docs/2.5/ssl_faq.html">
- http://www.modssl.org/docs/2.5/ssl_faq.html</a><br>
+ <a href="http://www.modssl.org/docs/2.6/ssl_faq.html">
+ http://www.modssl.org/docs/2.6/ssl_faq.html</a><br>
First look inside the F.A.Q. (this text), perhaps your problem is such
popular that it was already answered a lot of times in the past.
<p>
<tr>
<td align="right">
<font size="-1">
-Unknown
+Richard Nixon
</font>
</td>
</tr>
<td> <table width="598">
<tr>
<td align="left"><font face="Arial,Helvetica">
- <a href="http://www.modssl.org/">mod_ssl</a> 2.5, User Manual<br>
+ <a href="http://www.modssl.org/">mod_ssl</a> 2.6, User Manual<br>
The Apache Interface to OpenSSL
</font>
</td>
<page_prev name="F.A.Q. List" url="ssl_faq.html">
-<quotation width=300 author="Unknown">
+<quotation width=300 author="Richard Nixon">
``I know you believe you understand what you think I said, but I am not sure you
realize that what you heard is not what I meant.''
</quotation>
<td> <table width="598">
<tr>
<td align="left"><font face="Arial,Helvetica">
- <a href="http://www.modssl.org/">mod_ssl</a> 2.5, User Manual<br>
+ <a href="http://www.modssl.org/">mod_ssl</a> 2.6, User Manual<br>
The Apache Interface to OpenSSL
</font>
</td>
<tr>
<td align="right">
<font size="-1">
-A. Tannenbaum, ``Introduction to Computer Networks''
+A. Tanenbaum, ``Introduction to Computer Networks''
</font>
</td>
</tr>
<td> <table width="598">
<tr>
<td align="left"><font face="Arial,Helvetica">
- <a href="http://www.modssl.org/">mod_ssl</a> 2.5, User Manual<br>
+ <a href="http://www.modssl.org/">mod_ssl</a> 2.6, User Manual<br>
The Apache Interface to OpenSSL
</font>
</td>
#use wml::std::toc style=nbsp
<quotation width=400
- author="A. Tannenbaum, ``Introduction to Computer Networks''">
+ author="A. Tanenbaum, ``Introduction to Computer Networks''">
``The nice thing about standards is that there are so many to choose from.
And if you really don't like all the standards you just have to wait another
year until the one arises you are looking for.''
<td> <table width="598">
<tr>
<td align="left"><font face="Arial,Helvetica">
- <a href="http://www.modssl.org/">mod_ssl</a> 2.5, User Manual<br>
+ <a href="http://www.modssl.org/">mod_ssl</a> 2.6, User Manual<br>
The Apache Interface to OpenSSL
</font>
</td>
On some platforms like FreeBSD one can even control how the entropy is
actually generated, i.e. by which system interrupts. More details one can
find under <i>rndcontrol(8)</i> on those platforms. Alternatively, when
- your system lacks such a random device, you can use tool like <a
- href="http://www.lothar.com/tech/crypto/">EGD</a> (Entropy Gathering
- Daemon) and run it's client program with the
- <code>exec:/path/to/program/</code> variant (see below).
+ your system lacks such a random device, you can use tool
+ like <a href="http://www.lothar.com/tech/crypto/">EGD</a>
+ (Entropy Gathering Daemon) and run it's client program with the
+ <code>exec:/path/to/program/</code> variant (see below) or use
+ <code>egd:/path/to/egd-socket</code> (see below).
<p>
<li><code>exec:/path/to/program</code>
<p>
which is based on the AT&T <em>truerand</em> library). Using this in
the connection context slows down the server too dramatically, of course.
So usually you should avoid using external programs in that context.
+<p>
+<li><code>egd:/path/to/egd-socket</code> (Unix only)
+ <p>
+ This variant uses the Unix domain socket of the
+ external Entropy Gathering Daemon (EGD) (see <a
+ href="http://www.lothar.com/tech/crypto/">http://www.lothar.com/tech
+ /crypto/</a>) to seed the PRNG. Use this if no random device exists
+ on your platform.
</ul>
<p>
Example:
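Review bot: the new egd:/path/to/egd-socket item does not state its prerequisite. The 2.6.1 changelog entry in this patch ties it to OpenSSL 0.9.5's RAND_egd(), so the item should say it needs OpenSSL 0.9.5 or later and what happens on older builds. Two smaller points in the same hunk: the link text is wrapped in the middle of the URL ("http://www.lothar.com/tech" then "/crypto/"), which will render with a space inside the address, and "it's client program" should be "its". The same text is repeated in the second copy of this hunk further down.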
<td> <table width="598">
<tr>
<td align="left"><font face="Arial,Helvetica">
- <a href="http://www.modssl.org/">mod_ssl</a> 2.5, User Manual<br>
+ <a href="http://www.modssl.org/">mod_ssl</a> 2.6, User Manual<br>
The Apache Interface to OpenSSL
</font>
</td>
On some platforms like FreeBSD one can even control how the entropy is
actually generated, i.e. by which system interrupts. More details one can
find under <i>rndcontrol(8)</i> on those platforms. Alternatively, when
- your system lacks such a random device, you can use tool like <a
- href="http://www.lothar.com/tech/crypto/">EGD</a> (Entropy Gathering
- Daemon) and run it's client program with the
- <code>exec:/path/to/program/</code> variant (see below).
+ your system lacks such a random device, you can use tool
+ like <a href="http://www.lothar.com/tech/crypto/">EGD</a>
+ (Entropy Gathering Daemon) and run it's client program with the
+ <code>exec:/path/to/program/</code> variant (see below) or use
+ <code>egd:/path/to/egd-socket</code> (see below).
<p>
<li><code>exec:/path/to/program</code>
<p>
which is based on the AT&T <em>truerand</em> library). Using this in
the connection context slows down the server too dramatically, of course.
So usually you should avoid using external programs in that context.
+<p>
+<li><code>egd:/path/to/egd-socket</code> (Unix only)
+ <p>
+ This variant uses the Unix domain socket of the
+ external Entropy Gathering Daemon (EGD) (see <a
+ href="http://www.lothar.com/tech/crypto/">http://www.lothar.com/tech
+ /crypto/</a>) to seed the PRNG. Use this if no random device exists
+ on your platform.
</ul>
<p>
<tr>
<td align=left>\
<font face="Arial,Helvetica">
- <a href="http://www.modssl.org/">mod_ssl</a> 2.5, User Manual<br>
+ <a href="http://www.modssl.org/">mod_ssl</a> 2.6, User Manual<br>
The Apache Interface to OpenSSL
</font>
</td>
<A HREF="../mod/core.html#listen">Listen</A>,
<A HREF="../mod/core.html#pidfile">PidFile</A>,
<A HREF="../mod/mod_mime.html#typesconfig">TypesConfig</A>,
-<A HREF="../mod/core.html#serverroot">ServerRoot</A> and
-<A HREF="../mod/core.html#namevirtualhost">NameVirtualHost</A>.
+<A HREF="../mod/core.html#serverroot">ServerRoot</A>,
+<A HREF="../mod/core.html#namevirtualhost">NameVirtualHost</A>
+and a few other directives.
<P>
<A HREF="../mod/core.html#user">User</A> and
<A HREF="../mod/core.html#group">Group</A> may be used inside a VirtualHost
ap_SHA1Final @355
ap_sha1_base64 @356
ap_send_error_response @357
- ap_add_config_define @357
- ap_global_ctx @358
- ap_ctx_new @359
- ap_ctx_get @360
- ap_ctx_set @361
- ap_hook_init @362
- ap_hook_kill @363
- ap_hook_configure @364
- ap_hook_register_I @365
- ap_hook_unregister_I @366
- ap_hook_status @367
- ap_hook_use @368
- ap_hook_call @369
+ ap_add_config_define @358
+ ap_global_ctx @359
+ ap_ctx_new @360
+ ap_ctx_get @361
+ ap_ctx_set @362
+ ap_hook_init @363
+ ap_hook_kill @364
+ ap_hook_configure @365
+ ap_hook_register_I @366
+ ap_hook_unregister_I @367
+ ap_hook_status @368
+ ap_hook_use @369
+ ap_hook_call @370
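Review bot: fixing the duplicated @357 by shifting everything from ap_add_config_define to ap_hook_call up by one changes the ordinal of thirteen already-published exports. Anything that binds to these symbols by ordinal rather than by name will resolve to the wrong entry after the upgrade, so the changelog entry ("Some numbers occured multiple times") should say that the ordinals moved and that Win32 modules built against the old file need a rebuild.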
+Changes with Apache 1.3.12
+
+ *) Only OS/2 requires the addition "t" flag for ap_pfopen()
+ (as therefore fopen() as well). This is handled by the
+ FOPEN_REQUIRES_T macro. [Ian Turner <iant@sequent.com>,
+ Jim Jagielski] PR#5760
+
+ *) The default charset is only added, when enabled, for those
+ Content-types which require it (text/plain, text/html).
+ [Jim Jagielski] PR#5766
+
+ *) Fix handling of multiple queries in APXS commands (e.g. "apxs -q
+ CC CFLAGS") and make sure Perl-related command line options (which
+ can contain the "::" constructs) do no longer cause an incorrect
+ internal parsing of the query result.
+ [Ralf S. Engelschall, Steve Robb <steve@eu.c2.net>]
+
+ *) Avoid infinite looping in APACI's configure script
+ inside Ultrix' /bin/sh5 upgrade step.
+ [Jan Gallo <gallo@viapvt.sk>, Ralf S. Engelschall] PR#4940
+
+ *) PORT: Add support for Amdahl UTS 4.3 and later.
+ [Dave Dykstra <dwd@bell-labs.com>] PR#5654
+
+ *) Make implementation/descriptions of the FLAG directives
+ AuthAuthoritative, MetaFiles and ExtendedStatus consistent with
+ documentation and the standard way of implementation those directives.
+ [David MacKenzie <djm@web.us.uu.net>, Ralf S. Engelschall] PR#5642
+
+ *) Cast integer ap_wait_t values in http_main.c to get rid of compile
+ time errors on platforms where "ap_wait_t" is not defined as "int"
+ (currently only the NEXT and UTS21 platforms).
+ [Gary Bickford <garyb@fxt.com>, Ralf S. Engelschall] PR#5053
+
+ *) The default suexec path was HTTPD_ROOT/sbin/suexec if not
+ configured via APACI. Changed to HTTPD_ROOT/bin/suexec.
+ [Lars Eilebrecht]
+
+ *) Add an explicit charset=iso-8859-1 to pages generated by
+ ap_send_error_response(), such as the default 404 page.
+ [Marc Slemko]
+
+ *) Add the AddDefaultCharset directive. This allows you to specify
+ the given character set on any document that does not have one
+ explicitly specified in the headers. [Marc Slemko, Jim Jagielski]
+
+ *) Properly escape various messages output to the client from a number
+ of modules and places in the core code. [Marc Slemko]
+
+ *) Change mod_actions, mod_autoindex, mod_expires, and mod_log_config to
+ not consider any parameters such as charset when making decisions
+ based on content type. This does remove some functionality for
+ some users, but means that when these modules are configured to do
+ particular things with particular MIME types, the charset should
+ not be included. A better way of addressing this for users who
+ want to set things on a per charset basis is necessary in the future.
+ [Marc Slemko]
+
+ *) mod_include now entity encodes output from "printenv" and "echo var"
+ by default. The encoding for "echo var" can be set to URL encoding
+ or no encoding using the new "encoding" attribute to the echo tag.
+ [Marc Slemko]
+
Changes with Apache 1.3.11
*) MPE builds are no longer stripped, which caused the executable
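Review bot: the entry "Properly escape various messages output to the client from a number of modules and places in the core code" is too vague for an administrator to judge exposure; it names neither the modules nor the kind of message. List the affected modules, as the neighbouring entry does for mod_actions, mod_autoindex, mod_expires and mod_log_config. The mod_include entry should also say which value of the new "encoding" attribute turns entity encoding off, since that setting brings back the unescaped output this release is meant to stop.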
*) Added a CLF '-' respecting %B to the log format.
Suggested by Ragnar Kjørstad [dirkx]
- *) Added protocol(%m)/method(%H) logging to the log format.
+ *) Added protocol(%H)/method(%m) logging to the log format.
Suggested by Peter W <peterw@usa.net> [dirkx]
*) Added a HEAD method to 'ab'. [dirkx]
_INTENTIONALLY_ no contributor names attached to the entries. Instead all
contributors are listed in the CREDITS file.
+ ____ __
+ |___ \ / /_
+ __) || '_ \
+ / __/ | (_) |
+ __ |_____(_)___/____________________________________________
+
+ Changes with mod_ssl 2.6.2 (29-Feb-2000 to 02-Mar-2000)
+
+ *) Updated the conf/ssl.crt/ca-bundle.crt file (containing the CA
+ Root Certificates of over 60 popular CAs) to the contents extracted
+ from Netscape Communicator 4.72's cert7.db file.
+
+ *) Fixed compilation of the new HTTPS proxy code (SSL_EXPERIMENTAL):
+ The SSL_VENDOR was required without need if SSL_EXPERIMENTAL was
+ enabled. This is now fixed and only SSL_EXPERIMENTAL is requied again
+ for the new HTTPS proxy stuff.
+
+ *) Added an FAQ entry about the "less entropy for the PRNG"
+ problem which now becomes "popular" ;) with OpenSSL 0.9.5.
+
+ *) Fixed conf/ssl.crl/Makefile: the files which have to be
+ checked for existance are named foo.rNNN and not just foo.NNN
+
+ *) Fixed a typo related to a RAND_status call in ssl_engine_rand.c
+ which was introduced in 2.6.1 and which caused mod_ssl fail to
+ compile if OpenSSL >= 0.9.5 was used [Sorry, my gcc hasn't catched
+ this typo :-(...]
+
+ *) Added also some random files which exists under Mach/Rhapshody
+ platforms to the list of files in src/support/mkcert.sh to make
+ sure enough entropy is available on these platforms under "make
+ certificate" with OpenSSL 0.9.5
+
+ *) Enhanced SSLRequire (SH2) -> SSLRequireSSL (mod_ssl)
+ directive compatibility mapping.
+
+ Changes with mod_ssl 2.6.1 (25-Feb-2000 to 29-Feb-2000)
+
+ *) Added support for OpenSSL 0.9.5's RAND_egd() which is now used
+ to read entropy from the EGD Unix domain socket if `SSLRandSeed
+ egd:/path/to/socket' is configured.
+
+ *) Extended builtin PRNG seeding with a run-time stack based source.
+ This way the builtin source now creates more entropy and usually
+ enough to make OpenSSL >= 0.9.5 happy again. If OpenSSL is still not
+ happy (i.e. still not sufficient entropy exists), a warning message
+ is logged by mod_ssl now.
+
+ *) Fixed Tanenbaum's name on the quote in ssl_intro.wml
+
+ *) Updated Thawte's sxnet stuff for latest OpenSSL.
+
+ *) Allow mod_ssl to compile also under Win32 & VC++ 6.0
+
+ *) Fix OS/2 support and this way make mod_ssl again work
+ also under this platform.
+
+ Changes with mod_ssl 2.6.0 (24-Feb-2000 to 25-Feb-2000)
+
+ *) Merged in enhanced HTTPS Proxy Support which is derived from
+ Stronghold 2.x and was originally contributed by C2Net over one
+ year ago. This is still _EXPERIMENTAL_ stuff, so it is entirely
+ wrapped with SSL_EXPERIMENTAL sections and has to be abled under
+ built-time with --enable-rule=SSL_EXPERIMENTAL. Then the following
+ new configuration directives are provided to fine-tune the HTTPS
+ proxy support:
+
+ o SSLProxyProtocol [+-][SSLv2|SSLv3|TLSv1] ...
+ (enable or disable SSL protocol flavors)
+ o SSLProxyCipherSuite XXX:...:XXX
+ (colon-delimited list of permitted SSL ciphers)
+ o SSLProxyVerify on|off
+ (whether to verify the remote certificate)
+ o SSLProxyVerifyDepth N
+ (maximum certificate verification depth)
+ o SSLProxyCACertificateFile /path/to/file
+ (file containing server certificates)
+ o SSLProxyCACertificatePath /path/to/dir
+ (directory containing server certificates)
+ o SSLProxyMachineCertificateFile /path/to/file
+ (file containing client certificates)
+ o SSLProxyMachineCertificatePath /path/to/dir
+ (directory containing client certificates)
+
+ This stuff is declared experimental, because it was still _NOT_
+ tested in depth and is still _UNDOCUMENTED_. So keep in mind what
+ SSL_EXPERIMENTAL means and use this with care!
+
+ *) Extended the EAPI patches to mod_proxy to allow the new
+ HTTPS proxy support to be merged in.
+
+ *) Fixed ssl_io_suck() prototype scope in mod_ssl.h by changing
+ the old #ifdef SSL_EXPERIMENTAL to the now correct #ifndef
+ SSL_CONSERVATIVE.
+
+ *) Added "cons" and "nocons" development target to
+ src/modules/ssl/Makefile.tmpl.
+
+ *) Upgraded to Apache version 1.3.12.
+
+
____ ____
|___ \ | ___|
__) | |___ \
/ __/ _ ___) |
__ |_____(_)____/___________________________________________
+ Changes with mod_ssl 2.5.1 (22-Jan-2000 to 24-Feb-2000)
+
+ *) Made sure OpenSSL's Pseudo Random Number Generator (PRNG) is
+ seeded already before the temporary RSA keys are generated.
+
+ *) Fixed possible security hole in mkcert.sh script (make
+ certificate) by making sure we already generate the foo.key files
+ with proper umask instead of chmod them later (and this way
+ perhaps too late).
+
+ *) Fixed memory leak caused by not-freed SSL_CTX in the HTTPS proxy
+ support (ssl_engine_ext.c/mod_proxy).
+
+ *) Fixed quotation author in ssl_glossary.html: it's Richard Nixon,
+ as Lukas Bradley pointed out.
+
+ *) Use "/usr/local/ssl" as the default for $SSL_BASE only if this
+ path really exists. Else use "SYSTEM" and this way be more
+ flexible. This is especially interesting for RedHat/RPM users
+ where OpenSSL stays often directly under /usr.
+
+ *) Make sure libssl.module also detects OpenSSL correctly
+ if OpenSSL was built as shared libraries (.so)
+
+ *) Let configure script more accurately check for -h, -v and
+ -q options on command line.
+
+ *) Make `SSLSessionCache none' really work as expected.
+
+ *) Added support for the latest OpenSSL snapshot (>= version 0.9.4).
+
+ *) Removed the removal of "#ifdef lint.. #endif" lines from
+ src/modules/ssl/Makefile.tmpl to make the life of the
+ OpenBSD guys easier in the future.
+
+ *) Removed Unix Bourne-Shell construct "2>&1" from Win32's
+ configure.bat script because Win32 hates this.
+
+ *) Fixed ApacheCore.def for Win32: Some numbers occured
+ multiple times.
+
Changes with mod_ssl 2.5.0 (08-Jan-2000 to 22-Jan-2000)
*) Switched the old "POST for HTTPS" support code from
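Review bot: in the 2.6.0 list of new SSLProxy* directives, SSLProxyVerify is given as "on|off" with no default stated, and the text right after it says the feature is undocumented. For a proxy that opens HTTPS connections on a client's behalf, whether the remote certificate is checked by default is the first thing an operator needs to know, so state the default here. The descriptions of SSLProxyCACertificateFile and SSLProxyCACertificatePath also say "server certificates" where the directive names say CA certificates; one of the two is wrong and should be corrected before people configure trust from it.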
#!/bin/sh
-# $OpenBSD: Configure,v 1.10 2000/01/28 18:39:57 beck Exp $
+# $OpenBSD: Configure,v 1.11 2000/03/19 11:16:52 beck Exp $
## ====================================================================
## Copyright (c) 1995-1999 The Apache Group. All rights reserved.
##
LIBS="$LIBS -lPW"
;;
*-uts*)
- OS='Amdahl UTS'
- CFLAGS="$CFLAGS -Xa -eft -DUTS21 -DUSEBCOPY"
- LIBS="$LIBS -lsocket -lbsd -la"
- DEF_WANTHSREGEX=yes
+ PLATOSVERS=`echo $PLAT | sed 's/^.*,//'`
+ OS='Amdahl UTS $PLATOSVERS'
+ case "$PLATOSVERS" in
+ 2*) CFLAGS="$CFLAGS -Xa -eft -DUTS21 -DUSEBCOPY"
+ LIBS="$LIBS -lsocket -lbsd -la"
+ DEF_WANTHSREGEX=yes
+ ;;
+ *) CFLAGS="$CFLAGS -Xa -DSVR4"
+ LIBS="$LIBS -lsocket -lnsl"
+ ;;
+ esac
;;
*-ultrix)
OS='ULTRIX'
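Review bot: in the new *-uts* branch, OS='Amdahl UTS $PLATOSVERS' uses single quotes, so the shell never expands the variable and the configure output will print the literal text $PLATOSVERS. Use double quotes. The version is also taken with sed 's/^.*,//', which returns $PLAT unchanged when it contains no comma; that case then falls into the "*)" arm and is built as SVR4, so a short comment on the expected form of $PLAT would help.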
# Older SINIX machines must be linked as "shared core"-Apache
case $CC in
*/gcc|gcc ) CFLAGS_SHLIB="-fpic" ;;
- */cc|cc ) CFLAGS_SHLIB="-KPIC" ;;
+ *) CFLAGS_SHLIB="-KPIC" ;;
esac
LDFLAGS_SHLIB="-G"
LDFLAGS_MOD_SHLIB=$LDFLAGS_SHLIB
# select the special subtarget for shared core generation
SUBTARGET=target_shared
# determine additional suffixes for libhttpd.so
- V=1 R=3 P=11
+ V=1 R=3 P=12
if [ "x$SHLIB_SUFFIX_DEPTH" = "x0" ]; then
SHLIB_SUFFIX_LIST=""
fi
#define ERR_OVERFLOW 5
-#ifdef MPE
+#if defined(MPE) || defined(BEOS)
#include <termios.h>
char *
echo " " && \
echo "echo \"Ready.\"" && \
echo "echo \" +--------------------------------------------------------+\"" && \
- echo "echo \" | You now have successfully installed the Apache $VER |\"" && \
+ echo "echo \" | You now have successfully installed the Apache $VER |\"" && \
echo "echo \" | HTTP server. To verify that Apache actually works |\"" && \
echo "echo \" | correctly you should first check the (initially |\"" && \
echo "echo \" | created or preserved) configuration files: |\"" && \
#define NO_RELIABLE_PIPED_LOGS
#define USE_OS2SEM_SERIALIZED_ACCEPT
#define SINGLE_LISTEN_UNSERIALIZED_ACCEPT
+#define FOPEN_REQUIRES_T
#elif defined(__MACHTEN__)
typedef int rlim_t;
* ap_base64encode_len(), ap_base64decode(),
* ap_base64decode_binary(), ap_base64decode_len(),
* ap_pbase64decode(), ap_pbase64encode()
+ * 19990320.7 - add ap_strcasestr()
*/
/*
#ifndef MODULE_MAGIC_NUMBER_MAJOR
#define MODULE_MAGIC_NUMBER_MAJOR 19990320
#endif
-#define MODULE_MAGIC_NUMBER_MINOR 6 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 7 /* 0...n */
#define MODULE_MAGIC_NUMBER MODULE_MAGIC_NUMBER_MAJOR /* backward compat */
/* Useful for testing for features. */
*/
unsigned d_is_fnmatch : 1;
+ /* should we force a charset on any outgoing parameterless content-type?
+ * if so, which charset?
+ */
+#define ADD_DEFAULT_CHARSET_OFF (0)
+#define ADD_DEFAULT_CHARSET_ON (1)
+#define ADD_DEFAULT_CHARSET_UNSET (2)
+ unsigned add_default_charset : 2;
+ char *add_default_charset_name;
+
/* System Resource Control */
#ifdef RLIMIT_CPU
struct rlimit *limit_cpu;
/* The path to the suExec wrapper, can be overridden in Configuration */
#ifndef SUEXEC_BIN
-#define SUEXEC_BIN HTTPD_ROOT "/sbin/suexec"
+#define SUEXEC_BIN HTTPD_ROOT "/bin/suexec"
#endif
/* The default string lengths */
#define DEFAULT_LIMIT_REQUEST_FIELDS 100
#endif /* default limit on number of request header fields */
+/*
+ * The default default character set name to add if AddDefaultCharset is
+ * enabled. Overridden with AddDefaultCharsetName.
+ */
+#define DEFAULT_ADD_DEFAULT_CHARSET_NAME "iso-8859-1"
+
/*
* The below defines the base string of the Server: header. Additional
* tokens can be added via the ap_add_version_component() API call.
* Example: "Apache/1.1.0 MrWidget/0.1-alpha"
*/
-#define SERVER_BASEVERSION "Apache/1.3.11" /* SEE COMMENTS ABOVE */
+#define SERVER_BASEVERSION "Apache/1.3.12" /* SEE COMMENTS ABOVE */
#define SERVER_VERSION SERVER_BASEVERSION
enum server_token_type {
SrvTk_MIN, /* eg: Apache/1.3.0 */
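Review bot: the comment added above DEFAULT_ADD_DEFAULT_CHARSET_NAME says the value is "Overridden with AddDefaultCharsetName", but the only directive this patch registers is AddDefaultCharset, which takes the charset name as its argument. Reword the comment to name the real directive, and drop the doubled "default default".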
* Always increases along the same track as the source branch.
* For example, Apache 1.4.2 would be '10402100', 2.5b7 would be '20500007'.
*/
-#define APACHE_RELEASE 10311100
+#define APACHE_RELEASE 10312100
#define SERVER_PROTOCOL "HTTP/1.1"
#ifndef SERVER_SUPPORT
API_EXPORT(int) ap_is_matchexp(const char *str);
API_EXPORT(int) ap_strcmp_match(const char *str, const char *exp);
API_EXPORT(int) ap_strcasecmp_match(const char *str, const char *exp);
+API_EXPORT(char *) ap_strcasestr(const char *s1, const char *s2);
API_EXPORT(char *) ap_pbase64decode(pool *p, const char *bufcoded);
API_EXPORT(char *) ap_pbase64encode(pool *p, char *string);
API_EXPORT(char *) ap_uudecode(pool *p, const char *bufcoded);
conf->server_signature = srv_sig_unset;
+ conf->add_default_charset = ADD_DEFAULT_CHARSET_UNSET;
+ conf->add_default_charset_name = DEFAULT_ADD_DEFAULT_CHARSET_NAME;
+
return (void *)conf;
}
conf->server_signature = new->server_signature;
}
+ if (new->add_default_charset != ADD_DEFAULT_CHARSET_UNSET) {
+ conf->add_default_charset = new->add_default_charset;
+ }
+
+ if (new->add_default_charset_name) {
+ conf->add_default_charset_name = new->add_default_charset_name;
+ }
+
return (void*)conf;
}
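Review bot: the merge of add_default_charset_name is not guarded the same way as the flag, and the test "if (new->add_default_charset_name)" can never be false, because the create function in the previous hunk always sets the name to DEFAULT_ADD_DEFAULT_CHARSET_NAME. A directory that never mentions AddDefaultCharset therefore inherits the parent's ON state but has the parent's charset name replaced by iso-8859-1. Copy the name only inside the "!= ADD_DEFAULT_CHARSET_UNSET" block, or initialise it to NULL and apply the default where it is used.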
}
#endif /*GPROF*/
+static const char *set_add_default_charset(cmd_parms *cmd,
+ core_dir_config *d, char *arg)
+{
+ const char *err = ap_check_cmd_context(cmd, NOT_IN_LIMIT);
+ if (err != NULL) {
+ return err;
+ }
+ if (!strcasecmp(arg, "Off")) {
+ d->add_default_charset = ADD_DEFAULT_CHARSET_OFF;
+ }
+ else if (!strcasecmp(arg, "On")) {
+ d->add_default_charset = ADD_DEFAULT_CHARSET_ON;
+ d->add_default_charset_name = DEFAULT_ADD_DEFAULT_CHARSET_NAME;
+ }
+ else {
+ d->add_default_charset = ADD_DEFAULT_CHARSET_ON;
+ d->add_default_charset_name = arg;
+ }
+ return NULL;
+}
+
static const char *set_document_root(cmd_parms *cmd, void *dummy, char *arg)
{
void *sconf = cmd->server->module_config;
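Review bot: in the final else branch of set_add_default_charset, arg is stored as the charset name with no check at all, so any string other than On or Off is accepted. The command table entry added later in this patch registers the directive with OR_FILEINFO, which means the value can come from per-directory configuration. Since it is destined for the Content-Type of outgoing responses, reject anything that is not a plain token (no whitespace, control characters, quotes or semicolons) and return an error string instead.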
{ "GprofDir", set_gprof_dir, NULL, RSRC_CONF, TAKE1,
"Directory to plop gmon.out files" },
#endif
+{ "AddDefaultCharset", set_add_default_charset, NULL, OR_FILEINFO,
+ TAKE1, "The name of the default charset to add to any Content-Type without one or 'Off' to disable" },
/* Old resource config file commands */
if (((level & APLOG_LEVELMASK) <= APLOG_WARNING)
&& (ap_table_get(r->notes, "error-notes") == NULL)) {
ap_table_setn(r->notes, "error-notes",
- ap_pvsprintf(r->pool, fmt, args));
+ ap_escape_html(r->pool, ap_pvsprintf(r->pool, fmt,
+ args)));
}
va_end(args);
}
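Review bot: wrapping the formatted message in ap_escape_html() before it is stored in "error-notes" changes what that note contains for every reader of it, not only for the error page. Code that already escapes the note before printing will now double-escape, and code that logs it as plain text will see entities. Add a comment at this call stating that "error-notes" holds HTML-escaped text from now on, so module authors do not escape it a second time or, worse, assume it is raw.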
struct stat finfo;
static pid_t saved_pid = -1;
pid_t mypid;
+#ifndef WIN32
+ mode_t u;
+#endif
if (!fname)
return;
);
}
+#ifndef WIN32
+ u = umask(022);
+ (void) umask(u | 022);
+#endif
if(!(pid_file = fopen(fname, "w"))) {
perror("fopen");
fprintf(stderr, "%s: could not log pid to file %s\n",
ap_server_argv0, fname);
exit(1);
}
+#ifndef WIN32
+ (void) umask(u);
+#endif
fprintf(pid_file, "%ld\n", (long)mypid);
fclose(pid_file);
saved_pid = mypid;
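Review bot: the umask change around fopen(fname, "w") only affects the mode of a file that is newly created; if the pid file already exists with group or world write permission, it is opened and truncated with its old mode intact. If the aim is a pid file that other users cannot write, tighten the mode of the open file as well, or remove a stale file first. The pair "u = umask(022); (void) umask(u | 022);" also needs a one-line comment, since the first call is there only to read the current mask.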
for (pocr = &other_children; *pocr; pocr = &(*pocr)->next) {
if ((*pocr)->data == data) {
nocr = (*pocr)->next;
- (*(*pocr)->maintenance) (OC_REASON_UNREGISTER, (*pocr)->data, -1);
+ (*(*pocr)->maintenance) (OC_REASON_UNREGISTER, (*pocr)->data, (ap_wait_t)-1);
*pocr = nocr;
/* XXX: um, well we've just wasted some space in pconf ? */
return;
continue;
if (FD_ISSET(ocr->write_fd, &writable_fds))
continue;
- (*ocr->maintenance) (OC_REASON_UNWRITABLE, ocr->data, -1);
+ (*ocr->maintenance) (OC_REASON_UNWRITABLE, ocr->data, (ap_wait_t)-1);
}
}
waitret = waitpid(ocr->pid, &status, WNOHANG);
if (waitret == ocr->pid) {
ocr->pid = -1;
- (*ocr->maintenance) (OC_REASON_DEATH, ocr->data, status);
+ (*ocr->maintenance) (OC_REASON_DEATH, ocr->data, (ap_wait_t)status);
}
else if (waitret == 0) {
- (*ocr->maintenance) (OC_REASON_RESTART, ocr->data, -1);
+ (*ocr->maintenance) (OC_REASON_RESTART, ocr->data, (ap_wait_t)-1);
++not_dead_yet;
}
else if (waitret == -1) {
/* uh what the heck? they didn't call unregister? */
ocr->pid = -1;
- (*ocr->maintenance) (OC_REASON_LOST, ocr->data, -1);
+ (*ocr->maintenance) (OC_REASON_LOST, ocr->data, (ap_wait_t)-1);
}
}
#endif
child_timeouts = !ap_standalone || one_process;
+#ifdef BEOS
+ /* make sure we're running in single_process mode - Yuck! */
+ one_process = 1;
+#endif
+
#ifndef TPF
if (ap_standalone) {
ap_open_logs(server_conf, plog);
#endif /*CHARSET_EBCDIC*/
+/*
+ * Builds the content-type that should be sent to the client from the
+ * content-type specified. The following rules are followed:
+ * - if type is NULL, type is set to ap_default_type(r)
+ * - if charset adding is disabled, stop processing and return type.
+ * - then, if there are no parameters on type, add the default charset
+ * - return type
+ */
+static const char *make_content_type(request_rec *r, const char *type) {
+ char *needcset[] = {
+ "text/plain",
+ "text/html",
+ NULL };
+ char **pcset;
+ core_dir_config *conf = (core_dir_config *)ap_get_module_config(
+ r->per_dir_config, &core_module);
+ if (!type) type = ap_default_type(r);
+ if (conf->add_default_charset != ADD_DEFAULT_CHARSET_ON) return type;
+
+ if (ap_strcasestr(type, "charset=") != NULL) {
+ /* already has parameter, do nothing */
+ /* XXX we don't check the validity */
+ ;
+ } else {
+ /* see if it makes sense to add the charset. At present,
+ * we only add it if the Content-type is one of needcset[]
+ */
+ for (pcset = needcset; *pcset ; pcset++)
+ if (ap_strcasestr(type, *pcset) != NULL) {
+ type = ap_pstrcat(r->pool, type, "; charset=",
+ conf->add_default_charset_name, NULL);
+ break;
+ }
+ }
+ return type;
+}
+
static int parse_byterange(char *range, long clength, long *start, long *end)
{
char *dash = strchr(range, '-');
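Review bot: both tests in make_content_type are unanchored substring matches. The ap_strcasestr(type, *pcset) loop will also match types that merely contain text/plain or text/html somewhere in the string, and the "charset=" test matches that text anywhere in the value, for example inside another parameter, which contradicts the header comment that says the charset is added when there are no parameters on type. Suggest comparing the media type up to the first ';' or whitespace against needcset[] and looking for charset only as a parameter name. The needcset array could also be declared static const so it is not rebuilt on every call.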
}
if (r->byterange > 1) {
- const char *ct = r->content_type ? r->content_type : ap_default_type(r);
+ const char *ct = make_content_type(r, r->content_type);
char ts[MAX_STRING_LEN];
ap_snprintf(ts, sizeof(ts), "%ld-%ld/%ld", range_start, range_end,
r->status = HTTP_BAD_REQUEST;
ap_table_setn(r->notes, "error-notes", ap_pstrcat(r->pool,
"Size of a request header field exceeds server limit.<P>\n"
- "<PRE>\n", field, "</PRE>\n", NULL));
+ "<PRE>\n", ap_escape_html(r->pool, field), "</PRE>\n", NULL));
return;
}
copy = ap_palloc(r->pool, len + 1);
r->status = HTTP_BAD_REQUEST; /* or abort the bad request */
ap_table_setn(r->notes, "error-notes", ap_pstrcat(r->pool,
"Request header field is missing colon separator.<P>\n"
- "<PRE>\n", copy, "</PRE>\n", NULL));
+ "<PRE>\n", ap_escape_html(r->pool, copy), "</PRE>\n", NULL));
return;
}
ap_table_setn(r->headers_out, "Content-Type",
ap_pstrcat(r->pool, "multipart", use_range_x(r) ? "/x-" : "/",
"byteranges; boundary=", r->boundary, NULL));
- else if (r->content_type)
- ap_table_setn(r->headers_out, "Content-Type", r->content_type);
- else
- ap_table_setn(r->headers_out, "Content-Type", ap_default_type(r));
+ else ap_table_setn(r->headers_out, "Content-Type", make_content_type(r,
+ r->content_type));
if (r->content_encoding)
ap_table_setn(r->headers_out, "Content-Encoding", r->content_encoding);
r->content_languages = NULL;
r->content_encoding = NULL;
r->clength = 0;
- r->content_type = "text/html";
+ r->content_type = "text/html; charset=iso-8859-1";
if ((status == METHOD_NOT_ALLOWED) || (status == NOT_IMPLEMENTED))
ap_table_setn(r->headers_out, "Allow", make_allow(r));
{
const char *semi;
+ if (intype == NULL) return NULL;
+
semi = strchr(intype, ';');
if (semi == NULL) {
return ap_pstrdup(p, intype);
return 0;
}
+/*
+ * Similar to standard strstr() but we ignore case in this version.
+ * Based on the strstr() implementation further below.
+ */
+API_EXPORT(char *) ap_strcasestr(const char *s1, const char *s2)
+{
+ char *p1, *p2;
+ if (*s2 == '\0') {
+ /* an empty s2 */
+ return((char *)s1);
+ }
+ while(1) {
+ for ( ; (*s1 != '\0') && (ap_tolower(*s1) != ap_tolower(*s2)); s1++);
+ if (*s1 == '\0') return(NULL);
+ /* found first character of s2, see if the rest matches */
+ p1 = (char *)s1;
+ p2 = (char *)s2;
+ while (ap_tolower(*++p1) == ap_tolower(*++p2)) {
+ if (*p1 == '\0') {
+ /* both strings ended together */
+ return((char *)s1);
+ }
+ }
+ if (*p2 == '\0') {
+ /* second string ended, a match */
+ break;
+ }
+ /* didn't find a match here, try starting at next character in s1 */
+ s1++;
+ }
+ return((char *)s1);
+}
/*
* Apache stub function for the regex libraries regexec() to make sure the
* whole regex(3) API is available through the Apache (exported) namespace.
return NULL;
}
+#ifdef FOPEN_REQUIRES_T
file = ap_pfopen(p, name, "rt");
+#else
+ file = ap_pfopen(p, name, "r");
+#endif
#ifdef DEBUG
saved_errno = errno;
ap_log_error(APLOG_MARK, APLOG_DEBUG | APLOG_NOERRNO, NULL,
* Name: digest_auth_module
* ConfigStart
- RULE_DEV_RANDOM=`sh helpers/CutRule DEV_RANDOM $file`
+ RULE_DEV_RANDOM=`./helpers/CutRule DEV_RANDOM $file`
if [ "$RULE_DEV_RANDOM" = "default" ]; then
if [ -r "/dev/random" ]; then
RULE_DEV_RANDOM="/dev/random"
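Review bot: replacing sh helpers/CutRule with ./helpers/CutRule makes this step depend on the helper having its execute bit set and on whatever interpreter line the helper carries, where before it always ran under sh. Source trees unpacked or checked out without preserved modes will now fail here. Either keep the explicit sh invocation or document the requirement; the same applies to the CutRule and TestCompile calls changed in the mod_ssl configuration section.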
static void proxy_init(server_rec *r, pool *p)
{
ap_proxy_garbage_init(r, p);
+#ifdef EAPI
+ ap_hook_use("ap::mod_proxy::init",
+ AP_HOOK_SIG3(void,ptr,ptr), AP_HOOK_ALL, r, p);
+#endif
}
#ifdef EAPI
const char *urlptr = NULL;
const char *datestr;
struct tbl_do_args tdo;
+#ifdef EAPI
+ char *peer;
+#endif
void *sconf = r->server->module_config;
proxy_server_conf *conf =
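Review bot: peer is declared without an initializer and is only assigned inside the two connection-setup branches further down, yet it is later passed to the new_connection hook. Initializing it to NULL at the declaration would make the hook argument well defined on any path that skips both assignments. Also note that the assignments format proxyport and destport with %u; if those variables are signed ints the format should be %d.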
err = ap_proxy_host2addr(proxyhost, &server_hp);
if (err != NULL)
return DECLINED; /* try another */
+#ifdef EAPI
+ peer = ap_psprintf(p, "%s:%u", proxyhost, proxyport);
+#endif
}
else {
server.sin_port = htons(destport);
err = ap_proxy_host2addr(desthost, &server_hp);
if (err != NULL)
return ap_proxyerror(r, HTTP_INTERNAL_SERVER_ERROR, err);
+#ifdef EAPI
+ peer = ap_psprintf(p, "%s:%u", desthost, destport);
+#endif
}
sock = ap_psocket(p, PF_INET, SOCK_STREAM, IPPROTO_TCP);
{
char *errmsg = NULL;
ap_hook_use("ap::mod_proxy::http::handler::new_connection",
- AP_HOOK_SIG3(ptr,ptr,ptr),
+ AP_HOOK_SIG4(ptr,ptr,ptr,ptr),
AP_HOOK_DECLINE(NULL),
- &errmsg, r, f);
+ &errmsg, r, f, peer);
if (errmsg != NULL)
return ap_proxyerror(r, HTTP_BAD_GATEWAY, errmsg);
}
ap_table_setn(r->notes, "error-notes",
ap_pstrcat(r->pool,
"The proxy server could not handle the request "
- "<EM><A HREF=\"", r->uri, "\">",
- r->method, " ", r->uri, "</A></EM>.<P>\n"
- "Reason: <STRONG>", message, "</STRONG>", NULL));
-
- /* Allow the "error-notes" string to be printed by ap_send_error_response() */
+ "<EM><A HREF=\"", ap_escape_uri(r->pool, r->uri),
+ "\">", ap_escape_html(r->pool, r->method),
+ " ",
+ ap_escape_html(r->pool, r->uri), "</A></EM>.<P>\n"
+ "Reason: <STRONG>",
+ ap_escape_html(r->pool, message),
+ "</STRONG>", NULL));
+
+ /* Allow "error-notes" string to be printed by ap_send_error_response() */
ap_table_setn(r->notes, "verbose-error-to", ap_pstrdup(r->pool, "*"));
r->status_line = ap_psprintf(r->pool, "%3.3u Proxy Error", statuscode);
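Review bot: message is now passed through ap_escape_html inside ap_proxyerror, so any caller that builds its message with markup will have that markup shown literally in the error page. The callers should be audited in the same change, and the function comment should state that message is expected to be plain text. For the HREF attribute the value goes through ap_escape_uri only; it would be more robust to apply ap_escape_html to the result as well, since the string is emitted inside a quoted HTML attribute.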
sed -e 's;yy;ssl_expr_yy;g' \
<y.tab.h >ssl_expr_parse.h && rm -f y.tab.h
+nocons:
+ @$(MAKE) $(MFLAGS) $(MFLAGS_STATIC) \
+ SSL_CFLAGS="`echo $(SSL_CFLAGS) |\
+ sed -e 's;-DSSL_CONSERVATIVE;;'`" all
+
+cons:
+ @$(MAKE) $(MFLAGS) $(MFLAGS_STATIC) \
+ SSL_CFLAGS="`echo $(SSL_CFLAGS) |\
+ sed -e 's;-DSSL_CONSERVATIVE;;' \
+ -e 's;^;-DSSL_CONSERVATIVE ;'`" all
noexp:
@$(MAKE) $(MFLAGS) $(MFLAGS_STATIC) \
SSL_CFLAGS="`echo $(SSL_CFLAGS) |\
mod_ssl ``Ralf Engelschall has released an
Apache Interface to OpenSSL excellent module that integrates
http://www.modssl.org/ Apache and SSLeay.''
- Version 2.5 -- Tim J. Hudson
+ Version 2.6 -- Tim J. Hudson
SYNOPSIS
my_rule_SSL_CONSERVATIVE=$SSL_CONSERVATIVE
my_rule_SSL_VENDOR=$SSL_VENDOR
else
- my_rule_SSL_COMPAT=`sh helpers/CutRule SSL_COMPAT $file`
- my_rule_SSL_SDBM=`sh helpers/CutRule SSL_SDBM $file`
- my_rule_SSL_EXPERIMENTAL=`sh helpers/CutRule SSL_EXPERIMENTAL $file`
- my_rule_SSL_CONSERVATIVE=`sh helpers/CutRule SSL_CONSERVATIVE $file`
- my_rule_SSL_VENDOR=`sh helpers/CutRule SSL_VENDOR $file`
+ my_rule_SSL_COMPAT=`./helpers/CutRule SSL_COMPAT $file`
+ my_rule_SSL_SDBM=`./helpers/CutRule SSL_SDBM $file`
+ my_rule_SSL_EXPERIMENTAL=`./helpers/CutRule SSL_EXPERIMENTAL $file`
+ my_rule_SSL_CONSERVATIVE=`./helpers/CutRule SSL_CONSERVATIVE $file`
+ my_rule_SSL_VENDOR=`./helpers/CutRule SSL_VENDOR $file`
fi
#
if [ ".$DBM_LIB" != . ]; then
LIBS_ORIG="$LIBS"
LIBS="$LIBS $DBM_LIB"
- if sh helpers/TestCompile func dbm_open; then
+ if ./helpers/TestCompile func dbm_open; then
SSL_DBM_NAME="Configured DBM ($DBM_LIB)"
SSL_DBM_FLAG="$DBM_LIB"
fi
fi
# 2. check for various vendor DBM libs
if [ ".$SSL_DBM_NAME" = . ]; then
- if sh helpers/TestCompile func dbm_open; then
+ if ./helpers/TestCompile func dbm_open; then
SSL_DBM_NAME='Vendor DBM (libc)'
SSL_DBM_FLAG=''
- elif sh helpers/TestCompile lib dbm dbm_open; then
+ elif ./helpers/TestCompile lib dbm dbm_open; then
SSL_DBM_NAME='Vendor DBM (libdbm)'
SSL_DBM_FLAG='-ldbm'
- elif sh helpers/TestCompile lib ndbm dbm_open; then
+ elif ./helpers/TestCompile lib ndbm dbm_open; then
SSL_DBM_NAME='Vendor DBM (libndbm)'
SSL_DBM_FLAG='-lndbm'
fi
if [ ".$SSL_BASE" = . ]; then
SSL_BASE=`egrep '^SSL_BASE=' $file | tail -1 | awk -F= '{print $2}'`
if [ ".$SSL_BASE" = . ]; then
- SSL_BASE="/usr/local/ssl"
+ if [ -d /usr/local/ssl ]; then
+ SSL_BASE="/usr/local/ssl"
+ else
+ SSL_BASE="SYSTEM"
+ fi
fi
fi
case $SSL_BASE in
exit 1
fi
else
- if [ -f "$SSL_BASE/libssl.a" ]; then
+ if [ -f "$SSL_BASE/libssl.a" -o -f "$SSL_BASE/libssl.so" ]; then
SSL_LIBDIR='$(SSL_BASE)'
my_real_ssl_libdir="$SSL_BASE"
- elif [ -f "$SSL_BASE/lib/libssl.a" ]; then
+ elif [ -f "$SSL_BASE/lib/libssl.a" -o -f "$SSL_BASE/lib/libssl.so" ]; then
SSL_LIBDIR='$(SSL_BASE)/lib'
my_real_ssl_libdir="$SSL_BASE/lib"
else
-mod_ssl/2.5.0-1.3.11
+mod_ssl/2.6.2-1.3.12
* identify the module to SCCS `what' and RCS `ident' commands
*/
static char const sccsid[] = "@(#) mod_ssl/" MOD_SSL_VERSION " >";
-static char const rcsid[] = "$Id: mod_ssl.c,v 1.3 2000/01/25 18:29:53 beck Exp $";
+static char const rcsid[] = "$Id: mod_ssl.c,v 1.4 2000/03/19 11:17:20 beck Exp $";
/*
* the table of configuration directives we provide
"Enable or disable various SSL protocols"
"(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+#ifdef SSL_EXPERIMENTAL
+ /*
+ * Proxy configuration for remote SSL connections
+ */
+ AP_SRV_CMD(ProxyProtocol, RAW_ARGS,
+ "SSL Proxy: enable or disable SSL protocol flavors "
+ "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+ AP_SRV_CMD(ProxyCipherSuite, TAKE1,
+ "SSL Proxy: colon-delimited list of permitted SSL ciphers "
+ "(`XXX:...:XXX' - see manual)")
+ AP_SRV_CMD(ProxyVerify, FLAG,
+ "SSL Proxy: whether to verify the remote certificate "
+ "(`on' or `off')")
+ AP_SRV_CMD(ProxyVerifyDepth, TAKE1,
+ "SSL Proxy: maximum certificate verification depth "
+ "(`N' - number of intermediate certificates)")
+ AP_SRV_CMD(ProxyCACertificateFile, TAKE1,
+ "SSL Proxy: file containing server certificates "
+ "(`/path/to/file' - PEM encoded certificates)")
+ AP_SRV_CMD(ProxyCACertificatePath, TAKE1,
+ "SSL Proxy: directory containing server certificates "
+ "(`/path/to/dir' - contains PEM encoded certificates)")
+ AP_SRV_CMD(ProxyMachineCertificateFile, TAKE1,
+ "SSL Proxy: file containing client certificates "
+ "(`/path/to/file' - PEM encoded certificates)")
+ AP_SRV_CMD(ProxyMachineCertificatePath, TAKE1,
+ "SSL Proxy: directory containing client certificates "
+ "(`/path/to/dir' - contains PEM encoded certificates)")
+#endif
+
/*
* Per-directory context configuration directives
*/
#include <stdlib.h>
#include <stdarg.h>
#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
#include <time.h>
#ifndef WIN32
#include <sys/time.h>
#endif
-#include <sys/stat.h>
+#ifdef WIN32
+#include <wincrypt.h>
+#endif
/* OpenSSL headers */
#include <openssl/ssl.h>
SSL_RSSRC_BUILTIN = 1,
SSL_RSSRC_FILE = 2,
SSL_RSSRC_EXEC = 3
+#if SSL_LIBRARY_VERSION >= 0x00905100
+ ,SSL_RSSRC_EGD = 4
+#endif
} ssl_rssrc_t;
typedef struct {
ssl_rsctx_t nCtx;
char *szCARevocationPath;
char *szCARevocationFile;
X509_STORE *pRevocationStore;
+#ifdef SSL_EXPERIMENTAL
+ /* Configuration details for proxy operation */
+ ssl_proto_t nProxyProtocol;
+ int bProxyVerify;
+ int nProxyVerifyDepth;
+ char *szProxyCACertificatePath;
+ char *szProxyCACertificateFile;
+ char *szProxyClientCertificateFile;
+ char *szProxyClientCertificatePath;
+ char *szProxyCipherSuite;
+ SSL_CTX *pSSLProxyCtx;
+ STACK_OF(X509_INFO) *skProxyClientCerts;
+#endif
#ifdef SSL_VENDOR
ap_ctx *ctx;
#endif
const char *ssl_cmd_SSLOptions(cmd_parms *, SSLDirConfigRec *, const char *);
const char *ssl_cmd_SSLRequireSSL(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLRequire(cmd_parms *, SSLDirConfigRec *, char *);
+#ifdef SSL_EXPERIMENTAL
+const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, char *, const char *);
+const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, char *, char *);
+const char *ssl_cmd_SSLProxyVerify(cmd_parms *, char *, int);
+const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, char *, char *);
+const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, char *, char *);
+const char *ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, char *, char *);
+const char *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, char *, char *);
+const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, char *, char *);
+#endif
/* module initialization */
void ssl_init_Module(server_rec *, pool *);
void ssl_io_register(void);
void ssl_io_unregister(void);
long ssl_io_data_cb(BIO *, int, const char *, int, long, long);
-#ifdef SSL_EXPERIMENTAL
+#ifndef SSL_CONSERVATIVE
void ssl_io_suck(request_rec *, SSL *);
#endif
/* PRNG */
-int ssl_rand_seed(server_rec *, pool *, ssl_rsctx_t);
+int ssl_rand_seed(server_rec *, pool *, ssl_rsctx_t, char *);
/* Extensions */
void ssl_ext_register(void);
* The mapping of obsolete directives to official ones...
*/
+static char *ssl_compat_RequireSSL(pool *, const char *, const char *, const char *);
static char *ssl_compat_SSLSessionLockFile(pool *, const char *, const char *, const char *);
static char *ssl_compat_SSLCacheDisable(pool *, const char *, const char *, const char *);
static char *ssl_compat_SSLRequireCipher(pool *, const char *, const char *, const char *);
CRM_ENTRY( CRM_CMD("SSLClientCAfile"), CRM_SUB("SSLCACertificateFile") )
CRM_ENTRY( CRM_CMD("SSLSessionLockFile"), CRM_CAL(ssl_compat_SSLSessionLockFile) )
CRM_ENTRY( CRM_CMD("SSLCacheDisable"), CRM_CAL(ssl_compat_SSLCacheDisable) )
- CRM_ENTRY( CRM_CMD("RequireSSL"), CRM_SUB("SSLRequireSSL") )
+ CRM_ENTRY( CRM_CMD("RequireSSL"), CRM_CAL(ssl_compat_RequireSSL) )
CRM_ENTRY( CRM_CMD("SSLCipherList"), CRM_SUB("SSLCipherSuite") )
CRM_ENTRY( CRM_CMD("SSLErrorFile"), CRM_LOG("Not needed for mod_ssl") )
CRM_ENTRY( CRM_CMD("SSLRoot"), CRM_LOG("Not supported by mod_ssl") )
CRM_ENTRY( CRM_CMD("SSL_CertificateLogDir"), CRM_LOG("Not supported by mod_ssl") )
CRM_ENTRY( CRM_CMD("AuthCertDir"), CRM_LOG("Not supported by mod_ssl") )
CRM_ENTRY( CRM_CMD("SSL_Group"), CRM_LOG("Not supported by mod_ssl") )
+#ifndef SSL_EXPERIMENTAL
CRM_ENTRY( CRM_CMD("SSLProxyMachineCertPath"), CRM_LOG("Not supported by mod_ssl") )
CRM_ENTRY( CRM_CMD("SSLProxyMachineCertFile"), CRM_LOG("Not supported by mod_ssl") )
CRM_ENTRY( CRM_CMD("SSLProxyCACertificatePath"), CRM_LOG("Not supported by mod_ssl") )
CRM_ENTRY( CRM_CMD("SSLProxyCACertificateFile"), CRM_LOG("Not supported by mod_ssl") )
CRM_ENTRY( CRM_CMD("SSLProxyVerifyDepth"), CRM_LOG("Not supported by mod_ssl") )
CRM_ENTRY( CRM_CMD("SSLProxyCipherList"), CRM_LOG("Not supported by mod_ssl") )
+#else
+ CRM_ENTRY( CRM_CMD("SSLProxyCipherList"), CRM_SUB("SSLProxyCipherSuite") )
+#endif
CRM_END
};
+static char *ssl_compat_RequireSSL(
+ pool *p, const char *oline, const char *cmd, const char *args)
+{
+ char *cp;
+
+ for (cp = (char *)args; ap_isspace(*cp); cp++)
+ ;
+ if (strcEQ(cp, "on"))
+ return "SSLRequireSSL";
+ return "";
+}
+
static char *ssl_compat_SSLSessionLockFile(
pool *p, const char *oline, const char *cmd, const char *args)
{
sc->szCARevocationFile = NULL;
sc->pRevocationStore = NULL;
+#ifdef SSL_EXPERIMENTAL
+ sc->nProxyVerifyDepth = UNSET;
+ sc->szProxyCACertificatePath = NULL;
+ sc->szProxyCACertificateFile = NULL;
+ sc->szProxyClientCertificateFile = NULL;
+ sc->szProxyClientCertificatePath = NULL;
+ sc->szProxyCipherSuite = NULL;
+ sc->nProxyProtocol = SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_TLSV1;
+ sc->bProxyVerify = UNSET;
+ sc->pSSLProxyCtx = NULL;
+#endif
+
(void)memset(sc->szPublicCertFile, 0, SSL_AIDX_MAX*sizeof(char *));
(void)memset(sc->szPrivateKeyFile, 0, SSL_AIDX_MAX*sizeof(char *));
(void)memset(sc->pPublicCert, 0, SSL_AIDX_MAX*sizeof(X509 *));
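Review bot: the initialization block sets every new proxy field except skProxyClientCerts, which the structure change adds and which the client certificate callback later reads and compares against NULL. Unless sc comes from a zero-filling allocator, that pointer is indeterminate when no client certificates are configured; add sc->skProxyClientCerts = NULL here and a matching entry in the merge function, which also omits it. Separately, the default of SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_TLSV1 leaves SSLv2 enabled and TLSv1 disabled for outgoing proxy connections; if that is deliberate for interoperability it deserves a comment, otherwise the default should include TLSv1.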
p, base, add, new);
#endif
+#ifdef SSL_EXPERIMENTAL
+ cfgMergeInt(nProxyVerifyDepth);
+ cfgMergeString(szProxyCACertificatePath);
+ cfgMergeString(szProxyCACertificateFile);
+ cfgMergeString(szProxyClientCertificateFile);
+ cfgMergeString(szProxyClientCertificatePath);
+ cfgMergeString(szProxyCipherSuite);
+ cfgMerge(nProxyProtocol, (SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_TLSV1));
+ cfgMergeBool(bProxyVerify);
+ cfgMerge(pSSLProxyCtx, NULL);
+#endif
+
return new;
}
pRS->nSrc = SSL_RSSRC_EXEC;
pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2+5));
}
+#if SSL_LIBRARY_VERSION >= 0x00905100
+ else if (strlen(arg2) > 4 && strEQn(arg2, "egd:", 4)) {
+ pRS->nSrc = SSL_RSSRC_EGD;
+ pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2+4));
+ }
+#endif
else if (strcEQ(arg2, "builtin")) {
pRS->nSrc = SSL_RSSRC_BUILTIN;
pRS->cpPath = NULL;
return NULL;
}
+#ifdef SSL_EXPERIMENTAL
+
+const char *ssl_cmd_SSLProxyProtocol(
+ cmd_parms *cmd, char *struct_ptr, const char *opt)
+{
+ SSLSrvConfigRec *sc;
+ ssl_proto_t options, thisopt;
+ char action;
+ char *w;
+
+ sc = mySrvConfig(cmd->server);
+ options = SSL_PROTOCOL_NONE;
+ while (opt[0] != NUL) {
+ w = ap_getword_conf(cmd->pool, &opt);
+
+ action = NUL;
+ if (*w == '+' || *w == '-')
+ action = *(w++);
+
+ if (strcEQ(w, "SSLv2"))
+ thisopt = SSL_PROTOCOL_SSLV2;
+ else if (strcEQ(w, "SSLv3"))
+ thisopt = SSL_PROTOCOL_SSLV3;
+ else if (strcEQ(w, "TLSv1"))
+ thisopt = SSL_PROTOCOL_TLSV1;
+ else if (strcEQ(w, "all"))
+ thisopt = SSL_PROTOCOL_ALL;
+ else
+ return ap_pstrcat(cmd->pool, "SSLProxyProtocol: "
+ "Illegal protocol '", w, "'", NULL);
+ if (action == '-')
+ options &= ~thisopt;
+ else if (action == '+')
+ options |= thisopt;
+ else
+ options = thisopt;
+ }
+ sc->nProxyProtocol = options;
+ return NULL;
+}
+
+const char *ssl_cmd_SSLProxyCipherSuite(
+ cmd_parms *cmd, char *struct_ptr, char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->szProxyCipherSuite = arg;
+ return NULL;
+}
+
+const char *ssl_cmd_SSLProxyVerify(
+ cmd_parms *cmd, char *struct_ptr, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->bProxyVerify = (flag ? TRUE : FALSE);
+ return NULL;
+}
+
+const char *ssl_cmd_SSLProxyVerifyDepth(
+ cmd_parms *cmd, char *struct_ptr, char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ int d;
+
+ d = atoi(arg);
+ if (d < 0)
+ return "SSLProxyVerifyDepth: Invalid argument";
+ sc->nProxyVerifyDepth = d;
+ return NULL;
+}
+
+const char *ssl_cmd_SSLProxyCACertificateFile(
+ cmd_parms *cmd, char *struct_ptr, char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ char *cpPath;
+
+ cpPath = ap_server_root_relative(cmd->pool, arg);
+ if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
+ return ap_pstrcat(cmd->pool, "SSLProxyCACertificateFile: file '",
+ cpPath, "' not exists or empty", NULL);
+ sc->szProxyCACertificateFile = cpPath;
+ return NULL;
+}
+
+const char *ssl_cmd_SSLProxyCACertificatePath(
+ cmd_parms *cmd, char *struct_ptr, char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ char *cpPath;
+
+ cpPath = ap_server_root_relative(cmd->pool, arg);
+ if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath))
+ return ap_pstrcat(cmd->pool, "SSLProxyCACertificatePath: directory '",
+ cpPath, "' does not exists", NULL);
+ sc->szProxyCACertificatePath = cpPath;
+ return NULL;
+}
+
+const char *ssl_cmd_SSLProxyMachineCertificateFile(
+ cmd_parms *cmd, char *struct_ptr, char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ char *cpPath;
+
+ cpPath = ap_server_root_relative(cmd->pool, arg);
+ if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath))
+ return ap_pstrcat(cmd->pool, "SSLProxyMachineCertFile: file '",
+ cpPath, "' not exists or empty", NULL);
+ sc->szProxyClientCertificateFile = cpPath;
+ return NULL;
+}
+
+const char *ssl_cmd_SSLProxyMachineCertificatePath(
+ cmd_parms *cmd, char *struct_ptr, char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ char *cpPath;
+
+ cpPath = ap_server_root_relative(cmd->pool, arg);
+ if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath))
+ return ap_pstrcat(cmd->pool, "SSLProxyMachineCertPath: directory '",
+ cpPath, "' does not exists", NULL);
+ sc->szProxyClientCertificatePath = cpPath;
+ return NULL;
+}
+
+#endif /* SSL_EXPERIMENTAL */
+
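Review bot: ssl_cmd_SSLProxyVerifyDepth parses its argument with atoi, so a non-numeric value silently becomes depth 0 and is accepted; use strtol with an end-pointer check and reject trailing garbage. The error strings in the two MachineCertificate handlers name the directives SSLProxyMachineCertFile and SSLProxyMachineCertPath, which do not match the directive names registered in the command table (ProxyMachineCertificateFile and ProxyMachineCertificatePath), so an administrator will search for the wrong name. The messages "not exists or empty" and "does not exists" should read "does not exist or is empty" and "does not exist". None of the handlers use struct_ptr; a comment saying so would avoid compiler-warning cleanups later.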
** _________________________________________________________________
*/
-static int ssl_ext_mp_canon(request_rec *r, char *url);
-static int ssl_ext_mp_handler(request_rec *r, void *cr, char *url, char *proxyhost, int proxyport, char *protocol);
-static int ssl_ext_mp_set_destport(request_rec *r);
-static char *ssl_ext_mp_new_connection(request_rec *r, BUFF *fb);
-static void ssl_ext_mp_close_connection(void *_fb);
-static int ssl_ext_mp_write_host_header(request_rec *r, BUFF *fb, char *host, int port, char *portstr);
+static int ssl_ext_mp_canon(request_rec *, char *);
+static int ssl_ext_mp_handler(request_rec *, void *, char *, char *, int, char *);
+static int ssl_ext_mp_set_destport(request_rec *);
+static char *ssl_ext_mp_new_connection(request_rec *, BUFF *, char *);
+static void ssl_ext_mp_close_connection(void *);
+static int ssl_ext_mp_write_host_header(request_rec *, BUFF *, char *, int, char *);
+#ifdef SSL_EXPERIMENTAL
+static void ssl_ext_mp_init(server_rec *, pool *);
+static int ssl_ext_mp_verify_cb(int, X509_STORE_CTX *);
+static int ssl_ext_mp_clientcert_cb(SSL *, X509 **, EVP_PKEY **);
+#endif
/*
* register us ...
*/
static void ssl_ext_mp_register(void)
{
+#ifdef SSL_EXPERIMENTAL
+ ap_hook_register("ap::mod_proxy::init",
+ ssl_ext_mp_init, AP_HOOK_NOCTX);
+#endif
ap_hook_register("ap::mod_proxy::canon",
ssl_ext_mp_canon, AP_HOOK_NOCTX);
ap_hook_register("ap::mod_proxy::handler",
static void ssl_ext_mp_unregister(void)
{
+#ifdef SSL_EXPERIMENTAL
+ ap_hook_unregister("ap::mod_proxy::init", ssl_ext_mp_init);
+#endif
ap_hook_unregister("ap::mod_proxy::canon", ssl_ext_mp_canon);
ap_hook_unregister("ap::mod_proxy::handler", ssl_ext_mp_handler);
ap_hook_unregister("ap::mod_proxy::http::handler::set_destport",
return;
}
+/*
+ * SSL proxy initialization
+ */
+#ifdef SSL_EXPERIMENTAL
+static void ssl_ext_mp_init(server_rec *s, pool *p)
+{
+ SSLSrvConfigRec *sc;
+ char *cpVHostID;
+ int nVerify;
+ SSL_CTX *ctx;
+ char *cp;
+ STACK_OF(X509_INFO) *sk;
+
+ /*
+ * Initialize each virtual server
+ */
+ for (; s != NULL; s = s->next) {
+ sc = mySrvConfig(s);
+ cpVHostID = ssl_util_vhostid(p, s);
+
+ if (sc->bProxyVerify == UNSET)
+ sc->bProxyVerify = FALSE;
+
+ /*
+ * Create new SSL context and configure callbacks
+ */
+ if (sc->nProxyProtocol == SSL_PROTOCOL_NONE) {
+ ssl_log(s, SSL_LOG_ERROR,
+ "Init: (%s) No Proxy SSL protocols available [hint: SSLProxyProtocol]",
+ cpVHostID);
+ ssl_die();
+ }
+ cp = ap_pstrcat(p, (sc->nProxyProtocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
+ (sc->nProxyProtocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
+ (sc->nProxyProtocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""), NULL);
+ cp[strlen(cp)-2] = NUL;
+ ssl_log(s, SSL_LOG_TRACE,
+ "Init: (%s) Creating new proxy SSL context (protocols: %s)",
+ cpVHostID, cp);
+ if (sc->nProxyProtocol == SSL_PROTOCOL_SSLV2)
+ ctx = SSL_CTX_new(SSLv2_client_method()); /* only SSLv2 is left */
+ else
+ ctx = SSL_CTX_new(SSLv23_client_method()); /* be more flexible */
+ if (ctx == NULL) {
+ ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ "Init: (%s) Unable to create SSL Proxy context", cpVHostID);
+ ssl_die();
+ }
+ sc->pSSLProxyCtx = ctx;
+ SSL_CTX_set_options(ctx, SSL_OP_ALL);
+ if (!(sc->nProxyProtocol & SSL_PROTOCOL_SSLV2))
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+ if (!(sc->nProxyProtocol & SSL_PROTOCOL_SSLV3))
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
+ if (!(sc->nProxyProtocol & SSL_PROTOCOL_TLSV1))
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
+
+ if (sc->szProxyClientCertificateFile || sc->szProxyClientCertificatePath) {
+ sk = sk_X509_INFO_new_null();
+ if (sc->szProxyClientCertificateFile)
+ SSL_load_CrtAndKeyInfo_file(p, sk, sc->szProxyClientCertificateFile);
+ if (sc->szProxyClientCertificatePath)
+ SSL_load_CrtAndKeyInfo_path(p, sk, sc->szProxyClientCertificatePath);
+ ssl_log(s, SSL_LOG_TRACE, "Init: (%s) loaded %d client certs for SSL proxy",
+ cpVHostID, sk_X509_INFO_num(sk));
+ if (sk_X509_INFO_num(sk) > 0) {
+ SSL_CTX_set_client_cert_cb(ctx, ssl_ext_mp_clientcert_cb);
+ sc->skProxyClientCerts = sk;
+ }
+ }
+
+ /*
+ * Calculate OpenSSL verify type for verifying the remote server
+ * certificate. We either verify it against our list of CA's, or don't
+ * bother at all.
+ */
+ nVerify = SSL_VERIFY_NONE;
+ if (sc->bProxyVerify)
+ nVerify |= SSL_VERIFY_PEER;
+ if ( nVerify & SSL_VERIFY_PEER
+ && sc->szProxyCACertificateFile == NULL
+ && sc->szProxyCACertificatePath == NULL) {
+ ssl_log(s, SSL_LOG_ERROR,
+ "Init: (%s) SSLProxyVerify set to On but no CA certificates configured",
+ cpVHostID);
+ ssl_die();
+ }
+ if ( nVerify & SSL_VERIFY_NONE
+ && ( sc->szProxyCACertificateFile != NULL
+ || sc->szProxyCACertificatePath != NULL)) {
+ ssl_log(s, SSL_LOG_WARN,
+ "init: (%s) CA certificates configured but ignored because SSLProxyVerify is Off",
+ cpVHostID);
+ }
+ SSL_CTX_set_verify(ctx, nVerify, ssl_ext_mp_verify_cb);
+
+ /*
+ * Enable session caching. We can safely use the same cache
+ * as used for communicating with the other clients.
+ */
+ SSL_CTX_sess_set_new_cb(sc->pSSLProxyCtx, ssl_callback_NewSessionCacheEntry);
+ SSL_CTX_sess_set_get_cb(sc->pSSLProxyCtx, ssl_callback_GetSessionCacheEntry);
+ SSL_CTX_sess_set_remove_cb(sc->pSSLProxyCtx, ssl_callback_DelSessionCacheEntry);
+
+ /*
+ * Configure SSL Cipher Suite
+ */
+ ssl_log(s, SSL_LOG_TRACE,
+ "Init: (%s) Configuring permitted SSL ciphers for SSL proxy", cpVHostID);
+ if (sc->szProxyCipherSuite != NULL) {
+ if (!SSL_CTX_set_cipher_list(sc->pSSLProxyCtx, sc->szProxyCipherSuite)) {
+ ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ "Init: (%s) Unable to configure permitted SSL ciphers for SSL Proxy",
+ cpVHostID);
+ ssl_die();
+ }
+ }
+
+ /*
+ * Configure Client Authentication details
+ */
+ if (sc->szProxyCACertificateFile != NULL || sc->szProxyCACertificatePath != NULL) {
+ ssl_log(s, SSL_LOG_DEBUG,
+ "Init: (%s) Configuring client verification locations for SSL Proxy",
+ cpVHostID);
+ if (!SSL_CTX_load_verify_locations(sc->pSSLProxyCtx,
+ sc->szProxyCACertificateFile,
+ sc->szProxyCACertificatePath)) {
+ ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR,
+ "Init: (%s) Unable to configure SSL verify locations for SSL proxy",
+ cpVHostID);
+ ssl_die();
+ }
+ }
+ }
+ return;
+}
+#endif /* SSL_EXPERIMENTAL */
+
static int ssl_ext_mp_canon(request_rec *r, char *url)
{
int rc;
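Review bot: in ssl_ext_mp_init the condition nVerify & SSL_VERIFY_NONE can never be true, because SSL_VERIFY_NONE is zero in OpenSSL, so the warning about CA certificates being configured but ignored is dead code. Test nVerify == SSL_VERIFY_NONE (or !sc->bProxyVerify) instead. Related: an UNSET bProxyVerify is turned into FALSE at the top of the loop, which means the remote server certificate is not verified unless the administrator opts in; that default should at least be logged at startup and documented. The comment "Configure Client Authentication details" above the SSL_CTX_load_verify_locations call is misleading, since these are the CA locations used to verify the remote server.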
return DEFAULT_HTTP_PORT;
}
-static char *ssl_ext_mp_new_connection(request_rec *r, BUFF *fb)
+static char *ssl_ext_mp_new_connection(request_rec *r, BUFF *fb, char *peer)
{
+#ifndef SSL_EXPERIMENTAL
SSL_CTX *ssl_ctx;
+#endif
SSL *ssl;
char *errmsg;
int rc;
char *cpVHostID;
char *cpVHostMD5;
+#ifdef SSL_EXPERIMENTAL
+ SSLSrvConfigRec *sc;
+ char *cp;
+#endif
if (ap_ctx_get(r->ctx, "ssl::proxy::enabled") == PFALSE)
return NULL;
+
+ /*
+ * Find context
+ */
+#ifdef SSL_EXPERIMENTAL
+ sc = mySrvConfig(r->server);
+#endif
cpVHostID = ssl_util_vhostid(r->pool, r->server);
/*
* Create a SSL context and handle
*/
+#ifdef SSL_EXPERIMENTAL
+ ssl = SSL_new(sc->pSSLProxyCtx);
+#else
ssl_ctx = SSL_CTX_new(SSLv23_client_method());
- if ((ssl = SSL_new(ssl_ctx)) == NULL) {
- errmsg = ap_pstrcat(r->pool, "SSL new failed (%s): ", cpVHostID,
- ERR_reason_error_string(ERR_get_error()), NULL);
+ ssl = SSL_new(ssl_ctx);
+#endif
+ if (ssl == NULL) {
+ errmsg = ap_psprintf(r->pool, "SSL proxy new failed (%s): peer %s: %s",
+ cpVHostID, peer, ERR_reason_error_string(ERR_get_error()));
ap_ctx_set(fb->ctx, "ssl", NULL);
return errmsg;
}
SSL_clear(ssl);
cpVHostMD5 = ap_md5(r->pool, cpVHostID);
if (!SSL_set_session_id_context(ssl, (unsigned char *)cpVHostMD5, strlen(cpVHostMD5))) {
- errmsg = ap_pstrcat(r->pool, "Unable to set session id context to `%s': ", cpVHostMD5,
- ERR_reason_error_string(ERR_get_error()), NULL);
+ errmsg = ap_psprintf(r->pool, "Unable to set session id context to `%s': peer %s: %s",
+ cpVHostMD5, peer, ERR_reason_error_string(ERR_get_error()));
ap_ctx_set(fb->ctx, "ssl", NULL);
return errmsg;
}
SSL_set_fd(ssl, fb->fd);
+#ifdef SSL_EXPERIMENTAL
+ SSL_set_app_data(ssl, fb->ctx);
+#endif
ap_ctx_set(fb->ctx, "ssl", ssl);
+#ifdef SSL_EXPERIMENTAL
+ ap_ctx_set(fb->ctx, "ssl::proxy::server_rec", r->server);
+ ap_ctx_set(fb->ctx, "ssl::proxy::peer", peer);
+ ap_ctx_set(fb->ctx, "ssl::proxy::servername", cpVHostID);
+ ap_ctx_set(fb->ctx, "ssl::proxy::verifyerror", NULL);
+#endif
/*
* Give us a chance to gracefully close the connection
* Establish the SSL connection
*/
if ((rc = SSL_connect(ssl)) <= 0) {
- errmsg = ap_pstrcat(r->pool, "SSL connect failed (%s): ", cpVHostID,
- ERR_reason_error_string(ERR_get_error()), NULL);
+#ifdef SSL_EXPERIMENTAL
+ if ((cp = (char *)ap_ctx_get(fb->ctx, "ssl::proxy::verifyerror")) != NULL) {
+ SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
+ SSL_smart_shutdown(ssl);
+ SSL_free(ssl);
+ ap_ctx_set(fb->ctx, "ssl", NULL);
+ ap_bsetflag(fb, B_EOF|B_EOUT, 1);
+ return NULL;
+ }
+#endif
+ errmsg = ap_psprintf(r->pool, "SSL proxy connect failed (%s): peer %s: %s",
+ cpVHostID, peer, ERR_reason_error_string(ERR_get_error()));
+ ssl_log(r->server, SSL_LOG_ERROR, errmsg);
SSL_free(ssl);
ap_ctx_set(fb->ctx, "ssl", NULL);
return errmsg;
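Review bot: ssl_log(r->server, SSL_LOG_ERROR, errmsg) passes errmsg as the format string. errmsg was just built from peer and cpVHostID, and peer is derived from the host name of the proxied request, so a percent sign in that value would be interpreted as a conversion specifier. Call it as ssl_log(r->server, SSL_LOG_ERROR, "%s", errmsg). Also, the verifyerror branch frees the SSL handle and returns NULL, which is the same value the function returns on success; the caller in mod_proxy only treats a non-NULL result as an error, so please add a comment explaining how the caller is expected to notice the aborted connection (presumably through the B_EOF|B_EOUT flags).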
{
BUFF *fb = _fb;
SSL *ssl;
+ SSL_CTX *ctx;
ssl = ap_ctx_get(fb->ctx, "ssl");
if (ssl != NULL) {
+ ctx = SSL_get_SSL_CTX(ssl);
SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
SSL_smart_shutdown(ssl);
SSL_free(ssl);
ap_ctx_set(fb->ctx, "ssl", NULL);
+ if (ctx != NULL)
+ SSL_CTX_free(ctx);
}
return;
}
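Review bot: the added SSL_CTX_free(ctx) in the close handler is unconditional, but under SSL_EXPERIMENTAL the handle is created from the shared per-server sc->pSSLProxyCtx, not from a context allocated per connection. SSL_free already drops the reference the SSL handle held, so the extra SSL_CTX_free releases the reference owned by the server configuration and leaves pSSLProxyCtx dangling for the next proxied connection. The free is correct only for the non-experimental path, where new_connection calls SSL_CTX_new itself; guard the three added lines with #ifndef SSL_EXPERIMENTAL.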
return DECLINED;
}
+#ifdef SSL_EXPERIMENTAL
+
+/*
+ * Callback for client certificate stuff.
+ * If the remote site sent us a SSLv3 list of acceptable CA's then trawl the
+ * table of client certs and send the first one that matches.
+ */
+static int ssl_ext_mp_clientcert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
+{
+ SSLSrvConfigRec *sc;
+ X509_NAME *xnx;
+ X509_NAME *issuer;
+ X509_INFO *xi;
+ char *peer;
+ char *servername;
+ server_rec *s;
+ ap_ctx *pCtx;
+ STACK_OF(X509_NAME) *sk;
+ STACK_OF(X509_INFO) *pcerts;
+ char *cp;
+ int i, j;
+
+ pCtx = (ap_ctx *)SSL_get_app_data(ssl);
+ s = ap_ctx_get(pCtx, "ssl::proxy::server_rec");
+ peer = ap_ctx_get(pCtx, "ssl::proxy::peer");
+ servername = ap_ctx_get(pCtx, "ssl::proxy::servername");
+
+ sc = mySrvConfig(s);
+ pcerts = sc->skProxyClientCerts;
+
+ ssl_log(s, SSL_LOG_DEBUG, "Proxy client certificate callback: (%s) entered");
+
+ if ((pcerts == NULL) || (sk_X509_INFO_num(pcerts) <= 0)) {
+ ssl_log(s, SSL_LOG_TRACE,
+ "Proxy client certificate callback: (%s) "
+ "site wanted client certificate but none available",
+ servername);
+ return 0;
+ }
+
+ sk = SSL_get_client_CA_list(ssl);
+
+ if ((sk == NULL) || (sk_X509_NAME_num(sk) <= 0)) {
+ /*
+ * remote site didn't send us a list of acceptable CA certs,
+ * so lets send the first one we came across
+ */
+ xi = sk_X509_INFO_value(pcerts, 0);
+ cp = X509_NAME_oneline(X509_get_subject_name(xi->x509), NULL, 0);
+ ssl_log(s, SSL_LOG_DEBUG,
+ "SSL Proxy: (%s) no acceptable CA list, sending %s",
+ servername, cp != NULL ? cp : "-unknown-");
+ free(cp);
+ /* export structures to the caller */
+ *x509 = xi->x509;
+ *pkey = xi->x_pkey->dec_pkey;
+ /* prevent OpenSSL freeing these structures */
+ CRYPTO_add(&((*x509)->references), +1, CRYPTO_LOCK_X509_PKEY);
+ CRYPTO_add(&((*pkey)->references), +1, CRYPTO_LOCK_X509_PKEY);
+ return 1;
+ }
+
+ for (i = 0; i < sk_X509_NAME_num(sk); i++) {
+ xnx = sk_X509_NAME_value(sk, i);
+ for (j = 0; j < sk_X509_INFO_num(pcerts); j++) {
+ xi = sk_X509_INFO_value(pcerts,j);
+ issuer = X509_get_issuer_name(xi->x509);
+ if (X509_NAME_cmp(issuer, xnx) == 0) {
+ cp = X509_NAME_oneline(X509_get_subject_name(xi->x509), NULL, 0);
+ ssl_log(s, SSL_LOG_DEBUG, "SSL Proxy: (%s) sending %s",
+ servername, cp != NULL ? cp : "-unknown-");
+ free(cp);
+ /* export structures to the caller */
+ *x509 = xi->x509;
+ *pkey = xi->x_pkey->dec_pkey;
+ /* prevent OpenSSL freeing these structures */
+ CRYPTO_add(&((*x509)->references), +1, CRYPTO_LOCK_X509_PKEY);
+ CRYPTO_add(&((*pkey)->references), +1, CRYPTO_LOCK_X509_PKEY);
+ return 1;
+ }
+ }
+ }
+ ssl_log(s, SSL_LOG_TRACE,
+ "Proxy client certificate callback: (%s) "
+ "no client certificate found!?", servername);
+ return 0;
+}
+
+/*
+ * This is the verify callback when we are connecting to a remote SSL server
+ * from the proxy. Information is passed in via the SSL "ctx" app_data
+ * mechanism. We pass in an Apache context in this field, which contains
+ * server_rec of the server making the proxy connection from the
+ * "ssl::proxy::server_rec" context.
+ *
+ * The result of the verification is passed back out to SSLERR via the return
+ * value. We also store the error message in the "proxyverifyfailed" context,
+ * so the caller of SSL_connect() can log a detailed error message.
+ */
+static int ssl_ext_mp_verify_cb(int ok, X509_STORE_CTX *ctx)
+{
+ SSLSrvConfigRec *sc;
+ X509 *xs;
+ int errnum;
+ int errdepth;
+ char *cp, *cp2;
+ ap_ctx *pCtx;
+ server_rec *s;
+ SSL *ssl;
+ char *peer;
+ char *servername;
+
+ ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx);
+ pCtx = (ap_ctx *)SSL_get_app_data(ssl);
+ s = ap_ctx_get(pCtx, "ssl::proxy::server_rec");
+ peer = ap_ctx_get(pCtx, "ssl::proxy::peer");
+ servername = ap_ctx_get(pCtx, "ssl::proxy::servername");
+ sc = mySrvConfig(s);
+
+ /*
+ * Get verify ingredients
+ */
+ xs = X509_STORE_CTX_get_current_cert(ctx);
+ errnum = X509_STORE_CTX_get_error(ctx);
+ errdepth = X509_STORE_CTX_get_error_depth(ctx);
+
+ /*
+ * Log verification information
+ */
+ cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0);
+ cp2 = X509_NAME_oneline(X509_get_issuer_name(xs), NULL, 0);
+ ssl_log(s, SSL_LOG_DEBUG,
+ "SSL Proxy: (%s) Certificate Verification for remote server %s: "
+ "depth: %d, subject: %s, issuer: %s",
+ servername, peer != NULL ? peer : "-unknown-",
+ errdepth, cp != NULL ? cp : "-unknown-",
+ cp2 != NULL ? cp2 : "-unknown");
+ free(cp);
+ free(cp2);
+
+ /*
+ * If we already know it's not ok, log the real reason
+ */
+ if (!ok) {
+ ssl_log(s, SSL_LOG_ERROR,
+ "SSL Proxy: (%s) Certificate Verification failed for %s: "
+ "Error (%d): %s", servername,
+ peer != NULL ? peer : "-unknown-",
+ errnum, X509_verify_cert_error_string(errnum));
+ ap_ctx_set(pCtx, "ssl::proxy::verifyerror",
+ (void *)X509_verify_cert_error_string(errnum));
+ return ok;
+ }
+
+ /*
+ * Check the depth of the certificate chain
+ */
+ if (sc->nProxyVerifyDepth > 0) {
+ if (errdepth > sc->nProxyVerifyDepth) {
+ ssl_log(s, SSL_LOG_ERROR,
+ "SSL Proxy: (%s) Certificate Verification failed for %s: "
+ "Certificate Chain too long "
+ "(chain has %d certificates, but maximum allowed are only %d)",
+ servername, peer, errdepth, sc->nProxyVerifyDepth);
+ ap_ctx_set(pCtx, "ssl::proxy::verifyerror",
+ (void *)X509_verify_cert_error_string(X509_V_ERR_CERT_CHAIN_TOO_LONG));
+ ok = FALSE;
+ }
+ }
+
+ /*
+ * And finally signal OpenSSL the (perhaps changed) state
+ */
+ return (ok);
+}
+
+#endif /* SSL_EXPERIMENTAL */
/* _________________________________________________________________
**
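Review bot: the first ssl_log call in ssl_ext_mp_clientcert_cb, "Proxy client certificate callback: (%s) entered", has a %s conversion but no argument; pass servername as the other calls do. Both places that export a certificate read `xi->x_pkey->dec_pkey` without checking that the X509_INFO entry has a key (or that xi->x509 is set). An entry parsed from a file holding a certificate without its key leaves x_pkey NULL, so such entries should be skipped before the dereference. The two reference bumps use CRYPTO_LOCK_X509_PKEY for both objects, where CRYPTO_LOCK_X509 and CRYPTO_LOCK_EVP_PKEY are the matching lock ids. In ssl_ext_mp_verify_cb the header comment names a "proxyverifyfailed" context but the code stores under "ssl::proxy::verifyerror", and the chain-too-long ssl_log passes peer to %s without the NULL fallback used in the other two calls.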
SSLSrvConfigRec *sc;
server_rec *s2;
char *cp;
- int n;
mc->nInitCount++;
sc->nVerifyClient = SSL_CVERIFY_NONE;
if (sc->nVerifyDepth == UNSET)
sc->nVerifyDepth = 1;
+#ifdef SSL_EXPERIMENTAL
+ if (sc->nProxyVerifyDepth == UNSET)
+ sc->nProxyVerifyDepth = 1;
+#endif
if (sc->nSessionCacheTimeout == UNSET)
sc->nSessionCacheTimeout = SSL_SESSION_CACHE_TIMEOUT;
if (sc->nPassPhraseDialogType == SSL_PPTYPE_UNSET)
/*
* Seed the Pseudo Random Number Generator (PRNG)
*/
- n = ssl_rand_seed(s, p, SSL_RSCTX_STARTUP);
- ssl_log(s, SSL_LOG_INFO, "Init: Seeding PRNG with %d bytes of entropy", n);
+ ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: ");
/*
* allocate the temporary RSA keys and DH params
/* Generate Keys and Params */
if (action == SSL_TKP_GEN) {
- ssl_log(s, SSL_LOG_INFO, "Init: Generating temporary RSA private keys (512/1024 bits)");
+ /* seed PRNG */
+ ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: ");
/* generate 512 bit RSA key */
+ ssl_log(s, SSL_LOG_INFO, "Init: Generating temporary RSA private keys (512/1024 bits)");
if ((rsa = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) {
ssl_log(s, SSL_LOG_ERROR, "Init: Failed to generate temporary 512 bit RSA private key");
+#if 0
ssl_die();
+#else
+ ssl_log(s, SSL_LOG_ERROR, "Init: You probably have no RSA support in libcrypto. See ssl(8)");
+ return;
+#endif
}
asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "RSA:512");
asn1->nData = i2d_RSAPrivateKey(rsa, NULL);
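Review bot: the `#if 0` / `#else` pair around ssl_die() leaves dead code behind and turns a fatal startup error into an early `return` from key generation. Remove the ssl_die() arm instead of compiling it out, and add a comment on what the server is expected to do without an "RSA:512" entry in mc->tTmpKeys, since everything after this point in the function is skipped on that path.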
* Configure additional context ingredients
*/
SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
- if (mc->nSessionCacheMode == SSL_SCMODE_UNSET)
+ if (mc->nSessionCacheMode == SSL_SCMODE_NONE)
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
else
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
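Review bot: with the test changed from SSL_SCMODE_UNSET to SSL_SCMODE_NONE, a value that is still SSL_SCMODE_UNSET when this code runs now takes the else branch and enables SSL_SESS_CACHE_SERVER. Please confirm that UNSET is always resolved to a concrete mode before this point, or handle it explicitly here.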
return;
}
-/* the SSL_read replacement routine which known about the suck buffer */
+/* the SSL_read replacement routine which knows about the suck buffer */
static int ssl_io_suck_read(SSL *ssl, char *buf, int len)
{
ap_ctx *actx;
char *cpVHostMD5;
X509 *xs;
int rc;
- int n;
/*
* Get context
/*
* Seed the Pseudo Random Number Generator (PRNG)
*/
- n = ssl_rand_seed(srvr, conn->pool, SSL_RSCTX_CONNECT);
- ssl_log(srvr, SSL_LOG_TRACE, "Seeding PRNG with %d bytes of entropy", n);
+ ssl_rand_seed(srvr, conn->pool, SSL_RSCTX_CONNECT, "");
/*
* Create a new SSL connection with the configured server SSL context and
ap_pclosef(p, mc->nMutexFD);
/* make sure the childs have access to this file */
+#ifndef OS2
if (geteuid() == 0 /* is superuser */)
chown(mc->szMutexFile, ap_user_id, -1 /* no gid change */);
+#endif
/* open the lockfile for real */
if ((mc->nMutexFD = ap_popenf(p, mc->szMutexFile,
static int ssl_rand_choosenum(int, int);
static int ssl_rand_feedfp(pool *, FILE *, int);
-int ssl_rand_seed(server_rec *s, pool *p, ssl_rsctx_t nCtx)
+int ssl_rand_seed(server_rec *s, pool *p, ssl_rsctx_t nCtx, char *prefix)
{
SSLModConfigRec *mc;
array_header *apRandSeed;
ssl_randseed_t *pRandSeeds;
ssl_randseed_t *pRandSeed;
+ unsigned char stackdata[256];
int nReq, nDone;
FILE *fp;
int i, n, l;
nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes);
ssl_util_ppclose(s, p, fp);
}
+#if SSL_LIBRARY_VERSION >= 0x00905100
+ else if (pRandSeed->nSrc == SSL_RSSRC_EGD) {
+ /*
+ * seed in contents provided by the external
+ * Entropy Gathering Daemon (EGD)
+ */
+ if ((n = RAND_egd(pRandSeed->cpPath)) == -1)
+ continue;
+ nDone += n;
+ }
+#endif
else if (pRandSeed->nSrc == SSL_RSSRC_BUILTIN) {
/*
* seed in the current time (usually just 4 bytes)
l = sizeof(pid_t);
RAND_seed((unsigned char *)&pid, l);
nDone += l;
+
+ /*
+ * seed in some current state of the run-time stack (128 bytes)
+ */
+ n = ssl_rand_choosenum(0, sizeof(stackdata)-128-1);
+ RAND_seed(stackdata+n, 128);
+ nDone += 128;
/*
* seed in an 1KB extract of the current scoreboard
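Review bot: `RAND_seed(stackdata+n, 128)` reads from stackdata, which is declared as `unsigned char stackdata[256];` and never written, so indeterminate stack bytes are fed to the PRNG and 128 is added to nDone for them. Memory checkers will flag the uninitialised read, and the bytes may well be identical on every call. At minimum the comment should say the read is deliberate, and these 128 bytes should not be counted in the figure that the log line reports as entropy.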
}
}
}
+ ssl_log(s, SSL_LOG_INFO, "%sSeeding PRNG with %d bytes of entropy", prefix, nDone);
+
+#if SSL_LIBRARY_VERSION >= 0x00905100
+ if (RAND_status() == 0)
+ ssl_log(s, SSL_LOG_WARN, "%sPRNG still contains not sufficient entropy!", prefix);
+#endif
return nDone;
}
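Review bot: the new ssl_log call is at SSL_LOG_INFO for every caller, including the per-connection call that passes an empty prefix and previously logged at SSL_LOG_TRACE, so each connection now produces an INFO line. Choose the level from nCtx or let the caller pass it. nDone is a count of bytes fed to RAND_seed, not a measure of entropy, so the message text overstates it. The warning text would read better as "PRNG still contains insufficient entropy!".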
result = ssl_var_lookup_ssl_version(p, var+8);
}
else if (ssl != NULL && strcEQ(var, "PROTOCOL")) {
- result = SSL_get_version(ssl);
+ result = (char *)SSL_get_version(ssl);
}
else if (ssl != NULL && strcEQ(var, "SESSION_ID")) {
SSL_SESSION *pSession = SSL_get_session(ssl);
}
#elif defined(OS2)
/* IBM OS/2 */
- execl(SHELL_PATH, SHELL_PATH, "/c", (char *)cmd, NULL);
+ spawnl(P_NOWAIT, SHELL_PATH, SHELL_PATH, "/c", (char *)cmd, NULL);
#else
/* Standard Unix */
execl(SHELL_PATH, SHELL_PATH, "-c", (char *)cmd, NULL);
return NULL;
for (k = 0; read(fileno(fp), &c, 1) == 1
&& (k < MAX_STRING_LEN-1) ; ) {
- if (c == '\n')
+ if (c == '\n' || c == '\r')
break;
buf[k++] = c;
}
return rc;
}
-static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY *key)
+#if SSL_LIBRARY_VERSION <= 0x00904100
+static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key)
{
return ((EVP_PKEY *)ASN1_d2i_bio(
(char *(*)())EVP_PKEY_new,
(char *(*)())d2i_PrivateKey,
(bio), (unsigned char **)(key)));
}
+#endif
EVP_PKEY *SSL_read_PrivateKey(FILE *fp, EVP_PKEY **key, int (*cb)())
{
return FALSE;
}
+/* _________________________________________________________________
+**
+** Low-Level CA Certificate Loading
+** _________________________________________________________________
+*/
+
+#ifdef SSL_EXPERIMENTAL
+
+BOOL SSL_load_CrtAndKeyInfo_file(pool *p, STACK_OF(X509_INFO) *sk, char *filename)
+{
+ BIO *in;
+
+ if ((in = BIO_new(BIO_s_file())) == NULL)
+ return FALSE;
+ if (BIO_read_filename(in, filename) <= 0) {
+ BIO_free(in);
+ return FALSE;
+ }
+ ERR_clear_error();
+#if SSL_LIBRARY_VERSION < 0x00904000
+ PEM_X509_INFO_read_bio(in, sk, NULL);
+#else
+ PEM_X509_INFO_read_bio(in, sk, NULL, NULL);
+#endif
+ BIO_free(in);
+ return TRUE;
+}
+
+BOOL SSL_load_CrtAndKeyInfo_path(pool *p, STACK_OF(X509_INFO) *sk, char *pathname)
+{
+ struct stat st;
+ DIR *dir;
+ pool *sp;
+ struct dirent *nextent;
+ char *fullname;
+ BOOL ok;
+
+ sp = ap_make_sub_pool(p);
+ if ((dir = ap_popendir(sp, pathname)) == NULL) {
+ ap_destroy_pool(sp);
+ return FALSE;
+ }
+ ok = FALSE;
+ while ((nextent = readdir(dir)) != NULL) {
+ fullname = ap_pstrcat(sp, pathname, "/", nextent->d_name, NULL);
+ if (stat(fullname, &st) != 0)
+ continue;
+ if (!S_ISREG(st.st_mode))
+ continue;
+ if (SSL_load_CrtAndKeyInfo_file(sp, sk, fullname))
+ ok = TRUE;
+ }
+ ap_pclosedir(p, dir);
+ ap_destroy_pool(sp);
+ return ok;
+}
+
+#endif /* SSL_EXPERIMENTAL */
+
/* _________________________________________________________________
**
** Extra Server Certificate Chain Support
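Review bot: SSL_load_CrtAndKeyInfo_file discards the return value of PEM_X509_INFO_read_bio and returns TRUE whenever the file could be opened, so SSL_load_CrtAndKeyInfo_path sets `ok = TRUE` for any regular file in the directory, including ones with no PEM data in them. Return FALSE when the read fails and log the file name. In the _path function the directory is opened with `ap_popendir(sp, pathname)` but closed with `ap_pclosedir(p, dir)`; use sp for both. The banner says "Low-Level CA Certificate Loading" although the functions load certificate and key info.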
BOOL SSL_X509_isSGC(X509 *);
BOOL SSL_X509_getBC(X509 *, int *, int *);
BOOL SSL_X509_getCN(pool *, X509 *, char **);
+#ifdef SSL_EXPERIMENTAL
+BOOL SSL_load_CrtAndKeyInfo_file(pool *, STACK_OF(X509_INFO) *, char *);
+BOOL SSL_load_CrtAndKeyInfo_path(pool *, STACK_OF(X509_INFO) *, char *);
+#endif
int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, int (*)());
#endif /* SSL_UTIL_SSL_H */
{
action_dir_config *conf = (action_dir_config *)
ap_get_module_config(r->per_dir_config, &action_module);
- const char *t, *action = r->handler ? r->handler : r->content_type;
+ const char *t, *action = r->handler ? r->handler :
+ ap_field_noparam(r->pool, r->content_type);
const char *script;
int i;
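Review bot: in the initialiser for action, `ap_field_noparam(r->pool, r->content_type)` is reached whenever r->handler is unset, and nothing here guarantees r->content_type is non-NULL at that point. The old code simply carried a NULL through, and the mod_expires hunk in this same patch guards with `if (r->content_type == NULL)` before making the call. Either confirm that ap_field_noparam accepts NULL or add the same guard here.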
{"AuthAuthoritative", ap_set_flag_slot,
(void *) XtOffsetOf(auth_config_rec, auth_authoritative),
OR_AUTHCFG, FLAG,
- "Set to 'no' to allow access control to be passed along to lower modules if the UserID is not known to this module"},
+ "Set to 'off' to allow access control to be passed along to lower modules if the UserID is not known to this module"},
{NULL}
};
ConfigStart
DB_VERSION=''
DB_LIB=''
- if sh helpers/TestCompile func db_create; then
+ if ./helpers/TestCompile func db_create; then
DB_VERSION='Berkeley-DB/3.x'
- elif sh helpers/TestCompile lib db db_create; then
+ elif ./helpers/TestCompile lib db db_create; then
DB_VERSION='Berkeley-DB/3.x'
DB_LIB='-ldb'
- elif sh helpers/TestCompile func db_open; then
+ elif ./helpers/TestCompile func db_open; then
DB_VERSION='Berkeley-DB/2.x'
- elif sh helpers/TestCompile lib db db_open; then
+ elif ./helpers/TestCompile lib db db_open; then
DB_VERSION='Berkeley-DB/2.x'
DB_LIB='-ldb'
- elif sh helpers/TestCompile func dbopen; then
+ elif ./helpers/TestCompile func dbopen; then
DB_VERSION='Berkeley-DB/1.x'
- elif sh helpers/TestCompile lib db dbopen; then
+ elif ./helpers/TestCompile lib db dbopen; then
DB_VERSION='Berkeley-DB/1.x'
DB_LIB='-ldb'
fi
static char *find_item(request_rec *r, array_header *list, int path_only)
{
- const char *content_type = r->content_type;
+ const char *content_type = ap_field_noparam(r->pool, r->content_type);
const char *content_encoding = r->content_encoding;
char *path = r->filename;
typedef struct {
char *metadir;
char *metasuffix;
- char *metafiles;
+ int metafiles;
} cern_meta_dir_config;
static void *create_cern_meta_dir_config(pool *p, char *dummy)
return NULL;
}
-static const char *set_metafiles(cmd_parms *parms, cern_meta_dir_config * dconf, char *arg)
+static const char *set_metafiles(cmd_parms *parms, cern_meta_dir_config * dconf, int arg)
{
dconf->metafiles = arg;
return NULL;
if (r->content_type == NULL)
code = NULL;
else
- code = (char *) ap_table_get(conf->expiresbytype, r->content_type);
+ code = (char *) ap_table_get(conf->expiresbytype,
+ ap_field_noparam(r->pool, r->content_type));
if (code == NULL) {
/* no expires defined for that type, is there a default? */
{
char tag[MAX_STRING_LEN];
char *tag_val;
+ enum {E_NONE, E_URL, E_ENTITY} encode;
+
+ encode = E_ENTITY;
while (1) {
if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
const char *val = ap_table_get(r->subprocess_env, tag_val);
if (val) {
- ap_rputs(val, r);
+ if (encode == E_NONE) {
+ ap_rputs(val, r);
+ }
+ else if (encode == E_URL) {
+ ap_rputs(ap_escape_uri(r->pool, val), r);
+ }
+ else if (encode == E_ENTITY) {
+ ap_rputs(ap_escape_html(r->pool, val), r);
+ }
}
else {
ap_rputs("(none)", r);
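Review bot: the encoding applied by this if/else chain is order-dependent, and the change does not document that. `encode` starts at E_ENTITY and is updated only when the `encoding` attribute is parsed (the branch added further down), so `encoding` affects only the `var` attributes that follow it in the same echo tag, and an unrecognised value leaves the previous encoding in force. Please add this to the directive's documentation, together with a remark that `encoding="none"` restores raw output of the variable.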
else if (!strcmp(tag, "done")) {
return 0;
}
+ else if (!strcmp(tag, "encoding")) {
+ if (!strcasecmp(tag_val, "none")) encode = E_NONE;
+ else if (!strcasecmp(tag_val, "url")) encode = E_URL;
+ else if (!strcasecmp(tag_val, "entity")) encode = E_ENTITY;
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
+ "unknown value \"%s\" to parameter \"encoding\" of "
+ "tag echo in %s",
+ tag_val, r->filename);
+ ap_rputs(error, r);
+ }
+ }
+
else {
ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"unknown parameter \"%s\" to tag echo in %s",
}
else if (!strcmp(tag, "done")) {
for (i = 0; i < arr->nelts; ++i) {
- ap_rvputs(r, elts[i].key, "=", elts[i].val, "\n", NULL);
+ ap_rvputs(r, ap_escape_html(r->pool, elts[i].key), "=",
+ ap_escape_html(r->pool, elts[i].val), "\n", NULL);
}
return 0;
}
{
const char *cp = ap_table_get(r->headers_out, a);
if (!strcasecmp(a, "Content-type") && r->content_type) {
- cp = r->content_type;
+ cp = ap_field_noparam(r->pool, r->content_type);
}
if (cp) {
return cp;
{
int res;
- res = (ap_isascii(c) && isgraph(c)
+ res = (ap_isascii(c) && ap_isgraph(c)
&& (strchr(tspecial, c) == NULL)) ? 1 : -1;
return res;
}
*(const char **)ap_push_array(t) =
"The document name you requested (<code>";
- *(const char **)ap_push_array(t) = r->uri;
+ *(const char **)ap_push_array(t) = ap_escape_html(sub_pool, r->uri);
*(const char **)ap_push_array(t) =
"</code>) could not be found on this server.\n"
"However, we found documents with names similar "
? r->parsed_uri.query : "",
NULL);
*(const char **)ap_push_array(v) = "\"";
- *(const char **)ap_push_array(v) = vuri;
+ *(const char **)ap_push_array(v) = ap_escape_uri(sub_pool, vuri);
*(const char **)ap_push_array(v) = "\";\"";
*(const char **)ap_push_array(v) = reason;
*(const char **)ap_push_array(v) = "\"";
*(const char **)ap_push_array(t) = "<li><a href=\"";
- *(const char **)ap_push_array(t) = vuri;
+ *(const char **)ap_push_array(t) = ap_escape_uri(sub_pool, vuri);
*(const char **)ap_push_array(t) = "\">";
- *(const char **)ap_push_array(t) = vuri;
+ *(const char **)ap_push_array(t) = ap_escape_html(sub_pool, vuri);
*(const char **)ap_push_array(t) = "</a> (";
*(const char **)ap_push_array(t) = reason;
*(const char **)ap_push_array(t) = ")\n";
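Review bot: `reason` is still pushed into the output unescaped, right next to the vuri values that now go through ap_escape_uri and ap_escape_html. If reason is always one of the module's own constant strings, say so in a comment at its assignment; otherwise pass it through ap_escape_html as well.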
*(const char **)ap_push_array(t) =
"Please consider informing the owner of the "
"<a href=\"";
- *(const char **)ap_push_array(t) = ref;
+ *(const char **)ap_push_array(t) = ap_escape_uri(sub_pool, ref);
*(const char **)ap_push_array(t) = "\">referring page</a> "
"about the broken link.\n";
}
*command-related code. This is here to prevent use of ExtendedStatus
* without status_module included.
*/
-static const char *set_extended_status(cmd_parms *cmd, void *dummy, char *arg)
+static const char *set_extended_status(cmd_parms *cmd, void *dummy, int arg)
{
const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
if (err != NULL) {
return err;
}
- if (!strcasecmp(arg, "off") || !strcmp(arg, "0")) {
- ap_extended_status = 0;
- }
- else {
- ap_extended_status = 1;
- }
+ ap_extended_status = arg;
return NULL;
}
static const command_rec status_module_cmds[] =
{
- { "ExtendedStatus", set_extended_status, NULL, RSRC_CONF, TAKE1,
+ { "ExtendedStatus", set_extended_status, NULL, RSRC_CONF, FLAG,
"\"On\" to enable extended status information, \"Off\" to disable" },
{NULL}
};
format_byte_out(r, bytes);
ap_rputs(")\n", r);
ap_rprintf(r, " <i>%s {%s}</i> <b>[%s]</b><br>\n\n",
- score_record.client,
+ ap_escape_html(r->pool, score_record.client),
ap_escape_html(r->pool, score_record.request),
- vhost ? vhost->server_hostname : "(unavailable)");
+ vhost ? ap_escape_html(r->pool,
+ vhost->server_hostname) : "(unavailable)");
}
else { /* !no_table_report */
#ifndef NO_PRETTYPRINT
#else
ap_rprintf(r,
"<td>%s<td nowrap>%s<td nowrap>%s</tr>\n\n",
- score_record.client,
- vhost ? vhost->server_hostname : "(unavailable)",
+ ap_escape_html(r->pool, score_record.client),
+ vhost ? ap_escape_html(r->pool,
+ vhost->server_hostname) : "(unavailable)",
ap_escape_html(r->pool, score_record.request));
#endif
} /* no_table_report */
#ifndef AP_EBCDIC_H
-#define AP_EBCDIC_H "$Id: ebcdic.h,v 1.2 2000/01/25 18:30:05 beck Exp $"
+#define AP_EBCDIC_H "$Id: ebcdic.h,v 1.3 2000/03/19 11:17:32 beck Exp $"
#include <sys/types.h>
#define VENDOR "Apache Group"
#define SOFTWARE "Apache"
-#define VERSION "1.3.11"
+#define VERSION "1.3.12"
#define REGKEY "SOFTWARE\\" VENDOR "\\" SOFTWARE "\\" VERSION
** - Cleaned up by Ralf S. Engelschall <rse@apache.org>, March 1998
** - POST and verbosity by Kurt Sussman <kls@merlot.com>, August 1998
** - HTML table output added by David N. Welton <davidw@prosa.it>, January 1999
- ** - Added Cookie, Arbitrary header and auth support. <dirkx@webweaving.org>, April 199
+ ** - Added Cookie, Arbitrary header and auth support. <dirkx@webweaving.org>, April 1999
**
*/
static void copyright(void)
{
if (!use_html) {
- printf("This is ApacheBench, Version %s\n", VERSION " <$Revision: 1.4 $> apache-1.3");
+ printf("This is ApacheBench, Version %s\n", VERSION " <$Revision: 1.5 $> apache-1.3");
printf("Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/\n");
printf("Copyright (c) 1998-1999 The Apache Group, http://www.apache.org/\n");
printf("\n");
}
else {
printf("<p>\n");
- printf(" This is ApacheBench, Version %s <i><%s></i> apache-1.3<br>\n", VERSION, "$Revision: 1.4 $");
+ printf(" This is ApacheBench, Version %s <i><%s></i> apache-1.3<br>\n", VERSION, "$Revision: 1.5 $");
printf(" Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/<br>\n");
printf(" Copyright (c) 1998-1999 The Apache Group, http://www.apache.org/<br>\n");
printf("</p>\n<p>\n");
)) {
if ($arg eq $name or $arg eq lc($name)) {
my $val = eval "\$CFG_$name";
- $result .= "${val}::";
+ $result .= "${val}##";
$ok = 1;
}
}
exit(1);
}
}
- $result =~ s|::$||;
- $result =~ s|::| |;
+ $result =~ s|##$||;
+ $result =~ s|##| |g;
print $result;
}
#endif
#include "ap.h"
#include "ap_md5.h"
-#if defined(MPE) || defined(QNX) || defined(WIN32) || defined(__TANDEM) || defined(OS390)
+#if defined(MPE) || defined(QNX) || defined(WIN32) || defined(__TANDEM) || defined(OS390) || defined(BEOS)
#include <signal.h>
#else
#include <sys/signal.h>
-.TH htpasswd 1 "February 1997"
-.\" Copyright (c) 1997-1999 The Apache Group. All rights reserved.
+.TH htpasswd 1 "February 2000"
+.\" Copyright (c) 1997-2000 The Apache Group. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
]
[
.B \-m
+|
+.B \-d
+|
+.B \-s
+|
+.B \-p
]
.I passwdfile
.I username
]
[
.B \-m
+|
.B \-d
-.B \-p
+|
.B \-s
+|
+.B \-p
]
.I passwdfile
.I username
Create the \fIpasswdfile\fP. If \fIpasswdfile\fP already exists, it
is rewritten and truncated.
.IP \-m
-Use MD5 encryption for passwords. On Windows and TPF, this is the default.
+Use Apache's modified MD5 algorithm for passwords. Passwords encrypted
+with this algorithm are transportable to any platform (Windows, Unix,
+BeOS, et cetera) running Apache 1.3.9 or later. On Windows and TPF,
+this flag is the default.
.IP \-d
Use crypt() encryption for passwords. The default on all platforms but
Windows and TPF. Though possibly supported by
.IP \-p
Use plaintext passwords. Though
.B htpasswd
-will support creation on all platofrms, the
+will support creation on all platforms, the
.B httpd
deamon will only accept plain text passwords on Windows and TPF.
.IP \fB\fIpasswdfile\fP
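Review bot: two lines below the corrected "platforms", the text still reads "deamon"; fix it to "daemon" in the same change. The new -m paragraph also describes passwords as "encrypted" with the modified MD5 algorithm, where "hashed" would be the accurate term.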
#include <ctype.h>
#ifndef MPE
+#ifndef BEOS
#include <arpa/inet.h>
-#endif
+#else
+/* BeOS lacks the necessary files until we get the new networking */
+#include <netinet/in.h>
+#define NO_ADDRESS 4
+#endif /* BEOS */
+#endif /* MPE */
static void cgethost(struct in_addr ipnum, char *string, int check);
static int getline(char *s, int n);
#!/bin/sh
##
-## mkcert.sh -- Make SSL Certificate Files for `make certificate' command
+## mkcert.sh -- SSL Certificate Generation Utility
## Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.
##
# (do not use /dev/random here, because this device
# doesn't work as expected on all platforms)
randfiles=''
-for file in /var/log/messages /var/adm/messages \
- /kernel /vmunix /vmlinuz \
- /etc/hosts /etc/resolv.conf; do
+for file in /var/log/messages /var/adm/messages /var/log/system.log \
+ /kernel /vmunix /vmlinuz /mach /etc/hosts /etc/resolv.conf; do
if [ -f $file ]; then
if [ ".$randfiles" = . ]; then
randfiles="$file"
fi
done
+# initialize random file
+if [ -f $HOME/.rnd ]; then
+ RANDFILE="$HOME/.rnd"
+else
+ RANDFILE=".mkcert.rnd"
+ touch $RANDFILE
+fi
+export RANDFILE
+
# canonicalize parameters
case "x$type" in
x ) type=test ;;
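Review bot: the fallback `RANDFILE=".mkcert.rnd"` is created with `touch $RANDFILE` in the current directory under the caller's umask, and nothing in this hunk removes it afterwards. openssl writes PRNG seed state to that file, so create it under `umask 077` like the key files and delete it when the script exits. `$HOME` and `$RANDFILE` are also unquoted in the test and the touch.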
fi
if [ ".$algo" = .RSA ]; then
cp $sslcrtdir/snakeoil-rsa.crt $sslcrtdir/server.crt
- cp $sslkeydir/snakeoil-rsa.key $sslkeydir/server.key
+ (umask 077; cp $sslkeydir/snakeoil-rsa.key $sslkeydir/server.key)
else
cp $sslcrtdir/snakeoil-dsa.crt $sslcrtdir/server.crt
- cp $sslkeydir/snakeoil-dsa.key $sslkeydir/server.key
+ (umask 077; cp $sslkeydir/snakeoil-dsa.key $sslkeydir/server.key)
fi
- chmod 600 $sslkeydir/server.key
echo "${T_MD}RESULT: Server Certification Files${T_ME}"
echo ""
echo "o ${T_MD}conf/ssl.key/server.key${T_ME}"
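Review bot: `(umask 077; cp ... $sslkeydir/server.key)` restricts the mode only when cp creates the file. If server.key already exists, cp writes into it and the existing mode is kept, so removing `chmod 600 $sslkeydir/server.key` drops the one step that tightened a key file left over from an earlier run. Keep the chmod after the copy, or remove the target before copying.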
echo "______________________________________________________________________"
echo ""
echo "${T_MD}STEP 1: Generating $algo private key (1024 bit) [server.key]${T_ME}"
- if [ ! -f $HOME/.rnd ]; then
- touch $HOME/.rnd
- fi
if [ ".$algo" = .RSA ]; then
if [ ".$randfiles" != . ]; then
$openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024
else
echo "Generating DSA private key via SnakeOil CA DSA parameters"
if [ ".$randfiles" != . ]; then
- $openssl gendsa -rand $randfiles -out $sslkeydir/server.key $sslprmdir/snakeoil-ca-dsa.prm
+ (umask 077
+ $openssl gendsa -rand $randfiles \
+ -out $sslkeydir/server.key \
+ $sslprmdir/snakeoil-ca-dsa.prm)
else
- $openssl gendsa -out $sslkeydir/server.key $sslprmdir/snakeoil-ca-dsa.prm
+ (umask 077
+ $openssl gendsa -out $sslkeydir/server.key \
+ $sslprmdir/snakeoil-ca-dsa.prm)
fi
if [ $? -ne 0 ]; then
echo "mkcert.sh:Error: Failed to generate DSA private key" 1>&2
exit 1
fi
fi
- chmod 600 $sslkeydir/server.key
echo "______________________________________________________________________"
echo ""
echo "${T_MD}STEP 2: Generating X.509 certificate signing request [server.csr]${T_ME}"
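Review bot: the `chmod 600 $sslkeydir/server.key` removed at the end of this step covered both algorithms, but only the gendsa calls are wrapped in `(umask 077 ...)`. The RSA branch in the preceding hunk, `$openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024`, is unchanged context, so an RSA key is now written under the caller's umask. Wrap genrsa the same way or keep the chmod. The ca.key step and the second server.key step further down show the same pattern.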
done
if [ ".$rc" = .y ]; then
if [ ".$algo" = .RSA ]; then
- $openssl rsa -des3 \
- -in $sslkeydir/server.key \
- -out $sslkeydir/server.key.crypt
+ (umask 077
+ $openssl rsa -des3 \
+ -in $sslkeydir/server.key \
+ -out $sslkeydir/server.key.crypt)
else
- $openssl dsa -des3 \
- -in $sslkeydir/server.key \
- -out $sslkeydir/server.key.crypt
+ (umask 077
+ $openssl dsa -des3 \
+ -in $sslkeydir/server.key \
+ -out $sslkeydir/server.key.crypt)
fi
if [ $? -ne 0 ]; then
echo "mkcert.sh:Error: Failed to encrypt $algo private key" 1>&2
exit 1
fi
- cp $sslkeydir/server.key.crypt $sslkeydir/server.key
+ (umask 077; cp $sslkeydir/server.key.crypt $sslkeydir/server.key)
rm -f $sslkeydir/server.key.crypt
- chmod 600 $sslkeydir/server.key
echo "Fine, you're using an encrypted $algo private key."
else
echo "Warning, you're using an unencrypted $algo private key."
echo "______________________________________________________________________"
echo ""
echo "${T_MD}STEP 1: Generating $algo private key for CA (1024 bit) [ca.key]${T_ME}"
- if [ ! -f $HOME/.rnd ]; then
- touch $HOME/.rnd
- fi
if [ ".$algo" = .RSA ]; then
if [ ".$randfiles" != . ]; then
$openssl genrsa -rand $randfiles -out $sslkeydir/ca.key 1024
if [ ".$randfiles" != . ]; then
$openssl dsaparam -rand $randfiles -out $sslprmdir/ca.prm 1024
echo "Generating DSA private key:"
- $openssl gendsa -rand $randfiles -out $sslkeydir/ca.key $sslprmdir/ca.prm
+ (umask 077
+ $openssl gendsa -rand $randfiles -out $sslkeydir/ca.key $sslprmdir/ca.prm)
else
$openssl dsaparam -out $sslprmdir/ca.prm 1024
echo "Generating DSA private key:"
- $openssl gendsa -out $sslkeydir/ca.key $sslprmdir/ca.prm
+ (umask 077
+ $openssl gendsa -out $sslkeydir/ca.key $sslprmdir/ca.prm)
fi
if [ $? -ne 0 ]; then
echo "mkcert.sh:Error: Failed to generate DSA private key" 1>&2
exit 1
fi
fi
- chmod 600 $sslkeydir/ca.key
echo "______________________________________________________________________"
echo ""
echo "${T_MD}STEP 2: Generating X.509 certificate signing request for CA [ca.csr]${T_ME}"
echo "______________________________________________________________________"
echo ""
echo "${T_MD}STEP 4: Generating $algo private key for SERVER (1024 bit) [server.key]${T_ME}"
- if [ ! -f $HOME/.rnd ]; then
- touch $HOME/.rnd
- fi
if [ ".$algo" = .RSA ]; then
if [ ".$randfiles" != . ]; then
$openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024
fi
else
if [ ".$randfiles" != . ]; then
- $openssl gendsa -rand $randfiles -out $sslkeydir/server.key $sslprmdir/ca.prm
+ (umask 077
+ $openssl gendsa -rand $randfiles \
+ -out $sslkeydir/server.key $sslprmdir/ca.prm)
else
- $openssl gendsa -out $sslkeydir/server.key $sslprmdir/ca.prm
+ (umask 077
+ $openssl gendsa -out $sslkeydir/server.key $sslprmdir/ca.prm)
fi
if [ $? -ne 0 ]; then
echo "mkcert.sh:Error: Failed to generate DSA private key" 1>&2
exit 1
fi
fi
- chmod 600 $sslkeydir/server.key
echo "______________________________________________________________________"
echo ""
echo "${T_MD}STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]${T_ME}"
done
if [ ".$rc" = .y ]; then
if [ ".$algo" = .RSA ]; then
- $openssl rsa -des3 \
- -in $sslkeydir/ca.key \
- -out $sslkeydir/ca.key.crypt
+ (umask 077
+ $openssl rsa -des3 \
+ -in $sslkeydir/ca.key \
+ -out $sslkeydir/ca.key.crypt)
else
- $openssl dsa -des3 \
- -in $sslkeydir/ca.key \
- -out $sslkeydir/ca.key.crypt
+ (umask 077
+ $openssl dsa -des3 \
+ -in $sslkeydir/ca.key \
+ -out $sslkeydir/ca.key.crypt)
fi
if [ $? -ne 0 ]; then
echo "mkcert.sh:Error: Failed to encrypt $algo private key" 1>&2
exit 1
fi
- cp $sslkeydir/ca.key.crypt $sslkeydir/ca.key
+ (umask 077; cp $sslkeydir/ca.key.crypt $sslkeydir/ca.key)
rm -f $sslkeydir/ca.key.crypt
- chmod 600 $sslkeydir/ca.key
echo "Fine, you're using an encrypted private key."
else
echo "Warning, you're using an unencrypted private key."
done
if [ ".$rc" = .y ]; then
if [ ".$algo" = .RSA ]; then
- $openssl rsa -des3 \
- -in $sslkeydir/server.key \
- -out $sslkeydir/server.key.crypt
+ (umask 077
+ $openssl rsa -des3 \
+ -in $sslkeydir/server.key \
+ -out $sslkeydir/server.key.crypt)
else
- $openssl dsa -des3 \
- -in $sslkeydir/server.key \
- -out $sslkeydir/server.key.crypt
+ (umask 077
+ $openssl dsa -des3 \
+ -in $sslkeydir/server.key \
+ -out $sslkeydir/server.key.crypt)
fi
if [ $? -ne 0 ]; then
echo "mkcert.sh:Error: Failed to encrypt $algo private key" 1>&2
exit 1
fi
- cp $sslkeydir/server.key.crypt $sslkeydir/server.key
+ (umask 077; cp $sslkeydir/server.key.crypt $sslkeydir/server.key)
rm -f $sslkeydir/server.key.crypt
- chmod 600 $sslkeydir/server.key
echo "Fine, you're using an encrypted $algo private key."
else
echo "Warning, you're using an unencrypted $algo private key."
exit 1
fi
cp $crt $sslcrtdir/server.crt
- cp $key $sslkeydir/server.key
+ (umask 077; cp $key $sslkeydir/server.key)
else
key=$crt
+ umask 077
+ touch $sslkeydir/server.key
sed -e '/-----BEGIN CERTIFICATE/,/-----END CERTIFICATE/p' -e '/.*/d' \
<$crt >$sslcrtdir/server.crt
sed -e '/-----BEGIN ... PRIVATE KEY/,/-----END ... PRIVATE KEY/p' -e '/.*/d' \
<$key >$sslkeydir/server.key
fi
- chmod 600 $sslkeydir/server.key
$openssl x509 -noout -in $sslcrtdir/server.crt
if [ $? -ne 0 ]; then
echo "mkcert.sh:Error: Failed to check certificate contents: $crt" 1>&2
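Review bot: in the else branch, `umask 077` is set without a subshell, unlike the other uses in this patch, so it stays in force for the rest of the script. `touch $sslkeydir/server.key` also does not change the mode of a file that already exists, and with `chmod 600 $sslkeydir/server.key` removed, an existing server.key with wider permissions keeps them after the sed redirect writes the key into it. Use a subshell as elsewhere and keep the chmod.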