From 7162a7a1f02eb4e2e0065733ca2d04d7558e49e4 Mon Sep 17 00:00:00 2001 
From: beck Date: Sun, 19 Mar 2000 11:16:13 +0000 Subject: [PATCH] apache 1.3.12 + mod_ssl 2.6.2 merge --- usr.sbin/httpd/Announcement | 53 +- usr.sbin/httpd/INSTALL.SSL | 28 +- usr.sbin/httpd/conf/httpd.conf-dist | 554 ++--- usr.sbin/httpd/conf/ssl.crl/Makefile | 2 +- usr.sbin/httpd/conf/ssl.crt/ca-bundle.crt | 1873 +++++++++++++---- usr.sbin/httpd/configure | 15 +- usr.sbin/httpd/htdocs/manual/misc/FAQ.html | 43 +- .../htdocs/manual/misc/rewriteguide.html | 371 ++-- usr.sbin/httpd/htdocs/manual/mod/core.html | 24 + .../httpd/htdocs/manual/mod/directives.html | 2 + .../httpd/htdocs/manual/mod/mod_include.html | 25 +- .../httpd/htdocs/manual/mod/mod_mime.html | 10 +- .../httpd/htdocs/manual/mod/mod_rewrite.html | 267 ++- .../htdocs/manual/mod/mod_ssl/index.html | 2 +- .../htdocs/manual/mod/mod_ssl/ssl_compat.html | 2 +- .../htdocs/manual/mod/mod_ssl/ssl_cover.wml | 4 +- .../htdocs/manual/mod/mod_ssl/ssl_faq.html | 287 +-- .../htdocs/manual/mod/mod_ssl/ssl_faq.wml | 29 +- .../manual/mod/mod_ssl/ssl_glossary.html | 4 +- .../manual/mod/mod_ssl/ssl_glossary.wml | 2 +- .../htdocs/manual/mod/mod_ssl/ssl_howto.html | 2 +- .../htdocs/manual/mod/mod_ssl/ssl_intro.html | 4 +- .../htdocs/manual/mod/mod_ssl/ssl_intro.wml | 2 +- .../manual/mod/mod_ssl/ssl_overview.html | 2 +- .../manual/mod/mod_ssl/ssl_reference.html | 19 +- .../manual/mod/mod_ssl/ssl_reference.wml | 17 +- .../manual/mod/mod_ssl/ssl_template.inc | 2 +- .../httpd/htdocs/manual/vhosts/ip-based.html | 5 +- usr.sbin/httpd/src/ApacheCore.def | 26 +- usr.sbin/httpd/src/CHANGES | 65 +- usr.sbin/httpd/src/CHANGES.SSL | 142 ++ usr.sbin/httpd/src/Configure | 21 +- usr.sbin/httpd/src/ap/ap_getpass.c | 2 +- usr.sbin/httpd/src/helpers/binbuild.sh | 2 +- usr.sbin/httpd/src/include/ap_config.h | 1 + usr.sbin/httpd/src/include/ap_mmn.h | 3 +- usr.sbin/httpd/src/include/http_core.h | 9 + usr.sbin/httpd/src/include/httpd.h | 13 +- usr.sbin/httpd/src/main/http_core.c | 34 + usr.sbin/httpd/src/main/http_log.c | 13 +- 
usr.sbin/httpd/src/main/http_main.c | 15 +- usr.sbin/httpd/src/main/http_protocol.c | 51 +- usr.sbin/httpd/src/main/util.c | 38 + .../modules/experimental/mod_auth_digest.c | 2 +- usr.sbin/httpd/src/modules/proxy/mod_proxy.c | 4 + usr.sbin/httpd/src/modules/proxy/proxy_http.c | 13 +- usr.sbin/httpd/src/modules/proxy/proxy_util.c | 14 +- usr.sbin/httpd/src/modules/ssl/Makefile.tmpl | 10 + usr.sbin/httpd/src/modules/ssl/README | 2 +- usr.sbin/httpd/src/modules/ssl/libssl.module | 28 +- usr.sbin/httpd/src/modules/ssl/libssl.version | 2 +- usr.sbin/httpd/src/modules/ssl/mod_ssl.c | 32 +- usr.sbin/httpd/src/modules/ssl/mod_ssl.h | 36 +- .../httpd/src/modules/ssl/ssl_engine_compat.c | 19 +- .../httpd/src/modules/ssl/ssl_engine_config.c | 160 ++ .../httpd/src/modules/ssl/ssl_engine_ext.c | 398 +++- .../httpd/src/modules/ssl/ssl_engine_init.c | 19 +- .../httpd/src/modules/ssl/ssl_engine_io.c | 2 +- .../httpd/src/modules/ssl/ssl_engine_kernel.c | 4 +- .../httpd/src/modules/ssl/ssl_engine_mutex.c | 2 + .../httpd/src/modules/ssl/ssl_engine_rand.c | 27 +- .../httpd/src/modules/ssl/ssl_engine_vars.c | 2 +- usr.sbin/httpd/src/modules/ssl/ssl_util.c | 4 +- usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c | 63 +- usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h | 4 + .../httpd/src/modules/standard/mod_actions.c | 3 +- .../httpd/src/modules/standard/mod_auth.c | 2 +- .../src/modules/standard/mod_auth_db.module | 12 +- .../src/modules/standard/mod_autoindex.c | 2 +- .../src/modules/standard/mod_cern_meta.c | 4 +- .../httpd/src/modules/standard/mod_expires.c | 3 +- .../httpd/src/modules/standard/mod_include.c | 29 +- .../src/modules/standard/mod_log_config.c | 2 +- .../httpd/src/modules/standard/mod_mime.c | 2 +- .../httpd/src/modules/standard/mod_speling.c | 10 +- .../httpd/src/modules/standard/mod_status.c | 21 +- usr.sbin/httpd/src/os/bs2000/ebcdic.h | 2 +- usr.sbin/httpd/src/os/win32/registry.c | 2 +- usr.sbin/httpd/src/support/ab.c | 6 +- usr.sbin/httpd/src/support/apxs.pl | 6 +- 
usr.sbin/httpd/src/support/htdigest.c | 2 +- usr.sbin/httpd/src/support/htpasswd.1 | 22 +- usr.sbin/httpd/src/support/logresolve.c | 8 +- usr.sbin/httpd/src/support/mkcert.sh | 111 +- 84 files changed, 3813 insertions(+), 1368 deletions(-) diff --git a/usr.sbin/httpd/Announcement b/usr.sbin/httpd/Announcement index 758b5cc4b66..dfd664deac3 100644 --- a/usr.sbin/httpd/Announcement +++ b/usr.sbin/httpd/Announcement 
@@ -1,57 +1,30 @@ -Apache 1.3.11 Released +Apache 1.3.12 Released ====================== The Apache Software Foundation and The Apache Server Project are -pleased to announce the release of version 1.3.11 of the Apache HTTP server. -Apache 1.3.10 was not released due to a last-minute bug found and -fixed after the source was tagged and tested. +pleased to announce the release of version 1.3.12 of the Apache HTTP server. -This new Apache version incorporates numerous significant improvements -to the server. Apart from portability and security fixes, documentation -enhancements, performance improvements, and assorted other minor -features or fixes notable changes are: +The primary changes in this version of Apache are those related to +the ``cross site scripting'' security alerts described at - - Binary and shared builds on several platforms have been - improved. + http://www.cert.org/advisories/CA-2000-02.html + - and - + http://www.apache.org/info/css-security/index.html - - The time that a parent waits for its children to die - after SIGKILL has been sent has been reduced. - - - Various suexec improvements. - - - More rigorous checking of Host: headers to fix security problems - with mass name-based virtual hosting. - - - Addition of the %q logging format directive (logs "?" and the query - string part of a query, or the empty string if no query). - - - Improvement of the OS390 port. - - - Several EBCDIC fixes. - - - Better error reporting during the "compiler sanity" check. - - - Fixed the `quad integer' (aka `long long') handling in ap_snprintf.c - - - mod_rewrite's general substitution function was overhauled. - - - Several WIN32 bugs have been fixed, including: - - CGIs broken if script calls other programs which deliver on stdout - (Search this file for "DETACHED") - - 16 bit CGIs should work now - - Server will not start if passed the -d option with spaces in the - argument. 
+Specifically, charset handling has been improved and reinforced +(including a new directive: AddDefaultCharset) and server generated +pages properly escape ``userland'' input. A complete listing with detailed descriptions is provided in the src/CHANGES file. -We consider Apache 1.3.11 to be the best version of Apache available and +We consider Apache 1.3.12 to be the best version of Apache available and we strongly recommend that users of older versions, especially of the 1.1.x and 1.2.x family, upgrade as soon as possible. No further releases will be made in the 1.2.x family. -Apache 1.3.11 is available for download from +Apache 1.3.12 is available for download from http://www.apache.org/dist/ @@ -62,7 +35,7 @@ Binary distributions are available from http://www.apache.org/dist/binaries/ -As of Apache 1.3.11 binary distributions contain all standard Apache +As of Apache 1.3.12 binary distributions contain all standard Apache modules as shared objects (if supported by the platform) and include full source code. Installation is easily done by executing the included install script. See the README.bindist and INSTALL.bindist diff --git a/usr.sbin/httpd/INSTALL.SSL b/usr.sbin/httpd/INSTALL.SSL index d714a408658..c86eedadcf6 100644 --- a/usr.sbin/httpd/INSTALL.SSL +++ b/usr.sbin/httpd/INSTALL.SSL @@ -37,12 +37,12 @@ Type: MANDATORY o Package: mod_ssl - Version: 2.5.x + Version: 2.6.x Description: The Apache Interface to OpenSSL Reason: The interface module for Apache Homepage: http://www.modssl.org/ Distribution: ftp://ftp.modssl.org/source/ - Tarball: mod_ssl-2.5.x-1.3.x.tar.gz + Tarball: mod_ssl-2.6.x-1.3.x.tar.gz Location: Zurich, Switzerland, Europe Author(s): Ralf S. Engelschall Type: MANDATORY 
@@ -127,7 +127,7 @@ 2. Extract the required packages: $ gzip -d -c apache_1.3.x.tar.gz | tar xvf - ALL - $ gzip -d -c mod_ssl-2.5.x-1.3.x.tar.gz | tar xvf - ALL + $ gzip -d -c mod_ssl-2.6.x-1.3.x.tar.gz | tar xvf - ALL $ gzip -d -c openssl-0.9.x.tar.gz | tar xvf - ALL $ gzip -d -c mm-1.0.x.tar.gz | tar xvf - OPTIONAL $ mkdir rsaref-2.0 US @@ -231,7 +231,7 @@ RSA_BASE variables but get no intermediate chance to add more third-party Apache modules (e.g. mod_perl, PHP3, etc). - $ cd mod_ssl-2.5.x-1.3.x ALL + $ cd mod_ssl-2.6.x-1.3.x ALL $ ./configure \ ALL --with-apache=../apache_1.3.x \ ALL --with-ssl=../openssl-0.9.x \ ALL @@ -304,7 +304,7 @@ EAPI_MM variables manually and either copy your existing certificate manually to conf/ssl.crt/server.crt or use `make certificate': - $ cd mod_ssl-2.5.x-1.3.x ALL + $ cd mod_ssl-2.6.x-1.3.x ALL $ ./configure \ ALL --with-apache=../apache_1.3.x \ ALL --with-crt=/path/to/your/server.crt \ OPTIONAL @@ -378,7 +378,7 @@ EAPI_MM variables manually and more important: you have to install the Apache package manually, too. But feel free to be masochistic ;-) - $ cd mod_ssl-2.5.x-1.3.x ALL + $ cd mod_ssl-2.6.x-1.3.x ALL $ ./configure \ ALL --with-apache=../apache_1.3.x \ ALL --with-crt=/path/to/your/server.crt \ OPTIONAL @@ -437,7 +437,7 @@ o Read the mod_ssl user manual very carefully to understand the SSL-part of your Apache configuration: - $ netscape http://www.modssl.org/docs/2.5/ (official) + $ netscape http://www.modssl.org/docs/2.6/ (official) $ netscape http://localhost/manual/mod/mod_ssl/ (local copy) o Adjust your Apache configuration to your personal requirements. @@ -464,7 +464,7 @@ long as the Extended API (EAPI) didn't change and you've OpenSSL installed somewhere. For this you can use the following procedure: - $ cd mod_ssl-2.5.x-1.3.x ALL + $ cd mod_ssl-2.6.x-1.3.x ALL $ ./configure \ ALL --with-apxs[=/path/to/apache/sbin/apxs] \ ALL --with-ssl=/path/to/openssl \ ALL 
@@ -504,11 +504,11 @@ # extract the packages $ gzip -d -c apache_1.3.x.tar.gz | tar xvf - - $ gzip -d -c mod_ssl-2.5.x-1.3.x.tar.gz | tar xvf - + $ gzip -d -c mod_ssl-2.6.x-1.3.x.tar.gz | tar xvf - $ gzip -d -c mod_perl-1.xx.tar.gz | tar xvf - # apply mod_ssl to Apache source tree - $ cd mod_ssl-2.5.x-1.3.x + $ cd mod_ssl-2.6.x-1.3.x $ ./configure \ --with-apache=../apache_1.3.x $ cd .. @@ -541,7 +541,7 @@ # cleanup after work $ rm -rf mod_perl-1.xx - $ rm -rf mod_ssl-2.5.x-1.3.x + $ rm -rf mod_ssl-2.6.x-1.3.x $ rm -rf apache_1.3.x o Apache + mod_ssl/OpenSSL + PHP3/MySQL @@ -559,11 +559,11 @@ # extract the packages $ gzip -d -c apache_1.3.x.tar.gz | tar xvf - - $ gzip -d -c mod_ssl-2.5.x-1.3.x.tar.gz | tar xvf - + $ gzip -d -c mod_ssl-2.6.x-1.3.x.tar.gz | tar xvf - $ gzip -d -c php-3.0.x.tar.gz | tar xvf - # apply mod_ssl to Apache source tree - $ cd /mod_ssl-2.5.x-1.3.x + $ cd /mod_ssl-2.6.x-1.3.x $ ./configure \ --with-apache=../apache_1.3.x $ cd .. @@ -601,6 +601,6 @@ # cleanup after work $ rm -rf php-3.0.x - $ rm -rf mod_ssl-2.5.x-1.3.x + $ rm -rf mod_ssl-2.6.x-1.3.x $ rm -rf apache_1.3.x diff --git a/usr.sbin/httpd/conf/httpd.conf-dist b/usr.sbin/httpd/conf/httpd.conf-dist index 047116afbb5..97301900640 100644 --- a/usr.sbin/httpd/conf/httpd.conf-dist +++ b/usr.sbin/httpd/conf/httpd.conf-dist @@ -339,7 +339,9 @@ DocumentRoot "@@ServerRoot@@/htdocs" # UserDir: The name of the directory which is appended onto a user's home # directory if a ~user request is received. # -UserDir public_html + + UserDir public_html + # # Control access to UserDir directories. The following is an example @@ -362,7 +364,9 @@ UserDir public_html # DirectoryIndex: Name of the file or files to use as a pre-written HTML # directory index. Separate multiple entries with spaces. # -DirectoryIndex index.html + + DirectoryIndex index.html + # # AccessFileName: The name of the file to look for in each directory 
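Review bot: In the `@@ -339,7 +339,9 @@` hunk of httpd.conf-dist, `UserDir public_html` stays enabled for every account on the new side; the commit only wraps it (the blank `+` lines around it look like container tags lost in this rendering). For a distributed default I would add `UserDir disabled root` directly after it, so that a `~root` request is never mapped into root's home directory. The access-control example that follows the directive lies outside the hunk, so whether it is still commented out cannot be seen from here.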
@@ -408,7 +412,9 @@ UseCanonicalName On # TypesConfig describes where the mime.types file (or equivalent) is # to be found. # -TypesConfig conf/mime.types + + TypesConfig conf/mime.types + # # DefaultType is the default MIME type the server will use for a document 
@@ -506,39 +512,45 @@ ServerSignature On # Aliases: Add here as many aliases as you need (with no limit). The format is # Alias fakename realname # -# Note that if you include a trailing / on fakename then the server will -# require it to be present in the URL. So "/icons" isn't aliased in this -# example, only "/icons/".. -# -Alias /icons/ "@@ServerRoot@@/icons/" - - - Options Indexes MultiViews - AllowOverride None - Order allow,deny - Allow from all - - -# -# ScriptAlias: This controls which directories contain server scripts. -# ScriptAliases are essentially the same as Aliases, except that -# documents in the realname directory are treated as applications and -# run by the server when requested rather than as documents sent to the client. -# The same rules about trailing "/" apply to ScriptAlias directives as to -# Alias. -# -ScriptAlias /cgi-bin/ "@@ServerRoot@@/cgi-bin/" + + + # + # Note that if you include a trailing / on fakename then the server will + # require it to be present in the URL. So "/icons" isn't aliased in this + # example, only "/icons/".. + # + Alias /icons/ "@@ServerRoot@@/icons/" + + + Options Indexes MultiViews + AllowOverride None + Order allow,deny + Allow from all + + + # + # ScriptAlias: This controls which directories contain server scripts. + # ScriptAliases are essentially the same as Aliases, except that + # documents in the realname directory are treated as applications and + # run by the server when requested rather than as documents sent to the client. + # The same rules about trailing "/" apply to ScriptAlias directives as to + # Alias. + # + ScriptAlias /cgi-bin/ "@@ServerRoot@@/cgi-bin/" + + # + # "@@ServerRoot@@/cgi-bin" should be changed to whatever your ScriptAliased + # CGI directory exists, if you have that configured. 
+ # + + AllowOverride None + Options None + Order allow,deny + Allow from all + -# -# "@@ServerRoot@@/cgi-bin" should be changed to whatever your ScriptAliased -# CGI directory exists, if you have that configured. -# - - AllowOverride None - Options None - Order allow,deny - Allow from all - + +# End of aliases. # # Redirect allows you to tell clients about documents which used to exist in 
@@ -550,188 +562,209 @@ ScriptAlias /cgi-bin/ "@@ServerRoot@@/cgi-bin/" # # Directives controlling the display of server-generated directory listings. # + + + # + # FancyIndexing is whether you want fancy directory indexing or standard + # + IndexOptions FancyIndexing + + # + # AddIcon* directives tell the server which icon to show for different + # files or filename extensions. These are only displayed for + # FancyIndexed directories. + # + AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip + + AddIconByType (TXT,/icons/text.gif) text/* + AddIconByType (IMG,/icons/image2.gif) image/* + AddIconByType (SND,/icons/sound2.gif) audio/* + AddIconByType (VID,/icons/movie.gif) video/* + + AddIcon /icons/binary.gif .bin .exe + AddIcon /icons/binhex.gif .hqx + AddIcon /icons/tar.gif .tar + AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv + AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip + AddIcon /icons/a.gif .ps .ai .eps + AddIcon /icons/layout.gif .html .shtml .htm .pdf + AddIcon /icons/text.gif .txt + AddIcon /icons/c.gif .c + AddIcon /icons/p.gif .pl .py + AddIcon /icons/f.gif .for + AddIcon /icons/dvi.gif .dvi + AddIcon /icons/uuencoded.gif .uu + AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl + AddIcon /icons/tex.gif .tex + AddIcon /icons/bomb.gif core + + AddIcon /icons/back.gif .. + AddIcon /icons/hand.right.gif README + AddIcon /icons/folder.gif ^^DIRECTORY^^ + AddIcon /icons/blank.gif ^^BLANKICON^^ + + # + # DefaultIcon is which icon to show for files which do not have an icon + # explicitly set. + # + DefaultIcon /icons/unknown.gif + + # + # AddDescription allows you to place a short description after a file in + # server-generated indexes. These are only displayed for FancyIndexed + # directories. 
+ # Format: AddDescription "description" filename + # + #AddDescription "GZIP compressed document" .gz + #AddDescription "tar archive" .tar + #AddDescription "GZIP compressed tar archive" .tgz + + # + # ReadmeName is the name of the README file the server will look for by + # default, and append to directory listings. + # + # HeaderName is the name of a file which should be prepended to + # directory indexes. + # + # If MultiViews are amongst the Options in effect, the server will + # first look for name.html and include it if found. If name.html + # doesn't exist, the server will then look for name.txt and include + # it as plaintext if found. + # + ReadmeName README + HeaderName HEADER + + # + # IndexIgnore is a set of filenames which directory indexing should ignore + # and not include in the listing. Shell-style wildcarding is permitted. + # + IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t -# -# FancyIndexing is whether you want fancy directory indexing or standard -# -IndexOptions FancyIndexing - -# -# AddIcon* directives tell the server which icon to show for different -# files or filename extensions. These are only displayed for -# FancyIndexed directories. 
-# -AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip - -AddIconByType (TXT,/icons/text.gif) text/* -AddIconByType (IMG,/icons/image2.gif) image/* -AddIconByType (SND,/icons/sound2.gif) audio/* -AddIconByType (VID,/icons/movie.gif) video/* - -AddIcon /icons/binary.gif .bin .exe -AddIcon /icons/binhex.gif .hqx -AddIcon /icons/tar.gif .tar -AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv -AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip -AddIcon /icons/a.gif .ps .ai .eps -AddIcon /icons/layout.gif .html .shtml .htm .pdf -AddIcon /icons/text.gif .txt -AddIcon /icons/c.gif .c -AddIcon /icons/p.gif .pl .py -AddIcon /icons/f.gif .for -AddIcon /icons/dvi.gif .dvi -AddIcon /icons/uuencoded.gif .uu -AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl -AddIcon /icons/tex.gif .tex -AddIcon /icons/bomb.gif core - -AddIcon /icons/back.gif .. -AddIcon /icons/hand.right.gif README -AddIcon /icons/folder.gif ^^DIRECTORY^^ -AddIcon /icons/blank.gif ^^BLANKICON^^ - -# -# DefaultIcon is which icon to show for files which do not have an icon -# explicitly set. -# -DefaultIcon /icons/unknown.gif - -# -# AddDescription allows you to place a short description after a file in -# server-generated indexes. These are only displayed for FancyIndexed -# directories. -# Format: AddDescription "description" filename -# -#AddDescription "GZIP compressed document" .gz -#AddDescription "tar archive" .tar -#AddDescription "GZIP compressed tar archive" .tgz - -# -# ReadmeName is the name of the README file the server will look for by -# default, and append to directory listings. -# -# HeaderName is the name of a file which should be prepended to -# directory indexes. -# -# The server will first look for name.html and include it if found. -# If name.html doesn't exist, the server will then look for name.txt -# and include it as plaintext if found. 
-# -ReadmeName README -HeaderName HEADER - -# -# IndexIgnore is a set of filenames which directory indexing should ignore -# and not include in the listing. Shell-style wildcarding is permitted. -# -IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t - -# -# AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress -# information on the fly. Note: Not all browsers support this. -# Despite the name similarity, the following Add* directives have nothing -# to do with the FancyIndexing customization directives above. -# -AddEncoding x-compress Z -AddEncoding x-gzip gz tgz - -# -# AddLanguage allows you to specify the language of a document. You can -# then use content negotiation to give a browser a file in a language -# it can understand. -# -# Note 1: The suffix does not have to be the same as the language -# keyword --- those with documents in Polish (whose net-standard -# language code is pl) may wish to use "AddLanguage pl .po" to -# avoid the ambiguity with the common suffix for perl scripts. -# -# Note 2: The example entries below illustrate that in quite -# some cases the two character 'Language' abbriviation is not -# identical to the two character 'Country' code for it's country, -# E.g. 'Danmark/dk' versus 'Danish/da'. -# -# Note 3: In the case of 'ltz' we violate the RFC by using a three char -# specifier. But there is 'work in progress' to fix this and get -# the reference data for rfc1766 cleaned up. 
-# -# Danish (da) - Dutch (nl) - English (en) - Estonian (ee) -# French (fr) - German (de) - Greek-Modern (el) -# Italian (it) -Portugese (pt) - Luxembourgeois* (ltz) -# Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cz) -# -AddLanguage da .dk -AddLanguage nl .nl -AddLanguage en .en -AddLanguage et .ee -AddLanguage fr .fr -AddLanguage de .de -AddLanguage el .el -AddLanguage it .it -AddLanguage pt .pt -AddLanguage ltz .lu -AddLanguage ca .ca -AddLanguage es .es -AddLanguage sv .se -AddLanguage cz .cz - -# LanguagePriority allows you to give precedence to some languages -# in case of a tie during content negotiation. -# -# Just list the languages in decreasing order of preference. We have -# more or less alphabetized them here. You probably want to change this. -# -LanguagePriority en da nl et fr de el it pt ltz ca es sv - -# -# AddType allows you to tweak mime.types without actually editing it, or to -# make certain files to be certain types. -# -# For example, the PHP 3.x module (not part of the Apache distribution - see -# http://www.php.net) will typically use: -# -#AddType application/x-httpd-php3 .php3 -#AddType application/x-httpd-php3-source .phps -# -# And for PHP 4.x, use: -# -#AddType application/x-httpd-php .php -#AddType application/x-httpd-php-source .phps - -AddType application/x-tar .tgz - -# -# AddHandler allows you to map certain file extensions to "handlers", -# actions unrelated to filetype. These can be either built into the server -# or added with the Action command (see below) -# -# If you want to use server side includes, or CGI outside -# ScriptAliased directories, uncomment the following lines. 
-# -# To use CGI scripts: -# -#AddHandler cgi-script .cgi - -# -# To use server-parsed HTML files -# -#AddType text/html .shtml -#AddHandler server-parsed .shtml - -# -# Uncomment the following line to enable Apache's send-asis HTTP file -# feature -# -#AddHandler send-as-is asis - -# -# If you wish to use server-parsed imagemap files, use -# -#AddHandler imap-file map + +# End of indexing directives. + +# +# Document types. +# + + + # + # AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress + # information on the fly. Note: Not all browsers support this. + # Despite the name similarity, the following Add* directives have nothing + # to do with the FancyIndexing customization directives above. + # + AddEncoding x-compress Z + AddEncoding x-gzip gz tgz + + # + # AddLanguage allows you to specify the language of a document. You can + # then use content negotiation to give a browser a file in a language + # it can understand. + # + # Note 1: The suffix does not have to be the same as the language + # keyword --- those with documents in Polish (whose net-standard + # language code is pl) may wish to use "AddLanguage pl .po" to + # avoid the ambiguity with the common suffix for perl scripts. + # + # Note 2: The example entries below illustrate that in quite + # some cases the two character 'Language' abbriviation is not + # identical to the two character 'Country' code for its country, + # E.g. 'Danmark/dk' versus 'Danish/da'. + # + # Note 3: In the case of 'ltz' we violate the RFC by using a three char + # specifier. But there is 'work in progress' to fix this and get + # the reference data for rfc1766 cleaned up. 
+ # + # Danish (da) - Dutch (nl) - English (en) - Estonian (ee) + # French (fr) - German (de) - Greek-Modern (el) + # Italian (it) - Portugese (pt) - Luxembourgeois* (ltz) + # Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cz) + # Polish (pl) - Brazilian Portuguese (pt-br) - Japanese (ja) + # + AddLanguage da .dk + AddLanguage nl .nl + AddLanguage en .en + AddLanguage et .ee + AddLanguage fr .fr + AddLanguage de .de + AddLanguage el .el + AddLanguage it .it + AddLanguage ja .ja + AddCharset ISO-2022-JP .jis + AddLanguage pl .po + AddCharset ISO-8859-2 .iso-pl + AddLanguage pt .pt + AddLanguage pt-br .pt-br + AddLanguage ltz .lu + AddLanguage ca .ca + AddLanguage es .es + AddLanguage sv .se + AddLanguage cz .cz + + # LanguagePriority allows you to give precedence to some languages + # in case of a tie during content negotiation. + # + # Just list the languages in decreasing order of preference. We have + # more or less alphabetized them here. You probably want to change this. + # + + LanguagePriority en da nl et fr de el it ja pl pt pt-br ltz ca es sv + + + # + # AddType allows you to tweak mime.types without actually editing it, or to + # make certain files to be certain types. + # + # For example, the PHP 3.x module (not part of the Apache distribution - see + # http://www.php.net) will typically use: + # + #AddType application/x-httpd-php3 .php3 + #AddType application/x-httpd-php3-source .phps + # + # And for PHP 4.x, use: + # + #AddType application/x-httpd-php .php + #AddType application/x-httpd-php-source .phps + + AddType application/x-tar .tgz + + # + # AddHandler allows you to map certain file extensions to "handlers", + # actions unrelated to filetype. These can be either built into the server + # or added with the Action command (see below) + # + # If you want to use server side includes, or CGI outside + # ScriptAliased directories, uncomment the following lines. 
+ # + # To use CGI scripts: + # + #AddHandler cgi-script .cgi + + # + # To use server-parsed HTML files + # + #AddType text/html .shtml + #AddHandler server-parsed .shtml + + # + # Uncomment the following line to enable Apache's send-asis HTTP file + # feature + # + #AddHandler send-as-is asis + + # + # If you wish to use server-parsed imagemap files, use + # + #AddHandler imap-file map + + # + # To enable type maps, you might want to use + # + #AddHandler type-map var -# -# To enable type maps, you might want to use -# -#AddHandler type-map var + +# End of document types. # # Action lets you define media types that will execute a script whenever 
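Review bot: None of the httpd.conf-dist hunks adds an `AddDefaultCharset` line, although the Announcement in this same patch names that directive as part of the charset hardening for the cross-site scripting advisories. The document-types hunk (`@@ -550,188 +562,209 @@`) only adds per-extension `AddCharset` mappings for `.jis` and `.iso-pl`, so with the shipped sample configuration a response that carries no charset of its own presumably still goes out unlabelled. I would add `AddDefaultCharset ISO-8859-1` (or at least a commented-out example) outside the module-conditional blocks, since it is a core directive. It should carry a short comment saying that it labels text responses which do not declare a charset themselves and that sites serving other encodings must adjust it.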
@@ -774,24 +807,31 @@ AddType application/x-tar .tgz # request will *not* be available to such a script. # -# The following directives modify normal HTTP response behavior. -# The first directive disables keepalive for Netscape 2.x and browsers that -# spoof it. There are known problems with these browser implementations. -# The second directive is for Microsoft Internet Explorer 4.0b2 -# which has a broken HTTP/1.1 implementation and does not properly -# support keepalive when it is used on 301 or 302 (redirect) responses. +# Customize behaviour based on the browser # -BrowserMatch "Mozilla/2" nokeepalive -BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 + -# -# The following directive disables HTTP/1.1 responses to browsers which -# are in violation of the HTTP/1.0 spec by not being able to grok a -# basic 1.1 response. -# -BrowserMatch "RealPlayer 4\.0" force-response-1.0 -BrowserMatch "Java/1\.0" force-response-1.0 -BrowserMatch "JDK/1\.0" force-response-1.0 + # + # The following directives modify normal HTTP response behavior. + # The first directive disables keepalive for Netscape 2.x and browsers that + # spoof it. There are known problems with these browser implementations. + # The second directive is for Microsoft Internet Explorer 4.0b2 + # which has a broken HTTP/1.1 implementation and does not properly + # support keepalive when it is used on 301 or 302 (redirect) responses. + # + BrowserMatch "Mozilla/2" nokeepalive + BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 + + # + # The following directive disables HTTP/1.1 responses to browsers which + # are in violation of the HTTP/1.0 spec by not being able to grok a + # basic 1.1 response. + # + BrowserMatch "RealPlayer 4\.0" force-response-1.0 + BrowserMatch "Java/1\.0" force-response-1.0 + BrowserMatch "JDK/1\.0" force-response-1.0 + + # # Allow server status reports, with the URL of http://servername/server-status 
@@ -833,32 +873,32 @@ BrowserMatch "JDK/1\.0" force-response-1.0 # enable the proxy server: # # -#ProxyRequests On -# -# -# Order deny,allow -# Deny from all -# Allow from .your_domain.com -# - -# -# Enable/disable the handling of HTTP/1.1 "Via:" headers. -# ("Full" adds the server version; "Block" removes all outgoing Via: headers) -# Set to one of: Off | On | Full | Block -# -#ProxyVia On - -# -# To enable the cache as well, edit and uncomment the following lines: -# (no cacheing without CacheRoot) -# -#CacheRoot "@@ServerRoot@@/proxy" -#CacheSize 5 -#CacheGcInterval 4 -#CacheMaxExpire 24 -#CacheLastModifiedFactor 0.1 -#CacheDefaultExpire 1 -#NoCache a_domain.com another_domain.edu joes.garage_sale.com + #ProxyRequests On + # + # + # Order deny,allow + # Deny from all + # Allow from .your_domain.com + # + + # + # Enable/disable the handling of HTTP/1.1 "Via:" headers. + # ("Full" adds the server version; "Block" removes all outgoing Via: headers) + # Set to one of: Off | On | Full | Block + # + #ProxyVia On + + # + # To enable the cache as well, edit and uncomment the following lines: + # (no cacheing without CacheRoot) + # + #CacheRoot "@@ServerRoot@@/proxy" + #CacheSize 5 + #CacheGcInterval 4 + #CacheMaxExpire 24 + #CacheLastModifiedFactor 0.1 + #CacheDefaultExpire 1 + #NoCache a_domain.com another_domain.edu joes.garage_sale.com # # End of proxy directives. diff --git a/usr.sbin/httpd/conf/ssl.crl/Makefile b/usr.sbin/httpd/conf/ssl.crl/Makefile index 5401506fb7f..e8b5ae69e8e 100644 --- a/usr.sbin/httpd/conf/ssl.crl/Makefile +++ b/usr.sbin/httpd/conf/ssl.crl/Makefile @@ -36,7 +36,7 @@ update: clean n=0; \ while [ 1 ]; do \ hash="`$$ssl_program crl -noout -hash <$$file`"; \ - if [ -r "$$hash.$$n" ]; then \ + if [ -r "$$hash.r$$n" ]; then \ n=`expr $$n + 1`; \ else \ echo dummy |\ diff --git a/usr.sbin/httpd/conf/ssl.crt/ca-bundle.crt b/usr.sbin/httpd/conf/ssl.crt/ca-bundle.crt index 478f5f681e2..839857a4433 100644 --- a/usr.sbin/httpd/conf/ssl.crt/ca-bundle.crt 
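Review bot: In the ssl.crl/Makefile hunk the output of `$$ssl_program crl -noout -hash <$$file` is used unchecked. If the command fails on a file that is not a parseable CRL, `hash` is empty and the existence test runs against `.r0`, `.r1`, and so on, so that CRL would silently end up without a usable hashed name. A guard directly after the assignment makes the failure visible, for example `[ -n "$$hash" ] || { echo "skipping $$file: cannot compute CRL hash" 1>&2; break; }; \`. The hash is also recomputed on every pass of `while [ 1 ]` although it does not depend on `n`, so it could be computed once before the loop. The loop body continues past the end of the hunk, so the link step itself is not visible here.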
+++ b/usr.sbin/httpd/conf/ssl.crt/ca-bundle.crt @@ -1,10 +1,10 @@ ## ## ca-bundle.crt -- Bundle of CA Root Certificates -## Last Modified: Fri Oct 22 17:15:27 CEST 1999 +## Last Modified: Thu Mar 2 09:32:46 CET 2000 ## ## This is a bundle of X.509 certificates of public ## Certificate Authorities (CA). These were automatically -## extracted from Netscape Communicator's certificate database +## extracted from Netscape Communicator 4.72's certificate database ## (the file `cert7.db'). It contains the certificates in both ## plain text and PEM format and therefore can be directly used ## with an Apache+mod_ssl webserver for SSL client authentication. 
@@ -15,82 +15,90 @@ ABAecom (sub., Am. Bankers Assn.) Root CA ========================================= -MD5 Fingerprint: BA:D9:60:04:63:E6:92:07:3C:C5:38:93:66:38:24:FE +MD5 Fingerprint: 82:12:F7:89:E1:0B:91:60:A4:B6:22:9F:94:68:11:92 PEM Data: -----BEGIN CERTIFICATE----- -MIIDkjCCAnqgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBgzELMAkGA1UEBhMCVVMx -CzAJBgNVBAgTAkRDMRMwEQYDVQQHEwpXYXNoaW5ndG9uMRcwFQYDVQQKEw5BQkEu -RUNPTSwgSW5jLjEZMBcGA1UEAxMQQUJBLkVDT00gUm9vdCBDQTEeMBwGCSqGSIb3 -DQEJARYPa2RhZ3Vpb0BhYmEuY29tMB4XDTk4MDcyOTE2NTk1MloXDTA1MDcyNzE2 -NTk1MlowgYMxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJEQzETMBEGA1UEBxMKV2Fz -aGluZ3RvbjEXMBUGA1UEChMOQUJBLkVDT00sIEluYy4xGTAXBgNVBAMTEEFCQS5F -Q09NIFJvb3QgQ0ExHjAcBgkqhkiG9w0BCQEWD2tkYWd1aW9AYWJhLmNvbTCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMae3L3cDgkaUcaSm5lrjGmJvhvF -ohFOhGYNmfH/H5mhM9a0kouli57Wp5DEybSBGp6HUP9zVqdtEFsIE6asCKkaIHIa -DzN0sVixVm81Nj0zXpPjmgK1obfxbzEFNQ3XoA/OMmexPUj2SYuisf5GgC4/7EQN -FKfeuhDXvAn/VZZRF05luCegEpEA9bc7Ur2oNT4T0xhRvRb3fRIBiTc768GiYEK+ -QBzTd2hv+LQHfma542pUDaboHGDi7+6drWPsk2udrWMOno8jlhcF/Oh11hQ16i2D -mvZVjpNNsYziQWJk0P1G0/kVeo5G1EjbNge1b3JlD3BHdBW87oNQzk72r90CAwEA -AaMPMA0wCwYDVR0PBAQDAgLUMA0GCSqGSIb3DQEBBQUAA4IBAQBobiY2tbG5cy5Y -88T6IXNua5n4739dw7v3GyaeotvxbzI/5NjejwuXiE6bNp3RhWABmMdovkPBBoBn -JuMZwXZG3VfOxPa54d2cxyoEYZUpuXa/f93fs5fPmMsz5AXUyi3Z4xIpXhjoPwXM -aN5mX6LB15EExfCQSEFgW6hC85lUL6s3FVwTyTasHxaTWV1vXjkToFrSvTAPeGg8 -ptYvOS8ME51zN+daqhu3HsGRKb+Z8lqYclOV9IAyznxRb7XNSpnc44MbwcGdchyU -vjtfIwfoAWmL22SjjLIFKQFSfX5zrRHnLDVqCyMKGnnfcqLRR5/I61zt/szuAQkw -sV/IDA62 +MIID+DCCAuCgAwIBAgIRANAeQJAAACdLAAAAAQAAAAQwDQYJKoZIhvcNAQEFBQAw +gYwxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIEwRVdGFoMRcwFQYDVQQHEw5TYWx0IExh +a2UgQ2l0eTEYMBYGA1UEChMPWGNlcnQgRVogYnkgRFNUMRgwFgYDVQQDEw9YY2Vy +dCBFWiBieSBEU1QxITAfBgkqhkiG9w0BCQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTAe +Fw05OTA3MTQxNjE0MThaFw0wOTA3MTExNjE0MThaMIGMMQswCQYDVQQGEwJVUzEN +MAsGA1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENpdHkxGDAWBgNVBAoT +D1hjZXJ0IEVaIGJ5IERTVDEYMBYGA1UEAxMPWGNlcnQgRVogYnkgRFNUMSEwHwYJ 
+KoZIhvcNAQkBFhJjYUBkaWdzaWd0cnVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQCtVBjetL/3reh0qu2LfI/C1HUa1YS5tmL8ie/kl2GS+x24 +4VpHNJ6eBiL70+o4y7iLB/caoBd3B1owHNQpOCDXJ0DYUJNDv9IYoil2BXKqa7Zp +mKt5Hhxl9WqL/MUWqqJy2mDtTm4ZJXoKHTDjUJtCPETrobAgHtsCfv49H7/QAIrb +QHamGKUVp1e2UsIBF5h3j4qBxhq0airmr6nWAKzP2BVJfNsbof6B+of505DBAsD5 +0ELpkWglX8a/hznplQBgKL+DLMDnXrbXNhbnYId26OcnsiUNi3rlqh3lWc3OCw5v +xsic4xDZhTnTt5v6xrp8dNJddVardKSiUb9SfO5xAgMBAAGjUzBRMA8GA1UdEwEB +/wQFMAMBAf8wHwYDVR0jBBgwFoAUCCBsZuuBCmxc1bWmPEHdHJaRJ3cwHQYDVR0O +BBYEFAggbGbrgQpsXNW1pjxB3RyWkSd3MA0GCSqGSIb3DQEBBQUAA4IBAQBah1iP +Lat2IWtUDNnxQfZOzSue4x+boy1/2St9WMhnpCn16ezVvZY/o3P4xFs2fNBjLDQ5 +m0i4PW/2FMWeY+anNG7T6DOzxzwYbiOuQ5KZP5jFaTDxNjutuTCC1rZZFpYCCykS +YbQRifcML5SQhZgonFNsfmPdc/QZ/0qB0bJSI/08SjTOWhvgUIrtT4GV2GDn5MQN +u1g+WPdOaG8+Z8nLepcWJ+xCYRR2uwDF6wg9FX9LtiJdhzuQ9PPA/jez6dliDMDD +Wa9gvR8N26E0HzDEPYutsB0Ek+1f1eS/IDAE9EjpMwHRLpAnUrOb3jocq6mXf5vr +wo3CbezcE9NGxXl8 -----END CERTIFICATE----- Certificate Ingredients: Data: Version: 3 (0x2) - Serial Number: 0 (0x0) + Serial Number: + d0:1e:40:90:00:00:27:4b:00:00:00:01:00:00:00:04 Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=DC, L=Washington, O=ABA.ECOM, Inc., CN=ABA.ECOM Root CA/Email=kdaguio@aba.com + Issuer: C=US, ST=Utah, L=Salt Lake City, O=Xcert EZ by DST, CN=Xcert EZ by DST/Email=ca@digsigtrust.com Validity - Not Before: Jul 29 16:59:52 1998 GMT - Not After : Jul 27 16:59:52 2005 GMT - Subject: C=US, ST=DC, L=Washington, O=ABA.ECOM, Inc., CN=ABA.ECOM Root CA/Email=kdaguio@aba.com + Not Before: Jul 14 16:14:18 1999 GMT + Not After : Jul 11 16:14:18 2009 GMT + Subject: C=US, ST=Utah, L=Salt Lake City, O=Xcert EZ by DST, CN=Xcert EZ by DST/Email=ca@digsigtrust.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): - 00:c6:9e:dc:bd:dc:0e:09:1a:51:c6:92:9b:99:6b: - 8c:69:89:be:1b:c5:a2:11:4e:84:66:0d:99:f1:ff: - 1f:99:a1:33:d6:b4:92:8b:a5:8b:9e:d6:a7:90:c4: - 
c9:b4:81:1a:9e:87:50:ff:73:56:a7:6d:10:5b:08: - 13:a6:ac:08:a9:1a:20:72:1a:0f:33:74:b1:58:b1: - 56:6f:35:36:3d:33:5e:93:e3:9a:02:b5:a1:b7:f1: - 6f:31:05:35:0d:d7:a0:0f:ce:32:67:b1:3d:48:f6: - 49:8b:a2:b1:fe:46:80:2e:3f:ec:44:0d:14:a7:de: - ba:10:d7:bc:09:ff:55:96:51:17:4e:65:b8:27:a0: - 12:91:00:f5:b7:3b:52:bd:a8:35:3e:13:d3:18:51: - bd:16:f7:7d:12:01:89:37:3b:eb:c1:a2:60:42:be: - 40:1c:d3:77:68:6f:f8:b4:07:7e:66:b9:e3:6a:54: - 0d:a6:e8:1c:60:e2:ef:ee:9d:ad:63:ec:93:6b:9d: - ad:63:0e:9e:8f:23:96:17:05:fc:e8:75:d6:14:35: - ea:2d:83:9a:f6:55:8e:93:4d:b1:8c:e2:41:62:64: - d0:fd:46:d3:f9:15:7a:8e:46:d4:48:db:36:07:b5: - 6f:72:65:0f:70:47:74:15:bc:ee:83:50:ce:4e:f6: - af:dd + 00:ad:54:18:de:b4:bf:f7:ad:e8:74:aa:ed:8b:7c: + 8f:c2:d4:75:1a:d5:84:b9:b6:62:fc:89:ef:e4:97: + 61:92:fb:1d:b8:e1:5a:47:34:9e:9e:06:22:fb:d3: + ea:38:cb:b8:8b:07:f7:1a:a0:17:77:07:5a:30:1c: + d4:29:38:20:d7:27:40:d8:50:93:43:bf:d2:18:a2: + 29:76:05:72:aa:6b:b6:69:98:ab:79:1e:1c:65:f5: + 6a:8b:fc:c5:16:aa:a2:72:da:60:ed:4e:6e:19:25: + 7a:0a:1d:30:e3:50:9b:42:3c:44:eb:a1:b0:20:1e: + db:02:7e:fe:3d:1f:bf:d0:00:8a:db:40:76:a6:18: + a5:15:a7:57:b6:52:c2:01:17:98:77:8f:8a:81:c6: + 1a:b4:6a:2a:e6:af:a9:d6:00:ac:cf:d8:15:49:7c: + db:1b:a1:fe:81:fa:87:f9:d3:90:c1:02:c0:f9:d0: + 42:e9:91:68:25:5f:c6:bf:87:39:e9:95:00:60:28: + bf:83:2c:c0:e7:5e:b6:d7:36:16:e7:60:87:76:e8: + e7:27:b2:25:0d:8b:7a:e5:aa:1d:e5:59:cd:ce:0b: + 0e:6f:c6:c8:9c:e3:10:d9:85:39:d3:b7:9b:fa:c6: + ba:7c:74:d2:5d:75:56:ab:74:a4:a2:51:bf:52:7c: + ee:71 Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Key Usage: - .... 
+ X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Authority Key Identifier: + keyid:08:20:6C:66:EB:81:0A:6C:5C:D5:B5:A6:3C:41:DD:1C:96:91:27:77 + + X509v3 Subject Key Identifier: + 08:20:6C:66:EB:81:0A:6C:5C:D5:B5:A6:3C:41:DD:1C:96:91:27:77 Signature Algorithm: sha1WithRSAEncryption - 68:6e:26:36:b5:b1:b9:73:2e:58:f3:c4:fa:21:73:6e:6b:99: - f8:ef:7f:5d:c3:bb:f7:1b:26:9e:a2:db:f1:6f:32:3f:e4:d8: - de:8f:0b:97:88:4e:9b:36:9d:d1:85:60:01:98:c7:68:be:43: - c1:06:80:67:26:e3:19:c1:76:46:dd:57:ce:c4:f6:b9:e1:dd: - 9c:c7:2a:04:61:95:29:b9:76:bf:7f:dd:df:b3:97:cf:98:cb: - 33:e4:05:d4:ca:2d:d9:e3:12:29:5e:18:e8:3f:05:cc:68:de: - 66:5f:a2:c1:d7:91:04:c5:f0:90:48:41:60:5b:a8:42:f3:99: - 54:2f:ab:37:15:5c:13:c9:36:ac:1f:16:93:59:5d:6f:5e:39: - 13:a0:5a:d2:bd:30:0f:78:68:3c:a6:d6:2f:39:2f:0c:13:9d: - 73:37:e7:5a:aa:1b:b7:1e:c1:91:29:bf:99:f2:5a:98:72:53: - 95:f4:80:32:ce:7c:51:6f:b5:cd:4a:99:dc:e3:83:1b:c1:c1: - 9d:72:1c:94:be:3b:5f:23:07:e8:01:69:8b:db:64:a3:8c:b2: - 05:29:01:52:7d:7e:73:ad:11:e7:2c:35:6a:0b:23:0a:1a:79: - df:72:a2:d1:47:9f:c8:eb:5c:ed:fe:cc:ee:01:09:30:b1:5f: - c8:0c:0e:b6 + 5a:87:58:8f:2d:ab:76:21:6b:54:0c:d9:f1:41:f6:4e:cd:2b: + 9e:e3:1f:9b:a3:2d:7f:d9:2b:7d:58:c8:67:a4:29:f5:e9:ec: + d5:bd:96:3f:a3:73:f8:c4:5b:36:7c:d0:63:2c:34:39:9b:48: + b8:3d:6f:f6:14:c5:9e:63:e6:a7:34:6e:d3:e8:33:b3:c7:3c: + 18:6e:23:ae:43:92:99:3f:98:c5:69:30:f1:36:3b:ad:b9:30: + 82:d6:b6:59:16:96:02:0b:29:12:61:b4:11:89:f7:0c:2f:94: + 90:85:98:28:9c:53:6c:7e:63:dd:73:f4:19:ff:4a:81:d1:b2: + 52:23:fd:3c:4a:34:ce:5a:1b:e0:50:8a:ed:4f:81:95:d8:60: + e7:e4:c4:0d:bb:58:3e:58:f7:4e:68:6f:3e:67:c9:cb:7a:97: + 16:27:ec:42:61:14:76:bb:00:c5:eb:08:3d:15:7f:4b:b6:22: + 5d:87:3b:90:f4:f3:c0:fe:37:b3:e9:d9:62:0c:c0:c3:59:af: + 60:bd:1f:0d:db:a1:34:1f:30:c4:3d:8b:ad:b0:1d:04:93:ed: + 5f:d5:e4:bf:20:30:04:f4:48:e9:33:01:d1:2e:90:27:52:b3: + 9b:de:3a:1c:ab:a9:97:7f:9b:eb:c2:8d:c2:6d:ec:dc:13:d3: + 46:c5:79:7c ANX Network CA by DST ===================== 
@@ -142,22 +150,21 @@ Certificate Ingredients: Exponent: 3 (0x3) X509v3 extensions: Netscape Cert Type: - .... + SSL CA, S/MIME CA, Object Signing CA X509v3 CRL Distribution Points: - 0k0i.g.e.c0a1.0...U....US1$0"..U. -..Digital Signature Trust Co.1.0...U....DST (ANX Network) CA1 0...U....CRL1 + DirName:/C=US/O=Digital Signature Trust Co./OU=DST (ANX Network) CA/CN=CRL1 + X509v3 Private Key Usage Period: - 0"..19981209154648Z..20181209154648Z + Not Before: Dec 9 15:46:48 1998 GMT, Not After: Dec 9 15:46:48 2018 GMT X509v3 Key Usage: - .... + Certificate Sign, CRL Sign X509v3 Authority Key Identifier: - 0.....Up.. -Sd.....d.C?.6 + keyid:8C:16:55:70:CC:16:0A:53:64:C2:A5:84:AA:B3:64:17:43:3F:82:36 + X509v3 Subject Key Identifier: - ....Up.. -Sd.....d.C?.6 + 8C:16:55:70:CC:16:0A:53:64:C2:A5:84:AA:B3:64:17:43:3F:82:36 X509v3 Basic Constraints: - 0.... + CA:TRUE 1.2.840.113533.7.65.0: 0 ..V4.0.... 
@@ -171,84 +178,6 @@ Sd.....d.C?.6 ef:26:94:5f:ad:31:0c:fe:29:1e:17:01:84:37:5b:e8:12:32: a3:5d -Access America by DST -===================== -MD5 Fingerprint: CD:3B:3D:62:5B:09:B8:09:36:87:9E:12:2F:71:64:BA -PEM Data: ------BEGIN CERTIFICATE----- -MIID2DCCAsACEQDQHkCLAAB3bQAAAAEAAAAEMA0GCSqGSIb3DQEBBQUAMIGpMQsw -CQYDVQQGEwJ1czENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENp -dHkxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UE -CxMIRFNUQ0EgWDIxFjAUBgNVBAMTDURTVCBSb290Q0EgWDIxITAfBgkqhkiG9w0B -CQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTAeFw05ODExMzAyMjQ2MTZaFw0wODExMjcy -MjQ2MTZaMIGpMQswCQYDVQQGEwJ1czENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMO -U2FsdCBMYWtlIENpdHkxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0 -IENvLjERMA8GA1UECxMIRFNUQ0EgWDIxFjAUBgNVBAMTDURTVCBSb290Q0EgWDIx -ITAfBgkqhkiG9w0BCQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBANx18IzAdZaawGIfJvfE4Zrq4FZzW5nNAUSoCLbV -p9oaBBg5kkp4o4HC9Xd6ULRw/5qrxsfKboNPQpj7Jgva3G3WqZlVUmfpKAOS3OWw -BZoPFflrWXJW8vo5/Kpo7g8fEIMv/J36F5bdguPmRX3AS4BEH+0s4IT9kVySVGkl -5WJp3OXuAFK9MwutdQKFp2RQLcUZGTDAJtvJ0/0uma1ZtQtN1EGuhUhDWdy3qOKi -3sOP17ihYqZoUFLkzzGnlIXan0YyF1bl8utmPRL/Q9uY73fPy4GNNLHGUEom0eQ+ -QVCvbK4iNC7Va26Dunm4dmVI2gkpZGMiuftHdoWMhkTLCdsCAwEAATANBgkqhkiG -9w0BAQUFAAOCAQEAtTYOXeFhKFoRZcA/gwN5Tb4opgsHAlKFzfiR0BBstWogWxyQ -2TA8xkieil5k+aFxd+8EJx8H6+Qm93N0yUQYGmbT4EOvkTvRyyzYdFQ6HE3K1GjN -I3wdEJ5F6fYAbqbNGf9PLCmPV03Ed5K+4EwJ+11EhmYhqLkyolbV6YyDfFk/xPEL -553snr2cGA4+wjl5KLcDDQjLxufZATdQEOzMYRZA1K8xdHv8PzGn0EdzMzkbzE5q -10mDEQb+64JYMzJM8FasHpwvVpp7wUocpf1VNs78lk30sPDst2yC7S8xmUJMqbIN -uBVd8d+6ybVK1GSYsyapMMj9puyrliGtf8J4tg== ------END CERTIFICATE----- -Certificate Ingredients: - Data: - Version: 1 (0x0) - Serial Number: - d0:1e:40:8b:00:00:77:6d:00:00:00:01:00:00:00:04 - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=DSTCA X2, CN=DST RootCA X2/Email=ca@digsigtrust.com - Validity - Not Before: Nov 30 22:46:16 1998 GMT - Not After : Nov 
27 22:46:16 2008 GMT - Subject: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=DSTCA X2, CN=DST RootCA X2/Email=ca@digsigtrust.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:dc:75:f0:8c:c0:75:96:9a:c0:62:1f:26:f7:c4: - e1:9a:ea:e0:56:73:5b:99:cd:01:44:a8:08:b6:d5: - a7:da:1a:04:18:39:92:4a:78:a3:81:c2:f5:77:7a: - 50:b4:70:ff:9a:ab:c6:c7:ca:6e:83:4f:42:98:fb: - 26:0b:da:dc:6d:d6:a9:99:55:52:67:e9:28:03:92: - dc:e5:b0:05:9a:0f:15:f9:6b:59:72:56:f2:fa:39: - fc:aa:68:ee:0f:1f:10:83:2f:fc:9d:fa:17:96:dd: - 82:e3:e6:45:7d:c0:4b:80:44:1f:ed:2c:e0:84:fd: - 91:5c:92:54:69:25:e5:62:69:dc:e5:ee:00:52:bd: - 33:0b:ad:75:02:85:a7:64:50:2d:c5:19:19:30:c0: - 26:db:c9:d3:fd:2e:99:ad:59:b5:0b:4d:d4:41:ae: - 85:48:43:59:dc:b7:a8:e2:a2:de:c3:8f:d7:b8:a1: - 62:a6:68:50:52:e4:cf:31:a7:94:85:da:9f:46:32: - 17:56:e5:f2:eb:66:3d:12:ff:43:db:98:ef:77:cf: - cb:81:8d:34:b1:c6:50:4a:26:d1:e4:3e:41:50:af: - 6c:ae:22:34:2e:d5:6b:6e:83:ba:79:b8:76:65:48: - da:09:29:64:63:22:b9:fb:47:76:85:8c:86:44:cb: - 09:db - Exponent: 65537 (0x10001) - Signature Algorithm: sha1WithRSAEncryption - b5:36:0e:5d:e1:61:28:5a:11:65:c0:3f:83:03:79:4d:be:28: - a6:0b:07:02:52:85:cd:f8:91:d0:10:6c:b5:6a:20:5b:1c:90: - d9:30:3c:c6:48:9e:8a:5e:64:f9:a1:71:77:ef:04:27:1f:07: - eb:e4:26:f7:73:74:c9:44:18:1a:66:d3:e0:43:af:91:3b:d1: - cb:2c:d8:74:54:3a:1c:4d:ca:d4:68:cd:23:7c:1d:10:9e:45: - e9:f6:00:6e:a6:cd:19:ff:4f:2c:29:8f:57:4d:c4:77:92:be: - e0:4c:09:fb:5d:44:86:66:21:a8:b9:32:a2:56:d5:e9:8c:83: - 7c:59:3f:c4:f1:0b:e7:9d:ec:9e:bd:9c:18:0e:3e:c2:39:79: - 28:b7:03:0d:08:cb:c6:e7:d9:01:37:50:10:ec:cc:61:16:40: - d4:af:31:74:7b:fc:3f:31:a7:d0:47:73:33:39:1b:cc:4e:6a: - d7:49:83:11:06:fe:eb:82:58:33:32:4c:f0:56:ac:1e:9c:2f: - 56:9a:7b:c1:4a:1c:a5:fd:55:36:ce:fc:96:4d:f4:b0:f0:ec: - b7:6c:82:ed:2f:31:99:42:4c:a9:b2:0d:b8:15:5d:f1:df:ba: - c9:b5:4a:d4:64:98:b3:26:a9:30:c8:fd:a6:ec:ab:96:21:ad: - 7f:c2:78:b6 - American Express CA 
=================== MD5 Fingerprint: 1C:D5:8E:82:BE:70:55:8E:39:61:DF:AD:51:DB:6B:A0 @@ -366,15 +295,14 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical - 0....... + CA:TRUE, pathlen:5 X509v3 Key Usage: critical - .... + Certificate Sign, CRL Sign X509v3 Certificate Policies: - 0.0.. -*.H... -... + Policy: 1.2.840.113807.10.1.5.1 + X509v3 Subject Key Identifier: - ..WG5{6'..../F%.$i + 57:47:35:7B:36:27:11:A8:08:FC:2F:46:25:EB:24:69 Signature Algorithm: sha1WithRSAEncryption c7:61:45:a8:8a:71:b9:be:34:e9:21:7b:21:cd:56:13:98:d5: 30:63:e9:18:aa:4b:92:15:bf:0b:1d:bb:ec:92:69:c5:2e:c3: @@ -441,7 +369,7 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: Netscape Cert Type: - .... + SSL CA, S/MIME CA, Object Signing CA Signature Algorithm: md5WithRSAEncryption 63:76:17:7c:96:f0:53:a5:5d:01:1c:53:ce:29:c2:7e:75:ac: 4c:0d:a2:08:73:b4:6a:31:fd:02:06:14:99:dc:54:04:a4:bf: @@ -500,7 +428,7 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: Netscape Cert Type: - .... + SSL Client, S/MIME Signature Algorithm: md5WithRSAEncryption 6c:3d:99:c3:05:e2:1d:ca:e5:2d:aa:68:85:8b:40:31:20:66: 13:68:e6:58:3a:89:d0:8d:75:b2:c5:62:d8:7d:82:8f:f7:d9: @@ -557,11 +485,11 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: - 0....... + CA:TRUE, pathlen:5 X509v3 Key Usage: critical - .... + Certificate Sign, CRL Sign X509v3 Subject Key Identifier: - ..,.Y........>.~X. + 2C:87:59:1F:8B:13:80:B2:F9:86:9D:3E:12:7E:58:96 Signature Algorithm: md5WithRSAEncryption 0f:fe:73:b5:07:88:6f:a0:0b:89:ea:ca:50:1f:94:de:94:2b: 0b:27:5e:4f:f5:1c:95:26:da:8c:96:54:ad:19:91:37:43:5d: 
@@ -621,22 +549,21 @@ Certificate Ingredients: Exponent: 3 (0x3) X509v3 extensions: Netscape Cert Type: - .... + SSL CA, S/MIME CA, Object Signing CA X509v3 CRL Distribution Points: - 0_0].[.Y.W0U1.0...U....US1$0"..U. -..Digital Signature Trust Co.1.0...U....DSTCA E11 0...U....CRL1 + DirName:/C=US/O=Digital Signature Trust Co./OU=DSTCA E1/CN=CRL1 + X509v3 Private Key Usage Period: - 0"..19981210181023Z..20181210181023Z + Not Before: Dec 10 18:10:23 1998 GMT, Not After: Dec 10 18:10:23 2018 GMT X509v3 Key Usage: - .... + Certificate Sign, CRL Sign X509v3 Authority Key Identifier: - 0...jy~.iF.. -.w.Y[`.%... + keyid:6A:79:7E:91:69:46:18:13:0A:02:77:A5:59:5B:60:98:25:0E:A2:F8 + X509v3 Subject Key Identifier: - ..jy~.iF.. -.w.Y[`.%... + 6A:79:7E:91:69:46:18:13:0A:02:77:A5:59:5B:60:98:25:0E:A2:F8 X509v3 Basic Constraints: - 0.... + CA:TRUE 1.2.840.113533.7.65.0: 0 ..V4.0.... 
@@ -728,82 +655,503 @@ Certificate Ingredients: 4f:d2:08:da:93:dc:f0:92:11:7a:d0:dc:72:93:0c:73:93:62: 85:68:d0:f4 -Entrust Worldwide by DST -======================== -MD5 Fingerprint: B4:65:22:0A:7C:AD:DF:41:B7:D5:44:D5:AD:FA:9A:75 +Digital Signature Trust Co. Global CA 3 +======================================= +MD5 Fingerprint: 93:C2:8E:11:7B:D4:F3:03:19:BD:28:75:13:4A:45:4A +PEM Data: +-----BEGIN CERTIFICATE----- +MIIDKTCCApKgAwIBAgIENm7TzjANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJV +UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMREwDwYDVQQL +EwhEU1RDQSBFMjAeFw05ODEyMDkxOTE3MjZaFw0xODEyMDkxOTQ3MjZaMEYxCzAJ +BgNVBAYTAlVTMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4x +ETAPBgNVBAsTCERTVENBIEUyMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQC/ +k48Xku8zExjrEH9OFr//Bo8qhbxe+SSmJIi2A7fBw18DW9Fvrn5C6mYjuGODVvso +LeE4i7TuqAHhzhy2iCoiRoX7n6dwqUcUP87eZfCocfdPJmyMvMa1795JJ/9IKn3o +TQPMx7JSxhcxEzu1TdvIxPbDDyQq2gyd55FbgM2UnQIBA6OCASQwggEgMBEGCWCG +SAGG+EIBAQQEAwIABzBoBgNVHR8EYTBfMF2gW6BZpFcwVTELMAkGA1UEBhMCVVMx +JDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UECxMI +RFNUQ0EgRTIxDTALBgNVBAMTBENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMDkxOTE3 +MjZagQ8yMDE4MTIwOTE5MTcyNlowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFB6C +TShlgDzJQW6sNS5ay97u+DlbMB0GA1UdDgQWBBQegk0oZYA8yUFurDUuWsve7vg5 +WzAMBgNVHRMEBTADAQH/MBkGCSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqG +SIb3DQEBBQUAA4GBAEeNg61i8tuwnkUiBbmi1gMOOHLnnvx75pO2mqWilMg0HZHR +xdf0CiUPPXiBng+xZ8SQTGPdXqfiup/1902lMXucKS1M/mQ+7LZT/uqb7YLbdHVL +B3luHtgZg3Pe9T7Qtd7nS2h9Qy4qIOF+oHhEngj1mPnHfxsb1gYgAlihw6ID +-----END CERTIFICATE----- +Certificate Ingredients: + Data: + Version: 3 (0x2) + Serial Number: 913232846 (0x366ed3ce) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, O=Digital Signature Trust Co., OU=DSTCA E2 + Validity + Not Before: Dec 9 19:17:26 1998 GMT + Not After : Dec 9 19:47:26 2018 GMT + Subject: C=US, O=Digital Signature Trust Co., OU=DSTCA E2 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 
bit) + Modulus (1024 bit): + 00:bf:93:8f:17:92:ef:33:13:18:eb:10:7f:4e:16: + bf:ff:06:8f:2a:85:bc:5e:f9:24:a6:24:88:b6:03: + b7:c1:c3:5f:03:5b:d1:6f:ae:7e:42:ea:66:23:b8: + 63:83:56:fb:28:2d:e1:38:8b:b4:ee:a8:01:e1:ce: + 1c:b6:88:2a:22:46:85:fb:9f:a7:70:a9:47:14:3f: + ce:de:65:f0:a8:71:f7:4f:26:6c:8c:bc:c6:b5:ef: + de:49:27:ff:48:2a:7d:e8:4d:03:cc:c7:b2:52:c6: + 17:31:13:3b:b5:4d:db:c8:c4:f6:c3:0f:24:2a:da: + 0c:9d:e7:91:5b:80:cd:94:9d + Exponent: 3 (0x3) + X509v3 extensions: + Netscape Cert Type: + SSL CA, S/MIME CA, Object Signing CA + X509v3 CRL Distribution Points: + DirName:/C=US/O=Digital Signature Trust Co./OU=DSTCA E2/CN=CRL1 + + X509v3 Private Key Usage Period: + Not Before: Dec 9 19:17:26 1998 GMT, Not After: Dec 9 19:17:26 2018 GMT + X509v3 Key Usage: + Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:1E:82:4D:28:65:80:3C:C9:41:6E:AC:35:2E:5A:CB:DE:EE:F8:39:5B + + X509v3 Subject Key Identifier: + 1E:82:4D:28:65:80:3C:C9:41:6E:AC:35:2E:5A:CB:DE:EE:F8:39:5B + X509v3 Basic Constraints: + CA:TRUE + 1.2.840.113533.7.65.0: + 0 +..V4.0.... + Signature Algorithm: sha1WithRSAEncryption + 47:8d:83:ad:62:f2:db:b0:9e:45:22:05:b9:a2:d6:03:0e:38: + 72:e7:9e:fc:7b:e6:93:b6:9a:a5:a2:94:c8:34:1d:91:d1:c5: + d7:f4:0a:25:0f:3d:78:81:9e:0f:b1:67:c4:90:4c:63:dd:5e: + a7:e2:ba:9f:f5:f7:4d:a5:31:7b:9c:29:2d:4c:fe:64:3e:ec: + b6:53:fe:ea:9b:ed:82:db:74:75:4b:07:79:6e:1e:d8:19:83: + 73:de:f5:3e:d0:b5:de:e7:4b:68:7d:43:2e:2a:20:e1:7e:a0: + 78:44:9e:08:f5:98:f9:c7:7f:1b:1b:d6:06:20:02:58:a1:c3: + a2:03 + +Digital Signature Trust Co. 
Global CA 4 +======================================= +MD5 Fingerprint: CD:3B:3D:62:5B:09:B8:09:36:87:9E:12:2F:71:64:BA +PEM Data: +-----BEGIN CERTIFICATE----- +MIID2DCCAsACEQDQHkCLAAB3bQAAAAEAAAAEMA0GCSqGSIb3DQEBBQUAMIGpMQsw +CQYDVQQGEwJ1czENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENp +dHkxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UE +CxMIRFNUQ0EgWDIxFjAUBgNVBAMTDURTVCBSb290Q0EgWDIxITAfBgkqhkiG9w0B +CQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTAeFw05ODExMzAyMjQ2MTZaFw0wODExMjcy +MjQ2MTZaMIGpMQswCQYDVQQGEwJ1czENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMO +U2FsdCBMYWtlIENpdHkxJDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0 +IENvLjERMA8GA1UECxMIRFNUQ0EgWDIxFjAUBgNVBAMTDURTVCBSb290Q0EgWDIx +ITAfBgkqhkiG9w0BCQEWEmNhQGRpZ3NpZ3RydXN0LmNvbTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBANx18IzAdZaawGIfJvfE4Zrq4FZzW5nNAUSoCLbV +p9oaBBg5kkp4o4HC9Xd6ULRw/5qrxsfKboNPQpj7Jgva3G3WqZlVUmfpKAOS3OWw +BZoPFflrWXJW8vo5/Kpo7g8fEIMv/J36F5bdguPmRX3AS4BEH+0s4IT9kVySVGkl +5WJp3OXuAFK9MwutdQKFp2RQLcUZGTDAJtvJ0/0uma1ZtQtN1EGuhUhDWdy3qOKi +3sOP17ihYqZoUFLkzzGnlIXan0YyF1bl8utmPRL/Q9uY73fPy4GNNLHGUEom0eQ+ +QVCvbK4iNC7Va26Dunm4dmVI2gkpZGMiuftHdoWMhkTLCdsCAwEAATANBgkqhkiG +9w0BAQUFAAOCAQEAtTYOXeFhKFoRZcA/gwN5Tb4opgsHAlKFzfiR0BBstWogWxyQ +2TA8xkieil5k+aFxd+8EJx8H6+Qm93N0yUQYGmbT4EOvkTvRyyzYdFQ6HE3K1GjN +I3wdEJ5F6fYAbqbNGf9PLCmPV03Ed5K+4EwJ+11EhmYhqLkyolbV6YyDfFk/xPEL +553snr2cGA4+wjl5KLcDDQjLxufZATdQEOzMYRZA1K8xdHv8PzGn0EdzMzkbzE5q +10mDEQb+64JYMzJM8FasHpwvVpp7wUocpf1VNs78lk30sPDst2yC7S8xmUJMqbIN +uBVd8d+6ybVK1GSYsyapMMj9puyrliGtf8J4tg== +-----END CERTIFICATE----- +Certificate Ingredients: + Data: + Version: 1 (0x0) + Serial Number: + d0:1e:40:8b:00:00:77:6d:00:00:00:01:00:00:00:04 + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature Trust Co., OU=DSTCA X2, CN=DST RootCA X2/Email=ca@digsigtrust.com + Validity + Not Before: Nov 30 22:46:16 1998 GMT + Not After : Nov 27 22:46:16 2008 GMT + Subject: C=us, ST=Utah, L=Salt Lake City, O=Digital Signature 
Trust Co., OU=DSTCA X2, CN=DST RootCA X2/Email=ca@digsigtrust.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:dc:75:f0:8c:c0:75:96:9a:c0:62:1f:26:f7:c4: + e1:9a:ea:e0:56:73:5b:99:cd:01:44:a8:08:b6:d5: + a7:da:1a:04:18:39:92:4a:78:a3:81:c2:f5:77:7a: + 50:b4:70:ff:9a:ab:c6:c7:ca:6e:83:4f:42:98:fb: + 26:0b:da:dc:6d:d6:a9:99:55:52:67:e9:28:03:92: + dc:e5:b0:05:9a:0f:15:f9:6b:59:72:56:f2:fa:39: + fc:aa:68:ee:0f:1f:10:83:2f:fc:9d:fa:17:96:dd: + 82:e3:e6:45:7d:c0:4b:80:44:1f:ed:2c:e0:84:fd: + 91:5c:92:54:69:25:e5:62:69:dc:e5:ee:00:52:bd: + 33:0b:ad:75:02:85:a7:64:50:2d:c5:19:19:30:c0: + 26:db:c9:d3:fd:2e:99:ad:59:b5:0b:4d:d4:41:ae: + 85:48:43:59:dc:b7:a8:e2:a2:de:c3:8f:d7:b8:a1: + 62:a6:68:50:52:e4:cf:31:a7:94:85:da:9f:46:32: + 17:56:e5:f2:eb:66:3d:12:ff:43:db:98:ef:77:cf: + cb:81:8d:34:b1:c6:50:4a:26:d1:e4:3e:41:50:af: + 6c:ae:22:34:2e:d5:6b:6e:83:ba:79:b8:76:65:48: + da:09:29:64:63:22:b9:fb:47:76:85:8c:86:44:cb: + 09:db + Exponent: 65537 (0x10001) + Signature Algorithm: sha1WithRSAEncryption + b5:36:0e:5d:e1:61:28:5a:11:65:c0:3f:83:03:79:4d:be:28: + a6:0b:07:02:52:85:cd:f8:91:d0:10:6c:b5:6a:20:5b:1c:90: + d9:30:3c:c6:48:9e:8a:5e:64:f9:a1:71:77:ef:04:27:1f:07: + eb:e4:26:f7:73:74:c9:44:18:1a:66:d3:e0:43:af:91:3b:d1: + cb:2c:d8:74:54:3a:1c:4d:ca:d4:68:cd:23:7c:1d:10:9e:45: + e9:f6:00:6e:a6:cd:19:ff:4f:2c:29:8f:57:4d:c4:77:92:be: + e0:4c:09:fb:5d:44:86:66:21:a8:b9:32:a2:56:d5:e9:8c:83: + 7c:59:3f:c4:f1:0b:e7:9d:ec:9e:bd:9c:18:0e:3e:c2:39:79: + 28:b7:03:0d:08:cb:c6:e7:d9:01:37:50:10:ec:cc:61:16:40: + d4:af:31:74:7b:fc:3f:31:a7:d0:47:73:33:39:1b:cc:4e:6a: + d7:49:83:11:06:fe:eb:82:58:33:32:4c:f0:56:ac:1e:9c:2f: + 56:9a:7b:c1:4a:1c:a5:fd:55:36:ce:fc:96:4d:f4:b0:f0:ec: + b7:6c:82:ed:2f:31:99:42:4c:a9:b2:0d:b8:15:5d:f1:df:ba: + c9:b5:4a:d4:64:98:b3:26:a9:30:c8:fd:a6:ec:ab:96:21:ad: + 7f:c2:78:b6 + +Entrust Worldwide by DST +======================== +MD5 Fingerprint: 
B4:65:22:0A:7C:AD:DF:41:B7:D5:44:D5:AD:FA:9A:75 +PEM Data: +-----BEGIN CERTIFICATE----- +MIIDRzCCArCgAwIBAgIENm3FGDANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJV +UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRswGQYDVQQL +ExJEU1QtRW50cnVzdCBHVEkgQ0EwHhcNOTgxMjA5MDAwMjI0WhcNMTgxMjA5MDAz +MjI0WjBQMQswCQYDVQQGEwJVUzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUg +VHJ1c3QgQ28uMRswGQYDVQQLExJEU1QtRW50cnVzdCBHVEkgQ0EwgZ0wDQYJKoZI +hvcNAQEBBQADgYsAMIGHAoGBALYd90uNDxPjEvUJ/gYyDq9MQfV91Ec9KgrfgwXe +3n3mAxb2UTrLRxpKrX7E/R20vnSKeN0Lg460hBPE+/htKa6h4Q8PQ+O1XmBp+oOU +/Hnm3Hbt0UQrjv0Su/4XdxcMie2n71F9xO04wzujevviTaBgtfL9E2XTxuw/vjWc +PSLvAgEDo4IBLjCCASowEQYJYIZIAYb4QgEBBAQDAgAHMHIGA1UdHwRrMGkwZ6Bl +oGOkYTBfMQswCQYDVQQGEwJVUzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUg +VHJ1c3QgQ28uMRswGQYDVQQLExJEU1QtRW50cnVzdCBHVEkgQ0ExDTALBgNVBAMT +BENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMDkwMDAyMjRagQ8yMDE4MTIwOTAwMDIy +NFowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFJOaRMrQeFOAKUkE38evMz+ZdV+u +MB0GA1UdDgQWBBSTmkTK0HhTgClJBN/HrzM/mXVfrjAMBgNVHRMEBTADAQH/MBkG +CSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqGSIb3DQEBBQUAA4GBAGSJzAOn +3AryWCDn/RegKHLNh7DNmLUkR2MzMRAQsu+KV3KuTAPgZ5+sYEOEIsGpo+Wxp94J +1M8NeEYjW49Je/4TIpeU6nJI4SwgeJbpZkUZywllY2E/0UmYsXYQVdVjSmZLpAdr +3nt/ueaTWxoCW4AO3Y0Y1Iqjwmjxo+AY0U5M +-----END CERTIFICATE----- +Certificate Ingredients: + Data: + Version: 3 (0x2) + Serial Number: 913163544 (0x366dc518) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, O=Digital Signature Trust Co., OU=DST-Entrust GTI CA + Validity + Not Before: Dec 9 00:02:24 1998 GMT + Not After : Dec 9 00:32:24 2018 GMT + Subject: C=US, O=Digital Signature Trust Co., OU=DST-Entrust GTI CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:b6:1d:f7:4b:8d:0f:13:e3:12:f5:09:fe:06:32: + 0e:af:4c:41:f5:7d:d4:47:3d:2a:0a:df:83:05:de: + de:7d:e6:03:16:f6:51:3a:cb:47:1a:4a:ad:7e:c4: + fd:1d:b4:be:74:8a:78:dd:0b:83:8e:b4:84:13:c4: + fb:f8:6d:29:ae:a1:e1:0f:0f:43:e3:b5:5e:60:69: + 
fa:83:94:fc:79:e6:dc:76:ed:d1:44:2b:8e:fd:12: + bb:fe:17:77:17:0c:89:ed:a7:ef:51:7d:c4:ed:38: + c3:3b:a3:7a:fb:e2:4d:a0:60:b5:f2:fd:13:65:d3: + c6:ec:3f:be:35:9c:3d:22:ef + Exponent: 3 (0x3) + X509v3 extensions: + Netscape Cert Type: + SSL CA, S/MIME CA, Object Signing CA + X509v3 CRL Distribution Points: + DirName:/C=US/O=Digital Signature Trust Co./OU=DST-Entrust GTI CA/CN=CRL1 + + X509v3 Private Key Usage Period: + Not Before: Dec 9 00:02:24 1998 GMT, Not After: Dec 9 00:02:24 2018 GMT + X509v3 Key Usage: + Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:93:9A:44:CA:D0:78:53:80:29:49:04:DF:C7:AF:33:3F:99:75:5F:AE + + X509v3 Subject Key Identifier: + 93:9A:44:CA:D0:78:53:80:29:49:04:DF:C7:AF:33:3F:99:75:5F:AE + X509v3 Basic Constraints: + CA:TRUE + 1.2.840.113533.7.65.0: + 0 +..V4.0.... + Signature Algorithm: sha1WithRSAEncryption + 64:89:cc:03:a7:dc:0a:f2:58:20:e7:fd:17:a0:28:72:cd:87: + b0:cd:98:b5:24:47:63:33:31:10:10:b2:ef:8a:57:72:ae:4c: + 03:e0:67:9f:ac:60:43:84:22:c1:a9:a3:e5:b1:a7:de:09:d4: + cf:0d:78:46:23:5b:8f:49:7b:fe:13:22:97:94:ea:72:48:e1: + 2c:20:78:96:e9:66:45:19:cb:09:65:63:61:3f:d1:49:98:b1: + 76:10:55:d5:63:4a:66:4b:a4:07:6b:de:7b:7f:b9:e6:93:5b: + 1a:02:5b:80:0e:dd:8d:18:d4:8a:a3:c2:68:f1:a3:e0:18:d1: + 4e:4c + +Entrust.net Premium 2048 Secure Server CA +========================================= +MD5 Fingerprint: BA:21:EA:20:D6:DD:DB:8F:C1:57:8B:40:AD:A1:FC:FC +PEM Data: +-----BEGIN CERTIFICATE----- +MIIEXDCCA0SgAwIBAgIEOGO5ZjANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML +RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp +bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5 +IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRp +ZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw05OTEyMjQxNzUwNTFaFw0xOTEy +MjQxODIwNTFaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3 +LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxp +YWIuKTElMCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEG 
+A1UEAxMqRW50cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgp +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArU1LqRKGsuqjIAcVFmQq +K0vRvwtKTY7tgHalZ7d4QMBzQshowNtTK91euHaYNZOLGp18EzoOH1u3Hs/lJBQe +sYGpjX24zGtLA/ECDNyrpUAkAH90lKGdCCmziAv1h3edVc3kw37XamSrhRSGlVuX +MlBvPci6Zgzj/L24ScF2iUkZ/cCovYmjZy/Gn7xxGWC4LeksyZB2ZnuU4q941mVT +XTzWnLLPKQP5L6RQstRIzgUyVYr9smRMDuSYB3Xbf9+5CFVghTAp+XtIpGmG4zU/ +HoZdenoVve8AjhUiVBcAkCaTvA5JaJG/+EfTnZVCwQ5N328mz8MYIWJmQ3DW1cAH +4QIDAQABo3QwcjARBglghkgBhvhCAQEEBAMCAAcwHwYDVR0jBBgwFoAUVeSB0RGA +vtiJuQijMfmhJAkWuXAwHQYDVR0OBBYEFFXkgdERgL7YibkIozH5oSQJFrlwMB0G +CSqGSIb2fQdBAAQQMA4bCFY1LjA6NC4wAwIEkDANBgkqhkiG9w0BAQUFAAOCAQEA +WUesIYSKF8mciVMeuoCFGsY8Tj6xnLZ8xpJdGGQC49MGCBFhfGPjK50xA3B20qMo +oPS7mmNz7W3lKtvtFKkrxjYR0CvrB4ul2p5cGZ1WEvVUKcgF7bISKo30Axv/55IQ +h7A6tcOdBTcSo8f0FbnVpDkWm1M6I5HxqIKiaohowXkCIryqptau37AUX7iH0N18 +f3v/rxzP5tsHrV7bhZ3QKw0z2wTR5klAEyt2+z7pnIkPFc4YsIV4IU9rTw76NmfN +B/L/CNDi3tm/Kq+4h4YhPATKt5Rof8886ZjXOP/swNlQ8C5LWK5Gb9Auw2DaclVy +vUxFnmG6v4SBkgPR0ml8xQ== +-----END CERTIFICATE----- +Certificate Ingredients: + Data: + Version: 3 (0x2) + Serial Number: 946059622 (0x3863b966) + Signature Algorithm: sha1WithRSAEncryption + Issuer: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048) + Validity + Not Before: Dec 24 17:50:51 1999 GMT + Not After : Dec 24 18:20:51 2019 GMT + Subject: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. 
(limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048) + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:ad:4d:4b:a9:12:86:b2:ea:a3:20:07:15:16:64: + 2a:2b:4b:d1:bf:0b:4a:4d:8e:ed:80:76:a5:67:b7: + 78:40:c0:73:42:c8:68:c0:db:53:2b:dd:5e:b8:76: + 98:35:93:8b:1a:9d:7c:13:3a:0e:1f:5b:b7:1e:cf: + e5:24:14:1e:b1:81:a9:8d:7d:b8:cc:6b:4b:03:f1: + 02:0c:dc:ab:a5:40:24:00:7f:74:94:a1:9d:08:29: + b3:88:0b:f5:87:77:9d:55:cd:e4:c3:7e:d7:6a:64: + ab:85:14:86:95:5b:97:32:50:6f:3d:c8:ba:66:0c: + e3:fc:bd:b8:49:c1:76:89:49:19:fd:c0:a8:bd:89: + a3:67:2f:c6:9f:bc:71:19:60:b8:2d:e9:2c:c9:90: + 76:66:7b:94:e2:af:78:d6:65:53:5d:3c:d6:9c:b2: + cf:29:03:f9:2f:a4:50:b2:d4:48:ce:05:32:55:8a: + fd:b2:64:4c:0e:e4:98:07:75:db:7f:df:b9:08:55: + 60:85:30:29:f9:7b:48:a4:69:86:e3:35:3f:1e:86: + 5d:7a:7a:15:bd:ef:00:8e:15:22:54:17:00:90:26: + 93:bc:0e:49:68:91:bf:f8:47:d3:9d:95:42:c1:0e: + 4d:df:6f:26:cf:c3:18:21:62:66:43:70:d6:d5:c0: + 07:e1 + Exponent: 65537 (0x10001) + X509v3 extensions: + Netscape Cert Type: + SSL CA, S/MIME CA, Object Signing CA + X509v3 Authority Key Identifier: + keyid:55:E4:81:D1:11:80:BE:D8:89:B9:08:A3:31:F9:A1:24:09:16:B9:70 + + X509v3 Subject Key Identifier: + 55:E4:81:D1:11:80:BE:D8:89:B9:08:A3:31:F9:A1:24:09:16:B9:70 + 1.2.840.113533.7.65.0: + 0...V5.0:4.0.... 
+ Signature Algorithm: sha1WithRSAEncryption + 59:47:ac:21:84:8a:17:c9:9c:89:53:1e:ba:80:85:1a:c6:3c: + 4e:3e:b1:9c:b6:7c:c6:92:5d:18:64:02:e3:d3:06:08:11:61: + 7c:63:e3:2b:9d:31:03:70:76:d2:a3:28:a0:f4:bb:9a:63:73: + ed:6d:e5:2a:db:ed:14:a9:2b:c6:36:11:d0:2b:eb:07:8b:a5: + da:9e:5c:19:9d:56:12:f5:54:29:c8:05:ed:b2:12:2a:8d:f4: + 03:1b:ff:e7:92:10:87:b0:3a:b5:c3:9d:05:37:12:a3:c7:f4: + 15:b9:d5:a4:39:16:9b:53:3a:23:91:f1:a8:82:a2:6a:88:68: + c1:79:02:22:bc:aa:a6:d6:ae:df:b0:14:5f:b8:87:d0:dd:7c: + 7f:7b:ff:af:1c:cf:e6:db:07:ad:5e:db:85:9d:d0:2b:0d:33: + db:04:d1:e6:49:40:13:2b:76:fb:3e:e9:9c:89:0f:15:ce:18: + b0:85:78:21:4f:6b:4f:0e:fa:36:67:cd:07:f2:ff:08:d0:e2: + de:d9:bf:2a:af:b8:87:86:21:3c:04:ca:b7:94:68:7f:cf:3c: + e9:98:d7:38:ff:ec:c0:d9:50:f0:2e:4b:58:ae:46:6f:d0:2e: + c3:60:da:72:55:72:bd:4c:45:9e:61:ba:bf:84:81:92:03:d1: + d2:69:7c:c5 + +Entrust.net Secure Personal CA +============================== +MD5 Fingerprint: 0C:41:2F:13:5B:A0:54:F5:96:66:2D:7E:CD:0E:03:F4 +PEM Data: +-----BEGIN CERTIFICATE----- +MIIE7TCCBFagAwIBAgIEOAOR7jANBgkqhkiG9w0BAQQFADCByTELMAkGA1UEBhMC +VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MUgwRgYDVQQLFD93d3cuZW50cnVzdC5u +ZXQvQ2xpZW50X0NBX0luZm8vQ1BTIGluY29ycC4gYnkgcmVmLiBsaW1pdHMgbGlh +Yi4xJTAjBgNVBAsTHChjKSAxOTk5IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNV +BAMTKkVudHJ1c3QubmV0IENsaWVudCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe +Fw05OTEwMTIxOTI0MzBaFw0xOTEwMTIxOTU0MzBaMIHJMQswCQYDVQQGEwJVUzEU +MBIGA1UEChMLRW50cnVzdC5uZXQxSDBGBgNVBAsUP3d3dy5lbnRydXN0Lm5ldC9D +bGllbnRfQ0FfSW5mby9DUFMgaW5jb3JwLiBieSByZWYuIGxpbWl0cyBsaWFiLjEl +MCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEGA1UEAxMq +RW50cnVzdC5uZXQgQ2xpZW50IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0G +CSqGSIb3DQEBAQUAA4GLADCBhwKBgQDIOpleMRffrCdvkHvkGf9FozTC28GoT/Bo +6oT9n3V5z8GKUZSvx1cDR2SerYIbWtp/N3hHuzeYEpbOxhN979IMMFGpOZ5V+Pux +5zDeg7K6PvHViTs7hbqqdCz+PzFur5GVbgbUB01LLFZHGARS2g4Qk79jkJvh34zm +AqTmT173iwIBA6OCAeAwggHcMBEGCWCGSAGG+EIBAQQEAwIABzCCASIGA1UdHwSC 
+ARkwggEVMIHkoIHhoIHepIHbMIHYMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50 +cnVzdC5uZXQxSDBGBgNVBAsUP3d3dy5lbnRydXN0Lm5ldC9DbGllbnRfQ0FfSW5m +by9DUFMgaW5jb3JwLiBieSByZWYuIGxpbWl0cyBsaWFiLjElMCMGA1UECxMcKGMp +IDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEGA1UEAxMqRW50cnVzdC5uZXQg +Q2xpZW50IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCyg +KqAohiZodHRwOi8vd3d3LmVudHJ1c3QubmV0L0NSTC9DbGllbnQxLmNybDArBgNV +HRAEJDAigA8xOTk5MTAxMjE5MjQzMFqBDzIwMTkxMDEyMTkyNDMwWjALBgNVHQ8E +BAMCAQYwHwYDVR0jBBgwFoAUxPucKXuXzUyW/O5bs8qZdIuV6kwwHQYDVR0OBBYE +FMT7nCl7l81MlvzuW7PKmXSLlepMMAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EA +BAwwChsEVjQuMAMCBJAwDQYJKoZIhvcNAQEEBQADgYEAP66K8ddmAwWePvrqHEa7 +pFuPeJoSSJn59DXeDDYHAmsQOokUgZwxpnyyQbJq5wcBoUv5nyU7lsqZwz6hURzz +wy5E97BnRqqS5TvaHBkUODDV4qIxJS7x7EU47fgGWANzYrAQMY9Av2TgXD7FTx/a +EkP/TOYGJqibGapEPHayXOw= +-----END CERTIFICATE----- +Certificate Ingredients: + Data: + Version: 3 (0x2) + Serial Number: 939758062 (0x380391ee) + Signature Algorithm: md5WithRSAEncryption + Issuer: C=US, O=Entrust.net, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab., OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Client Certification Authority + Validity + Not Before: Oct 12 19:24:30 1999 GMT + Not After : Oct 12 19:54:30 2019 GMT + Subject: C=US, O=Entrust.net, OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. 
limits liab., OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Client Certification Authority + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:c8:3a:99:5e:31:17:df:ac:27:6f:90:7b:e4:19: + ff:45:a3:34:c2:db:c1:a8:4f:f0:68:ea:84:fd:9f: + 75:79:cf:c1:8a:51:94:af:c7:57:03:47:64:9e:ad: + 82:1b:5a:da:7f:37:78:47:bb:37:98:12:96:ce:c6: + 13:7d:ef:d2:0c:30:51:a9:39:9e:55:f8:fb:b1:e7: + 30:de:83:b2:ba:3e:f1:d5:89:3b:3b:85:ba:aa:74: + 2c:fe:3f:31:6e:af:91:95:6e:06:d4:07:4d:4b:2c: + 56:47:18:04:52:da:0e:10:93:bf:63:90:9b:e1:df: + 8c:e6:02:a4:e6:4f:5e:f7:8b + Exponent: 3 (0x3) + X509v3 extensions: + Netscape Cert Type: + SSL CA, S/MIME CA, Object Signing CA + X509v3 CRL Distribution Points: + DirName:/C=US/O=Entrust.net/OU=www.entrust.net/Client_CA_Info/CPS incorp. by ref. limits liab./OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Client Certification Authority/CN=CRL1 + URI:http://www.entrust.net/CRL/Client1.crl + + X509v3 Private Key Usage Period: + Not Before: Oct 12 19:24:30 1999 GMT, Not After: Oct 12 19:24:30 2019 GMT + X509v3 Key Usage: + Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:C4:FB:9C:29:7B:97:CD:4C:96:FC:EE:5B:B3:CA:99:74:8B:95:EA:4C + + X509v3 Subject Key Identifier: + C4:FB:9C:29:7B:97:CD:4C:96:FC:EE:5B:B3:CA:99:74:8B:95:EA:4C + X509v3 Basic Constraints: + CA:TRUE + 1.2.840.113533.7.65.0: + 0 +..V4.0.... 
+ Signature Algorithm: md5WithRSAEncryption + 3f:ae:8a:f1:d7:66:03:05:9e:3e:fa:ea:1c:46:bb:a4:5b:8f: + 78:9a:12:48:99:f9:f4:35:de:0c:36:07:02:6b:10:3a:89:14: + 81:9c:31:a6:7c:b2:41:b2:6a:e7:07:01:a1:4b:f9:9f:25:3b: + 96:ca:99:c3:3e:a1:51:1c:f3:c3:2e:44:f7:b0:67:46:aa:92: + e5:3b:da:1c:19:14:38:30:d5:e2:a2:31:25:2e:f1:ec:45:38: + ed:f8:06:58:03:73:62:b0:10:31:8f:40:bf:64:e0:5c:3e:c5: + 4f:1f:da:12:43:ff:4c:e6:06:26:a8:9b:19:aa:44:3c:76:b2: + 5c:ec + +Entrust.net Secure Server CA +============================ +MD5 Fingerprint: DF:F2:80:73:CC:F1:E6:61:73:FC:F5:42:E9:C5:7C:EE PEM Data: -----BEGIN CERTIFICATE----- -MIIDRzCCArCgAwIBAgIENm3FGDANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJV -UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRswGQYDVQQL -ExJEU1QtRW50cnVzdCBHVEkgQ0EwHhcNOTgxMjA5MDAwMjI0WhcNMTgxMjA5MDAz -MjI0WjBQMQswCQYDVQQGEwJVUzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUg -VHJ1c3QgQ28uMRswGQYDVQQLExJEU1QtRW50cnVzdCBHVEkgQ0EwgZ0wDQYJKoZI -hvcNAQEBBQADgYsAMIGHAoGBALYd90uNDxPjEvUJ/gYyDq9MQfV91Ec9KgrfgwXe -3n3mAxb2UTrLRxpKrX7E/R20vnSKeN0Lg460hBPE+/htKa6h4Q8PQ+O1XmBp+oOU -/Hnm3Hbt0UQrjv0Su/4XdxcMie2n71F9xO04wzujevviTaBgtfL9E2XTxuw/vjWc -PSLvAgEDo4IBLjCCASowEQYJYIZIAYb4QgEBBAQDAgAHMHIGA1UdHwRrMGkwZ6Bl -oGOkYTBfMQswCQYDVQQGEwJVUzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUg -VHJ1c3QgQ28uMRswGQYDVQQLExJEU1QtRW50cnVzdCBHVEkgQ0ExDTALBgNVBAMT -BENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMDkwMDAyMjRagQ8yMDE4MTIwOTAwMDIy -NFowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFJOaRMrQeFOAKUkE38evMz+ZdV+u -MB0GA1UdDgQWBBSTmkTK0HhTgClJBN/HrzM/mXVfrjAMBgNVHRMEBTADAQH/MBkG -CSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqGSIb3DQEBBQUAA4GBAGSJzAOn -3AryWCDn/RegKHLNh7DNmLUkR2MzMRAQsu+KV3KuTAPgZ5+sYEOEIsGpo+Wxp94J -1M8NeEYjW49Je/4TIpeU6nJI4SwgeJbpZkUZywllY2E/0UmYsXYQVdVjSmZLpAdr -3nt/ueaTWxoCW4AO3Y0Y1Iqjwmjxo+AY0U5M +MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC +VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u +ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc 
+KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u +ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1 +MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA1UE +ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j +b3JwLiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBF +bnRydXN0Lm5ldCBMaW1pdGVkMTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUg +U2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUA +A4GLADCBhwKBgQDNKIM0VBuJ8w+vN5Ex/68xYMmo6LIQaO2f55M28Qpku0f1BBc/ +I0dNxScZgSYMVHINiC3ZH5oSn7yzcdOAGT9HZnuMNSjSuQrfJNqc1lB5gXpa0zf3 +wkrYKZImZNHkmGw6AIr1NJtl+O3jEP/9uElY3KDegjlrgbEWGWG5VLbmQwIBA6OC +AdcwggHTMBEGCWCGSAGG+EIBAQQEAwIABzCCARkGA1UdHwSCARAwggEMMIHeoIHb +oIHYpIHVMIHSMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxOzA5 +BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5jb3JwLiBieSByZWYuIChsaW1p +dHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5ldCBMaW1pdGVk +MTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUgU2VydmVyIENlcnRpZmljYXRp +b24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCmgJ6AlhiNodHRwOi8vd3d3LmVu +dHJ1c3QubmV0L0NSTC9uZXQxLmNybDArBgNVHRAEJDAigA8xOTk5MDUyNTE2MDk0 +MFqBDzIwMTkwNTI1MTYwOTQwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAU8Bdi +E1U9s/8KAGv7UISX8+1i0BowHQYDVR0OBBYEFPAXYhNVPbP/CgBr+1CEl/PtYtAa +MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI +hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN +95K+8cPV1ZVqBLssziY2ZcgxxufuP+NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd +2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G+bI= -----END CERTIFICATE----- Certificate Ingredients: Data: Version: 3 (0x2) - Serial Number: 913163544 (0x366dc518) + Serial Number: 927650371 (0x374ad243) Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, O=Digital Signature Trust Co., OU=DST-Entrust GTI CA + Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. 
(limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority Validity - Not Before: Dec 9 00:02:24 1998 GMT - Not After : Dec 9 00:32:24 2018 GMT - Subject: C=US, O=Digital Signature Trust Co., OU=DST-Entrust GTI CA + Not Before: May 25 16:09:40 1999 GMT + Not After : May 25 16:39:40 2019 GMT + Subject: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): - 00:b6:1d:f7:4b:8d:0f:13:e3:12:f5:09:fe:06:32: - 0e:af:4c:41:f5:7d:d4:47:3d:2a:0a:df:83:05:de: - de:7d:e6:03:16:f6:51:3a:cb:47:1a:4a:ad:7e:c4: - fd:1d:b4:be:74:8a:78:dd:0b:83:8e:b4:84:13:c4: - fb:f8:6d:29:ae:a1:e1:0f:0f:43:e3:b5:5e:60:69: - fa:83:94:fc:79:e6:dc:76:ed:d1:44:2b:8e:fd:12: - bb:fe:17:77:17:0c:89:ed:a7:ef:51:7d:c4:ed:38: - c3:3b:a3:7a:fb:e2:4d:a0:60:b5:f2:fd:13:65:d3: - c6:ec:3f:be:35:9c:3d:22:ef + 00:cd:28:83:34:54:1b:89:f3:0f:af:37:91:31:ff: + af:31:60:c9:a8:e8:b2:10:68:ed:9f:e7:93:36:f1: + 0a:64:bb:47:f5:04:17:3f:23:47:4d:c5:27:19:81: + 26:0c:54:72:0d:88:2d:d9:1f:9a:12:9f:bc:b3:71: + d3:80:19:3f:47:66:7b:8c:35:28:d2:b9:0a:df:24: + da:9c:d6:50:79:81:7a:5a:d3:37:f7:c2:4a:d8:29: + 92:26:64:d1:e4:98:6c:3a:00:8a:f5:34:9b:65:f8: + ed:e3:10:ff:fd:b8:49:58:dc:a0:de:82:39:6b:81: + b1:16:19:61:b9:54:b6:e6:43 Exponent: 3 (0x3) X509v3 extensions: Netscape Cert Type: - .... + SSL CA, S/MIME CA, Object Signing CA X509v3 CRL Distribution Points: - 0i0g.e.c.a0_1.0...U....US1$0"..U. -..Digital Signature Trust Co.1.0...U....DST-Entrust GTI CA1 0...U....CRL1 + DirName:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. 
(limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority/CN=CRL1 + URI:http://www.entrust.net/CRL/net1.crl + X509v3 Private Key Usage Period: - 0"..19981209000224Z..20181209000224Z + Not Before: May 25 16:09:40 1999 GMT, Not After: May 25 16:09:40 2019 GMT X509v3 Key Usage: - .... + Certificate Sign, CRL Sign X509v3 Authority Key Identifier: - 0.....D..xS.)I....3?.u_. + keyid:F0:17:62:13:55:3D:B3:FF:0A:00:6B:FB:50:84:97:F3:ED:62:D0:1A + X509v3 Subject Key Identifier: - ....D..xS.)I....3?.u_. + F0:17:62:13:55:3D:B3:FF:0A:00:6B:FB:50:84:97:F3:ED:62:D0:1A X509v3 Basic Constraints: - 0.... + CA:TRUE 1.2.840.113533.7.65.0: 0 ..V4.0.... Signature Algorithm: sha1WithRSAEncryption - 64:89:cc:03:a7:dc:0a:f2:58:20:e7:fd:17:a0:28:72:cd:87: - b0:cd:98:b5:24:47:63:33:31:10:10:b2:ef:8a:57:72:ae:4c: - 03:e0:67:9f:ac:60:43:84:22:c1:a9:a3:e5:b1:a7:de:09:d4: - cf:0d:78:46:23:5b:8f:49:7b:fe:13:22:97:94:ea:72:48:e1: - 2c:20:78:96:e9:66:45:19:cb:09:65:63:61:3f:d1:49:98:b1: - 76:10:55:d5:63:4a:66:4b:a4:07:6b:de:7b:7f:b9:e6:93:5b: - 1a:02:5b:80:0e:dd:8d:18:d4:8a:a3:c2:68:f1:a3:e0:18:d1: - 4e:4c + 90:dc:30:02:fa:64:74:c2:a7:0a:a5:7c:21:8d:34:17:a8:fb: + 47:0e:ff:25:7c:8d:13:0a:fb:e4:98:b5:ef:8c:f8:c5:10:0d: + f7:92:be:f1:c3:d5:d5:95:6a:04:bb:2c:ce:26:36:65:c8:31: + c6:e7:ee:3f:e3:57:75:84:7a:11:ef:46:4f:18:f4:d3:98:bb: + a8:87:32:ba:72:f6:3c:e2:3d:9f:d7:1d:d9:c3:60:43:8c:58: + 0e:22:96:2f:62:a3:2c:1f:ba:ad:05:ef:ab:32:78:87:a0:54: + 73:19:b5:5c:05:f9:52:3e:6d:2d:45:0b:f7:0a:93:ea:ed:06: + f9:b2 Equifax Premium CA ================== 
@@ -854,18 +1202,19 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: X509v3 CRL Distribution Points: - 0h0f.d.b.`0^1.0...U....US1.0...U. -..Equifax1.0,..U...%Equifax Premium Certificate Authority1 0...U....CRL1 + DirName:/C=US/O=Equifax/OU=Equifax Premium Certificate Authority/CN=CRL1 + X509v3 Private Key Usage Period: - 0...20180824225423Z + Not After: Aug 24 22:54:23 2018 GMT X509v3 Key Usage: - .... + Certificate Sign, CRL Sign X509v3 Authority Key Identifier: - 0......(Y.n......$..?u.. + keyid:15:EE:B2:28:59:AB:6E:E5:F8:CF:8B:81:F4:24:E1:AE:3F:75:1B:98 + X509v3 Subject Key Identifier: - .....(Y.n......$..?u.. + 15:EE:B2:28:59:AB:6E:E5:F8:CF:8B:81:F4:24:E1:AE:3F:75:1B:98 X509v3 Basic Constraints: - 0.... + CA:TRUE 1.2.840.113533.7.65.0: 0...V3.0c.... Signature Algorithm: sha1WithRSAEncryption @@ -927,18 +1276,19 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: X509v3 CRL Distribution Points: - 0g0e.c.a._0]1.0...U....US1.0...U. -..Equifax1-0+..U...$Equifax Secure Certificate Authority1 0...U....CRL1 + DirName:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority/CN=CRL1 + X509v3 Private Key Usage Period: - 0...20180822164151Z + Not After: Aug 22 16:41:51 2018 GMT X509v3 Key Usage: - .... + Certificate Sign, CRL Sign X509v3 Authority Key Identifier: - 0...H.h.+....G.# .O3.... + keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4 + X509v3 Subject Key Identifier: - ..H.h.+....G.# .O3.... + 48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4 X509v3 Basic Constraints: - 0.... + CA:TRUE 1.2.840.113533.7.65.0: 0...V3.0c.... Signature Algorithm: sha1WithRSAEncryption 
@@ -1349,15 +1699,14 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical - 0....... + CA:TRUE, pathlen:5 X509v3 Key Usage: critical - .... + Certificate Sign, CRL Sign X509v3 Certificate Policies: - 0.0.. -*.H..c.... + Policy: 1.2.840.113763.1.2.1.3 + X509v3 Subject Key Identifier: - ..v -I!8L....I.qq.. + 76:0A:49:21:38:4C:9F:DE:F8:C4:49:C7:71:71:91:9D Signature Algorithm: sha1WithRSAEncryption 41:3a:d4:18:5b:da:b8:de:21:1c:e1:8e:09:e5:f1:68:34:ff: de:96:f4:07:f5:a7:3c:f3:ac:4a:b1:9b:fa:92:fa:9b:ed:e6: @@ -1488,13 +1837,14 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical - .... + Certificate Sign, CRL Sign X509v3 Subject Key Identifier: - ..C$.p..bU.O.@.].^..L. + 43:24:8D:70:15:08:62:55:9C:4F:0C:40:17:5D:86:5E:0F:A2:4C:FB X509v3 Authority Key Identifier: - 0...`{f.E ...P/}..4....K + keyid:60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B + X509v3 Basic Constraints: critical - 0.... + CA:TRUE Signature Algorithm: md5WithRSAEncryption 66:ed:b4:88:69:11:99:82:21:83:ac:a1:6d:8b:9b:84:ad:0f: 2d:c8:1e:8c:ca:7b:7e:ad:aa:d4:8e:de:07:d6:9e:45:c7:a5: @@ -1574,13 +1924,14 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical - .... + Certificate Sign, CRL Sign X509v3 Subject Key Identifier: - ....f.Z5..@....C...... + FC:E0:66:F6:5A:35:99:EB:40:1E:D2:B8:1E:43:BC:98:8E:1F:8A:C3 X509v3 Authority Key Identifier: - 0...`{f.E ...P/}..4....K + keyid:60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B + X509v3 Basic Constraints: critical - 0.... + CA:TRUE Signature Algorithm: md5WithRSAEncryption 9b:a3:08:44:ce:f2:90:9d:71:f3:32:b3:05:6a:b5:ea:cf:29: 98:de:55:3e:a0:16:7d:06:7a:44:d6:af:d2:fa:13:58:8c:f8: 
@@ -1660,13 +2011,14 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical - .... + Certificate Sign, CRL Sign X509v3 Subject Key Identifier: - ..|...,...k.v....Nl... + 7C:E7:B2:B1:2C:DE:B1:A7:6B:E9:76:0C:E1:A3:FD:4E:6C:C7:B9:F6 X509v3 Authority Key Identifier: - 0...`{f.E ...P/}..4....K + keyid:60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B + X509v3 Basic Constraints: critical - 0.... + CA:TRUE Signature Algorithm: md5WithRSAEncryption 63:dd:59:ce:8a:79:aa:98:9d:4e:c5:89:64:37:7e:8a:93:67: 2f:10:ea:6f:27:c3:8d:77:6d:f2:5c:56:94:19:1a:69:60:30: @@ -1746,13 +2098,14 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical - .... + Certificate Sign, CRL Sign X509v3 Subject Key Identifier: - ...6...E./..;0Hw...... + CC:36:CC:17:B4:45:91:2F:ED:CF:3B:30:48:77:FB:B5:14:99:BE:E3 X509v3 Authority Key Identifier: - 0...`{f.E ...P/}..4....K + keyid:60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B + X509v3 Basic Constraints: critical - 0.... + CA:TRUE Signature Algorithm: md5WithRSAEncryption 57:b2:54:cc:bd:95:17:64:60:89:b6:53:91:0c:45:92:c3:3d: a8:6c:c3:cc:b2:18:f5:78:41:74:d8:7d:a3:27:af:77:0d:59: @@ -1831,11 +2184,11 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical - .... + Certificate Sign, CRL Sign X509v3 Subject Key Identifier: - ..`{f.E ...P/}..4....K + 60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B X509v3 Basic Constraints: critical - 0.... + CA:TRUE Signature Algorithm: md5WithRSAEncryption ae:aa:9f:fc:b7:d2:cb:1f:5f:39:29:28:18:9e:34:c9:6c:4f: 6f:1a:f0:64:a2:70:4a:4f:13:86:9b:60:28:9e:e8:81:49:98: 
@@ -1932,82 +2285,6 @@ Certificate Ingredients: ec:b9:94:6a:aa:12:4f:1a:dd:f5:77:b5:25:8c:f2:8a:0a:f1: fc:52:5b:58 -Novell E-Commerce Community by DST -================================== -MD5 Fingerprint: 93:C2:8E:11:7B:D4:F3:03:19:BD:28:75:13:4A:45:4A -PEM Data: ------BEGIN CERTIFICATE----- -MIIDKTCCApKgAwIBAgIENm7TzjANBgkqhkiG9w0BAQUFADBGMQswCQYDVQQGEwJV -UzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMREwDwYDVQQL -EwhEU1RDQSBFMjAeFw05ODEyMDkxOTE3MjZaFw0xODEyMDkxOTQ3MjZaMEYxCzAJ -BgNVBAYTAlVTMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4x -ETAPBgNVBAsTCERTVENBIEUyMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKBgQC/ -k48Xku8zExjrEH9OFr//Bo8qhbxe+SSmJIi2A7fBw18DW9Fvrn5C6mYjuGODVvso -LeE4i7TuqAHhzhy2iCoiRoX7n6dwqUcUP87eZfCocfdPJmyMvMa1795JJ/9IKn3o -TQPMx7JSxhcxEzu1TdvIxPbDDyQq2gyd55FbgM2UnQIBA6OCASQwggEgMBEGCWCG -SAGG+EIBAQQEAwIABzBoBgNVHR8EYTBfMF2gW6BZpFcwVTELMAkGA1UEBhMCVVMx -JDAiBgNVBAoTG0RpZ2l0YWwgU2lnbmF0dXJlIFRydXN0IENvLjERMA8GA1UECxMI -RFNUQ0EgRTIxDTALBgNVBAMTBENSTDEwKwYDVR0QBCQwIoAPMTk5ODEyMDkxOTE3 -MjZagQ8yMDE4MTIwOTE5MTcyNlowCwYDVR0PBAQDAgEGMB8GA1UdIwQYMBaAFB6C -TShlgDzJQW6sNS5ay97u+DlbMB0GA1UdDgQWBBQegk0oZYA8yUFurDUuWsve7vg5 -WzAMBgNVHRMEBTADAQH/MBkGCSqGSIb2fQdBAAQMMAobBFY0LjADAgSQMA0GCSqG -SIb3DQEBBQUAA4GBAEeNg61i8tuwnkUiBbmi1gMOOHLnnvx75pO2mqWilMg0HZHR -xdf0CiUPPXiBng+xZ8SQTGPdXqfiup/1902lMXucKS1M/mQ+7LZT/uqb7YLbdHVL -B3luHtgZg3Pe9T7Qtd7nS2h9Qy4qIOF+oHhEngj1mPnHfxsb1gYgAlihw6ID ------END CERTIFICATE----- -Certificate Ingredients: - Data: - Version: 3 (0x2) - Serial Number: 913232846 (0x366ed3ce) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, O=Digital Signature Trust Co., OU=DSTCA E2 - Validity - Not Before: Dec 9 19:17:26 1998 GMT - Not After : Dec 9 19:47:26 2018 GMT - Subject: C=US, O=Digital Signature Trust Co., OU=DSTCA E2 - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (1024 bit) - Modulus (1024 bit): - 00:bf:93:8f:17:92:ef:33:13:18:eb:10:7f:4e:16: - bf:ff:06:8f:2a:85:bc:5e:f9:24:a6:24:88:b6:03: - 
b7:c1:c3:5f:03:5b:d1:6f:ae:7e:42:ea:66:23:b8: - 63:83:56:fb:28:2d:e1:38:8b:b4:ee:a8:01:e1:ce: - 1c:b6:88:2a:22:46:85:fb:9f:a7:70:a9:47:14:3f: - ce:de:65:f0:a8:71:f7:4f:26:6c:8c:bc:c6:b5:ef: - de:49:27:ff:48:2a:7d:e8:4d:03:cc:c7:b2:52:c6: - 17:31:13:3b:b5:4d:db:c8:c4:f6:c3:0f:24:2a:da: - 0c:9d:e7:91:5b:80:cd:94:9d - Exponent: 3 (0x3) - X509v3 extensions: - Netscape Cert Type: - .... - X509v3 CRL Distribution Points: - 0_0].[.Y.W0U1.0...U....US1$0"..U. -..Digital Signature Trust Co.1.0...U....DSTCA E21 0...U....CRL1 - X509v3 Private Key Usage Period: - 0"..19981209191726Z..20181209191726Z - X509v3 Key Usage: - .... - X509v3 Authority Key Identifier: - 0.....M(e.<.An.5.Z....9[ - X509v3 Subject Key Identifier: - ....M(e.<.An.5.Z....9[ - X509v3 Basic Constraints: - 0.... - 1.2.840.113533.7.65.0: - 0 -..V4.0.... - Signature Algorithm: sha1WithRSAEncryption - 47:8d:83:ad:62:f2:db:b0:9e:45:22:05:b9:a2:d6:03:0e:38: - 72:e7:9e:fc:7b:e6:93:b6:9a:a5:a2:94:c8:34:1d:91:d1:c5: - d7:f4:0a:25:0f:3d:78:81:9e:0f:b1:67:c4:90:4c:63:dd:5e: - a7:e2:ba:9f:f5:f7:4d:a5:31:7b:9c:29:2d:4c:fe:64:3e:ec: - b6:53:fe:ea:9b:ed:82:db:74:75:4b:07:79:6e:1e:d8:19:83: - 73:de:f5:3e:d0:b5:de:e7:4b:68:7d:43:2e:2a:20:e1:7e:a0: - 78:44:9e:08:f5:98:f9:c7:7f:1b:1b:d6:06:20:02:58:a1:c3: - a2:03 - TC TrustCenter, Germany, Class 0 CA =================================== MD5 Fingerprint: 35:85:49:8E:6E:57:FE:BD:97:F1:C9:46:23:3A:B6:7D 
@@ -2063,17 +2340,17 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: Netscape Revocation Url: - .1https://www.trustcenter.de/cgi-bin/check-rev.cgi? + https://www.trustcenter.de/cgi-bin/check-rev.cgi? Netscape CA Revocation Url: - .1https://www.trustcenter.de/cgi-bin/check-rev.cgi? + https://www.trustcenter.de/cgi-bin/check-rev.cgi? Netscape Renewal Url: - .-https://www.trustcenter.de/cgi-bin/Renew.cgi? + https://www.trustcenter.de/cgi-bin/Renew.cgi? Netscape CA Policy Url: - ./http://www.trustcenter.de/guidelines/index.html + http://www.trustcenter.de/guidelines/index.html Netscape Comment: - ..TC TrustCenter Class 0 CA + TC TrustCenter Class 0 CA Netscape Cert Type: - .... + SSL CA, S/MIME CA, Object Signing CA Signature Algorithm: md5WithRSAEncryption 4d:07:7f:5f:09:30:19:92:aa:05:47:7a:94:75:54:2a:ae:cf: fc:d8:0c:42:e1:45:38:2b:24:95:b2:ca:87:ca:79:c4:c3:97: @@ -2139,17 +2416,17 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: Netscape Revocation Url: - .1https://www.trustcenter.de/cgi-bin/check-rev.cgi? + https://www.trustcenter.de/cgi-bin/check-rev.cgi? Netscape CA Revocation Url: - .1https://www.trustcenter.de/cgi-bin/check-rev.cgi? + https://www.trustcenter.de/cgi-bin/check-rev.cgi? Netscape Renewal Url: - .-https://www.trustcenter.de/cgi-bin/Renew.cgi? + https://www.trustcenter.de/cgi-bin/Renew.cgi? Netscape CA Policy Url: - ./http://www.trustcenter.de/guidelines/index.html + http://www.trustcenter.de/guidelines/index.html Netscape Comment: - ..TC TrustCenter Class 1 CA + TC TrustCenter Class 1 CA Netscape Cert Type: - .... + SSL CA, S/MIME CA, Object Signing CA Signature Algorithm: md5WithRSAEncryption 05:42:52:26:a4:0c:27:01:44:ac:5c:25:28:c2:44:42:54:08: b9:1d:c5:3e:6c:59:66:c4:b3:4e:50:a7:f8:f8:96:75:a1:96: 
@@ -2215,17 +2492,17 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: Netscape Revocation Url: - .1https://www.trustcenter.de/cgi-bin/check-rev.cgi? + https://www.trustcenter.de/cgi-bin/check-rev.cgi? Netscape CA Revocation Url: - .1https://www.trustcenter.de/cgi-bin/check-rev.cgi? + https://www.trustcenter.de/cgi-bin/check-rev.cgi? Netscape Renewal Url: - .-https://www.trustcenter.de/cgi-bin/Renew.cgi? + https://www.trustcenter.de/cgi-bin/Renew.cgi? Netscape CA Policy Url: - ./http://www.trustcenter.de/guidelines/index.html + http://www.trustcenter.de/guidelines/index.html Netscape Comment: - ..TC TrustCenter Class 2 CA + TC TrustCenter Class 2 CA Netscape Cert Type: - .... + SSL CA, S/MIME CA, Object Signing CA Signature Algorithm: md5WithRSAEncryption 89:1b:f4:ef:e9:38:e2:6c:0c:f6:cd:6f:49:ce:29:cc:fb:a6: 0f:f9:8d:3e:95:46:d6:fc:47:32:89:b2:c8:06:61:7a:d2:e7: @@ -2291,17 +2568,17 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: Netscape Revocation Url: - .1https://www.trustcenter.de/cgi-bin/check-rev.cgi? + https://www.trustcenter.de/cgi-bin/check-rev.cgi? Netscape CA Revocation Url: - .1https://www.trustcenter.de/cgi-bin/check-rev.cgi? + https://www.trustcenter.de/cgi-bin/check-rev.cgi? Netscape Renewal Url: - .-https://www.trustcenter.de/cgi-bin/Renew.cgi? + https://www.trustcenter.de/cgi-bin/Renew.cgi? Netscape CA Policy Url: - ./http://www.trustcenter.de/guidelines/index.html + http://www.trustcenter.de/guidelines/index.html Netscape Comment: - ..TC TrustCenter Class 3 CA + TC TrustCenter Class 3 CA Netscape Cert Type: - .... + SSL CA, S/MIME CA, Object Signing CA Signature Algorithm: md5WithRSAEncryption 84:86:50:62:79:a0:27:e1:25:ba:09:b1:34:0f:13:09:ed:2d: ca:a3:e6:95:f9:30:ac:cd:17:a5:ce:3d:97:9d:ec:7c:8f:26: 
@@ -2367,17 +2644,17 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: Netscape Revocation Url: - .1https://www.trustcenter.de/cgi-bin/check-rev.cgi? + https://www.trustcenter.de/cgi-bin/check-rev.cgi? Netscape CA Revocation Url: - .1https://www.trustcenter.de/cgi-bin/check-rev.cgi? + https://www.trustcenter.de/cgi-bin/check-rev.cgi? Netscape Renewal Url: - .-https://www.trustcenter.de/cgi-bin/Renew.cgi? + https://www.trustcenter.de/cgi-bin/Renew.cgi? Netscape CA Policy Url: - ./http://www.trustcenter.de/guidelines/index.html + http://www.trustcenter.de/guidelines/index.html Netscape Comment: - ..TC TrustCenter Class 4 CA + TC TrustCenter Class 4 CA Netscape Cert Type: - .... + SSL CA, S/MIME CA, Object Signing CA Signature Algorithm: md5WithRSAEncryption 94:68:14:1b:25:9e:29:99:b1:b2:23:d2:44:b3:95:9f:d1:9e: 55:04:dd:e3:2f:82:33:55:96:77:19:9d:2b:9e:65:1c:fa:8a: @@ -2437,7 +2714,7 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical - 0.... + CA:TRUE Signature Algorithm: md5WithRSAEncryption 2d:e2:99:6b:b0:3d:7a:89:d7:59:a2:94:01:1f:2b:dd:12:4b: 53:c2:ad:7f:aa:a7:00:5c:91:40:57:25:4a:38:aa:84:70:b9: @@ -2498,7 +2775,7 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical - 0.... + CA:TRUE Signature Algorithm: md5WithRSAEncryption c7:ec:92:7e:4e:f8:f5:96:a5:67:62:2a:a4:f0:4d:11:60:d0: 6f:8d:60:58:61:ac:26:bb:52:35:5c:08:cf:30:fb:a8:4a:96: @@ -2558,7 +2835,7 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical - 0.... + CA:TRUE Signature Algorithm: md5WithRSAEncryption 69:36:89:f7:34:2a:33:72:2f:6d:3b:d4:22:b2:b8:6f:9a:c5: 36:66:0e:1b:3c:a1:b1:75:5a:e6:fd:35:d3:f8:a8:f2:07:6f: 
@@ -2618,7 +2895,7 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical - 0.... + CA:TRUE Signature Algorithm: md5WithRSAEncryption 26:48:2c:16:c2:58:fa:e8:16:74:0c:aa:aa:5f:54:3f:f2:d7: c9:78:60:5e:5e:6e:37:63:22:77:36:7e:b2:17:c4:34:b9:f5: @@ -2678,7 +2955,7 @@ Certificate Ingredients: Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical - 0.... + CA:TRUE Signature Algorithm: md5WithRSAEncryption 07:fa:4c:69:5c:fb:95:cc:46:ee:85:83:4d:21:30:8e:ca:d9: a8:6f:49:1a:e6:da:51:e3:60:70:6c:84:61:11:a1:1a:c8:48: 
@@ -2689,6 +2966,372 @@ Certificate Ingredients: b2:75:1b:f6:42:f2:ef:c7:f2:18:f9:89:bc:a3:ff:8a:23:2e: 70:47 +Thawte Universal CA Root +======================== +MD5 Fingerprint: 17:AF:71:16:52:7B:73:65:22:05:29:28:84:71:9D:13 +PEM Data: +-----BEGIN CERTIFICATE----- +MIIRIjCCCQoCAQAwDQYJKoZIhvcNAQEFBQAwVzEPMA0GA1UEChMGVGhhd3RlMSEw +HwYDVQQLExhUaGF3dGUgVW5pdmVyc2FsIENBIFJvb3QxITAfBgNVBAMTGFRoYXd0 +ZSBVbml2ZXJzYWwgQ0EgUm9vdDAeFw05OTEyMDUxMzU2MDVaFw0zNzA0MDMxMzU2 +MDVaMFcxDzANBgNVBAoTBlRoYXd0ZTEhMB8GA1UECxMYVGhhd3RlIFVuaXZlcnNh +bCBDQSBSb290MSEwHwYDVQQDExhUaGF3dGUgVW5pdmVyc2FsIENBIFJvb3Qwgggi +MA0GCSqGSIb3DQEBAQUAA4IIDwAwgggKAoIIAQDiiQVtw3+tpok6/7vHzZ03seHS +IR6bYSoV53tXT1U80Lv52T0+przstK1TmhYC6wty/Yryj0QFxevT5b22RDnm+0e/ +ap4KlRjiaOLWltYhrYj99Rf109pCpZDtKZWWdTrah6HU9dOH3gVipuNmdJLPpby7 +32j/cXVWQVk16zNaZlHy0qMKwYzOc1wRby2MlYyRsf3P5a1WlcyFkoOQVUHJwnft ++aN0QgpoCPPQ0WX9Zyw0/yR/53nIBzslV92kDJg9vuDMGWXb8lSir0LUneKuhCMl +CTMStWoedsSL2UkAbF66H/Ib2mfKJ6qjRCMbg4LO8qsz7VSk3MmrWWXROA7BPhtn +j9Z1AeBVIt12d+yO3fTPeSJtuVcD9ZkIpzw+NPvEF64jWM0k8yPKagIolAGBNLRs +a66LGsOj0gk8FlT1Nl8k459KoeJkxhbDpoF6JDZHjsFeDvv5FXgE1g5Z2Z1YZmLS +lCkyMsh4uWb2tVbhbMYUS5ZSWZECJGpVR9c/tiMaYHeXLuJAr54EV56tEcXJQ3Dv +SLRerBxpLi6C1VuLvoK+GRRe5w0ix1Eb/x6b8TCPcTEGszQnj196ZoJPii0Tq0LP +IVael45mNg+Wm+Ur9AKpKmqMLMTDuHAsLSkeP1B3Hm0qVORVCpE4ocW1ZqJ2Wu4P +v7Rn4ShuD+E2oYLRv9R34cRnMpN4yOdUU/4jeeZozCaQ9hBjXSpvkS2kczJRIfK7 +Fd+qJAhIBt6hnia/uoO/fKTIoIy90v+8hGknEyQYxEUYIyZeGBTKLoiHYqNT5iG3 +uIV7moW7FSZy+Ln3anQPST+SvqkFt5knv78JF0uZTK0REHzfdDH2jyZfqoiuOFfI +VS3T+9gbUZm+JRs6usB9G+3O0km5z/PFfYmQgdhpSCAQo/jvklEYMosRGMA/G4VW +zlfJ8oJkxt8CCS5KES+xJ203UvDwFmHxZ43fh3Kvh9rP+1CUbtSUheuKLOoh9ZZK +RNXgzmp0RE3QBdOHFe020KSLZlVwk+5HBsF+LqUYeWfzKIXxcPcOg6R+VJ5adjLL +ZRu4zfvIKAPSVJHRp8WFQwgXdqXmL2cI2KGigi0M+MGvY9RQd21rRkpBhdWQX3kt +xOzXEYdAiuFo4mT4VTL7b5Ms2nfZIcEX5TYsTn6Qf6yUKzJnvjhQdriuQbnXIcUJ +TGDIo1HENJtXN9/LyTNXi+v7dp8ZTcVqHypFrivtL42npQDLBPolYi50SBvKKoy6 +27Z+9rsCfKnD21h4ob/w/hoQVRHO6GlOlmXGFwPWB2iMVIKuHCJVP/H0CZcowEb3 
+TgslHfcH1wkdOhhXODvoMwbnj3hGHlv1BrbsuKYN8boTS9YYIN1pM0ozFa64yJiK +JyyTvC377jO/ZuZNurabBlVgl0u8RM1+9KHYqi/AAighFmJ42whU8vz0NOPGjxxD +V86QGkvcLjsokYk/eto1HY4s7kns9DOtyVOojJ8EUz4kHFLJEvliV6O87izrQHwg +I3ArlflzF4rRwRxpprc4mmf3cB16WgxAz2IPhTzCAk5+tfbFKimEsx83KuGqckLE +7Wsaj5IcXb7R8lvyq6qp0vW4pEErK5FuEkjKmNg3jcjtADC1tgROfpzahOzA+nvl +HYikU0awlORcG6ElLA9IUneXCWzsWxgzgwLlgn7NhSEwEf0nT8/kHuw/pVds6Sow +GSqI5cNpOKtvOXF/hOFBw+HMKokgUi6DD2w5P0stFqwt8CSsAHP0m7MGPwW4FIUf +q55cPJ5inQ5tO4AJ/ALqopd0ysf541bhw8qlpprAkOAkElPSwovavu0CQ15n4YmY +ee7LqsrDG9znpUalfGsWh7ZaKNfbJzxepb22Ud0fQ887Jsg6jSVhwUn0PBvJROqv +HMIrlAEqDjDRW4srR+XD0QQDmw45LNYn1OZwWtl1zyrYyQAF5BOI7MM5+4dhMDZD +A8ienKIGwi/F/PCAY7FUBKBMqS7G9XZ62NDk1JQR5RW1eAbcuICPmakgMz0QhUxl +Cco+WF5gk5qqYl3AUQYcXWCgDZxLQ/anFiGkh6rywS7ukjC4nt/fEAGLhglw2Gyo +t1AeFpa092f9NTohkCoyxwB7TQcQCbkvc9gYfmeZBE8G/FDHhZudQJ2zljf6pdyy +ck7vTgks/ZH9Tfe7pqE+q3uiA0CmqVUn4vr5Gc6HdarxdTbz87iR+JHDi3UTjkxl +mhY5auU06HqWWX81sAD9W2n8Qyb69Shu/ofZfiT7tKCCblSi/66/YrT0cgHCy5hH +mOFMtReAgM6PpijuHkVq+9/xHfxaO9bq9GwdYklXO4qPhurwUwTOnBZo/7q5/IgP +R/cCRHJAuMo7LVOd3DxWjFl7aBosjXG7bADHGs5vQJKxoy8P2UTyo3Aunu4OrjLQ +Oz6LB+rmebNcKeJ9a6he+Vox6AiWoowDmEbxuH2QVCbtdmL+numabl7JScdcNFMp +VNns5EbhgDt12d/7edWH8bqe6xnOTFJz5luHriVPOXnMxrj5EHvs8JtxpAWg0ynT +Tn8f9C0oeMxVlXsekS/MVhhzi7LbvGkH5tDYT+2i/1iFo23gSlO3Z32NDFxbe3co +AjVEegTTKEPIazAXXTK4KTW6dto7FEp2GFik+JI8nk0zb0ZrCNkxSGjd9PskVjSy +z2lmvkjSimYizfJpzcJTE0UpQSLWXZgftqSyo8LuAi9RG9yDpOxwJajUCGEyb+Sh +gS58Y3L6KWW8cETPXQIDAQABMA0GCSqGSIb3DQEBBQUAA4IIAQBVmjRqIgZpCUUz +x66pXMcJTpuGvEGQ1JRS9s0jKZRLIs3ovf6dzVLyve2rh8mrq0YEtL2iPyIwR1DA +S4x2DwP1ktKxLcR6NZzJc4frpp/eD3ON03+Z2LqPb8Tzvhqui6KUNpDi5euNBfT8 +Zd+V8cSUTRdW1588j1A853e/lYYmZPtq/8ba6YyuQrtp5TPG2OkNxlUhScEMtKP5 +m0tc3oNPQQPOKnloOH3wVEkg9bYQ/wjcM2aWm/8G3gCe185WQ5pR/HDN9vBRo7fN +tFyFYs1xt8YrIyvdw25AQvo3/zcc9npXlIeFI9fUycdfwU0vyQ3XXOycJe6eMIKR +lnK4dR34CWhXl7ItS+4l7HokKe5y1JwT26vcAwrYShTJCFdEXaG1U4A08hSXz1Le +og6KEOkU79BgvmGh8SVd1RhzP5MQypbus0DS26NVz1dapQ5PdUff6veQmm31cC4d 
+FBw3ZARZULDccoZvnDc9XSivc1Xv0u4kdHQT79zbMUn7P2P10wg+M6XnnQreUyxR +jmfbm0FlQVC91KSWbIe8EuCUx9PA5MtzWACD4awnhdadU51cvQo+A0OcDJH1bXv4 +QHJ1qxF2kSvhxqofcGl2cBUJ/pPQ1i23FWqbZ1y0aZ8lpn2K+30iqXHyzk6MuCEt +3v5BcQ3/nexzprsHT4gOWEcufqnCx3jdunqeTuAwTmNvhdQgQen6/kNF5/uverLO +pAUdIppYht/kzkyp/tgWpW/72M5We/XWIO/kR81jJP+5vvFIo8EBcua9wK3tJg3K +NJ/8Ai0gTwUgriE9DMIgPD/wBITcz4n9uSWRjtBD5rMgq1wt1UCeoEvY9LLMffFY +Co6H7YisNpbkVqARivKa0LNXozS7Gas44XRrIsQxzgHVGzbjHjhMM5PfQONZV06s +bnseWj3FHVusyBCCNQIisvx16BCRjcR9eJNHnhydrGtiAliM1hwj1q94woCcpKok +VBS1FJjG+CsaJMtxMgrimw5pa91+jGTRLmPvDn+xPohMnVXlyW4XBLdB/72KQcsl +MW9Edz9HsfyBiAeOBUkgtxHZaQMqA525M4Sa399640Zzo9iijFMZiFVMdLj2RIQr +0RQtTjkukmj/afyFYhvrVU/vJYRiRZnW2E5vP1MIfR0GlYGAf09OdDaYteKHcJjc +1/XcUhXmxtZ5ljl/j5XPq4BTrRsLRUAO1Bi9LN6Kd3b98kRHxiHQ5HTw2BgFyHww +csff8bv8AjCp9EImWQ2TBYKhc+005ThdzVCQ/pT8E7y9/KiiiKdzxLKo0V2IxAKi +evEEyf6MdMnvHWRBn6welmdkrKsoQced98CYG24HwmR9WoNmVig2nOf7HHcOKKDE +92t5OQQghMdXk7wboOq860LlqBH+/KxlzP34KIj0pZrlc1HgqJsNA3dO5eCYs4ja +febGnnwUZsEuU0qSBzegfuk9CeQVfM/9uEGl755mncReBx2H+EGt6ucv0kFjGDf5 +FONN0OX3Q/0V4/k2cwYm3wFPqcNO3iBGd5i0eiQrO3UrTliNm12kxxagvDKIP6GD +8wDI+NhY6WNdTCu18HJB2Kt3N9ZydK62NpzIpoNJS+DJVgspvgAwy93WyEKKANns +FdE0cfJbZIf2J9K364awkL8p2yGeNozjIC+VI1FsG8Kk1ebYAkNnoP6bUANEf7vk +ctXR5NqPkhRk+10UEBJKlQbJZQgpyiGjJjgRySffcGcE/cpIMn9jskV0MVBPh9kg +cNIhcLHWEJ0zXXiDkW1Vguza5GJjx4FG1xllcipDGZC41yNNTBzgRKlmZ6zucXkn +Jnhtcg71XUsjtXx8ZekXxjoLDd1eHlHDhrjsf8cnSqVG6GotGcGHo8uZk4dkolUU +TLdDpZPX59JOeUDKZZlGPT96gHqIaswe5WszRvRQwNUfCbjNii6hJ+tdc6foawrl +V4IqsPziVFJW8KupEsYjlgcknOC8RqW0IATaCZNj5dQuwn7FMe21FXSGF7mz8yaK +HQJq2ho/6LrxBG2UUVTiWrRZgx1g0C1zzAe1Joz518aIke+Az10PoWDLRdRCItGx +cB390LcwkDrGSG1n5TLaj9vjqOMdICWiHOFMuaT2xj9cWA27xrJ3ARaRnxcGDbdA +PsyPjpxL4J1+mx4Fq4gi+tMoG1cUZEo+JCw4TSFpAHMu0FUtdPIV6JRDPkAqxsa5 +alveoswYUFRdTiqFbPaSiykZfufqSuAiKyW892bPd5pBdPI8FA10afVQg83NLyHb +IkaK0PdRGpVX8gWLGhntO0XoNsJufvtXIgAfBlOprpPGj3EqMUWS545t5pkiwIP8 +79xXZndPojYx+6ETjeXKo5V9AQxkcDtTQmiAx7udqAA1aZgMqGfYQ+Wqz5XgUZWk 
+Fz9CnbgEztN5ecjTihYykuDXou7XN0wvrLh7vkX28RgznHs3piTZvECrAOnDN4ur +2LbzXoFOsBRrBz4f7ML2RCKVu7Pmb9b5cGW6CoNlqg4TL4MTI1OLQBb6zi/8TQT4 +69isxTbCFVdIOOxVs7Qeuq3SQgYXDXPIV6a+lk2p8sD7eiEc9clwqYKQtfEM1HkQ +voGm6VxhnHd5mqTDNyZXN8lSLPoI/9BfxmHA9Ha+/N5Oz6tRmXHH33701s8GVhkT +UwttdFlIGZtTBS2dMlTT5SxTi2Q+1GR744AJFMz+FkZja3Fp+PnLJ/aIVLxFs84C +yJTuQFv5QgLC/7DYLOsof17JJgGZpw== +-----END CERTIFICATE----- +Certificate Ingredients: + Data: + Version: 1 (0x0) + Serial Number: 0 (0x0) + Signature Algorithm: sha1WithRSAEncryption + Issuer: O=Thawte, OU=Thawte Universal CA Root, CN=Thawte Universal CA Root + Validity + Not Before: Dec 5 13:56:05 1999 GMT + Not After : Apr 3 13:56:05 2037 GMT + Subject: O=Thawte, OU=Thawte Universal CA Root, CN=Thawte Universal CA Root + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (16384 bit) + Modulus (16384 bit): + 00:e2:89:05:6d:c3:7f:ad:a6:89:3a:ff:bb:c7:cd: + 9d:37:b1:e1:d2:21:1e:9b:61:2a:15:e7:7b:57:4f: + 55:3c:d0:bb:f9:d9:3d:3e:a6:bc:ec:b4:ad:53:9a: + 16:02:eb:0b:72:fd:8a:f2:8f:44:05:c5:eb:d3:e5: + bd:b6:44:39:e6:fb:47:bf:6a:9e:0a:95:18:e2:68: + e2:d6:96:d6:21:ad:88:fd:f5:17:f5:d3:da:42:a5: + 90:ed:29:95:96:75:3a:da:87:a1:d4:f5:d3:87:de: + 05:62:a6:e3:66:74:92:cf:a5:bc:bb:df:68:ff:71: + 75:56:41:59:35:eb:33:5a:66:51:f2:d2:a3:0a:c1: + 8c:ce:73:5c:11:6f:2d:8c:95:8c:91:b1:fd:cf:e5: + ad:56:95:cc:85:92:83:90:55:41:c9:c2:77:ed:f9: + a3:74:42:0a:68:08:f3:d0:d1:65:fd:67:2c:34:ff: + 24:7f:e7:79:c8:07:3b:25:57:dd:a4:0c:98:3d:be: + e0:cc:19:65:db:f2:54:a2:af:42:d4:9d:e2:ae:84: + 23:25:09:33:12:b5:6a:1e:76:c4:8b:d9:49:00:6c: + 5e:ba:1f:f2:1b:da:67:ca:27:aa:a3:44:23:1b:83: + 82:ce:f2:ab:33:ed:54:a4:dc:c9:ab:59:65:d1:38: + 0e:c1:3e:1b:67:8f:d6:75:01:e0:55:22:dd:76:77: + ec:8e:dd:f4:cf:79:22:6d:b9:57:03:f5:99:08:a7: + 3c:3e:34:fb:c4:17:ae:23:58:cd:24:f3:23:ca:6a: + 02:28:94:01:81:34:b4:6c:6b:ae:8b:1a:c3:a3:d2: + 09:3c:16:54:f5:36:5f:24:e3:9f:4a:a1:e2:64:c6: + 16:c3:a6:81:7a:24:36:47:8e:c1:5e:0e:fb:f9:15: + 
78:04:d6:0e:59:d9:9d:58:66:62:d2:94:29:32:32: + c8:78:b9:66:f6:b5:56:e1:6c:c6:14:4b:96:52:59: + 91:02:24:6a:55:47:d7:3f:b6:23:1a:60:77:97:2e: + e2:40:af:9e:04:57:9e:ad:11:c5:c9:43:70:ef:48: + b4:5e:ac:1c:69:2e:2e:82:d5:5b:8b:be:82:be:19: + 14:5e:e7:0d:22:c7:51:1b:ff:1e:9b:f1:30:8f:71: + 31:06:b3:34:27:8f:5f:7a:66:82:4f:8a:2d:13:ab: + 42:cf:21:56:9e:97:8e:66:36:0f:96:9b:e5:2b:f4: + 02:a9:2a:6a:8c:2c:c4:c3:b8:70:2c:2d:29:1e:3f: + 50:77:1e:6d:2a:54:e4:55:0a:91:38:a1:c5:b5:66: + a2:76:5a:ee:0f:bf:b4:67:e1:28:6e:0f:e1:36:a1: + 82:d1:bf:d4:77:e1:c4:67:32:93:78:c8:e7:54:53: + fe:23:79:e6:68:cc:26:90:f6:10:63:5d:2a:6f:91: + 2d:a4:73:32:51:21:f2:bb:15:df:aa:24:08:48:06: + de:a1:9e:26:bf:ba:83:bf:7c:a4:c8:a0:8c:bd:d2: + ff:bc:84:69:27:13:24:18:c4:45:18:23:26:5e:18: + 14:ca:2e:88:87:62:a3:53:e6:21:b7:b8:85:7b:9a: + 85:bb:15:26:72:f8:b9:f7:6a:74:0f:49:3f:92:be: + a9:05:b7:99:27:bf:bf:09:17:4b:99:4c:ad:11:10: + 7c:df:74:31:f6:8f:26:5f:aa:88:ae:38:57:c8:55: + 2d:d3:fb:d8:1b:51:99:be:25:1b:3a:ba:c0:7d:1b: + ed:ce:d2:49:b9:cf:f3:c5:7d:89:90:81:d8:69:48: + 20:10:a3:f8:ef:92:51:18:32:8b:11:18:c0:3f:1b: + 85:56:ce:57:c9:f2:82:64:c6:df:02:09:2e:4a:11: + 2f:b1:27:6d:37:52:f0:f0:16:61:f1:67:8d:df:87: + 72:af:87:da:cf:fb:50:94:6e:d4:94:85:eb:8a:2c: + ea:21:f5:96:4a:44:d5:e0:ce:6a:74:44:4d:d0:05: + d3:87:15:ed:36:d0:a4:8b:66:55:70:93:ee:47:06: + c1:7e:2e:a5:18:79:67:f3:28:85:f1:70:f7:0e:83: + a4:7e:54:9e:5a:76:32:cb:65:1b:b8:cd:fb:c8:28: + 03:d2:54:91:d1:a7:c5:85:43:08:17:76:a5:e6:2f: + 67:08:d8:a1:a2:82:2d:0c:f8:c1:af:63:d4:50:77: + 6d:6b:46:4a:41:85:d5:90:5f:79:2d:c4:ec:d7:11: + 87:40:8a:e1:68:e2:64:f8:55:32:fb:6f:93:2c:da: + 77:d9:21:c1:17:e5:36:2c:4e:7e:90:7f:ac:94:2b: + 32:67:be:38:50:76:b8:ae:41:b9:d7:21:c5:09:4c: + 60:c8:a3:51:c4:34:9b:57:37:df:cb:c9:33:57:8b: + eb:fb:76:9f:19:4d:c5:6a:1f:2a:45:ae:2b:ed:2f: + 8d:a7:a5:00:cb:04:fa:25:62:2e:74:48:1b:ca:2a: + 8c:ba:db:b6:7e:f6:bb:02:7c:a9:c3:db:58:78:a1: + bf:f0:fe:1a:10:55:11:ce:e8:69:4e:96:65:c6:17: + 
03:d6:07:68:8c:54:82:ae:1c:22:55:3f:f1:f4:09: + 97:28:c0:46:f7:4e:0b:25:1d:f7:07:d7:09:1d:3a: + 18:57:38:3b:e8:33:06:e7:8f:78:46:1e:5b:f5:06: + b6:ec:b8:a6:0d:f1:ba:13:4b:d6:18:20:dd:69:33: + 4a:33:15:ae:b8:c8:98:8a:27:2c:93:bc:2d:fb:ee: + 33:bf:66:e6:4d:ba:b6:9b:06:55:60:97:4b:bc:44: + cd:7e:f4:a1:d8:aa:2f:c0:02:28:21:16:62:78:db: + 08:54:f2:fc:f4:34:e3:c6:8f:1c:43:57:ce:90:1a: + 4b:dc:2e:3b:28:91:89:3f:7a:da:35:1d:8e:2c:ee: + 49:ec:f4:33:ad:c9:53:a8:8c:9f:04:53:3e:24:1c: + 52:c9:12:f9:62:57:a3:bc:ee:2c:eb:40:7c:20:23: + 70:2b:95:f9:73:17:8a:d1:c1:1c:69:a6:b7:38:9a: + 67:f7:70:1d:7a:5a:0c:40:cf:62:0f:85:3c:c2:02: + 4e:7e:b5:f6:c5:2a:29:84:b3:1f:37:2a:e1:aa:72: + 42:c4:ed:6b:1a:8f:92:1c:5d:be:d1:f2:5b:f2:ab: + aa:a9:d2:f5:b8:a4:41:2b:2b:91:6e:12:48:ca:98: + d8:37:8d:c8:ed:00:30:b5:b6:04:4e:7e:9c:da:84: + ec:c0:fa:7b:e5:1d:88:a4:53:46:b0:94:e4:5c:1b: + a1:25:2c:0f:48:52:77:97:09:6c:ec:5b:18:33:83: + 02:e5:82:7e:cd:85:21:30:11:fd:27:4f:cf:e4:1e: + ec:3f:a5:57:6c:e9:2a:30:19:2a:88:e5:c3:69:38: + ab:6f:39:71:7f:84:e1:41:c3:e1:cc:2a:89:20:52: + 2e:83:0f:6c:39:3f:4b:2d:16:ac:2d:f0:24:ac:00: + 73:f4:9b:b3:06:3f:05:b8:14:85:1f:ab:9e:5c:3c: + 9e:62:9d:0e:6d:3b:80:09:fc:02:ea:a2:97:74:ca: + c7:f9:e3:56:e1:c3:ca:a5:a6:9a:c0:90:e0:24:12: + 53:d2:c2:8b:da:be:ed:02:43:5e:67:e1:89:98:79: + ee:cb:aa:ca:c3:1b:dc:e7:a5:46:a5:7c:6b:16:87: + b6:5a:28:d7:db:27:3c:5e:a5:bd:b6:51:dd:1f:43: + cf:3b:26:c8:3a:8d:25:61:c1:49:f4:3c:1b:c9:44: + ea:af:1c:c2:2b:94:01:2a:0e:30:d1:5b:8b:2b:47: + e5:c3:d1:04:03:9b:0e:39:2c:d6:27:d4:e6:70:5a: + d9:75:cf:2a:d8:c9:00:05:e4:13:88:ec:c3:39:fb: + 87:61:30:36:43:03:c8:9e:9c:a2:06:c2:2f:c5:fc: + f0:80:63:b1:54:04:a0:4c:a9:2e:c6:f5:76:7a:d8: + d0:e4:d4:94:11:e5:15:b5:78:06:dc:b8:80:8f:99: + a9:20:33:3d:10:85:4c:65:09:ca:3e:58:5e:60:93: + 9a:aa:62:5d:c0:51:06:1c:5d:60:a0:0d:9c:4b:43: + f6:a7:16:21:a4:87:aa:f2:c1:2e:ee:92:30:b8:9e: + df:df:10:01:8b:86:09:70:d8:6c:a8:b7:50:1e:16: + 96:b4:f7:67:fd:35:3a:21:90:2a:32:c7:00:7b:4d: + 
07:10:09:b9:2f:73:d8:18:7e:67:99:04:4f:06:fc: + 50:c7:85:9b:9d:40:9d:b3:96:37:fa:a5:dc:b2:72: + 4e:ef:4e:09:2c:fd:91:fd:4d:f7:bb:a6:a1:3e:ab: + 7b:a2:03:40:a6:a9:55:27:e2:fa:f9:19:ce:87:75: + aa:f1:75:36:f3:f3:b8:91:f8:91:c3:8b:75:13:8e: + 4c:65:9a:16:39:6a:e5:34:e8:7a:96:59:7f:35:b0: + 00:fd:5b:69:fc:43:26:fa:f5:28:6e:fe:87:d9:7e: + 24:fb:b4:a0:82:6e:54:a2:ff:ae:bf:62:b4:f4:72: + 01:c2:cb:98:47:98:e1:4c:b5:17:80:80:ce:8f:a6: + 28:ee:1e:45:6a:fb:df:f1:1d:fc:5a:3b:d6:ea:f4: + 6c:1d:62:49:57:3b:8a:8f:86:ea:f0:53:04:ce:9c: + 16:68:ff:ba:b9:fc:88:0f:47:f7:02:44:72:40:b8: + ca:3b:2d:53:9d:dc:3c:56:8c:59:7b:68:1a:2c:8d: + 71:bb:6c:00:c7:1a:ce:6f:40:92:b1:a3:2f:0f:d9: + 44:f2:a3:70:2e:9e:ee:0e:ae:32:d0:3b:3e:8b:07: + ea:e6:79:b3:5c:29:e2:7d:6b:a8:5e:f9:5a:31:e8: + 08:96:a2:8c:03:98:46:f1:b8:7d:90:54:26:ed:76: + 62:fe:9e:e9:9a:6e:5e:c9:49:c7:5c:34:53:29:54: + d9:ec:e4:46:e1:80:3b:75:d9:df:fb:79:d5:87:f1: + ba:9e:eb:19:ce:4c:52:73:e6:5b:87:ae:25:4f:39: + 79:cc:c6:b8:f9:10:7b:ec:f0:9b:71:a4:05:a0:d3: + 29:d3:4e:7f:1f:f4:2d:28:78:cc:55:95:7b:1e:91: + 2f:cc:56:18:73:8b:b2:db:bc:69:07:e6:d0:d8:4f: + ed:a2:ff:58:85:a3:6d:e0:4a:53:b7:67:7d:8d:0c: + 5c:5b:7b:77:28:02:35:44:7a:04:d3:28:43:c8:6b: + 30:17:5d:32:b8:29:35:ba:76:da:3b:14:4a:76:18: + 58:a4:f8:92:3c:9e:4d:33:6f:46:6b:08:d9:31:48: + 68:dd:f4:fb:24:56:34:b2:cf:69:66:be:48:d2:8a: + 66:22:cd:f2:69:cd:c2:53:13:45:29:41:22:d6:5d: + 98:1f:b6:a4:b2:a3:c2:ee:02:2f:51:1b:dc:83:a4: + ec:70:25:a8:d4:08:61:32:6f:e4:a1:81:2e:7c:63: + 72:fa:29:65:bc:70:44:cf:5d + Exponent: 65537 (0x10001) + Signature Algorithm: sha1WithRSAEncryption + 55:9a:34:6a:22:06:69:09:45:33:c7:ae:a9:5c:c7:09:4e:9b: + 86:bc:41:90:d4:94:52:f6:cd:23:29:94:4b:22:cd:e8:bd:fe: + 9d:cd:52:f2:bd:ed:ab:87:c9:ab:ab:46:04:b4:bd:a2:3f:22: + 30:47:50:c0:4b:8c:76:0f:03:f5:92:d2:b1:2d:c4:7a:35:9c: + c9:73:87:eb:a6:9f:de:0f:73:8d:d3:7f:99:d8:ba:8f:6f:c4: + f3:be:1a:ae:8b:a2:94:36:90:e2:e5:eb:8d:05:f4:fc:65:df: + 95:f1:c4:94:4d:17:56:d7:9f:3c:8f:50:3c:e7:77:bf:95:86: + 
26:64:fb:6a:ff:c6:da:e9:8c:ae:42:bb:69:e5:33:c6:d8:e9: + 0d:c6:55:21:49:c1:0c:b4:a3:f9:9b:4b:5c:de:83:4f:41:03: + ce:2a:79:68:38:7d:f0:54:49:20:f5:b6:10:ff:08:dc:33:66: + 96:9b:ff:06:de:00:9e:d7:ce:56:43:9a:51:fc:70:cd:f6:f0: + 51:a3:b7:cd:b4:5c:85:62:cd:71:b7:c6:2b:23:2b:dd:c3:6e: + 40:42:fa:37:ff:37:1c:f6:7a:57:94:87:85:23:d7:d4:c9:c7: + 5f:c1:4d:2f:c9:0d:d7:5c:ec:9c:25:ee:9e:30:82:91:96:72: + b8:75:1d:f8:09:68:57:97:b2:2d:4b:ee:25:ec:7a:24:29:ee: + 72:d4:9c:13:db:ab:dc:03:0a:d8:4a:14:c9:08:57:44:5d:a1: + b5:53:80:34:f2:14:97:cf:52:de:a2:0e:8a:10:e9:14:ef:d0: + 60:be:61:a1:f1:25:5d:d5:18:73:3f:93:10:ca:96:ee:b3:40: + d2:db:a3:55:cf:57:5a:a5:0e:4f:75:47:df:ea:f7:90:9a:6d: + f5:70:2e:1d:14:1c:37:64:04:59:50:b0:dc:72:86:6f:9c:37: + 3d:5d:28:af:73:55:ef:d2:ee:24:74:74:13:ef:dc:db:31:49: + fb:3f:63:f5:d3:08:3e:33:a5:e7:9d:0a:de:53:2c:51:8e:67: + db:9b:41:65:41:50:bd:d4:a4:96:6c:87:bc:12:e0:94:c7:d3: + c0:e4:cb:73:58:00:83:e1:ac:27:85:d6:9d:53:9d:5c:bd:0a: + 3e:03:43:9c:0c:91:f5:6d:7b:f8:40:72:75:ab:11:76:91:2b: + e1:c6:aa:1f:70:69:76:70:15:09:fe:93:d0:d6:2d:b7:15:6a: + 9b:67:5c:b4:69:9f:25:a6:7d:8a:fb:7d:22:a9:71:f2:ce:4e: + 8c:b8:21:2d:de:fe:41:71:0d:ff:9d:ec:73:a6:bb:07:4f:88: + 0e:58:47:2e:7e:a9:c2:c7:78:dd:ba:7a:9e:4e:e0:30:4e:63: + 6f:85:d4:20:41:e9:fa:fe:43:45:e7:fb:af:7a:b2:ce:a4:05: + 1d:22:9a:58:86:df:e4:ce:4c:a9:fe:d8:16:a5:6f:fb:d8:ce: + 56:7b:f5:d6:20:ef:e4:47:cd:63:24:ff:b9:be:f1:48:a3:c1: + 01:72:e6:bd:c0:ad:ed:26:0d:ca:34:9f:fc:02:2d:20:4f:05: + 20:ae:21:3d:0c:c2:20:3c:3f:f0:04:84:dc:cf:89:fd:b9:25: + 91:8e:d0:43:e6:b3:20:ab:5c:2d:d5:40:9e:a0:4b:d8:f4:b2: + cc:7d:f1:58:0a:8e:87:ed:88:ac:36:96:e4:56:a0:11:8a:f2: + 9a:d0:b3:57:a3:34:bb:19:ab:38:e1:74:6b:22:c4:31:ce:01: + d5:1b:36:e3:1e:38:4c:33:93:df:40:e3:59:57:4e:ac:6e:7b: + 1e:5a:3d:c5:1d:5b:ac:c8:10:82:35:02:22:b2:fc:75:e8:10: + 91:8d:c4:7d:78:93:47:9e:1c:9d:ac:6b:62:02:58:8c:d6:1c: + 23:d6:af:78:c2:80:9c:a4:aa:24:54:14:b5:14:98:c6:f8:2b: + 1a:24:cb:71:32:0a:e2:9b:0e:69:6b:dd:7e:8c:64:d1:2e:63: + 
ef:0e:7f:b1:3e:88:4c:9d:55:e5:c9:6e:17:04:b7:41:ff:bd: + 8a:41:cb:25:31:6f:44:77:3f:47:b1:fc:81:88:07:8e:05:49: + 20:b7:11:d9:69:03:2a:03:9d:b9:33:84:9a:df:df:7a:e3:46: + 73:a3:d8:a2:8c:53:19:88:55:4c:74:b8:f6:44:84:2b:d1:14: + 2d:4e:39:2e:92:68:ff:69:fc:85:62:1b:eb:55:4f:ef:25:84: + 62:45:99:d6:d8:4e:6f:3f:53:08:7d:1d:06:95:81:80:7f:4f: + 4e:74:36:98:b5:e2:87:70:98:dc:d7:f5:dc:52:15:e6:c6:d6: + 79:96:39:7f:8f:95:cf:ab:80:53:ad:1b:0b:45:40:0e:d4:18: + bd:2c:de:8a:77:76:fd:f2:44:47:c6:21:d0:e4:74:f0:d8:18: + 05:c8:7c:30:72:c7:df:f1:bb:fc:02:30:a9:f4:42:26:59:0d: + 93:05:82:a1:73:ed:34:e5:38:5d:cd:50:90:fe:94:fc:13:bc: + bd:fc:a8:a2:88:a7:73:c4:b2:a8:d1:5d:88:c4:02:a2:7a:f1: + 04:c9:fe:8c:74:c9:ef:1d:64:41:9f:ac:1e:96:67:64:ac:ab: + 28:41:c7:9d:f7:c0:98:1b:6e:07:c2:64:7d:5a:83:66:56:28: + 36:9c:e7:fb:1c:77:0e:28:a0:c4:f7:6b:79:39:04:20:84:c7: + 57:93:bc:1b:a0:ea:bc:eb:42:e5:a8:11:fe:fc:ac:65:cc:fd: + f8:28:88:f4:a5:9a:e5:73:51:e0:a8:9b:0d:03:77:4e:e5:e0: + 98:b3:88:da:7d:e6:c6:9e:7c:14:66:c1:2e:53:4a:92:07:37: + a0:7e:e9:3d:09:e4:15:7c:cf:fd:b8:41:a5:ef:9e:66:9d:c4: + 5e:07:1d:87:f8:41:ad:ea:e7:2f:d2:41:63:18:37:f9:14:e3: + 4d:d0:e5:f7:43:fd:15:e3:f9:36:73:06:26:df:01:4f:a9:c3: + 4e:de:20:46:77:98:b4:7a:24:2b:3b:75:2b:4e:58:8d:9b:5d: + a4:c7:16:a0:bc:32:88:3f:a1:83:f3:00:c8:f8:d8:58:e9:63: + 5d:4c:2b:b5:f0:72:41:d8:ab:77:37:d6:72:74:ae:b6:36:9c: + c8:a6:83:49:4b:e0:c9:56:0b:29:be:00:30:cb:dd:d6:c8:42: + 8a:00:d9:ec:15:d1:34:71:f2:5b:64:87:f6:27:d2:b7:eb:86: + b0:90:bf:29:db:21:9e:36:8c:e3:20:2f:95:23:51:6c:1b:c2: + a4:d5:e6:d8:02:43:67:a0:fe:9b:50:03:44:7f:bb:e4:72:d5: + d1:e4:da:8f:92:14:64:fb:5d:14:10:12:4a:95:06:c9:65:08: + 29:ca:21:a3:26:38:11:c9:27:df:70:67:04:fd:ca:48:32:7f: + 63:b2:45:74:31:50:4f:87:d9:20:70:d2:21:70:b1:d6:10:9d: + 33:5d:78:83:91:6d:55:82:ec:da:e4:62:63:c7:81:46:d7:19: + 65:72:2a:43:19:90:b8:d7:23:4d:4c:1c:e0:44:a9:66:67:ac: + ee:71:79:27:26:78:6d:72:0e:f5:5d:4b:23:b5:7c:7c:65:e9: + 17:c6:3a:0b:0d:dd:5e:1e:51:c3:86:b8:ec:7f:c7:27:4a:a5: + 
46:e8:6a:2d:19:c1:87:a3:cb:99:93:87:64:a2:55:14:4c:b7: + 43:a5:93:d7:e7:d2:4e:79:40:ca:65:99:46:3d:3f:7a:80:7a: + 88:6a:cc:1e:e5:6b:33:46:f4:50:c0:d5:1f:09:b8:cd:8a:2e: + a1:27:eb:5d:73:a7:e8:6b:0a:e5:57:82:2a:b0:fc:e2:54:52: + 56:f0:ab:a9:12:c6:23:96:07:24:9c:e0:bc:46:a5:b4:20:04: + da:09:93:63:e5:d4:2e:c2:7e:c5:31:ed:b5:15:74:86:17:b9: + b3:f3:26:8a:1d:02:6a:da:1a:3f:e8:ba:f1:04:6d:94:51:54: + e2:5a:b4:59:83:1d:60:d0:2d:73:cc:07:b5:26:8c:f9:d7:c6: + 88:91:ef:80:cf:5d:0f:a1:60:cb:45:d4:42:22:d1:b1:70:1d: + fd:d0:b7:30:90:3a:c6:48:6d:67:e5:32:da:8f:db:e3:a8:e3: + 1d:20:25:a2:1c:e1:4c:b9:a4:f6:c6:3f:5c:58:0d:bb:c6:b2: + 77:01:16:91:9f:17:06:0d:b7:40:3e:cc:8f:8e:9c:4b:e0:9d: + 7e:9b:1e:05:ab:88:22:fa:d3:28:1b:57:14:64:4a:3e:24:2c: + 38:4d:21:69:00:73:2e:d0:55:2d:74:f2:15:e8:94:43:3e:40: + 2a:c6:c6:b9:6a:5b:de:a2:cc:18:50:54:5d:4e:2a:85:6c:f6: + 92:8b:29:19:7e:e7:ea:4a:e0:22:2b:25:bc:f7:66:cf:77:9a: + 41:74:f2:3c:14:0d:74:69:f5:50:83:cd:cd:2f:21:db:22:46: + 8a:d0:f7:51:1a:95:57:f2:05:8b:1a:19:ed:3b:45:e8:36:c2: + 6e:7e:fb:57:22:00:1f:06:53:a9:ae:93:c6:8f:71:2a:31:45: + 92:e7:8e:6d:e6:99:22:c0:83:fc:ef:dc:57:66:77:4f:a2:36: + 31:fb:a1:13:8d:e5:ca:a3:95:7d:01:0c:64:70:3b:53:42:68: + 80:c7:bb:9d:a8:00:35:69:98:0c:a8:67:d8:43:e5:aa:cf:95: + e0:51:95:a4:17:3f:42:9d:b8:04:ce:d3:79:79:c8:d3:8a:16: + 32:92:e0:d7:a2:ee:d7:37:4c:2f:ac:b8:7b:be:45:f6:f1:18: + 33:9c:7b:37:a6:24:d9:bc:40:ab:00:e9:c3:37:8b:ab:d8:b6: + f3:5e:81:4e:b0:14:6b:07:3e:1f:ec:c2:f6:44:22:95:bb:b3: + e6:6f:d6:f9:70:65:ba:0a:83:65:aa:0e:13:2f:83:13:23:53: + 8b:40:16:fa:ce:2f:fc:4d:04:f8:eb:d8:ac:c5:36:c2:15:57: + 48:38:ec:55:b3:b4:1e:ba:ad:d2:42:06:17:0d:73:c8:57:a6: + be:96:4d:a9:f2:c0:fb:7a:21:1c:f5:c9:70:a9:82:90:b5:f1: + 0c:d4:79:10:be:81:a6:e9:5c:61:9c:77:79:9a:a4:c3:37:26: + 57:37:c9:52:2c:fa:08:ff:d0:5f:c6:61:c0:f4:76:be:fc:de: + 4e:cf:ab:51:99:71:c7:df:7e:f4:d6:cf:06:56:19:13:53:0b: + 6d:74:59:48:19:9b:53:05:2d:9d:32:54:d3:e5:2c:53:8b:64: + 3e:d4:64:7b:e3:80:09:14:cc:fe:16:46:63:6b:71:69:f8:f9: + 
cb:27:f6:88:54:bc:45:b3:ce:02:c8:94:ee:40:5b:f9:42:02: + c2:ff:b0:d8:2c:eb:28:7f:5e:c9:26:01:99:a7 + UPS Document Exchange by DST ============================ MD5 Fingerprint: 78:A5:FB:10:4B:E4:63:2E:D2:6B:FB:F2:B6:C2:4B:8E 
@@ -2768,6 +3411,174 @@ Certificate Ingredients: 1b:38:71:9f:2c:07:90:ea:1d:e0:d3:89:5f:cb:ef:14:8d:27: 54:a5:bd:46 +ValiCert Class 1 VA +=================== +MD5 Fingerprint: 65:58:AB:15:AD:57:6C:1E:A8:A7:B5:69:AC:BF:FF:EB +PEM Data: +-----BEGIN CERTIFICATE----- +MIIC5zCCAlACAQEwDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0 +IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAz +BgNVBAsTLFZhbGlDZXJ0IENsYXNzIDEgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9y +aXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG +9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTk5MDYyNTIyMjM0OFoXDTE5MDYy +NTIyMjM0OFowgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0IFZhbGlkYXRpb24gTmV0d29y +azEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENs +YXNzIDEgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9yaXR5MSEwHwYDVQQDExhodHRw +Oi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG9w0BCQEWEWluZm9AdmFsaWNl +cnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYWYJ6ibiWuqYvaG9Y +LqdUHAZu9OqNSLwxlBfw8068srg1knaw0KWlAdcAAxIiGQj4/xEjm84H9b9pGib+ +TunRf50sQB1ZaG6m+FiwnRqP0z/x3BkGgagO4DrdyFNFCQbmD3DD+kCmDuJWBQ8Y +TfwggtFzVXSNdnKgHZ0dwN0/cQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAFBoPUn0 +LBwGlN+VYH+Wexf+T3GtZMjdd9LvWVXoP+iOBSoh8gfStadS/pyxtuJbdxdA6nLW +I8sogTLDAHkY7FkXicnGah5xyf23dKUlRWnFSKsZ4UWKJWsZ7uW7EvV/96aNUcPw +nXS3qT6gpf+2SQMT2iLM7XGCK5nPOrf1LXLI +-----END CERTIFICATE----- +Certificate Ingredients: + Data: + Version: 1 (0x0) + Serial Number: 1 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 1 Policy Validation Authority, CN=http://www.valicert.com//Email=info@valicert.com + Validity + Not Before: Jun 25 22:23:48 1999 GMT + Not After : Jun 25 22:23:48 2019 GMT + Subject: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 1 Policy Validation Authority, CN=http://www.valicert.com//Email=info@valicert.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 
00:d8:59:82:7a:89:b8:96:ba:a6:2f:68:6f:58:2e: + a7:54:1c:06:6e:f4:ea:8d:48:bc:31:94:17:f0:f3: + 4e:bc:b2:b8:35:92:76:b0:d0:a5:a5:01:d7:00:03: + 12:22:19:08:f8:ff:11:23:9b:ce:07:f5:bf:69:1a: + 26:fe:4e:e9:d1:7f:9d:2c:40:1d:59:68:6e:a6:f8: + 58:b0:9d:1a:8f:d3:3f:f1:dc:19:06:81:a8:0e:e0: + 3a:dd:c8:53:45:09:06:e6:0f:70:c3:fa:40:a6:0e: + e2:56:05:0f:18:4d:fc:20:82:d1:73:55:74:8d:76: + 72:a0:1d:9d:1d:c0:dd:3f:71 + Exponent: 65537 (0x10001) + Signature Algorithm: sha1WithRSAEncryption + 50:68:3d:49:f4:2c:1c:06:94:df:95:60:7f:96:7b:17:fe:4f: + 71:ad:64:c8:dd:77:d2:ef:59:55:e8:3f:e8:8e:05:2a:21:f2: + 07:d2:b5:a7:52:fe:9c:b1:b6:e2:5b:77:17:40:ea:72:d6:23: + cb:28:81:32:c3:00:79:18:ec:59:17:89:c9:c6:6a:1e:71:c9: + fd:b7:74:a5:25:45:69:c5:48:ab:19:e1:45:8a:25:6b:19:ee: + e5:bb:12:f5:7f:f7:a6:8d:51:c3:f0:9d:74:b7:a9:3e:a0:a5: + ff:b6:49:03:13:da:22:cc:ed:71:82:2b:99:cf:3a:b7:f5:2d: + 72:c8 + +ValiCert Class 2 VA +=================== +MD5 Fingerprint: A9:23:75:9B:BA:49:36:6E:31:C2:DB:F2:E7:66:BA:87 +PEM Data: +-----BEGIN CERTIFICATE----- +MIIC5zCCAlACAQEwDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0 +IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAz +BgNVBAsTLFZhbGlDZXJ0IENsYXNzIDIgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9y +aXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG +9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTk5MDYyNjAwMTk1NFoXDTE5MDYy +NjAwMTk1NFowgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0IFZhbGlkYXRpb24gTmV0d29y +azEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENs +YXNzIDIgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9yaXR5MSEwHwYDVQQDExhodHRw +Oi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG9w0BCQEWEWluZm9AdmFsaWNl +cnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOOnHK5avIWZJV16vY +dA757tn2VUdZZUcOBVXc65g2PFxTXdMwzzjsvUGJ7SVCCSRrCl6zfN1SLUzm1NZ9 +WlmpZdRJEy0kTRxQb7XBhVQ7/nHk01xC+YDgkRoKWzk2Z/M/VXwbP7RfZHM047QS +v4dk+NoS/zcnwbNDu+97bi5p9wIDAQABMA0GCSqGSIb3DQEBBQUAA4GBADt/UG9v +UJSZSWI4OB9L+KXIPqeCgfYrx+jFzug6EILLGACOTb2oWH+heQC1u+mNr0HZDzTu 
+IYEZoDJJKPTEjlbVUjP9UNV+mWwD5MlM/Mtsq2azSiGM5bUMMj4QssxsodyamEwC +W/POuZ6lcg5Ktz885hZo+L7tdEy8W9ViH0Pd +-----END CERTIFICATE----- +Certificate Ingredients: + Data: + Version: 1 (0x0) + Serial Number: 1 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com//Email=info@valicert.com + Validity + Not Before: Jun 26 00:19:54 1999 GMT + Not After : Jun 26 00:19:54 2019 GMT + Subject: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com//Email=info@valicert.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:ce:3a:71:ca:e5:ab:c8:59:92:55:d7:ab:d8:74: + 0e:f9:ee:d9:f6:55:47:59:65:47:0e:05:55:dc:eb: + 98:36:3c:5c:53:5d:d3:30:cf:38:ec:bd:41:89:ed: + 25:42:09:24:6b:0a:5e:b3:7c:dd:52:2d:4c:e6:d4: + d6:7d:5a:59:a9:65:d4:49:13:2d:24:4d:1c:50:6f: + b5:c1:85:54:3b:fe:71:e4:d3:5c:42:f9:80:e0:91: + 1a:0a:5b:39:36:67:f3:3f:55:7c:1b:3f:b4:5f:64: + 73:34:e3:b4:12:bf:87:64:f8:da:12:ff:37:27:c1: + b3:43:bb:ef:7b:6e:2e:69:f7 + Exponent: 65537 (0x10001) + Signature Algorithm: sha1WithRSAEncryption + 3b:7f:50:6f:6f:50:94:99:49:62:38:38:1f:4b:f8:a5:c8:3e: + a7:82:81:f6:2b:c7:e8:c5:ce:e8:3a:10:82:cb:18:00:8e:4d: + bd:a8:58:7f:a1:79:00:b5:bb:e9:8d:af:41:d9:0f:34:ee:21: + 81:19:a0:32:49:28:f4:c4:8e:56:d5:52:33:fd:50:d5:7e:99: + 6c:03:e4:c9:4c:fc:cb:6c:ab:66:b3:4a:21:8c:e5:b5:0c:32: + 3e:10:b2:cc:6c:a1:dc:9a:98:4c:02:5b:f3:ce:b9:9e:a5:72: + 0e:4a:b7:3f:3c:e6:16:68:f8:be:ed:74:4c:bc:5b:d5:62:1f: + 43:dd + +ValiCert Class 3 VA +=================== +MD5 Fingerprint: A2:6F:53:B7:EE:40:DB:4A:68:E7:FA:18:D9:10:4B:72 +PEM Data: +-----BEGIN CERTIFICATE----- +MIIC5zCCAlACAQEwDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0 +IFZhbGlkYXRpb24gTmV0d29yazEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAz 
+BgNVBAsTLFZhbGlDZXJ0IENsYXNzIDMgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9y +aXR5MSEwHwYDVQQDExhodHRwOi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG +9w0BCQEWEWluZm9AdmFsaWNlcnQuY29tMB4XDTk5MDYyNjAwMjIzM1oXDTE5MDYy +NjAwMjIzM1owgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0IFZhbGlkYXRpb24gTmV0d29y +azEXMBUGA1UEChMOVmFsaUNlcnQsIEluYy4xNTAzBgNVBAsTLFZhbGlDZXJ0IENs +YXNzIDMgUG9saWN5IFZhbGlkYXRpb24gQXV0aG9yaXR5MSEwHwYDVQQDExhodHRw +Oi8vd3d3LnZhbGljZXJ0LmNvbS8xIDAeBgkqhkiG9w0BCQEWEWluZm9AdmFsaWNl +cnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDjmFGWHOjVsQaBalfD +cnWTq8+epvzzFlLWLU2fNUSoLgRNB0mKOCn1dzfnt6td3zZxFJmP3MKS8edgkpfs +2Ejcv8ECIMYkpChMMFp2bbFc893enhBxoYjHW5tBbcqwuI4V7q0zK89HBFx1cQqY +JJgpp0lZpd34t0NiYfPT4tBVPwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAFa7AliE +Zwgs3x/be0kz9dNnnfS0ChCzycUs4pJqcXgn8nCDQtM+z6lU9PHYkhaM0QTLS6vJ +n0WuPIqpsHEzXcjFV9+vqDWzf4mH6eglkrh/hXqu1rweN1gqZ8mRzyqBPu3GOd/A +PhmcGcwTTYJBtYze4D1gCCAPRX5ron+jjBXu +-----END CERTIFICATE----- +Certificate Ingredients: + Data: + Version: 1 (0x0) + Serial Number: 1 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 3 Policy Validation Authority, CN=http://www.valicert.com//Email=info@valicert.com + Validity + Not Before: Jun 26 00:22:33 1999 GMT + Not After : Jun 26 00:22:33 2019 GMT + Subject: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 3 Policy Validation Authority, CN=http://www.valicert.com//Email=info@valicert.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:e3:98:51:96:1c:e8:d5:b1:06:81:6a:57:c3:72: + 75:93:ab:cf:9e:a6:fc:f3:16:52:d6:2d:4d:9f:35: + 44:a8:2e:04:4d:07:49:8a:38:29:f5:77:37:e7:b7: + ab:5d:df:36:71:14:99:8f:dc:c2:92:f1:e7:60:92: + 97:ec:d8:48:dc:bf:c1:02:20:c6:24:a4:28:4c:30: + 5a:76:6d:b1:5c:f3:dd:de:9e:10:71:a1:88:c7:5b: + 9b:41:6d:ca:b0:b8:8e:15:ee:ad:33:2b:cf:47:04: + 5c:75:71:0a:98:24:98:29:a7:49:59:a5:dd:f8:b7: + 43:62:61:f3:d3:e2:d0:55:3f + Exponent: 
65537 (0x10001) + Signature Algorithm: sha1WithRSAEncryption + 56:bb:02:58:84:67:08:2c:df:1f:db:7b:49:33:f5:d3:67:9d: + f4:b4:0a:10:b3:c9:c5:2c:e2:92:6a:71:78:27:f2:70:83:42: + d3:3e:cf:a9:54:f4:f1:d8:92:16:8c:d1:04:cb:4b:ab:c9:9f: + 45:ae:3c:8a:a9:b0:71:33:5d:c8:c5:57:df:af:a8:35:b3:7f: + 89:87:e9:e8:25:92:b8:7f:85:7a:ae:d6:bc:1e:37:58:2a:67: + c9:91:cf:2a:81:3e:ed:c6:39:df:c0:3e:19:9c:19:cc:13:4d: + 82:41:b5:8c:de:e0:3d:60:08:20:0f:45:7e:6b:a2:7f:a3:8c: + 15:ee + VeriSign Class 4 Primary CA =========================== MD5 Fingerprint: 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10 
@@ -2933,6 +3744,85 @@ Certificate Ingredients: 57:08:6a:d0:a0:42:42:42:1e:f4:20:cc:a5:78:82:95:26:38: 8a:47 +Verisign Class 1 Public Primary Certification Authority - G3 +============================================================ +MD5 Fingerprint: B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73 +PEM Data: +-----BEGIN CERTIFICATE----- +MIIEGjCCAwICEQCLW3VWhFSFCwDPrzhIzrGkMA0GCSqGSIb3DQEBBQUAMIHKMQsw +CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZl +cmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWdu +LCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlT +aWduIENsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3Jp +dHkgLSBHMzAeFw05OTEwMDEwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMIHKMQswCQYD +VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlT +aWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJ +bmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWdu +IENsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg +LSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN2E1Lm0+afY8wR4 +nN493GwTFtl63SRRZsDHJlkNrAYIwpTRMx/wgzUfbhvI3qpuFU5UJ+/EbRrsC+MO +8ESlV8dAWB6jRx9x7GD2bZTIGDnt/kIYVt/kTEkQeE4BdjVjEjbdZrwBBDajVWjV +ojYJrKshJlQGrT/KFOCsyq0GHZXi+J3x4GD/wn91K0zM2v6HmSHquv4+VNfSWXjb +PG7PoBMAGrgnoeS+Z5bKoMWznN3JdZ7rMJpfo83ZrngZPyPpXNspva1VyBtUjGP2 +6KbqxzcSXKMpHgLZ2x87tNcPVkeBFQRKr4Mn0cVYiMHd9qqnoxjaaKptEVHhv2Vr +n5Z20T0CAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAq2aN17O6x5q25lXQBfGfMY1a +qtmqRiYPce2lrVNWYgFHKkTp/j90CxObufRNG7LRX7K20ohcs5/Ny9Sn2WCVhDr4 +wTcdYcrnsMXlkdpUpqwxga6X3s0IrLjAl4B/bnKk52kTlWUfxJM8/XmPBNQ+T+r3 +ns7NZ3xPZQL/kYVUc8f/NveGLezQXk//EZ9yBta4GvFMDSZl4kSAHsef493oCtrs +pSCAaWihT37ha88HQfqDjrw43bAuEbFrskLMmrz5SCJ5ShkPshw+IHTZasO+8ih4 +E1Z5T21Q6huwtVexN2ZYI/PcD98Kh8TvhgXVOBRgmaNL3gaWcSzy27YfpO8/7g== +-----END CERTIFICATE----- +Certificate Ingredients: + Data: + Version: 1 (0x0) + Serial Number: + 8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4 + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, 
O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 1 Public Primary Certification Authority - G3 + Validity + Not Before: Oct 1 00:00:00 1999 GMT + Not After : Jul 16 23:59:59 2036 GMT + Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 1 Public Primary Certification Authority - G3 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:dd:84:d4:b9:b4:f9:a7:d8:f3:04:78:9c:de:3d: + dc:6c:13:16:d9:7a:dd:24:51:66:c0:c7:26:59:0d: + ac:06:08:c2:94:d1:33:1f:f0:83:35:1f:6e:1b:c8: + de:aa:6e:15:4e:54:27:ef:c4:6d:1a:ec:0b:e3:0e: + f0:44:a5:57:c7:40:58:1e:a3:47:1f:71:ec:60:f6: + 6d:94:c8:18:39:ed:fe:42:18:56:df:e4:4c:49:10: + 78:4e:01:76:35:63:12:36:dd:66:bc:01:04:36:a3: + 55:68:d5:a2:36:09:ac:ab:21:26:54:06:ad:3f:ca: + 14:e0:ac:ca:ad:06:1d:95:e2:f8:9d:f1:e0:60:ff: + c2:7f:75:2b:4c:cc:da:fe:87:99:21:ea:ba:fe:3e: + 54:d7:d2:59:78:db:3c:6e:cf:a0:13:00:1a:b8:27: + a1:e4:be:67:96:ca:a0:c5:b3:9c:dd:c9:75:9e:eb: + 30:9a:5f:a3:cd:d9:ae:78:19:3f:23:e9:5c:db:29: + bd:ad:55:c8:1b:54:8c:63:f6:e8:a6:ea:c7:37:12: + 5c:a3:29:1e:02:d9:db:1f:3b:b4:d7:0f:56:47:81: + 15:04:4a:af:83:27:d1:c5:58:88:c1:dd:f6:aa:a7: + a3:18:da:68:aa:6d:11:51:e1:bf:65:6b:9f:96:76: + d1:3d + Exponent: 65537 (0x10001) + Signature Algorithm: sha1WithRSAEncryption + ab:66:8d:d7:b3:ba:c7:9a:b6:e6:55:d0:05:f1:9f:31:8d:5a: + aa:d9:aa:46:26:0f:71:ed:a5:ad:53:56:62:01:47:2a:44:e9: + fe:3f:74:0b:13:9b:b9:f4:4d:1b:b2:d1:5f:b2:b6:d2:88:5c: + b3:9f:cd:cb:d4:a7:d9:60:95:84:3a:f8:c1:37:1d:61:ca:e7: + b0:c5:e5:91:da:54:a6:ac:31:81:ae:97:de:cd:08:ac:b8:c0: + 97:80:7f:6e:72:a4:e7:69:13:95:65:1f:c4:93:3c:fd:79:8f: + 04:d4:3e:4f:ea:f7:9e:ce:cd:67:7c:4f:65:02:ff:91:85:54: + 73:c7:ff:36:f7:86:2d:ec:d0:5e:4f:ff:11:9f:72:06:d6:b8: + 1a:f1:4c:0d:26:65:e2:44:80:1e:c7:9f:e3:dd:e8:0a:da:ec: + 
a5:20:80:69:68:a1:4f:7e:e1:6b:cf:07:41:fa:83:8e:bc:38: + dd:b0:2e:11:b1:6b:b2:42:cc:9a:bc:f9:48:22:79:4a:19:0f: + b2:1c:3e:20:74:d9:6a:c3:be:f2:28:78:13:56:79:4f:6d:50: + ea:1b:b0:b5:57:b1:37:66:58:23:f3:dc:0f:df:0a:87:c4:ef: + 86:05:d5:38:14:60:99:a3:4b:de:06:96:71:2c:f2:db:b6:1f: + a4:ef:3f:ee + Verisign Class 2 Public Primary Certification Authority ======================================================= MD5 Fingerprint: B3:9C:25:B1:C3:2E:32:53:80:15:30:9D:4D:02:77:3E 
@@ -3044,6 +3934,85 @@ Certificate Ingredients: 12:df:67:a0:f4:ad:32:64:5e:b1:46:72:27:8c:12:7b:c5:44: b4:ae +Verisign Class 2 Public Primary Certification Authority - G3 +============================================================ +MD5 Fingerprint: F8:BE:C4:63:22:C9:A8:46:74:8B:B8:1D:1E:4A:2B:F6 +PEM Data: +-----BEGIN CERTIFICATE----- +MIIEGTCCAwECEGFwy0mMX5hFKeewptlQW3owDQYJKoZIhvcNAQEFBQAwgcoxCzAJ +BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVy +aVNpZ24gVHJ1c3QgTmV0d29yazE6MDgGA1UECxMxKGMpIDE5OTkgVmVyaVNpZ24s +IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTFFMEMGA1UEAxM8VmVyaVNp +Z24gQ2xhc3MgMiBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0 +eSAtIEczMB4XDTk5MTAwMTAwMDAwMFoXDTM2MDcxNjIzNTk1OVowgcoxCzAJBgNV +BAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNp +Z24gVHJ1c3QgTmV0d29yazE6MDgGA1UECxMxKGMpIDE5OTkgVmVyaVNpZ24sIElu +Yy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTFFMEMGA1UEAxM8VmVyaVNpZ24g +Q2xhc3MgMiBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAt +IEczMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArwoNwtUs22e5LeWU +J92lvuCwTY+zYVY81nzD9M0+hsuiiOLh2KRpxbXiv8GmR1BeRjmL1Za6tW8UvxDO +JxOeBUebMXoT2B/Z0wI3i60sR/COgQanDTAM6/c8DyAd3HJG7qUCyFvDyVZpTMUY +wZF7C9UTAJu878NIPkZgIIUq1ZC2zYugzDLdt/1AVbJQHFauzI13TccgTacxdu9o +koqQHgiBVrKtaaNS0MscxCM9H5n+TOgWY47GCI72MfbS+uV23bUckqNJzc0BzWjN +qWm6o+sdDZykIKbBoMXRRkwXbdKsZj+WjOCE1Db/IlnF+RFgqF8EffIa9iVCYQ/E +Srg+iQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQA0JhU8wI1NQ0kdvekhktdmnLfe +xbjQ5F1fdiLAJvmEOjr5jLX77GDx6M4EsMjdpwOPMPOY36TmpDHf0xwLRtxyID+u +7gU8pDM/CzmscHhzS5kr3zDCVLCoO1Wh/hYozUK9dG6A2ydEp85EXdQbkJgNHkKU +sQAsBNB0owIFImNjzYO1+8FtYmtpdf1dcEG59b98377BMnMiIYtYgXsVkXq642RI +sH/7NiXaldDxJBQX3RiAa0YjOVT1jmIJBB2UkKab5iXiQkWquJCtvgiPqQtCGJTP +cjnhsUPgKM+351psE2tJs//jGHyJizNdrDPXp/naOlXJWBD5qu9ats9LS98q +-----END CERTIFICATE----- +Certificate Ingredients: + Data: + Version: 1 (0x0) + Serial Number: + 61:70:cb:49:8c:5f:98:45:29:e7:b0:a6:d9:50:5b:7a + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, 
O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 2 Public Primary Certification Authority - G3 + Validity + Not Before: Oct 1 00:00:00 1999 GMT + Not After : Jul 16 23:59:59 2036 GMT + Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 2 Public Primary Certification Authority - G3 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:af:0a:0d:c2:d5:2c:db:67:b9:2d:e5:94:27:dd: + a5:be:e0:b0:4d:8f:b3:61:56:3c:d6:7c:c3:f4:cd: + 3e:86:cb:a2:88:e2:e1:d8:a4:69:c5:b5:e2:bf:c1: + a6:47:50:5e:46:39:8b:d5:96:ba:b5:6f:14:bf:10: + ce:27:13:9e:05:47:9b:31:7a:13:d8:1f:d9:d3:02: + 37:8b:ad:2c:47:f0:8e:81:06:a7:0d:30:0c:eb:f7: + 3c:0f:20:1d:dc:72:46:ee:a5:02:c8:5b:c3:c9:56: + 69:4c:c5:18:c1:91:7b:0b:d5:13:00:9b:bc:ef:c3: + 48:3e:46:60:20:85:2a:d5:90:b6:cd:8b:a0:cc:32: + dd:b7:fd:40:55:b2:50:1c:56:ae:cc:8d:77:4d:c7: + 20:4d:a7:31:76:ef:68:92:8a:90:1e:08:81:56:b2: + ad:69:a3:52:d0:cb:1c:c4:23:3d:1f:99:fe:4c:e8: + 16:63:8e:c6:08:8e:f6:31:f6:d2:fa:e5:76:dd:b5: + 1c:92:a3:49:cd:cd:01:cd:68:cd:a9:69:ba:a3:eb: + 1d:0d:9c:a4:20:a6:c1:a0:c5:d1:46:4c:17:6d:d2: + ac:66:3f:96:8c:e0:84:d4:36:ff:22:59:c5:f9:11: + 60:a8:5f:04:7d:f2:1a:f6:25:42:61:0f:c4:4a:b8: + 3e:89 + Exponent: 65537 (0x10001) + Signature Algorithm: sha1WithRSAEncryption + 34:26:15:3c:c0:8d:4d:43:49:1d:bd:e9:21:92:d7:66:9c:b7: + de:c5:b8:d0:e4:5d:5f:76:22:c0:26:f9:84:3a:3a:f9:8c:b5: + fb:ec:60:f1:e8:ce:04:b0:c8:dd:a7:03:8f:30:f3:98:df:a4: + e6:a4:31:df:d3:1c:0b:46:dc:72:20:3f:ae:ee:05:3c:a4:33: + 3f:0b:39:ac:70:78:73:4b:99:2b:df:30:c2:54:b0:a8:3b:55: + a1:fe:16:28:cd:42:bd:74:6e:80:db:27:44:a7:ce:44:5d:d4: + 1b:90:98:0d:1e:42:94:b1:00:2c:04:d0:74:a3:02:05:22:63: + 63:cd:83:b5:fb:c1:6d:62:6b:69:75:fd:5d:70:41:b9:f5:bf: + 7c:df:be:c1:32:73:22:21:8b:58:81:7b:15:91:7a:ba:e3:64: + 
48:b0:7f:fb:36:25:da:95:d0:f1:24:14:17:dd:18:80:6b:46: + 23:39:54:f5:8e:62:09:04:1d:94:90:a6:9b:e6:25:e2:42:45: + aa:b8:90:ad:be:08:8f:a9:0b:42:18:94:cf:72:39:e1:b1:43: + e0:28:cf:b7:e7:5a:6c:13:6b:49:b3:ff:e3:18:7c:89:8b:33: + 5d:ac:33:d7:a7:f9:da:3a:55:c9:58:10:f9:aa:ef:5a:b6:cf: + 4b:4b:df:2a + Verisign Class 3 Public Primary Certification Authority ======================================================= MD5 Fingerprint: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67 
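Review bot: The root certificates added in this hunk and the next two (VeriSign Class 2, Class 3 and Class 4 "- G3") become trust anchors, yet the only check value recorded beside each PEM block is an MD5 fingerprint, and the commit subject names nothing more specific than the mod_ssl 2.6.2 merge as their source. Before accepting them I would compare each block against a fingerprint published by the issuer and obtained out of band, and record a stronger digest next to the existing line, for example `SHA256 Fingerprint: <computed from the PEM data>`. Each entry is an X.509 version 1 certificate (`Version: 1 (0x0)`) valid until 2036, so it carries no basicConstraints or keyUsage extension. Presence in this file is therefore the only thing that marks it as a CA, which makes write access to the bundle the control worth documenting.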
@@ -3155,6 +4124,85 @@ Certificate Ingredients: 57:26:79:00:f6:f8:0d:a2:33:30:28:d4:aa:58:a0:9d:9d:69: 91:fd +Verisign Class 3 Public Primary Certification Authority - G3 +============================================================ +MD5 Fingerprint: CD:68:B6:A7:C7:C4:CE:75:E0:1D:4F:57:44:61:92:09 +PEM Data: +-----BEGIN CERTIFICATE----- +MIIEGjCCAwICEQCbfgZJoz5iudXukEhxKe9XMA0GCSqGSIb3DQEBBQUAMIHKMQsw +CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZl +cmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWdu +LCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlT +aWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3Jp +dHkgLSBHMzAeFw05OTEwMDEwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMIHKMQswCQYD +VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlT +aWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJ +bmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWdu +IENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg +LSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMu6nFL8eB8aHm8b +N3O9+MlrlBIwT/A2R/XQkQr1F8ilYcEWQE37imGQ5XYgwREGfassbqb1EUGO+i2t +KmFZpGcmTNDovFJbcCAEWNF6yaRpvIMXZK0Fi7zQWM6NjPXr8EJJC52XJ2cybuGu +kxUccLwgTS8Y3pKI6GyFVxEa6X7jJhFUokWWVYPKMIno3Nij7SqAP395ZVc+FSBm +CC+Vk7+qRy+oRpfwEuL+wgorUeZ25rdGt+INpsyow0xZVYnm6FNcHOqd8GIWC6fJ +Xwzw3sJ2zq/3avL6QaaiMxTJ5Xpj055iN9WFZZ4O5lMkdBteHRJTW8cs54NJOxWu +imi5V5cCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAERSWwauSCPc/L8my/uRan2Te +2yFPhpk0djZX3dAVL8WtfxUfN2JzPtTnX84XA9s1+ivbrmAJXx5fj267Cz3qWhMe +DGBvtcC1IyIuBwvLqXTLR7sdwdela8wv0kL9Sd2nic9TutoAWii/gt/4uhMdUIaC +/Y4wjylGsB49Ndo4YhYYSq3mtlFs3q9i6wHQHiT+eo8SGhJouPtmmRQURVyu565p +F4ErWjfJXir0xuKhXFSbplQAz/DxwceYMBo7Nhbbo27q/a2ywtrvAkcTisDxszGt +TxzhT5yvDwyd93gN2PQ1VoDat20Xj50egWTh/sVFuq1ruQp6Tk9LhO5L8X3dEQ== +-----END CERTIFICATE----- +Certificate Ingredients: + Data: + Version: 1 (0x0) + Serial Number: + 9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57 + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, 
O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G3 + Validity + Not Before: Oct 1 00:00:00 1999 GMT + Not After : Jul 16 23:59:59 2036 GMT + Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G3 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:cb:ba:9c:52:fc:78:1f:1a:1e:6f:1b:37:73:bd: + f8:c9:6b:94:12:30:4f:f0:36:47:f5:d0:91:0a:f5: + 17:c8:a5:61:c1:16:40:4d:fb:8a:61:90:e5:76:20: + c1:11:06:7d:ab:2c:6e:a6:f5:11:41:8e:fa:2d:ad: + 2a:61:59:a4:67:26:4c:d0:e8:bc:52:5b:70:20:04: + 58:d1:7a:c9:a4:69:bc:83:17:64:ad:05:8b:bc:d0: + 58:ce:8d:8c:f5:eb:f0:42:49:0b:9d:97:27:67:32: + 6e:e1:ae:93:15:1c:70:bc:20:4d:2f:18:de:92:88: + e8:6c:85:57:11:1a:e9:7e:e3:26:11:54:a2:45:96: + 55:83:ca:30:89:e8:dc:d8:a3:ed:2a:80:3f:7f:79: + 65:57:3e:15:20:66:08:2f:95:93:bf:aa:47:2f:a8: + 46:97:f0:12:e2:fe:c2:0a:2b:51:e6:76:e6:b7:46: + b7:e2:0d:a6:cc:a8:c3:4c:59:55:89:e6:e8:53:5c: + 1c:ea:9d:f0:62:16:0b:a7:c9:5f:0c:f0:de:c2:76: + ce:af:f7:6a:f2:fa:41:a6:a2:33:14:c9:e5:7a:63: + d3:9e:62:37:d5:85:65:9e:0e:e6:53:24:74:1b:5e: + 1d:12:53:5b:c7:2c:e7:83:49:3b:15:ae:8a:68:b9: + 57:97 + Exponent: 65537 (0x10001) + Signature Algorithm: sha1WithRSAEncryption + 11:14:96:c1:ab:92:08:f7:3f:2f:c9:b2:fe:e4:5a:9f:64:de: + db:21:4f:86:99:34:76:36:57:dd:d0:15:2f:c5:ad:7f:15:1f: + 37:62:73:3e:d4:e7:5f:ce:17:03:db:35:fa:2b:db:ae:60:09: + 5f:1e:5f:8f:6e:bb:0b:3d:ea:5a:13:1e:0c:60:6f:b5:c0:b5: + 23:22:2e:07:0b:cb:a9:74:cb:47:bb:1d:c1:d7:a5:6b:cc:2f: + d2:42:fd:49:dd:a7:89:cf:53:ba:da:00:5a:28:bf:82:df:f8: + ba:13:1d:50:86:82:fd:8e:30:8f:29:46:b0:1e:3d:35:da:38: + 62:16:18:4a:ad:e6:b6:51:6c:de:af:62:eb:01:d0:1e:24:fe: + 7a:8f:12:1a:12:68:b8:fb:66:99:14:14:45:5c:ae:e7:ae:69: + 
17:81:2b:5a:37:c9:5e:2a:f4:c6:e2:a1:5c:54:9b:a6:54:00: + cf:f0:f1:c1:c7:98:30:1a:3b:36:16:db:a3:6e:ea:fd:ad:b2: + c2:da:ef:02:47:13:8a:c0:f1:b3:31:ad:4f:1c:e1:4f:9c:af: + 0f:0c:9d:f7:78:0d:d8:f4:35:56:80:da:b7:6d:17:8f:9d:1e: + 81:64:e1:fe:c5:45:ba:ad:6b:b9:0a:7a:4e:4f:4b:84:ee:4b: + f1:7d:dd:11 + Verisign Class 4 Public Primary Certification Authority - G2 ============================================================ MD5 Fingerprint: 26:6D:2C:19:98:B6:70:68:38:50:54:19:EC:90:34:60 
@@ -3213,6 +4261,85 @@ Certificate Ingredients: 3f:22:8d:a1:c1:66:50:81:72:4c:ed:22:64:4f:4f:ca:80:91: b6:29 +Verisign Class 4 Public Primary Certification Authority - G3 +============================================================ +MD5 Fingerprint: DB:C8:F2:27:2E:B1:EA:6A:29:23:5D:FE:56:3E:33:DF +PEM Data: +-----BEGIN CERTIFICATE----- +MIIEGjCCAwICEQDsoKeLbnVqAc/EfMwvlF7XMA0GCSqGSIb3DQEBBQUAMIHKMQsw +CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZl +cmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWdu +LCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlT +aWduIENsYXNzIDQgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3Jp +dHkgLSBHMzAeFw05OTEwMDEwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMIHKMQswCQYD +VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlT +aWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWduLCBJ +bmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlTaWdu +IENsYXNzIDQgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkg +LSBHMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK3LpRFpxlmr8Y+1 +GQ9Wzsy1HyDkniYlS+BzZYlZ3tCD5PUPtbut8XzoIfzk6AzufEUiGXaStBO3IFsJ ++mGuqPKljYXCKtbeZjbSmwL0qJJgfJxptI8kHtCGUvYynEFYHiK9zUVilQhu0Gbd +U6LM8BDcVHOLBKFGMzNcF0C5nk3T875Vg+ixiY5afJqWIpA7iCXy0lOIAgwLePLm +NxdLMEYH5IBtptiWLugs+BGzOA1mppvqySNb247i8xOOGlktqgLw7KSHZtzBP/XY +ufTsgsbSPZUd5cBPhMnZo0QoBmrXRazwa2rvTl/4EYIeOGM0ZlDUPpNz+jDDZq3/ +ky2X7wMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAj/ola09b5KROJ1WrIhVZPMq1 +CtRK26vdoV9TxaBXOcLORyu+OshWv8LZJxA6sQU8wHcxuzrTBXttmhwwjIDLk5Mq +g6sFUYICABFna/OIYUdfA5PVWw3g8dShMjWFsjrbsIKr0csKvE+MW8VLADsfKoKm +fjaF3H48ZwC15DtS4KjrXRX5xm3wrR0OhbepmnMUWluPQSjA1egtTaRezarZ7c7c +2NU8Qh0XwRJdRTjDOPP8hS6DRkiy1yBfkjaP53kPmF6Z6PDQpLv1U70qzlmwr25/ +bLvSHgCwIe34QWKCudiyxLtGUPMxxY8BqHTr9Xgn2uf3ZkPznoM+IKrDNWCRzg== +-----END CERTIFICATE----- +Certificate Ingredients: + Data: + Version: 1 (0x0) + Serial Number: + ec:a0:a7:8b:6e:75:6a:01:cf:c4:7c:cc:2f:94:5e:d7 + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, 
O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 4 Public Primary Certification Authority - G3 + Validity + Not Before: Oct 1 00:00:00 1999 GMT + Not After : Jul 16 23:59:59 2036 GMT + Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 1999 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 4 Public Primary Certification Authority - G3 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:ad:cb:a5:11:69:c6:59:ab:f1:8f:b5:19:0f:56: + ce:cc:b5:1f:20:e4:9e:26:25:4b:e0:73:65:89:59: + de:d0:83:e4:f5:0f:b5:bb:ad:f1:7c:e8:21:fc:e4: + e8:0c:ee:7c:45:22:19:76:92:b4:13:b7:20:5b:09: + fa:61:ae:a8:f2:a5:8d:85:c2:2a:d6:de:66:36:d2: + 9b:02:f4:a8:92:60:7c:9c:69:b4:8f:24:1e:d0:86: + 52:f6:32:9c:41:58:1e:22:bd:cd:45:62:95:08:6e: + d0:66:dd:53:a2:cc:f0:10:dc:54:73:8b:04:a1:46: + 33:33:5c:17:40:b9:9e:4d:d3:f3:be:55:83:e8:b1: + 89:8e:5a:7c:9a:96:22:90:3b:88:25:f2:d2:53:88: + 02:0c:0b:78:f2:e6:37:17:4b:30:46:07:e4:80:6d: + a6:d8:96:2e:e8:2c:f8:11:b3:38:0d:66:a6:9b:ea: + c9:23:5b:db:8e:e2:f3:13:8e:1a:59:2d:aa:02:f0: + ec:a4:87:66:dc:c1:3f:f5:d8:b9:f4:ec:82:c6:d2: + 3d:95:1d:e5:c0:4f:84:c9:d9:a3:44:28:06:6a:d7: + 45:ac:f0:6b:6a:ef:4e:5f:f8:11:82:1e:38:63:34: + 66:50:d4:3e:93:73:fa:30:c3:66:ad:ff:93:2d:97: + ef:03 + Exponent: 65537 (0x10001) + Signature Algorithm: sha1WithRSAEncryption + 8f:fa:25:6b:4f:5b:e4:a4:4e:27:55:ab:22:15:59:3c:ca:b5: + 0a:d4:4a:db:ab:dd:a1:5f:53:c5:a0:57:39:c2:ce:47:2b:be: + 3a:c8:56:bf:c2:d9:27:10:3a:b1:05:3c:c0:77:31:bb:3a:d3: + 05:7b:6d:9a:1c:30:8c:80:cb:93:93:2a:83:ab:05:51:82:02: + 00:11:67:6b:f3:88:61:47:5f:03:93:d5:5b:0d:e0:f1:d4:a1: + 32:35:85:b2:3a:db:b0:82:ab:d1:cb:0a:bc:4f:8c:5b:c5:4b: + 00:3b:1f:2a:82:a6:7e:36:85:dc:7e:3c:67:00:b5:e4:3b:52: + e0:a8:eb:5d:15:f9:c6:6d:f0:ad:1d:0e:85:b7:a9:9a:73:14: + 5a:5b:8f:41:28:c0:d5:e8:2d:4d:a4:5e:cd:aa:d9:ed:ce:dc: + 
d8:d5:3c:42:1d:17:c1:12:5d:45:38:c3:38:f3:fc:85:2e:83: + 46:48:b2:d7:20:5f:92:36:8f:e7:79:0f:98:5e:99:e8:f0:d0: + a4:bb:f5:53:bd:2a:ce:59:b0:af:6e:7f:6c:bb:d2:1e:00:b0: + 21:ed:f8:41:62:82:b9:d8:b2:c4:bb:46:50:f3:31:c5:8f:01: + a8:74:eb:f5:78:27:da:e7:f7:66:43:f3:9e:83:3e:20:aa:c3: + 35:60:91:ce + Verisign/RSA Commercial CA ========================== MD5 Fingerprint: 5A:0B:DD:42:9E:B2:B4:62:97:32:7F:7F:0A:AA:9A:39 diff --git a/usr.sbin/httpd/configure b/usr.sbin/httpd/configure index 58e05e2b58d..9e019641128 100644 --- a/usr.sbin/httpd/configure +++ b/usr.sbin/httpd/configure @@ -72,7 +72,13 @@ DIFS=' ## ## avoid brain dead shells on Ultrix and friends ## -test -f /bin/sh5 && exec /bin/sh5 $0 "$@" +if [ -f /bin/sh5 ]; then + if [ ".$APACI_SH5_UPGRADE_STEP" != .done ]; then + APACI_SH5_UPGRADE_STEP=done + export APACI_SH5_UPGRADE_STEP + exec /bin/sh5 $0 "$@" + fi +fi ## ## the paths to the Apache source tree @@ -423,7 +429,10 @@ do echo " --libexecdir=DIR install program executables in DIR" echo " --mandir=DIR install manual pages in DIR" echo " --sysconfdir=DIR install configuration files in DIR" - echo " --datadir=DIR install read-only data files in DIR" + echo " --datadir=DIR install read-only data files in DIR" + echo " --iconsdir=DIR install read-only icon files in DIR" + echo " --htdocsdir=DIR install read-only document files in DIR" + echo " --cgidir=DIR install read-only cgi files in DIR" echo " --includedir=DIR install includes files in DIR" echo " --localstatedir=DIR install modifiable data files in DIR" echo " --runtimedir=DIR install runtime data in DIR" 
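Review bot: In the `@@ -72,7 +72,13 @@` hunk of usr.sbin/httpd/configure, the re-exec line `exec /bin/sh5 $0 "$@"` inside the new guard still expands `$0` unquoted, so a source tree under a path containing whitespace or glob characters is word-split before sh5 receives it; `exec /bin/sh5 "$0" "$@"` avoids that. The guard, presumably added to stop a re-exec loop, takes `APACI_SH5_UPGRADE_STEP` from the caller's environment, so a value of `done` inherited from an outer build silently skips the switch to sh5, and the exported variable stays set for every child process configure starts. A short comment above the test, such as `# re-exec under sh5 once only; the marker is exported so the new shell sees it`, would record that intent. The rest of the script is outside this hunk, so whether the variable is cleared later cannot be seen from here.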
@@ -448,7 +457,7 @@ do
 echo " --without-confadjust disable the user/situation adjustments in config"
 echo " --without-execstrip disable the stripping of executables on installation"
 echo " --server-uid=UID set the user ID the web server should run as [nobody]"
- echo " --server-gid=GID set the group ID the web server UID is a memeber of [-1]"
+ echo " --server-gid=GID set the group ID the web server UID is a memeber of [#-1]"
 echo ""
 echo "suEXEC options:"
 echo " --enable-suexec enable the suEXEC feature"
diff --git a/usr.sbin/httpd/htdocs/manual/misc/FAQ.html b/usr.sbin/httpd/htdocs/manual/misc/FAQ.html
index 7d85c93a14a..109c5f87412 100644
--- a/usr.sbin/httpd/htdocs/manual/misc/FAQ.html
+++ b/usr.sbin/httpd/htdocs/manual/misc/FAQ.html
@@ -21,7 +21,7 @@

Apache Server Frequently Asked Questions

- $Revision: 1.5 $ ($Date: 2000/01/25 18:29:23 $) + $Revision: 1.6 $ ($Date: 2000/03/19 11:16:29 $)

The latest version of this FAQ is always available from the main @@ -163,6 +163,7 @@

  • What are "regular expressions"?
  • +
  • Why isn't there a binary for my platform?
  • @@ -1010,6 +1011,44 @@


    + +
  • + Why isn't there a binary for my platform? +

    + The developers make sure that the software builds and works + correctly on the platforms available to them; this does + not necessarily mean that your platform + is one of them. In addition, the Apache HTTP server project + is primarily source oriented, meaning that distributing + valid and buildable source code is the purpose of a release, + not making sure that there is a binary package for all of the + supported platforms. +

    +

    + If you don't see a kit for your platform listed in the + binary distribution area + (<URL:http://www.apache.org/dist/binaries/>), + it means either that the platform isn't available to any of + the developers, or that they just haven't gotten around to + preparing a binary for it. As this is a voluntary project, + they are under no obligation to do so. Users are encouraged + and expected to build the software themselves. +

    +

    + The sole exception to these practices is the Windows package. + Unlike most Unix and Unix-like platforms, Windows systems + do not come with a bundled software development environment, + so we do prepare binary kits for Windows when we make + a release. Again, however, it's a voluntary thing and only + a limited number of the developers have the capability to build + the InstallShield package, so the Windows release may lag + somewhat behind the source release. This lag should be + no more than a few days at most. +

    +
    +
  • + @@ -2926,7 +2965,7 @@ several third party modules available through the Apache Module Registry which will add footers to documents. These include mod_trailer, PHP - (php3_auto_append_file), and mod_perl + (php3_auto_append_file), mod_layout, and mod_perl (Apache::Sandwich).


    diff --git a/usr.sbin/httpd/htdocs/manual/misc/rewriteguide.html b/usr.sbin/httpd/htdocs/manual/misc/rewriteguide.html index 12363e9f146..25a0a23de79 100644 --- a/usr.sbin/httpd/htdocs/manual/misc/rewriteguide.html +++ b/usr.sbin/httpd/htdocs/manual/misc/rewriteguide.html @@ -34,14 +34,14 @@ December 1997

    -This document supplements the mod_rewrite reference documentation. It describes +This document supplements the mod_rewrite reference documentation. It describes how one can use Apache's mod_rewrite to solve typical URL-based problems webmasters are usually confronted with in practice. I give detailed descriptions on how to solve each problem by configuring URL rewriting rulesets. -

    Introduction to mod_rewrite

    +

    Introduction to mod_rewrite

    The Apache module mod_rewrite is a killer one, i.e. it is a really sophisticated module which provides a powerful way to do URL manipulations. @@ -56,19 +56,21 @@ first time and never use it again or love it for the rest of your life because of its power. This paper tries to give you a few initial success events to avoid the first case by presenting already invented solutions to you. -

    Practical Solutions

    +

    Practical Solutions

    Here come a lot of practical solutions I've either invented myself or collected from other peoples solutions in the past. Feel free to learn the black magic of URL rewriting from these examples.

    +
    ATTENTION: Depending on your server-configuration it can be necessary to slightly change the examples for your situation, e.g. adding the [PT] flag when additionally using mod_alias and mod_userdir, etc. Or rewriting a ruleset -to fit in .htaccess context instead of per-server context. Always try +to fit in .htaccess context instead of per-server context. Always try to understand what a particular ruleset really does before you use it. It avoid problems. +

    URL Layout

    @@ -89,12 +91,12 @@ supplied with the request he should finally see the canonical one only.
    We do an external HTTP redirect for all non-canonical URLs to fix them in the location view of the Browser and for all subsequent requests. In the example -ruleset below we replace /~user by the canonical /u/user and -fix a missing trailing slash for /u/user. +ruleset below we replace /~user by the canonical /u/user and +fix a missing trailing slash for /u/user.

    -RewriteRule   ^/~([^/]+)/?(.*)    /u/$1/$2  [R]
    -RewriteRule   ^/([uge])/([^/]+)$  /$1/$2/   [R]
    +RewriteRule   ^/~([^/]+)/?(.*)    /u/$1/$2  [R]
    +RewriteRule   ^/([uge])/([^/]+)$  /$1/$2/   [R]
     
    @@ -132,26 +134,26 @@ RewriteRule ^/(.*) http://fully.qualified.domain.name/$1 [L,R]

    Description:
    Usually the DocumentRoot of the webserver directly relates to the URL -``/''. But often this data is not really of top-level priority, it is +``/''. But often this data is not really of top-level priority, it is perhaps just one entity of a lot of data pools. For instance at our Intranet -sites there are /e/www/ (the homepage for WWW), /e/sww/ (the +sites there are /e/www/ (the homepage for WWW), /e/sww/ (the homepage for the Intranet) etc. Now because the data of the DocumentRoot stays -at /e/www/ we had to make sure that all inlined images and other +at /e/www/ we had to make sure that all inlined images and other stuff inside this data pool work for subsequent requests.

    Solution:
    -We just redirect the URL / to /e/www/. While is seems +We just redirect the URL / to /e/www/. While is seems trivial it is actually trivial with mod_rewrite, only. Because the typical -old mechanisms of URL Aliases (as provides by mod_alias and friends) -only used prefix matching. With this you cannot do such a redirection +old mechanisms of URL Aliases (as provides by mod_alias and friends) +only used prefix matching. With this you cannot do such a redirection because the DocumentRoot is a prefix of all URLs. With mod_rewrite it is really trivial:

     RewriteEngine on
    -RewriteRule   ^/$  /e/www/  [R]
    +RewriteRule   ^/$  /e/www/  [R]
     
    @@ -165,9 +167,9 @@ RewriteRule ^/$ /e/www/ [R]

    Every webmaster can sing a song about the problem of the trailing slash on URLs referencing directories. If they are missing, the server dumps an error, -because if you say /~quux/foo instead of -/~quux/foo/ then the server searches for a file named -foo. And because this file is a directory it complains. Actually +because if you say /~quux/foo instead of +/~quux/foo/ then the server searches for a file named +foo. And because this file is a directory it complains. Actually is tries to fix it themself in most of the cases, but sometimes this mechanism need to be emulated by you. For instance after you have done a lot of complicated URL rewritings to CGI scripts etc. @@ -181,27 +183,27 @@ so the browser correctly requests subsequent images etc. If we only did a internal rewrite, this would only work for the directory page, but would go wrong when any images are included into this page with relative URLs, because the browser would request an in-lined object. For instance, a request for -image.gif in /~quux/foo/index.html would become -/~quux/image.gif without the external redirect! +image.gif in /~quux/foo/index.html would become +/~quux/image.gif without the external redirect!

    So, to do this trick we write:

     RewriteEngine  on
     RewriteBase    /~quux/
    -RewriteRule    ^foo$  foo/  [R]
    +RewriteRule    ^foo$  foo/  [R]
     

    The crazy and lazy can even do the following in the top-level -.htaccess file of their homedir. But notice that this creates some +.htaccess file of their homedir. But notice that this creates some processing overhead.

     RewriteEngine  on
     RewriteBase    /~quux/
    -RewriteCond    %{REQUEST_FILENAME}  -d
    -RewriteRule    ^(.+[^/])$           $1/  [R]
    +RewriteCond    %{REQUEST_FILENAME}  -d
    +RewriteRule    ^(.+[^/])$           $1/  [R]
     
    @@ -215,7 +217,7 @@ RewriteRule ^(.+[^/])$ $1/ [R]

    We want to create a homogenous and consistent URL layout over all WWW servers on a Intranet webcluster, i.e. all URLs (per definition server local and thus -server dependent!) become actually server independed! What we want is +server dependent!) become actually server independed! What we want is to give the WWW namespace a consistent server-independend layout: no URL should have to include any physically correct target server. The cluster itself should drive us automatically to the physical target host. @@ -233,7 +235,7 @@ user2 server_of_user2 : :

    -We put them into files map.xxx-to-host. Second we need to instruct +We put them into files map.xxx-to-host. Second we need to instruct all servers to redirect URLs of the forms

    @@ -261,9 +263,9 @@ RewriteMap      user-to-host   txt:/path/to/map.user-to-host
     RewriteMap     group-to-host   txt:/path/to/map.group-to-host
     RewriteMap    entity-to-host   txt:/path/to/map.entity-to-host
     
    -RewriteRule   ^/u/([^/]+)/?(.*)   http://${user-to-host:$1|server0}/u/$1/$2
    -RewriteRule   ^/g/([^/]+)/?(.*)  http://${group-to-host:$1|server0}/g/$1/$2
    -RewriteRule   ^/e/([^/]+)/?(.*) http://${entity-to-host:$1|server0}/e/$1/$2
    +RewriteRule   ^/u/([^/]+)/?(.*)   http://${user-to-host:$1|server0}/u/$1/$2
    +RewriteRule   ^/g/([^/]+)/?(.*)  http://${group-to-host:$1|server0}/g/$1/$2
    +RewriteRule   ^/e/([^/]+)/?(.*) http://${entity-to-host:$1|server0}/e/$1/$2
     
     RewriteRule   ^/([uge])/([^/]+)/?$          /$1/$2/.www/
     RewriteRule   ^/([uge])/([^/]+)/([^.]+.+)   /$1/$2/.www/$3\
    @@ -287,12 +289,12 @@ replace the old one over time.
     
    Solution:
    The solution is trivial with mod_rewrite. On the old webserver we just -redirect all /~user/anypath URLs to -http://newserver/~user/anypath. +redirect all /~user/anypath URLs to +http://newserver/~user/anypath.

     RewriteEngine on
    -RewriteRule   ^/~(.+)  http://newserver/~$1  [R,L]
    +RewriteRule   ^/~(.+)  http://newserver/~$1  [R,L]
     
    @@ -306,9 +308,9 @@ RewriteRule ^/~(.+) http://newserver/~$1 [R,L]

    Some sites with thousend of users usually use a structured homedir layout, i.e. each homedir is in a subdirectory which begins for instance with the -first character of the username. So, /~foo/anypath is -/home/f/foo/.www/anypath while /~bar/anypath is -/home/b/bar/.www/anypath. +first character of the username. So, /~foo/anypath is +/home/f/foo/.www/anypath while /~bar/anypath is +/home/b/bar/.www/anypath.

    Solution: @@ -318,7 +320,7 @@ layout.

     RewriteEngine on
    -RewriteRule   ^/~(([a-z])[a-z0-9]+)(.*)  /home/$2/$1/.www$3
    +RewriteRule   ^/~(([a-z])[a-z0-9]+)(.*)  /home/$2/$1/.www$3
     
    @@ -331,10 +333,10 @@ RewriteRule ^/~(([a-z])[a-z0-9]+)(.*) /home/$2/$1/.www$3

    Description:
    This really is a hardcore example: a killer application which heavily uses -per-directory RewriteRules to get a smooth look and feel on the Web +per-directory RewriteRules to get a smooth look and feel on the Web while its data structure is never touched or adjusted. -Background: net.sw is my archive of freely available Unix +Background: net.sw is my archive of freely available Unix software packages, which I started to collect in 1992. It is both my hobby and job to to this, because while I'm studying computer science I have also worked for many years as a system and network administrator in my spare time. Every @@ -360,21 +362,20 @@ drwxrwxr-x 12 netsw users 512 Aug 3 20:15 Typesetting/ drwxrwxr-x 10 netsw users 512 Jul 9 14:08 X11/

    -In July 1996 I decided to make this 350 MB archive public to the world via a -nice Web interface ( -http://net.sw.engelschall.com/net.sw/). "Nice" means that I wanted to -offer a interface where you can browse directly through the archive hierarchy. +In July 1996 I decided to make this archive public to the world via a +nice Web interface. "Nice" means that I wanted to +offer an interface where you can browse directly through the archive hierarchy. And "nice" means that I didn't wanted to change anything inside this hierarchy - not even by putting some CGI scripts at the top of it. Why? Because the above structure should be later accessible via FTP as well, and I didn't -want any Web or CGI stuuf to be there. +want any Web or CGI stuff to be there.

    Solution:
    The solution has two parts: The first is a set of CGI scripts which create all the pages at all directory levels on-the-fly. I put them under -/e/netsw/.www/ as follows: +/e/netsw/.www/ as follows:

     -rw-r--r--   1 netsw  users    1318 Aug  1 18:10 .wwwacl
    @@ -392,18 +393,18 @@ drwxr-xr-x   2 netsw  users     512 Jul  8 23:47 netsw-img/
     -rw-r--r--   1 netsw  users     234 Jul 30 16:35 netsw-unlimit.lst
     

    -The DATA/ subdirectory holds the above directory structure, i.e. the -real net.sw stuff and gets automatically updated via -rdist from time to time. +The DATA/ subdirectory holds the above directory structure, i.e. the +real net.sw stuff and gets automatically updated via +rdist from time to time. - The second part of the problem remains: how to link these two structures -together into one smooth-looking URL tree? We want to hide the DATA/ +The second part of the problem remains: how to link these two structures +together into one smooth-looking URL tree? We want to hide the DATA/ directory from the user while running the appropriate CGI scripts for the various URLs. Here is the solution: first I put the following into the per-directory configuration file in the Document Root of the server to rewrite the announced -URL /net.sw/ to the internal path /e/netsw: +URL /net.sw/ to the internal path /e/netsw:

     RewriteRule  ^net.sw$       net.sw/        [R]
    @@ -413,7 +414,7 @@ RewriteRule  ^net.sw/(.*)$  e/netsw/$1
     

    The first rule is for requests which miss the trailing slash! The second rule does the real thing. And then comes the killer configuration which stays in -the per-directory config file /e/netsw/.www/.wwwacl: +the per-directory config file /e/netsw/.www/.wwwacl:

     Options       ExecCGI FollowSymLinks Includes MultiViews 
    @@ -467,11 +468,11 @@ Some hints for interpretation:
     
    When switching from the NCSA webserver to the more modern Apache webserver a lot of people want a smooth transition. So they want pages which use their old -NCSA imagemap program to work under Apache with the modern -mod_imap. The problem is that there are a lot of -hyperlinks around which reference the imagemap program via -/cgi-bin/imagemap/path/to/page.map. Under Apache this -has to read just /path/to/page.map. +NCSA imagemap program to work under Apache with the modern +mod_imap. The problem is that there are a lot of +hyperlinks around which reference the imagemap program via +/cgi-bin/imagemap/path/to/page.map. Under Apache this +has to read just /path/to/page.map.

    Solution: @@ -505,13 +506,13 @@ RewriteEngine on # first try to find it in custom/... # ...and if found stop and be happy: -RewriteCond /your/docroot/dir1/%{REQUEST_FILENAME} -f -RewriteRule ^(.+) /your/docroot/dir1/$1 [L] +RewriteCond /your/docroot/dir1/%{REQUEST_FILENAME} -f +RewriteRule ^(.+) /your/docroot/dir1/$1 [L] # second try to find it in pub/... # ...and if found stop and be happy: -RewriteCond /your/docroot/dir2/%{REQUEST_FILENAME} -f -RewriteRule ^(.+) /your/docroot/dir2/$1 [L] +RewriteCond /your/docroot/dir2/%{REQUEST_FILENAME} -f +RewriteRule ^(.+) /your/docroot/dir2/$1 [L] # else go on for other Alias or ScriptAlias directives, # etc. @@ -536,13 +537,13 @@ strip out this information.
    We use a rewrite rule to strip out the status information and remember it via an environment variable which can be later dereferenced from within XSSI or -CGI. This way a URL /foo/S=java/bar/ gets translated to -/foo/bar/ and the environment variable named STATUS is set +CGI. This way a URL /foo/S=java/bar/ gets translated to +/foo/bar/ and the environment variable named STATUS is set to the value "java".

     RewriteEngine on
    -RewriteRule   ^(.*)/S=([^/]+)/(.*)    $1/$3 [E=STATUS:$2]
    +RewriteRule   ^(.*)/S=([^/]+)/(.*)    $1/$3 [E=STATUS:$2]
     
    @@ -554,7 +555,7 @@ RewriteRule ^(.*)/S=([^/]+)/(.*) $1/$3 [E=STATUS:$2]

    Description:
    -Assume that you want to provide www.username.host.domain.com +Assume that you want to provide www.username.host.domain.com for the homepage of username via just DNS A records to the same machine and without any virtualhosts on this machine. @@ -563,14 +564,14 @@ without any virtualhosts on this machine.
    For HTTP/1.0 requests there is no solution, but for HTTP/1.1 requests which contain a Host: HTTP header we can use the following ruleset to rewrite -http://www.username.host.com/anypath internally to -/home/username/anypath: +http://www.username.host.com/anypath internally to +/home/username/anypath:

     RewriteEngine on
    -RewriteCond   %{HTTP_HOST}                 ^www\.[^.]+\.host\.com$
    +RewriteCond   %{HTTP_HOST}                 ^www\.[^.]+\.host\.com$
     RewriteRule   ^(.+)                        %{HTTP_HOST}$1          [C]
    -RewriteRule   ^www\.([^.]+)\.host\.com(.*) /home/$1$2
    +RewriteRule   ^www\.([^.]+)\.host\.com(.*) /home/$1$2
     

    @@ -583,8 +584,8 @@ RewriteRule ^www\.([^.]+)\.host\.com(.*) /home/$1$2
    Description:
    We want to redirect homedir URLs to another webserver -www.somewhere.com when the requesting user does not stay in the local -domain ourdomain.com. This is sometimes used in virtual host +www.somewhere.com when the requesting user does not stay in the local +domain ourdomain.com. This is sometimes used in virtual host contexts.

    @@ -594,7 +595,7 @@ Just a rewrite condition:

     RewriteEngine on
    -RewriteCond   %{REMOTE_HOST}  !^.+\.ourdomain\.com$
    +RewriteCond   %{REMOTE_HOST}  !^.+\.ourdomain\.com$
     RewriteRule   ^(/~.+)         http://www.somewhere.com/$1 [R,L]
     
    @@ -620,8 +621,8 @@ error safe:

     RewriteEngine on
    -RewriteCond   /your/docroot/%{REQUEST_FILENAME} !-f
    -RewriteRule   ^(.+)                             http://webserverB.dom/$1
    +RewriteCond   /your/docroot/%{REQUEST_FILENAME} !-f
    +RewriteRule   ^(.+)                             http://webserverB.dom/$1
     

    @@ -631,8 +632,8 @@ homedirs, etc.) there is better variant:

     RewriteEngine on
    -RewriteCond   %{REQUEST_URI} !-U
    -RewriteRule   ^(.+)          http://webserverB.dom/$1
    +RewriteCond   %{REQUEST_URI} !-U
    +RewriteRule   ^(.+)          http://webserverB.dom/$1
     

    @@ -663,7 +664,7 @@ also escape the hash character. How can we redirect to such a URL?

    We have to use a kludge by the use of a NPH-CGI script which does the redirect itself. Because here no escaping is done (NPH=non-parseable headers). First -we introduce a new URL scheme xredirect: by the following per-server +we introduce a new URL scheme xredirect: by the following per-server config-line (should be one of the last rewrite rules):

    @@ -672,8 +673,8 @@ RewriteRule ^xredirect:(.+) /path/to/nph-xredirect.cgi/$1 \
     

    -This forces all URLs prefixed with xredirect: to be piped through the -nph-xredirect.cgi program. And this program just looks like: +This forces all URLs prefixed with xredirect: to be piped through the +nph-xredirect.cgi program. And this program just looks like:

     
    @@ -697,7 +698,7 @@ print "<title>302 Moved Temporarily (EXTENDED)</title>\n";
     print "</head>\n";
     print "<body>\n";
     print "<h1>Moved Temporarily (EXTENDED)</h1>\n";
    -print "The document has moved <a href=\"$url\">here</a>.<p>\n";
    +print "The document has moved <a HREF=\"$url\">here</a>.<p>\n";
     print "</body>\n";
     print "</html>\n";
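Review bot: The added `print "The document has moved <a HREF=\"$url\">here</a>.<p>\n";` line writes `$url` into an attribute unencoded, and judging by the `^xredirect:(.+)` rule quoted in a neighbouring hunk header that value appears to come from the request, so a quote or angle bracket in it would end up as markup in the response. Encode it for the HTML body and keep the raw value only for the header, e.g. `(my $html_url = $url) =~ s/([&<>"'])/sprintf('&#%d;', ord($1))/ge;` followed by `<a HREF=\"$html_url\">`. The assignment of `$url` and the header output are outside this hunk, so it is worth confirming there that CR/LF and other control characters are rejected before the value reaches any header line. Since the script redirects to arbitrary schemes, the guide should also recommend a fixed list of permitted target schemes or hosts next to the rule.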
     
    @@ -708,7 +709,7 @@ print "</html>\n";
     

    This provides you with the functionality to do redirects to all URL schemes, i.e. including the one which are not directly accepted by mod_rewrite. For -instance you can now also redirect to news:newsgroup via +instance you can now also redirect to news:newsgroup via

     RewriteRule ^anyurl  xredirect:news:newsgroup
    @@ -716,7 +717,7 @@ RewriteRule ^anyurl  xredirect:news:newsgroup
     
     

    Notice: You have not to put [R] or [R,L] to the above rule because the -xredirect: need to be expanded later by our special "pipe through" +xredirect: need to be expanded later by our special "pipe through" rule above. @@ -728,8 +729,8 @@ rule above.

    Description:
    -Do you know the great CPAN (Comprehensive Perl Archive Network) under http://www.perl.com/CPAN? This does a +Do you know the great CPAN (Comprehensive Perl Archive Network) under http://www.perl.com/CPAN? This does a redirect to one of several FTP servers around the world which carry a CPAN mirror and is approximately near the location of the requesting client. Actually this can be called an FTP access multiplexing service. While CPAN @@ -747,7 +748,7 @@ ruleset we can use this top-level domain as a key to our multiplexing map. RewriteEngine on RewriteMap multiplex txt:/path/to/map.cxan RewriteRule ^/CxAN/(.*) %{REMOTE_HOST}::$1 [C] -RewriteRule ^.+\.([a-zA-Z]+)::(.*)$ ${multiplex:$1|ftp.default.dom}$2 [R,L] +RewriteRule ^.+\.([a-zA-Z]+)::(.*)$ ${multiplex:$1|ftp.default.dom}$2 [R,L]

    @@ -778,7 +779,7 @@ How can it be done via mod_rewrite?
     

    Solution:
    -There are a lot of variables named TIME_xxx for rewrite conditions. +There are a lot of variables named TIME_xxx for rewrite conditions. In conjunction with the special lexicographic comparison patterns <STRING, >STRING and =STRING we can do time-dependend redirects: @@ -791,9 +792,9 @@ RewriteRule ^foo\.html$ foo.night.html

    -This provides the content of foo.day.html under the URL -foo.html from 07:00-19:00 and at the remaining time the contents of -foo.night.html. Just a nice feature for a homepage... +This provides the content of foo.day.html under the URL +foo.html from 07:00-19:00 and at the remaining time the contents of +foo.night.html. Just a nice feature for a homepage... @@ -843,8 +844,8 @@ RewriteRule ^(.*)$ $1.html

    Description:
    -Assume we have recently renamed the page bar.html to -foo.html and now want to provide the old URL for backward +Assume we have recently renamed the page bar.html to +foo.html and now want to provide the old URL for backward compatibility. Actually we want that users of the old URL even not recognize that the pages was renamed. @@ -856,7 +857,7 @@ We rewrite the old URL to the new one internally via the following rule:

     RewriteEngine  on
     RewriteBase    /~quux/
    -RewriteRule    ^foo\.html$  bar.html
    +RewriteRule    ^foo\.html$  bar.html
     

    @@ -868,8 +869,8 @@ RewriteRule ^foo\.html$ bar.html
    Description:
    -Assume again that we have recently renamed the page bar.html to -foo.html and now want to provide the old URL for backward +Assume again that we have recently renamed the page bar.html to +foo.html and now want to provide the old URL for backward compatibility. But this time we want that the users of the old URL get hinted to the new one, i.e. their browsers Location field should change, too. @@ -882,7 +883,7 @@ browsers and thus the users view:

     RewriteEngine  on
     RewriteBase    /~quux/
    -RewriteRule    ^foo\.html$  bar.html  [R]
    +RewriteRule    ^foo\.html$  bar.html  [R]
     

    @@ -905,21 +906,21 @@ browsers and a average feature version for all others. We cannot use content negotiation because the browsers do not provide their type in that form. Instead we have to act on the HTTP header "User-Agent". The following condig does the following: If the HTTP header "User-Agent" -begins with "Mozilla/3", the page foo.html is rewritten to -foo.NS.html and and the rewriting stops. If the browser is "Lynx" or -"Mozilla" of version 1 or 2 the URL becomes foo.20.html. All other -browsers receive page foo.32.html. This is done by the following +begins with "Mozilla/3", the page foo.html is rewritten to +foo.NS.html and and the rewriting stops. If the browser is "Lynx" or +"Mozilla" of version 1 or 2 the URL becomes foo.20.html. All other +browsers receive page foo.32.html. This is done by the following ruleset:

    -RewriteCond %{HTTP_USER_AGENT}  ^Mozilla/3.*
    -RewriteRule ^foo\.html$         foo.NS.html          [L]
    +RewriteCond %{HTTP_USER_AGENT}  ^Mozilla/3.*
    +RewriteRule ^foo\.html$         foo.NS.html          [L]
     
    -RewriteCond %{HTTP_USER_AGENT}  ^Lynx/.*         [OR]
    -RewriteCond %{HTTP_USER_AGENT}  ^Mozilla/[12].*
    -RewriteRule ^foo\.html$         foo.20.html          [L]
    +RewriteCond %{HTTP_USER_AGENT}  ^Lynx/.*         [OR]
    +RewriteCond %{HTTP_USER_AGENT}  ^Mozilla/[12].*
    +RewriteRule ^foo\.html$         foo.20.html          [L]
     
    -RewriteRule ^foo\.html$         foo.32.html          [L]
    +RewriteRule ^foo\.html$         foo.32.html          [L]
     
    @@ -932,9 +933,9 @@ RewriteRule ^foo\.html$ foo.32.html [L]

    Description:
    Assume there are nice webpages on remote hosts we want to bring into our -namespace. For FTP servers we would use the mirror program which +namespace. For FTP servers we would use the mirror program which actually maintains an explicit up-to-date copy of the remote data on the local -machine. For a webserver we could use the program webcopy which acts +machine. For a webserver we could use the program webcopy which acts similar via HTTP. But both techniques have one major drawback: The local copy is always just as up-to-date as often we run the program. It would be much better if the mirror is not a static one we have to establish explicitly. @@ -951,13 +952,13 @@ webarea to our namespace by the use of the Proxy Throughput feature

     RewriteEngine  on
     RewriteBase    /~quux/
    -RewriteRule    ^hotsheet/(.*)$  http://www.tstimpreso.com/hotsheet/$1  [P]
    +RewriteRule    ^hotsheet/(.*)$  http://www.tstimpreso.com/hotsheet/$1  [P]
     

     RewriteEngine  on
     RewriteBase    /~quux/
    -RewriteRule    ^usa-news\.html$   http://www.quux-corp.com/news/index.html  [P]
    +RewriteRule    ^usa-news\.html$   http://www.quux-corp.com/news/index.html  [P]
     
    @@ -991,9 +992,9 @@ RewriteRule ^http://www\.remotesite\.com/(.*)$ /mirror/of/remotesite/$1

    Description:
    This is a tricky way of virtually running a corporates (external) Internet -webserver (www.quux-corp.dom), while actually keeping and maintaining +webserver (www.quux-corp.dom), while actually keeping and maintaining its data on a (internal) Intranet webserver -(www2.quux-corp.dom) which is protected by a firewall. The +(www2.quux-corp.dom) which is protected by a firewall. The trick is that on the external webserver we retrieve the requested data on-the-fly from the internal one. @@ -1006,8 +1007,8 @@ from it. For a packet-filtering firewall we could for instance configure a firewall ruleset like the following:

    -ALLOW Host www.quux-corp.dom Port >1024 --> Host www2.quux-corp.dom Port 80  
    -DENY  Host *                 Port *     --> Host www2.quux-corp.dom Port 80
    +ALLOW Host www.quux-corp.dom Port >1024 --> Host www2.quux-corp.dom Port 80  
    +DENY  Host *                 Port *     --> Host www2.quux-corp.dom Port 80
     

    @@ -1017,9 +1018,9 @@ proxy throughput feature:

     RewriteRule ^/~([^/]+)/?(.*)          /home/$1/.www/$2
    -RewriteCond %{REQUEST_FILENAME}       !-f
    -RewriteCond %{REQUEST_FILENAME}       !-d
    -RewriteRule ^/home/([^/]+)/.www/?(.*) http://www2.quux-corp.dom/~$1/pub/$2 [P]
    +RewriteCond %{REQUEST_FILENAME}       !-f
    +RewriteCond %{REQUEST_FILENAME}       !-d
    +RewriteRule ^/home/([^/]+)/.www/?(.*) http://www2.quux-corp.dom/~$1/pub/$2 [P]
     
    @@ -1031,8 +1032,8 @@ RewriteRule ^/home/([^/]+)/.www/?(.*) http://www2.quux-corp.dom/~$1/pub/$

    Description:
    -Suppose we want to load balance the traffic to www.foo.com over -www[0-5].foo.com (a total of 6 servers). How can this be done? +Suppose we want to load balance the traffic to www.foo.com over +www[0-5].foo.com (a total of 6 servers). How can this be done?

    Solution: @@ -1041,11 +1042,11 @@ There are a lot of possible solutions for this problem. We will discuss first a commonly known DNS-based variant and then the special one with mod_rewrite:
      -
    1. DNS Round-Robin +
    2. DNS Round-Robin

      The simplest method for load-balancing is to use the DNS round-robin feature -of BIND. Here you just configure www[0-9].foo.com as usual in your +of BIND. Here you just configure www[0-9].foo.com as usual in your DNS with A(address) records, e.g.

      @@ -1072,33 +1073,33 @@ www    IN  CNAME   www0.foo.com.
       
       

      Notice that this seems wrong, but is actually an intended feature of BIND and -can be used in this way. However, now when www.foo.com gets resolved, -BIND gives out www0-www6 - but in a slightly permutated/rotated order +can be used in this way. However, now when www.foo.com gets resolved, +BIND gives out www0-www6 - but in a slightly permutated/rotated order every time. This way the clients are spread over the various servers. But notice that this not a perfect load balancing scheme, because DNS resolve information gets cached by the other nameservers on the net, so once a client -has resolved www.foo.com to a particular wwwN.foo.com, all -subsequent requests also go to this particular name wwwN.foo.com. But +has resolved www.foo.com to a particular wwwN.foo.com, all +subsequent requests also go to this particular name wwwN.foo.com. But the final result is ok, because the total sum of the requests are really spread over the various webservers.

      -

    3. DNS Load-Balancing +
    4. DNS Load-Balancing

      A sophisticated DNS-based method for load-balancing is to use the program -lbnamed which can be found at http://www.stanford.edu/~schemers/docs/lbnamed/lbnamed.html. +lbnamed which can be found at http://www.stanford.edu/~schemers/docs/lbnamed/lbnamed.html. It is a Perl 5 program in conjunction with auxilliary tools which provides a real load-balancing for DNS.

      -

    5. Proxy Throughput Round-Robin +
    6. Proxy Throughput Round-Robin

      In this variant we use mod_rewrite and its proxy throughput feature. First we -dedicate www0.foo.com to be actually www.foo.com by using a +dedicate www0.foo.com to be actually www.foo.com by using a single

      @@ -1106,11 +1107,11 @@ www    IN  CNAME   www0.foo.com.
       

      -entry in the DNS. Then we convert www0.foo.com to a proxy-only +entry in the DNS. Then we convert www0.foo.com to a proxy-only server, i.e. we configure this machine so all arriving URLs are just pushed -through the internal proxy to one of the 5 other servers (www1-www5). +through the internal proxy to one of the 5 other servers (www1-www5). To accomplish this we first establish a ruleset which contacts a load -balancing script lb.pl for all URLs. +balancing script lb.pl for all URLs.

       RewriteEngine on
      @@ -1119,7 +1120,7 @@ RewriteRule   ^/(.+)$ ${lb:$1}           [P,L]
       

      -Then we write lb.pl: +Then we write lb.pl:

       #!/path/to/perl
      @@ -1145,13 +1146,13 @@ while (<STDIN>) {
       

      -A last notice: Why is this useful? Seems like www0.foo.com still is +A last notice: Why is this useful? Seems like www0.foo.com still is overloaded? The answer is yes, it is overloaded, but with plain proxy throughput requests, only! All SSI, CGI, ePerl, etc. processing is completely done on the other machines. This is the essential point.

      -

    7. Hardware/TCP Round-Robin +
    8. Hardware/TCP Round-Robin

      There is a hardware solution available, too. Cisco has a beast called @@ -1291,34 +1292,34 @@ boring, so a lot of webmaster don't use them. Even Apache's Action handler feature for MIME-types is only appropriate when the CGI programs don't need special URLs (actually PATH_INFO and QUERY_STRINGS) as their input. -First, let us configure a new file type with extension .scgi -(for secure CGI) which will be processed by the popular cgiwrap +First, let us configure a new file type with extension .scgi +(for secure CGI) which will be processed by the popular cgiwrap program. The problem here is that for instance we use a Homogeneous URL Layout (see above) a file inside the user homedirs has the URL -/u/user/foo/bar.scgi. But cgiwrap needs the URL in the form -/~user/foo/bar.scgi/. The following rule solves the problem: +/u/user/foo/bar.scgi. But cgiwrap needs the URL in the form +/~user/foo/bar.scgi/. The following rule solves the problem:

      -RewriteRule ^/[uge]/([^/]+)/\.www/(.+)\.scgi(.*) ...
      -... /internal/cgi/user/cgiwrap/~$1/$2.scgi$3  [NS,T=application/x-http-cgi]
      +RewriteRule ^/[uge]/([^/]+)/\.www/(.+)\.scgi(.*) ...
      +... /internal/cgi/user/cgiwrap/~$1/$2.scgi$3  [NS,T=application/x-http-cgi]
       

      Or assume we have some more nifty programs: -wwwlog (which displays the access.log for a URL subtree and -wwwidx (which runs Glimpse on a URL subtree). We have to +wwwlog (which displays the access.log for a URL subtree and +wwwidx (which runs Glimpse on a URL subtree). We have to provide the URL area to these programs so they know on which area they have to act on. But usually this ugly, because they are all the times still requested from that areas, i.e. typically we would run -the swwidx program from within /u/user/foo/ via +the swwidx program from within /u/user/foo/ via hyperlink to

       /internal/cgi/user/swwidx?i=/u/user/foo/
       

      -which is ugly. Because we have to hard-code both the location of the -area and the location of the CGI inside the hyperlink. When we have to +which is ugly. Because we have to hard-code both the location of the +area and the location of the CGI inside the hyperlink. When we have to reorganise or area, we spend a lot of time changing the various hyperlinks.

      @@ -1333,10 +1334,10 @@ RewriteRule ^/([uge])/([^/]+)(/?.*):log /internal/cgi/user/wwwlog?f=/$1/$2$3

    9. -Now the hyperlink to search at /u/user/foo/ reads only +Now the hyperlink to search at /u/user/foo/ reads only

      -href="*"
      +HREF="*"
       

      which internally gets automatically transformed to @@ -1346,7 +1347,7 @@ which internally gets automatically transformed to

    The same approach leads to an invocation for the access log CGI -program when the hyperlink :log gets used. +program when the hyperlink :log gets used. @@ -1357,21 +1358,21 @@ program when the hyperlink :log gets used.

    Description:
    -How can we transform a static page foo.html into a dynamic variant -foo.cgi in a seemless way, i.e. without notice by the browser/user. +How can we transform a static page foo.html into a dynamic variant +foo.cgi in a seemless way, i.e. without notice by the browser/user.

    Solution:
    We just rewrite the URL to the CGI-script and force the correct MIME-type so it gets really run as a CGI-script. This way a request to -/~quux/foo.html internally leads to the invokation of -/~quux/foo.cgi. +/~quux/foo.html internally leads to the invokation of +/~quux/foo.cgi.

     RewriteEngine  on
     RewriteBase    /~quux/
    -RewriteRule    ^foo\.html$  foo.cgi  [T=application/x-httpd-cgi]
    +RewriteRule    ^foo\.html$  foo.cgi  [T=application/x-httpd-cgi]
     

    @@ -1384,10 +1385,10 @@ RewriteRule ^foo\.html$ foo.cgi [T=application/x-httpd-cgi
    Description:
    Here comes a really esoteric feature: Dynamically generated but statically -served pages, i.e. pages should be delivered as pur static pages (read from +served pages, i.e. pages should be delivered as pure static pages (read from the filesystem and just passed through), but they have to be generated dynamically by the webserver if missing. This way you can have CGI-generated -pages which are statically unless one (or a cronjob) removes the static +pages which are statically served unless one (or a cronjob) removes the static contents. Then the contents gets refreshed.

    @@ -1396,18 +1397,18 @@ contents. Then the contents gets refreshed. This is done via the following ruleset:

    -RewriteCond %{REQUEST_FILENAME}   !-s
    -RewriteCond ^page\.html$          page.cgi   [T=application/x-httpd-cgi,L]
    +RewriteCond %{REQUEST_FILENAME}   !-s
    +RewriteRule ^page\.html$          page.cgi   [T=application/x-httpd-cgi,L]
     

    -Here a request to page.html leads to a internal run of a -corresponding page.cgi if page.html is still missing or has -filesize null. The trick here is that page.cgi is a usual CGI script +Here a request to page.html leads to a internal run of a +corresponding page.cgi if page.html is still missing or has +filesize null. The trick here is that page.cgi is a usual CGI script which (additionally to its STDOUT) writes its output to the file -page.html. Once it was run, the server sends out the data of -page.html. When the webmaster wants to force a refresh the contents, -he just removes page.html (usually done by a cronjob). +page.html. Once it was run, the server sends out the data of +page.html. When the webmaster wants to force a refresh the contents, +he just removes page.html (usually done by a cronjob). @@ -1427,7 +1428,7 @@ our editor? Impossible?

    No! We just combine the MIME multipart feature, the webserver NPH feature and the URL manipulation power of mod_rewrite. First, we establish a new URL -feature: Adding just :refresh to any URL causes this to be refreshed +feature: Adding just :refresh to any URL causes this to be refreshed every time it gets updated on the filesystem.

    @@ -1563,7 +1564,7 @@ exit(0);
     
    Description:
    -The <VirtualHost> feature of Apache is nice and works great +The <VirtualHost> feature of Apache is nice and works great when you just have a few dozens virtual hosts. But when you are an ISP and have hundreds of virtual hosts to provide this feature is not the best choice. @@ -1646,14 +1647,14 @@ RewriteRule ^/(.*)$ %1/$1 [E=VHOST:${lowercase:%{HTTP_HOST}}]
    Description:
    How can we block a really annoying robot from retrieving pages of a specific -webarea? A /robots.txt file containing entries of the "Robot +webarea? A /robots.txt file containing entries of the "Robot Exclusion Protocol" is typically not enough to get rid of such a robot.

    Solution:
    We use a ruleset which forbids the URLs of the webarea -/~quux/foo/arc/ (perhaps a very deep directory indexed area where the +/~quux/foo/arc/ (perhaps a very deep directory indexed area where the robot traversal would create big server load). We have to make sure that we forbid access only to the particular robot, i.e. just forbidding the host where the robot runs is not enough. This would block users from this host, @@ -1661,9 +1662,9 @@ too. We accomplish this by also matching the User-Agent HTTP header information.

    -RewriteCond %{HTTP_USER_AGENT}   ^NameOfBadRobot.*      
    -RewriteCond %{REMOTE_ADDR}       ^123\.45\.67\.[8-9]$
    -RewriteRule ^/~quux/foo/arc/.+   -   [F]
    +RewriteCond %{HTTP_USER_AGENT}   ^NameOfBadRobot.*      
    +RewriteCond %{REMOTE_ADDR}       ^123\.45\.67\.[8-9]$
    +RewriteRule ^/~quux/foo/arc/.+   -   [F]
     

    @@ -1688,15 +1689,15 @@ can at least restrict the cases where the browser sends a HTTP Referer header.

    -RewriteCond %{HTTP_REFERER} !^$                                  
    +RewriteCond %{HTTP_REFERER} !^$                                  
     RewriteCond %{HTTP_REFERER} !^http://www.quux-corp.de/~quux/.*$ [NC]
    -RewriteRule .*\.gif$        -                                    [F]
    +RewriteRule .*\.gif$        -                                    [F]
     

     RewriteCond %{HTTP_REFERER}         !^$                                  
     RewriteCond %{HTTP_REFERER}         !.*/foo-with-gif\.html$
    -RewriteRule ^inlined-in-foo\.gif$   -                        [F]
    +RewriteRule ^inlined-in-foo\.gif$   -                        [F]
     
    @@ -1766,19 +1767,19 @@ the Apache proxy?

    Solution:
    We first have to make sure mod_rewrite is below(!) mod_proxy in the -Configuration file when compiling the Apache webserver. This way it +Configuration file when compiling the Apache webserver. This way it gets called _before_ mod_proxy. Then we configure the following for a host-dependend deny...

    -RewriteCond %{REMOTE_HOST} ^badhost\.mydomain\.com$ 
    +RewriteCond %{REMOTE_HOST} ^badhost\.mydomain\.com$ 
     RewriteRule !^http://[^/.]\.mydomain.com.*  - [F]
     

    ...and this one for a user@host-dependend deny:

    -RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST}  ^badguy@badhost\.mydomain\.com$
    +RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST}  ^badguy@badhost\.mydomain\.com$
     RewriteRule !^http://[^/.]\.mydomain.com.*  - [F]
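Review bot: Both unchanged `RewriteRule !^http://[^/.]\.mydomain.com.*  - [F]` lines in this hunk use `[^/.]` without a quantifier, so the negated pattern only recognises one-character host labels and the rule forbids nearly every proxied URL for the matched client; the dots in `mydomain.com` are also unescaped. If the intent is to let the matched client reach only hosts under the local domain (an assumption, the surrounding text is cut by the hunk), `RewriteRule !^http://[^/.]+\.mydomain\.com.*  - [F]` expresses that. The conditions match on `%{REMOTE_HOST}` and `%{REMOTE_IDENT}`, which come from reverse DNS and the remote ident service. The guide should say this is a coarse filter that depends on data reported by the remote side, not an access control, e.g. `# REMOTE_HOST/REMOTE_IDENT are not authenticated; match REMOTE_ADDR where a firm deny is required`.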
     
    @@ -1802,9 +1803,9 @@ when using the Basic Auth via mod_access). We use a list of rewrite conditions to exclude all except our friends:

    -RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST} !^friend1@client1.quux-corp\.com$ 
    -RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST} !^friend2@client2.quux-corp\.com$ 
    -RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST} !^friend3@client3.quux-corp\.com$ 
    +RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST} !^friend1@client1.quux-corp\.com$ 
    +RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST} !^friend2@client2.quux-corp\.com$ 
    +RewriteCond %{REMOTE_IDENT}@%{REMOTE_HOST} !^friend3@client3.quux-corp\.com$ 
     RewriteRule ^/~quux/only-for-friends/      -                                 [F]
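Review bot: The three added `RewriteCond` allow-list patterns leave the dot after `client1`, `client2` and `client3` unescaped (`client1.quux-corp\.com`), so that position matches any character and the list is looser than it reads. Write `!^friend1@client1\.quux-corp\.com$` and likewise for the other two. `%{REMOTE_IDENT}` is whatever the connecting host's ident service reports and `%{REMOTE_HOST}` comes from a reverse lookup, so neither authenticates the user. I would add a line above the block such as `# ident and reverse-DNS values are supplied by the remote side: treat this as a convenience filter and keep real authentication in front of anything sensitive`. The sentence introducing the ruleset starts outside this hunk.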
     
    @@ -1878,8 +1879,8 @@ to put the resulting (usually rewritten) URL on STDOUT (same order!).

     RewriteEngine on
    -RewriteMap    quux-map       prg:/path/to/map.quux.pl
    -RewriteRule   ^/~quux/(.*)$  /~quux/${quux-map:$1}
    +RewriteMap    quux-map       prg:/path/to/map.quux.pl
    +RewriteRule   ^/~quux/(.*)$  /~quux/${quux-map:$1}
     

    @@ -1899,9 +1900,9 @@ while (<>) {
     
     

    This is a demonstration-only example and just rewrites all URLs -/~quux/foo/... to /~quux/bar/.... Actually you can program -whatever you like. But notice that while such maps can be used also by -an average user, only the system administrator can define it. +/~quux/foo/... to /~quux/bar/.... Actually you can program +whatever you like. But notice that while such maps can be used also by +an average user, only the system administrator can define it. diff --git a/usr.sbin/httpd/htdocs/manual/mod/core.html b/usr.sbin/httpd/htdocs/manual/mod/core.html index fdaedbdbf14..9826fec500e 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/core.html +++ b/usr.sbin/httpd/htdocs/manual/mod/core.html @@ -29,6 +29,7 @@ always available.

    -Then the document xxxx.ja.jis will be treated as being a +Then the document xxxx.ja.jis will be treated as being a Japanese document whose charset is ISO-2022-JP (as will the document -xxxx.jis.ja). Although the content charset is reported to -the client, the browser is unlikely to use this information. The -AddCharset directive is more useful for -content negotiation, where +xxxx.jis.ja). The AddCharset directive is useful for both +to inform the client about the character encoding of the document so +that the document can be interpreted and displayed appropriately, and +for content negotiation, where the server returns one from several documents based on the client's charset preference.

    diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_rewrite.html b/usr.sbin/httpd/htdocs/manual/mod/mod_rewrite.html index efbe6574135..e4397f9bc44 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_rewrite.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_rewrite.html @@ -87,13 +87,13 @@ matching.

    This module operates on the full URLs (including the path-info part) both in per-server context (httpd.conf) and per-directory context -(.htaccess) and even can generate query-string parts on result. +(.htaccess) and can even generate query-string parts on result. The rewritten result can lead to internal sub-processing, external request redirection or even to an internal proxy throughput.

    But all this functionality and flexibility has its drawback: complexity. So -don't expect to understand this module in its whole in just one day. +don't expect to understand this entire module in just one day.

    This module was invented and originally written in April 1996
    @@ -158,46 +158,46 @@ you exploit its full functionality. First you have to understand that when Apache processes a HTTP request it does this in phases. A hook for each of these phases is provided by the Apache API. Mod_rewrite uses two of these hooks: the URL-to-filename translation hook -which is used after the HTTP request was read and before any authorization +which is used after the HTTP request has been read but before any authorization starts and the Fixup hook which is triggered after the authorization phases -and after the per-directory config files (.htaccess) where read, -but before the content handler is activated. +and after the per-directory config files (.htaccess) have been +read, but before the content handler is activated.

    So, after a request comes in and Apache has determined the corresponding -server (or virtual server) the rewriting engine start processing of all +server (or virtual server) the rewriting engine starts processing of all mod_rewrite directives from the per-server configuration in the URL-to-filename phase. A few steps later when the final data directories are found, the per-directory configuration directives of mod_rewrite are triggered -in the Fixup phase. In both situations mod_rewrite either rewrites URLs to new +in the Fixup phase. In both situations mod_rewrite rewrites URLs either to new URLs or to filenames, although there is no obvious distinction between them. -This is a usage of the API which was not intended this way when the API +This is a usage of the API which was not intended to be this way when the API was designed, but as of Apache 1.x this is the only way mod_rewrite can operate. To make this point more clear remember the following two points:

      -
    1. The API currently provides only a URL-to-filename hook. Although - mod_rewrite rewrites URLs to URLs, URLs to filenames and even - filenames to filenames. In Apache 2.0 the two missing hooks - will be added to make the processing more clear. But this - point has no drawbacks for the user, it is just a fact which - should be remembered: Apache does more in the URL-to-filename hook - then the API intends for it. +
    2. Although mod_rewrite rewrites URLs to URLs, URLs to filenames and + even filenames to filenames, the API currently provides only a + URL-to-filename hook. In Apache 2.0 the two missing hooks will be + added to make the processing more clear. But this point has no + drawbacks for the user, it is just a fact which should be + remembered: Apache does more in the URL-to-filename hook than the + API intends for it.

    3. Unbelievably mod_rewrite provides URL manipulations in per-directory - context, i.e., within .htaccess files, although - these are - reached a very long time after the URLs were translated to filenames (this - has to be this way, because .htaccess files stay in the - filesystem, so processing has already been reached this stage of - processing). In other words: According to the API phases at this time it - is too late for any URL manipulations. To overcome this chicken and egg - problem mod_rewrite uses a trick: When you manipulate a URL/filename in - per-directory context mod_rewrite first rewrites the filename back to its - corresponding URL (which it usually impossible, but see the - RewriteBase directive below for the trick to achieve this) - and then initiates a new internal sub-request with the new URL. This leads - to a new processing of the API phases from the beginning. + context, i.e., within .htaccess files, + although these are reached a very long time after the URLs have + been translated to filenames. It has to be this way because + .htaccess files live in the filesystem, so processing + has already reached this stage. In other words: According to the + API phases at this time it is too late for any URL manipulations. + To overcome this chicken and egg problem mod_rewrite uses a trick: + When you manipulate a URL/filename in per-directory context + mod_rewrite first rewrites the filename back to its corresponding + URL (which is usually impossible, but see the RewriteBase + directive below for the trick to achieve this) and then initiates + a new internal sub-request with the new URL. This restarts + processing of the API phases.

      Again mod_rewrite tries hard to make this complicated step totally transparent to the user, but you should remember here: While URL @@ -214,21 +214,21 @@ Don't forget these two points! Now when mod_rewrite is triggered in these two API phases, it reads the configured rulesets from its configuration structure (which itself was either -created on startup for per-server context or while the directory walk of the +created on startup for per-server context or during the directory walk of the Apache kernel for per-directory context). Then the URL rewriting engine is started with the contained ruleset (one or more rules together with their conditions). The operation of the URL rewriting engine itself is exactly the -same for both configuration contexts. Just the final result processing is +same for both configuration contexts. Only the final result processing is different.

      The order of rules in the ruleset is important because the rewriting engine -processes them in a special order. And this order is not very obvious. The +processes them in a special (and not very obvious) order. The rule is this: The rewriting engine loops through the ruleset rule by rule -(RewriteRule directives!) and when a particular rule matched it +(RewriteRule directives) and when a particular rule matches it optionally loops through existing corresponding conditions -(RewriteCond directives). Because of historical reasons the -conditions are given first, the control flow is a little bit winded. See +(RewriteCond directives). For historical reasons the conditions +are given first, and so the control flow is a little bit long-winded. See Figure 1 for more details.

      @@ -251,29 +251,29 @@ Figure 1 for more details.

      As you can see, first the URL is matched against the Pattern of each rule. When it fails mod_rewrite immediately stops processing this rule and -continues with the next rule. If the Pattern matched, mod_rewrite +continues with the next rule. If the Pattern matches, mod_rewrite looks for corresponding rule conditions. If none are present, it just substitutes the URL with a new value which is constructed from the string -Substitution and goes on with its rule-looping. But -if conditions exists, it starts an inner loop for processing them in order -they are listed. For conditions the logic is different: We don't match a +Substitution and goes on with its rule-looping. But if conditions +exist, it starts an inner loop for processing them in the order that +they are listed. For conditions the logic is different: we don't match a pattern against the current URL. Instead we first create a string TestString by expanding variables, back-references, map lookups, etc. and then we try to match CondPattern against it. If the pattern doesn't match, the complete set of conditions and the corresponding rule fails. If the pattern matches, then the next condition is processed -until no more condition is available. If all conditions matched processing is -continued with the substitution of the URL with Substitution. +until no more conditions are available. If all conditions match, processing +is continued with the substitution of the URL with Substitution.

      Regex Back-Reference Availability

      One important thing here has to be remembered: Whenever you -use parenthesis in Pattern or in one of the CondPattern -back-reference are internally created which can be used with the -strings $N and %N (see below). And these +use parentheses in Pattern or in one of the CondPattern +back-references are internally created which can be used with the +strings $N and %N (see below). These are available for creating the strings Substitution and -TestCond. Figure 2 shows at which locations the back-references are -transfered to for expansion. +TestCond. Figure 2 shows to which locations the back-references are +transfered for expansion.

      @@ -293,7 +293,7 @@ transfered to for expansion.

      -We know, this was a crash course of mod_rewrite's internal processing. But +We know this was a crash course on mod_rewrite's internal processing. But you will benefit from this knowledge when reading the following documentation of the available directives. @@ -348,12 +348,12 @@ environment variables.

      Use this directive to disable the module instead of commenting out
-all RewriteRule directives!
+all the RewriteRule directives!

      Note that, by default, rewrite configurations are not inherited. This means that you need to have a RewriteEngine on -directive for each virtual host you wish to use it in. +directive for each virtual host in which you wish to use it.


      @@ -399,9 +399,9 @@ strings can be one of the following:
    4. 'inherit'
      This forces the current configuration to inherit the configuration of the parent. In per-virtual-server context this means that the maps, - conditions and rules of the main server gets inherited. In per-directory + conditions and rules of the main server are inherited. In per-directory context this means that conditions and rules of the parent directory's - .htaccess configuration gets inherited. + .htaccess configuration are inherited.

      @@ -448,10 +448,10 @@ config.

      MapType: prg, MapSource: Unix filesystem path to valid regular file

      - Here the source is a Unix program, not a map file. To create it you can use - the language of your choice, but the result has to be a run-able Unix + Here the source is a program, not a map file. To create it you + can use the language of your choice, but the result has to be a executable (i.e., either object-code or a script with the - magic cookie trick '#!/path/to/interpreter' as the first - line). + magic cookie trick '#!/path/to/interpreter' as the + first line).

      - This program gets started once at startup of the Apache servers and then + This program is started once at startup of the Apache servers and then communicates with the rewriting engine over its stdin and stdout file-handles. For each map-function lookup it will receive the key to lookup as a newline-terminated string on @@ -789,8 +788,7 @@ close(TXT) #!/usr/bin/perl $| = 1; while (<STDIN>) { - # ...here any transformations - # or lookups should occur... + # ...put here any transformations or lookups... print $_; } @@ -798,15 +796,15 @@ while (<STDIN>) {

      But be very careful:

        -
      1. ``Keep the program simple, stupid'' (KISS), because - if this program hangs it will lead to a hang of the Apache server +
      2. ``Keep it simple, stupid'' (KISS), because + if this program hangs it will hang the Apache server when the rule occurs.
      3. Avoid one common mistake: never do buffered I/O on stdout! This will cause a deadloop! Hence the ``$|=1'' in the above example...
      4. Use the RewriteLock directive to define a lockfile mod_rewrite can use to synchronize the communication to the program. - Per default no such synchronization takes place. + By default no such synchronization takes place.
      @@ -819,7 +817,7 @@ this map in per-directory context.

      -Notice: To disable the logging of rewriting actions it is +Note: To disable the logging of rewriting actions it is not recommended to set Filename to /dev/null, because although the rewriting engine does -not create output to a logfile it still creates the logfile +not then output to a logfile it still creates the logfile output internally. This will slow down the server with no advantage to the administrator! To disable logging either remove or comment out the @@ -514,7 +514,7 @@ RewriteLog "/usr/local/var/apache/logs/rewrite.log" >Compatibility: Apache 1.2

      -The RewriteLogLevel directive set the verbosity level of the +The RewriteLogLevel directive sets the verbosity level of the rewriting logfile. The default level 0 means no logging, while 9 or more means that practically all actions are logged. @@ -527,9 +527,8 @@ This disables all rewrite action logs.
      Notice: Using a high value for Level will slow down
-your Apache
-server dramatically! Use the rewriting logfile only for debugging or at least
-at Level not greater than 2!
+your Apache server dramatically! Use the rewriting logfile at
+a Level greater than 2 only for debugging!
      @@ -581,7 +580,7 @@ This directive sets the filename for a synchronization lockfile which mod_rewrite needs to communicate with RewriteMap programs. Set this lockfile to a local path (not on a NFS-mounted device) when you want to use a rewriting map-program. It is not required for -all other types of rewriting maps. +other types of rewriting maps.


      @@ -640,7 +639,7 @@ When such a construct occurs the map MapName is consulted and the key LookupKey is looked-up. If the key is found, the map-function construct is substituted by SubstValue. If the key is not found then it is substituted by DefaultValue or -the empty string if no DefaultValue was specified. +by the empty string if no DefaultValue was specified.

      The following combinations for MapType and MapSource @@ -689,8 +688,8 @@ RewriteMap real-to-user txt:/path/to/file/map.txt special post-processing feature: After looking up a value it is parsed according to contained ``|'' characters which have the meaning of - ``or''. Or - in other words: they indicate a set of alternatives from which the actual + ``or''. + In other words they indicate a set of alternatives from which the actual returned value is chosen randomly. Although this sounds crazy and useless, it was actually designed for load balancing in a reverse proxy situation where @@ -767,13 +766,13 @@ close(TXT)

      -Notice: For plain text and DBM format files the looked-up +Note: For plain text and DBM format files the looked-up keys are cached in-core until the mtime of the mapfile changes or the server does a restart. This way you can have map-functions in rules which are used @@ -869,15 +867,15 @@ per-directory rewrites. As you will see below, RewriteRule can be used in per-directory config files (.htaccess). There it will act locally, i.e., the local directory prefix is stripped at this stage of processing and your rewriting rules act only on the remainder. At the end -it is automatically added. +it is automatically added back to the path.

      When a substitution occurs for a new URL, this module has to re-inject the URL into the server processing. To be able to do this it needs to know what the corresponding URL-prefix or URL-base is. By default this prefix is the corresponding filepath itself. But at most websites URLs are -NOT directly related to physical filename paths, so this -assumption will be usually be wrong! There you have to use the +NOT directly related to physical filename paths, so this +assumption will usually be wrong! There you have to use the RewriteBase directive to specify the correct URL-prefix.

      @@ -908,7 +906,7 @@ directives. RewriteEngine On -# let the server know that we are reached via /xyz and not +# let the server know that we were reached via /xyz and not # via the physical path prefix /abc/def RewriteBase /xyz @@ -926,7 +924,7 @@ rewritten to the physical file /abc/def/newstuff.html.
      -Notice - For the Apache hackers:
      +Note - For Apache hackers:
      The following list gives detailed information about the internal processing steps: @@ -949,7 +947,7 @@ This seems very complicated but is the correct Apache internal processing, because the per-directory rewriting comes too late in the process. So, when it occurs the (rewritten) request has to be re-injected into the Apache kernel! BUT: While this seems like a serious overhead, it really isn't, because -this re-injection happens fully internal to the Apache server and the same +this re-injection happens fully internally to the Apache server and the same procedure is used by many other operations inside Apache. So, you can be sure the design and implementation is correct.
      @@ -1028,7 +1026,7 @@ the form %N -(1 <= N <= 9) which provide access to the grouped parts (parenthesis!) of +(1 <= N <= 9) which provide access to the grouped parts (parentheses!) of the pattern from the last matched RewriteCond directive in the current bunch of conditions. @@ -1041,7 +1039,7 @@ current bunch of conditions. where NAME_OF_VARIABLE can be a string -of the following list: +taken from the following list:

      @@ -1120,7 +1118,7 @@ IS_SUBREQ

      @@ -1157,7 +1155,7 @@ is the value of the HTTP header ``Proxy-Connection:''.
    5. There is the special format %{LA-U:variable} for look-aheads which perform an internal (URL-based) sub-request to determine the final value of variable. Use this when you want to use a variable for rewriting -which actually is set later in an API phase and thus is not available at the +which is actually set later in an API phase and thus is not available at the current stage. For instance when you want to rewrite according to the REMOTE_USER variable from within the per-server context (httpd.conf file) you have to use %{LA-U:REMOTE_USER} @@ -1169,16 +1167,16 @@ authorization phases come before this phase, you just can use %{REMOTE_USER} there.

      -

    6. There is the special format: %{LA-F:variable} which perform an +
    7. There is the special format: %{LA-F:variable} which performs an internal (filename-based) sub-request to determine the final value of -variable. This is the most of the time the same as LA-U above. +variable. Most of the time this is the same as LA-U above.

      CondPattern is the condition pattern, i.e., a regular expression -which gets applied to the current instance of the TestString, -i.e., TestString gets evaluated and then matched against +which is applied to the current instance of the TestString, +i.e., TestString is evaluated and then matched against CondPattern.

      @@ -1186,7 +1184,7 @@ which gets applied to the current instance of the TestString, Extended Regular Expression with some additions:

        -
      1. You can precede the pattern string with a '!' character +
      2. You can prefix the pattern string with a '!' character (exclamation mark) to specify a non-matching pattern.

        @@ -1195,23 +1193,23 @@ There are some special variants of CondPatterns. Instead of real regular expression strings you can also use one of the following:

          -
        • '<CondPattern' (is lexicographically lower)
          +
        • '<CondPattern' (is lexically lower)
          Treats the CondPattern as a plain string and compares it -lexicographically to TestString and results in a true expression if -TestString is lexicographically lower than CondPattern. +lexically to TestString. True if +TestString is lexically lower than CondPattern.

          -

        • '>CondPattern' (is lexicographically greater)
          +
        • '>CondPattern' (is lexically greater)
          Treats the CondPattern as a plain string and compares it -lexicographically to TestString and results in a true expression if -TestString is lexicographically greater than CondPattern. +lexically to TestString. True if +TestString is lexically greater than CondPattern.

          -

        • '=CondPattern' (is lexicographically equal)
          +
        • '=CondPattern' (is lexically equal)
          Treats the CondPattern as a plain string and compares it -lexicographically to TestString and results in a true expression if -TestString is lexicographically equal to CondPattern, i.e the +lexically to TestString. True if +TestString is lexically equal to CondPattern, i.e the two strings are exactly equal (character by character). If CondPattern is just "" (two quotation marks) this -compares TestString against the empty string. +compares TestString to the empty string.

        • '-d' (is directory)
          Treats the TestString as a pathname and @@ -1246,7 +1244,7 @@ your server's performance!
    8. -Notice: These variables all correspond to the similar named +Notice: These variables all correspond to the similarly named HTTP MIME-headers, C variables of the Apache server or struct tm fields of the Unix system.
      Notice: -All of these tests can also be prefixed by a not ('!') character +All of these tests can also be prefixed by an exclamation mark ('!') to negate their meaning.
      @@ -1264,7 +1262,7 @@ is a comma-separated list of the following flags:

      • 'nocase|NC' (no case)
        - This makes the condition test case-insensitive, i.e., there is + This makes the test case-insensitive, i.e., there is no difference between 'A-Z' and 'a-z' both in the expanded TestString and the CondPattern.

        @@ -1278,7 +1276,7 @@ RewriteCond %{REMOTE_HOST} ^host2.* [OR] RewriteCond %{REMOTE_HOST} ^host3.* RewriteRule ...some special stuff for any of these hosts... - Without this flag you had to write down the cond/rule three times. + Without this flag you would have to write the cond/rule three times.

      @@ -1347,12 +1345,13 @@ rewriting rule. The definition order of these rules is run-time.

      -Pattern can be (for Apache 1.1.x a System -V8 and for Apache 1.2.x a POSIX) regular expression -which gets applied to the current URL. Here ``current'' means the value of the -URL when this rule gets applied. This may not be the original requested -URL, because there could be any number of rules before which already matched -and made alterations to it. +Pattern can be (for Apache +1.1.x a System V8 and for Apache 1.2.x and later a POSIX) regular expression which gets applied to the current +URL. Here ``current'' means the value of the URL when this rule gets +applied. This may not be the originally requested URL, because no +longer existingany number of rules may already have matched and made +alterations to it.

      Some hints about the syntax of regular expressions: @@ -1370,7 +1369,7 @@ Some hints about the syntax of regular expressions: Quantifiers: ? 0 or 1 of the preceding text - * 0 or N of the preceding text (N > 1) + * 0 or N of the preceding text (N > 0) + 1 or N of the preceding text (N > 1) Grouping: @@ -1394,8 +1393,8 @@ Some hints about the syntax of regular expressions:

      For more information about regular expressions either have a look at your local regex(3) manpage or its src/regex/regex.3 copy in the -Apache 1.3 distribution. When you are interested in more detailed and deeper -information about regular expressions and its variants (POSIX regex, Perl +Apache 1.3 distribution. If you are interested in more detailed +information about regular expressions and their variants (POSIX regex, Perl regex, etc.) have a look at the following dedicated book on this topic:

      @@ -1409,9 +1408,9 @@ ISBN 1-56592-257-3

      Additionally in mod_rewrite the NOT character ('!') is a possible pattern prefix. This gives you the ability to negate a pattern; to say, for -instance: ``if the current URL does NOT match to this -pattern''. This can be used for special cases where it is better to match -the negative pattern or as a last default rule. +instance: ``if the current URL does NOT match this +pattern''. This can be used for exceptional cases, where it is easier to +match the negative pattern, or as a last default rule.

      @@ -1448,8 +1447,8 @@ the above list. As already mentioned above, all the rewriting rules are applied to the Substitution (in the order of definition in the config file). The URL is completely replaced by the Substitution and the -rewriting process goes on until there are no more rules (unless explicitly -terminated by a L flag - see below). +rewriting process goes on until there are no more rules unless explicitly +terminated by a L flag - see below.

      There is a special substitution string named '-' which means: @@ -1468,7 +1467,7 @@ substitution string with just the question mark.

      @@ -346,7 +347,7 @@ author.
    9. What is the history of mod_ssl?   - [L] + [L]

      The mod_ssl v1 package was initially created in April 1998 by Ralf S. Engelschall via porting What are the functional differences between mod_ssl and Apache-SSL, from where it is originally derived?   - [L] + [L]

      This neither can be answered in short (there were too much code changes) nor can be answered at all by the author (there would be immediately flame @@ -410,7 +411,7 @@ it is originally derived?   What are the major differences between mod_ssl and the commercial alternatives like Raven or Stronghold?   - [L] + [L]

      As of this writing (end of the year 1999) the major difference is the RSA license which one receives (very cheaply in contrast to @@ -458,7 +459,7 @@ the commercial alternatives like Raven or Stronghold?  

    10. How do I know which mod_ssl version is for which Apache version?   - [L] + [L]

      That's trivial: mod_ssl uses version strings of the syntax <mod_ssl-version>-<apache-version>, for @@ -471,7 +472,7 @@ the commercial alternatives like Raven or Stronghold?  

    11. Is mod_ssl Year 2000 compliant?   - [L] + [L]

      Yes, mod_ssl is Year 2000 compliant.

      @@ -494,7 +495,7 @@ the commercial alternatives like Raven or Stronghold?  

    12. What about mod_ssl and the Wassenaar Arrangement?   - [L] + [L]

      First, let us explain what Wassenaar and it's Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and @@ -551,7 +552,7 @@ the commercial alternatives like Raven or Stronghold?  

    13. When I access my website the first time via HTTPS I get a core dump?   - [L] + [L]

      There can be a lot of reasons why a core dump can occur, of course. Ranging from buggy third-party modules, over buggy vendor libraries up to @@ -565,7 +566,7 @@ the commercial alternatives like Raven or Stronghold?  

    14. My Apache dumps core when I add both mod_ssl and PHP3?   - [L] + [L]

      Make sure you add mod_ssl to the Apache source tree first and then do a fresh configuration and installation of PHP3. For SSL support EAPI patches @@ -576,7 +577,7 @@ the commercial alternatives like Raven or Stronghold?  

    15. When I startup Apache I get errors about undefined symbols like ap_global_ctx?   - [L] + [L]

      This actually means you installed mod_ssl as a DSO, but without rebuilding Apache with EAPI. Because EAPI is a requirement for mod_ssl, you need an @@ -587,7 +588,7 @@ the commercial alternatives like Raven or Stronghold?  

    16. When I startup Apache I get permission errors related to SSLMutex?   - [L] + [L]

      When you receive entries like ``mod_ssl: Child could not open SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows) @@ -602,7 +603,7 @@ the commercial alternatives like Raven or Stronghold?   When I use the MM library and the shared memory cache each process grows 1.5MB according to `top' although I specified 512000 as the cache size?   - [L] + [L]

      The additional 1MB are caused by the global shared memory pool EAPI allocates for all modules and which is not used by mod_ssl for @@ -619,23 +620,47 @@ the commercial alternatives like Raven or Stronghold?   Apache creates files in a directory declared by the internal EAPI_MM_CORE_PATH define. Is there a way to override the path using a configuration directive?   - [L] + [L]

      No, there is not configuration directive, because for technical bootstrapping reasons, a directive not possible at all. Instead use ``CFLAGS='-DEAPI_MM_CORE_PATH="/path/to/wherever/"' ./configure ...'' when building Apache or use option -d when starting httpd. +

      +

    17. + + When I fire up the server, mod_ssl stops with the error +"Failed to generate temporary 512 bit RSA private key", why? +And a "PRNG not seeded" error occurs if I try "make certificate".   + [L] +

      + Cryptographic software needs a source of unpredictable data + to work correctly. Many open source operating systems provide + a "randomness device" that serves this purpose (usually named + /dev/random). On other systems, applications have to + seed the OpenSSL Pseudo Random Number Generator (PRNG) manually with + appropriate data before generating keys or performing public key + encryption. As of version 0.9.5, the OpenSSL functions that need + randomness report an error if the PRNG has not been seeded with + at least 128 bits of randomness. So mod_ssl has to provide enough + entropy to the PRNG to work correctly. For this one has to use the + SSLRandSeed directives (to solve the run-time problem) + and create a $HOME/.rnd file to make sure enough + entropy is available also for the "make certificate" + step (in case the "make certificate" procedure is not + able to gather enough entropy theirself by searching for system + files).


      -

      About Configuration

      +

      About Configuration

        -

      • +
      • Is it possible to provide HTTP and HTTPS with a single server?   - [L] + [L]

        Yes, HTTP and HTTPS use different server ports, so there is no direct conflict between them. Either run two separate server instances (one binds @@ -644,20 +669,20 @@ configuration directive?   Apache dispatches: one responding to port 80 and speaking HTTP and one responding to port 443 speaking HTTPS.

        -

      • +
      • I know that HTTP is on port 80, but where is HTTPS?   - [L] + [L]

        You can run HTTPS on any port, but the standards specify port 443, which is where any HTTPS compliant browser will look by default. You can force your browser to look on a different port by specifying it in the URL like this (for port 666): https://secure.server.dom:666/

        -

      • +
      • How can I speak HTTPS manually for testing purposes?   - [L] + [L]

        While you usually just use

        @@ -683,10 +708,10 @@ configuration directive?   $ curl http://localhost/
        $ curl https://localhost/

        -

      • +
      • Why does the connection hang when I connect to my SSL-aware Apache server?   - [L] + [L]

        Because you connected with HTTP to the HTTPS port, i.e. you used an URL of the form ``http://'' instead of ``https://''. @@ -696,11 +721,11 @@ configuration directive?   virtual server that supports SSL, which is probably the IP associated with your hostname, not localhost (127.0.0.1).

        -

      • +
      • Why do I get ``Connection Refused'' messages when trying to access my freshly installed Apache+mod_ssl server via HTTPS?   - [L] + [L]

        There can be various reasons. Some of the common mistakes is that people start Apache with just ``apachectl start'' (or @@ -711,19 +736,19 @@ installed Apache+mod_ssl server via HTTPS?   yourself a favor and start over with the default configuration mod_ssl provides you.

        -

      • +
      • In my CGI programs and SSI scripts the various documented SSL_XXX variables do not exists. Why?   - [L] + [L]

        Just make sure you have ``SSLOptions +StdEnvVars'' enabled for the context of your CGI/SSI requests.

        -

      • +
      • How can I use relative hyperlinks to switch between HTTP and HTTPS?   - [L] + [L]

        Usually you have to use fully-qualified hyperlinks because you have to change the URL scheme. But with the help of some URL @@ -741,13 +766,13 @@ installed Apache+mod_ssl server via HTTPS?  


      -

      About Certificates

      +

      About Certificates

        -

      • +
      • What are RSA Private Keys, CSRs and Certificates?   - [L] + [L]

        The RSA private key file is a digital file that you can use to decrypt messages sent to you. It has a public component which you distribute (via @@ -762,10 +787,10 @@ installed Apache+mod_ssl server via HTTPS?   See the Introduction chapter for a general description of the SSL protocol.

        -

      • +
      • Seems like there is a difference on startup between the original Apache and an SSL-aware Apache?   - [L] + [L]

        Yes, in general, starting Apache with a built-in mod_ssl is just like starting an unencumbered Apache, except for the fact that when you have a @@ -778,10 +803,10 @@ installed Apache+mod_ssl server via HTTPS?   below under ``How can I get rid of the pass-phrase dialog at Apache startup time?''.

        -

      • +
      • How can I create a dummy SSL server Certificate for testing purposes?   - [L] + [L]

        A Certificate does not have to be signed by a public CA. You can use your private key to sign the Certificate which contains your public key. You @@ -800,11 +825,11 @@ installed Apache+mod_ssl server via HTTPS?   BUT REMEMBER: YOU REALLY HAVE TO CREATE A REAL CERTIFICATE FOR THE LONG RUN! HOW THIS IS DONE IS DESCRIBED IN THE NEXT ANSWER.

        -

      • +
      • Ok, I've got my server installed and want to create a real SSL server Certificate for it. How do I do it?   - [L] + [L]

        Here is a step-by-step description:

        @@ -896,10 +921,10 @@ server Certificate for it. How do I do it?   The server.csr file is no longer needed.

        -

      • +
      • How can I create and use my own Certificate Authority (CA)?   - [L] + [L]

        The short answer is to use the CA.sh or CA.pl script provided by OpenSSL. The long and manual answer is this: @@ -946,10 +971,10 @@ server Certificate for it. How do I do it?   This signs the server CSR and results in a server.crt file.

        -

      • +
      • How can I change the pass-phrase on my private key file?   - [L] + [L]

        You simply have to read it with the old pass-phrase and write it again by specifying the new pass-phrase. You can accomplish this with the following @@ -962,10 +987,10 @@ server Certificate for it. How do I do it?   prompt enter the old pass-phrase and at the second prompt enter the new pass-phrase.

        -

      • +
      • How can I get rid of the pass-phrase dialog at Apache startup time?   - [L] + [L]

        The reason why this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in @@ -997,10 +1022,10 @@ server Certificate for it. How do I do it?   exec:/path/to/program'' facility. But keep in mind that this is neither more nor less secure, of course.

        -

      • +
      • How do I verify that a private key matches its Certificate?   - [L] + [L]

        The private key contains a series of numbers. Two of those numbers form the "public key", the others are part of your "private key". The "public @@ -1027,11 +1052,11 @@ server Certificate for it. How do I do it?  

        $ openssl req -noout -modulus -in server.csr | openssl md5

        -

      • +
      • What does it mean when my connections fail with an "alert bad certificate" error?   - [L] + [L]

        Usually when you see errors like ``OpenSSL: error:14094412: SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate'' in the SSL @@ -1039,10 +1064,10 @@ error?   certificate/private-key which perhaps contain a RSA-key not equal to 1024 bits. For instance Netscape Navigator 3.x is one of those browsers.

        -

      • +
      • Why does my 2048-bit private key not work?   - [L] + [L]

        The private key sizes for SSL must be either 512 or 1024 for compatibility with certain web browsers. A keysize of 1024 bits is recommended because @@ -1050,11 +1075,11 @@ error?   Navigator and Microsoft Internet Explorer, and with other browsers that use RSA's BSAFE cryptography toolkit.

        -

      • +
      • Why is client authentication broken after upgrading from SSLeay version 0.8 to 0.9?   - [L] + [L]

        The CA certificates under the path you configured with SSLCACertificatePath are found by SSLeay through hash @@ -1064,10 +1089,10 @@ SSLeay version 0.8 to 0.9?   all old hash symlinks and re-create new ones after upgrading. Use the Makefile mod_ssl placed into this directory.

        -

      • +
      • How can I convert a certificate from PEM to DER format?   - [L] + [L]

        The default certificate format for SSLeay/OpenSSL is PEM, which actually is Base64 encoded DER with header and footer lines. For some applications @@ -1076,11 +1101,11 @@ SSLeay version 0.8 to 0.9?   corresponding DER file cert.der with the following command: $ openssl x509 -in cert.pem -out cert.der -outform DER

        -

      • +
      • I try to install a Verisign certificate. Why can't I find neither the getca nor getverisign programs Verisign mentions?   - [L] + [L]

        This is because Verisign has never provided specific instructions for Apache+mod_ssl. Rather they tell you what you should do @@ -1094,11 +1119,11 @@ SSLeay version 0.8 to 0.9?   href="http://www.thawte.com/certs/server/keygen/mod_ssl.html"> Thawte's mod_ssl instructions.

        -

      • +
      • Can I use the Server Gated Cryptography (SGC) facility (aka Verisign Global ID) also with mod_ssl?   - [L] + [L]

        Yes, mod_ssl since version 2.1 supports the SGC facility. You don't have to configure anything special for this, just use a Global ID as your @@ -1106,11 +1131,11 @@ ID) also with mod_ssl?   automatically handled by mod_ssl under run-time. For details please read the README.GlobalID document in the mod_ssl distribution.

        -

      • +
      • After I have installed my new Verisign Global ID server certificate, the browsers complain that they cannot verify the server certificate?   - [L] + [L]

        That is because Verisign uses an intermediate CA certificate between the root CA certificate (which is installed in the browsers) and @@ -1123,34 +1148,34 @@ browsers complain that they cannot verify the server certificate? 


      -

      About SSL Protocol

      +

      About SSL Protocol

        -

      • +
      • Why has my webserver a higher load now that I run SSL there?   - [L] + [L]

        Because SSL uses strong cryptographic encryption and this needs a lot of number crunching. And because when you request a webpage via HTTPS even the images are transfered encrypted. So, when you have a lot of HTTPS traffic the load increases.

        -

      • +
      • Often HTTPS connections to my server require up to 30 seconds for establishing the connection, although sometimes it works faster?   - [L] + [L]

        Usually this is caused by using a /dev/random device for SSLRandomSeed which is blocking in read(2) calls if not enough entropy is available. Read more about this problem in the refernce chapter under SSLRandomSeed.

        -

      • +
      • What SSL Ciphers are supported by mod_ssl?   - [L] + [L]

        Usually just all SSL ciphers which are supported by the version of OpenSSL in use (can depend on the way you built @@ -1171,11 +1196,11 @@ the connection, although sometimes it works faster?  

        $ openssl ciphers -v

        -

      • +
      • I want to use Anonymous Diffie-Hellman (ADH) ciphers, but I always get ``no shared cipher'' errors?   - [L] + [L]

        In order to use Anonymous Diffie-Hellman (ADH) ciphers, it is not enough to just put ``ADH'' into your SSLCipherSuite. @@ -1184,11 +1209,11 @@ shared cipher'' errors?   allow ADH ciphers for security reasons. So if you are actually enabling these ciphers make sure you are informed about the side-effects.

        -

      • +
      • I always just get a 'no shared ciphers' error if I try to connect to my freshly installed server?   - [L] + [L]

        Either you have messed up your SSLCipherSuite directive (compare it with the pre-configured example in @@ -1202,10 +1227,10 @@ I try to connect to my freshly installed server?   this, regenerate your server certificate/key pair and this time choose the RSA algorithm.

        -

      • +
      • Why can't I use SSL with name-based/non-IP-based virtual hosts?   - [L] + [L]

        The reason is very technical. Actually it's some sort of a chicken and egg problem: The SSL protocol layer stays below the HTTP protocol layer @@ -1219,12 +1244,12 @@ I try to connect to my freshly installed server?   handshake is finished. But the information is already needed at the SSL handshake phase. Bingo!

        -

      • +
      • When I use Basic Authentication over HTTPS the lock icon in Netscape browsers still show the unlocked state when the dialog pops up. Does this mean the username/password is still transmitted unencrypted?   - [L] + [L]

        No, the username/password is already transmitted encrypted. The icon in Netscape browsers is just not really synchronized with the SSL/TLS layer @@ -1236,12 +1261,12 @@ username/password is still transmitted unencrypted?   handshake phase and switched to encrypted communication. So, don't get confused by this icon.

        -

      • +
      • When I connect via HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer (MSIE) I sometimes get I/O errors and the message "bad data from the server". What's the reason?   - [L] + [L]

        The reason is that MSIE's SSL implementation has some subtle bugs related to the HTTP keep-alive facility and the SSL close notify alerts on socket @@ -1253,12 +1278,12 @@ server". What's the reason?   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        -

      • +
      • When I connect via HTTPS to an Apache+mod_ssl server with Netscape Navigator I get I/O errors and the message "Netscape has encountered bad data from the server" What's the reason?   - [L] + [L]

        The problem usually is that you had created a new server certificate with the same DN, but you had told your browser to accept forever the old @@ -1269,21 +1294,21 @@ server" What's the reason?  


      -

      About Support

      +

      About Support

        -

      • +
      • What information resources are available in case of mod_ssl problems?   - [L] + [L]

        The following information resources are available. In case of problems you should search here first.

        1. Answers in the User Manual's F.A.Q. List (this)
          - - http://www.modssl.org/docs/2.5/ssl_faq.html
          + + http://www.modssl.org/docs/2.6/ssl_faq.html
          First look inside the F.A.Q. (this text), perhaps your problem is such popular that it was already answered a lot of times in the past.

          @@ -1301,10 +1326,10 @@ In case of problems you should search here first. someone else already has reported the problem.

        -

      • +
      • What support contacts are available in case of mod_ssl problems?   - [L] + [L]

        The following lists all support possibilities for mod_ssl, in order of preference, i.e. start in this order and do not pick the support possibility @@ -1335,11 +1360,11 @@ you just like most, please. usually not processed as fast as a posting on modssl-users.

        -

      • +
      • What information and details I've to provide to the author when writing a bug report?   - [L] + [L]

        You have to at least always provide the following information:

        @@ -1373,10 +1398,10 @@ You have to at least always provide the following information: course.

      -

    18. +
    19. I got a core dump, can you help me?   - [L] + [L]

      In general no, at least not unless you provide more details about the code location where Apache dumped core. What is usually always required in @@ -1384,10 +1409,10 @@ You have to at least always provide the following information: information it is mostly impossible to find the problem and help you in fixing it.

      -

    20. +
    21. Ok, I got a core dump but how do I get a backtrace to find out the reason for it?   - [L] + [L]

      Follow the following steps:

      @@ -1477,7 +1502,7 @@ if (document.images) {

    22. -Notice: There is a special feature. When you prefix a substitution +Note: There is a special feature: When you prefix a substitution field with http://thishost[:thisport] then mod_rewrite automatically strips it out. This auto-reduction on implicit external redirect URLs is a useful and important feature when @@ -1508,14 +1507,14 @@ comma-separated list of the following flags: one of the following symbolic names: temp (default), permanent, seeother. Use it for rules which should - canonicalize the URL and gives it back to the client, e.g., translate + canonicalize the URL and give it back to the client, e.g., translate ``/~'' into ``/u/'' or always append a slash to /u/user, etc.

      - Notice: When you use this flag, make sure that the + Note: When you use this flag, make sure that the substitution field is a valid URL! If not, you are redirecting to an invalid location! And remember that this flag itself only prefixes the - URL with http://thishost[:thisport]/, but rewriting goes on. + URL with http://thishost[:thisport]/, rewriting continues. Usually you also want to stop and do the redirection immediately. To stop the rewriting you also have to provide the 'L' flag.

      @@ -1526,8 +1525,8 @@ comma-separated list of the following flags:

    23. 'gone|G' (force URL to be gone)
      This forces the current URL to be gone, i.e., it immediately sends back a - HTTP response of 410 (GONE). Use this flag to mark no longer existing - pages as gone. + HTTP response of 410 (GONE). Use this flag to mark pages which no longer + exist as gone.

    24. 'proxy|P' (force proxy)
      This flag forces the substitution part to be internally forced as a proxy @@ -1552,7 +1551,7 @@ comma-separated list of the following flags: don't apply any more rewriting rules. This corresponds to the Perl last command or the break command from the C language. Use this flag to prevent the currently rewritten URL from being - rewritten further by following rules which may be wrong. For + rewritten further by following rules. For example, use it to rewrite the root-path URL ('/') to a real one, e.g., '/e/www/'.

      @@ -1563,11 +1562,11 @@ comma-separated list of the following flags: next command or the continue command from the C language. Use this flag to restart the rewriting process, i.e., to immediately go to the top of the loop.
      - But be careful not to create a deadloop! + But be careful not to create an infinite loop!

    25. 'chain|C' (chained with next rule)
      This flag chains the current rule with the next rule (which itself can - also be chained with its following rule, etc.). This has the following + be chained with the following rule, etc.). This has the following effect: if a rule matches, then processing continues as usual, i.e., the flag has no effect. If the rule does not match, then all following chained rules are skipped. For instance, use it to remove the @@ -1628,7 +1627,7 @@ comma-separated list of the following flags: translator should do. Then mod_alias comes and tries to do a URI-to-filename transition which will not work.

      - Notice: You have to use this flag if you want to intermix directives + Note: You have to use this flag if you want to intermix directives of different modules which contain URL-to-filename translators. The typical example is the use of mod_alias and mod_rewrite.. @@ -1636,12 +1635,12 @@ comma-separated list of the following flags:
      - Notice - For the Apache hackers:
      + Note - For Apache hackers:
      If the current Apache API had a filename-to-filename hook additionally to the URI-to-filename hook then we wouldn't need this flag! But without such a hook this flag is the only solution. The Apache Group has discussed this problem and will - add such hooks into Apache version 2.0. + add such a hook in Apache version 2.0.
      @@ -1650,7 +1649,7 @@ comma-separated list of the following flags: This flag forces the rewriting engine to skip the next num rules in sequence when the current rule matches. Use this to make pseudo if-then-else constructs: The last rule of the then-clause becomes - a skip=N where N is the number of rules in the else-clause. + skip=N where N is the number of rules in the else-clause. (This is not the same as the 'chain|C' flag!)

    26. 'env|E=VAR:VAL' (set environment variable)
      @@ -1658,9 +1657,9 @@ comma-separated list of the following flags: value VAL, where VAL can contain regexp backreferences $N and %N which will be expanded. You can use this flag more than once to set more than one variable. The variables can be later - dereferenced at a lot of situations, but the usual location will be from + dereferenced in many situations, but usually from within XSSI (via <!--#echo var="VAR"-->) or CGI (e.g. - $ENV{'VAR'}). But additionally you can also dereference it in a + $ENV{'VAR'}). Additionally you can dereference it in a following RewriteCond pattern via %{ENV:VAR}. Use this to strip but remember information from URLs. @@ -1668,16 +1667,16 @@ comma-separated list of the following flags:

      -Notice: Never forget that Pattern gets applied to a complete URL +Note: Never forget that Pattern is applied to a complete URL in per-server configuration files. But in per-directory configuration files, the per-directory prefix (which always is the same for a specific -directory!) gets automatically removed for the pattern matching and +directory!) is automatically removed for the pattern matching and automatically added after the substitution has been done. This feature is essential for many sorts of rewriting, because without this prefix stripping you have to match the parent directory which is not always possible.

      There is one exception: If a substitution string starts with -``http://'' then the directory prefix will be not added and a +``http://'' then the directory prefix will not be added and an external redirect or proxy throughput (if flag P is used!) is forced!

      @@ -1685,9 +1684,9 @@ external redirect or proxy throughput (if flag P is used!) is f

      -Notice: To enable the rewriting engine for per-directory configuration files +Note: To enable the rewriting engine for per-directory configuration files you need to set ``RewriteEngine On'' in these files and -``Option FollowSymLinks'' enabled. If your administrator has +``Option FollowSymLinks'' must be enabled. If your administrator has disabled override of FollowSymLinks for a user's directory, then you cannot use the rewriting engine. This restriction is needed for security reasons. @@ -1841,7 +1840,7 @@ variables SCRIPT_NAME and SCRIPT_FILENAME contain the

      Notice: These variables hold the URI/URL as they were initially -requested, i.e., in a state before any rewriting. This is +requested, i.e., before any rewriting. This is important because the rewriting process is primarily used to rewrite logical URLs to physical pathnames. diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/index.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/index.html index 265f4a78c5c..30ea742cde1 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/index.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/index.html @@ -148,7 +148,7 @@ H4 {

      - mod_ssl version 2.5    + mod_ssl version 2.6   
      diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_compat.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_compat.html index e43f61dea01..19875dfb13f 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_compat.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_compat.html @@ -556,7 +556,7 @@ if (document.images) {

    27. diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_cover.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_cover.wml index 1028e99910d..988a0091367 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_cover.wml +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_cover.wml @@ -1,4 +1,4 @@ -#!wml -oindex.html +#!wml -o index.html #use "ssl_template.inc" title="Title Page" tag=title num=0 @@ -17,7 +17,7 @@
      - mod_ssl 2.5, User Manual
      + mod_ssl 2.6, User Manual
      The Apache Interface to OpenSSL
      - mod_ssl version 2.5    + mod_ssl version 2.6   
      diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html index b633181bddb..926a739c575 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.html @@ -292,46 +292,47 @@ author.                 Permission problem on SSLMutex
                      Shared memory and process size?
                      Shared memory and pathname?
      -        About Configuration
      -                HTTP and HTTPS with a single server?
      -                Where is the HTTPS port?
      -                How to test HTTPS manually?
      -                Why does my connection hang?
      -                Why do I get connection refused?
      -                Why are the SSL_XXX variables missing?
      -                How to switch with relative hyperlinks?
      -        About Certificates
      -                What are Keys, CSRs and Certs?
      -                Difference on startup?
      -                How to create a dummy cert?
      -                How to create a real cert?
      -                How to create my own CA?
      -                How to change a pass phrase?
      -                How to remove a pass phrase?
      -                How to verify a key/cert pair?
      -                Bad Certificate Error?
      -                Why does a 2048-bit key not work?
      -                Why is client auth broken?
      -                How to convert from PEM to DER?
      -                Verisign and the magic getca program?
      -                Global IDs or SGC?
      -                Global IDs and Cert Chain?
      -        About SSL Protocol
      -                Why has the server a higher load?
      -                Why are connections horribly slow?
      -                Which ciphers are supported?
      -                How to use Anonymous-DH ciphers
      -                Why do I get 'no shared ciphers'?
      -                HTTPS and name-based vhosts
      -                The lock icon in Netscape locks very late
      -                Why do I get I/O errors with my MSIE clients?
      -                Why do I get I/O errors with my NS clients?
      -        About Support
      -                Resources in case of problems?
      -                Support in case of problems?
      -                How to write a problem report?
      -                I got a core dump, can you help me?
      -                How to get a backtrace?
      +                PRNG and not enough entropy?
      +        About Configuration
      +                HTTP and HTTPS with a single server?
      +                Where is the HTTPS port?
      +                How to test HTTPS manually?
      +                Why does my connection hang?
      +                Why do I get connection refused?
      +                Why are the SSL_XXX variables missing?
      +                How to switch with relative hyperlinks?
      +        About Certificates
      +                What are Keys, CSRs and Certs?
      +                Difference on startup?
      +                How to create a dummy cert?
      +                How to create a real cert?
      +                How to create my own CA?
      +                How to change a pass phrase?
      +                How to remove a pass phrase?
      +                How to verify a key/cert pair?
      +                Bad Certificate Error?
      +                Why does a 2048-bit key not work?
      +                Why is client auth broken?
      +                How to convert from PEM to DER?
      +                Verisign and the magic getca program?
      +                Global IDs or SGC?
      +                Global IDs and Cert Chain?
      +        About SSL Protocol
      +                Why has the server a higher load?
      +                Why are connections horribly slow?
      +                Which ciphers are supported?
      +                How to use Anonymous-DH ciphers
      +                Why do I get 'no shared ciphers'?
      +                HTTPS and name-based vhosts
      +                The lock icon in Netscape locks very late
      +                Why do I get I/O errors with my MSIE clients?
      +                Why do I get I/O errors with my NS clients?
      +        About Support
      +                Resources in case of problems?
      +                Support in case of problems?
      +                How to write a problem report?
      +                I got a core dump, can you help me?
      +                How to get a backtrace?
      diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml index 9a8250fe179..74e36599a86 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_faq.wml @@ -69,7 +69,7 @@ author. %body\    - [L] + [L]

      @@ -365,6 +365,29 @@ configuration directive? ./configure ...'' when building Apache or use option -d when starting httpd. + +When I fire up the server, mod_ssl stops with the error +"Failed to generate temporary 512 bit RSA private key", why? +And a "PRNG not seeded" error occurs if I try "make certificate". + + + Cryptographic software needs a source of unpredictable data + to work correctly. Many open source operating systems provide + a "randomness device" that serves this purpose (usually named + /dev/random). On other systems, applications have to + seed the OpenSSL Pseudo Random Number Generator (PRNG) manually with + appropriate data before generating keys or performing public key + encryption. As of version 0.9.5, the OpenSSL functions that need + randomness report an error if the PRNG has not been seeded with + at least 128 bits of randomness. So mod_ssl has to provide enough + entropy to the PRNG to work correctly. For this one has to use the + SSLRandSeed directives (to solve the run-time problem) + and create a $HOME/.rnd file to make sure enough + entropy is available also for the "make certificate" + step (in case the "make certificate" procedure is not + able to gather enough entropy theirself by searching for system + files). +

      @@ -1051,8 +1074,8 @@ In case of problems you should search here first.

      1. Answers in the User Manual's F.A.Q. List (this)
        - - http://www.modssl.org/docs/2.5/ssl_faq.html
        + + http://www.modssl.org/docs/2.6/ssl_faq.html
        First look inside the F.A.Q. (this text), perhaps your problem is such popular that it was already answered a lot of times in the past.

        diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_glossary.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_glossary.html index 79947dd5f2a..3d2674cd4f8 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_glossary.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_glossary.html @@ -218,7 +218,7 @@ realize that what you heard is not what I meant.''

      @@ -406,7 +406,7 @@ if (document.images) {
      - mod_ssl 2.5, User Manual
      + mod_ssl 2.6, User Manual
      The Apache Interface to OpenSSL
      -Unknown +Richard Nixon
      diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_glossary.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_glossary.wml index 02841151ae4..d29b8d0b492 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_glossary.wml +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_glossary.wml @@ -3,7 +3,7 @@ - + ``I know you believe you understand what you think I said, but I am not sure you realize that what you heard is not what I meant.'' diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html index c8451adeb21..fe1c1326bb9 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_howto.html @@ -884,7 +884,7 @@ if (document.images) {
      - mod_ssl 2.5, User Manual
      + mod_ssl 2.6, User Manual
      The Apache Interface to OpenSSL
      diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.html index ecee2367506..50e44466b06 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.html @@ -239,7 +239,7 @@ year until the one arises you are looking for.'' @@ -916,7 +916,7 @@ if (document.images) {
      - mod_ssl 2.5, User Manual
      + mod_ssl 2.6, User Manual
      The Apache Interface to OpenSSL
      -A. Tannenbaum, ``Introduction to Computer Networks'' +A. Tanenbaum, ``Introduction to Computer Networks''
      diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.wml index 03b438302b6..69af97df0f5 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.wml +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_intro.wml @@ -7,7 +7,7 @@ #use wml::std::toc style=nbsp + author="A. Tanenbaum, ``Introduction to Computer Networks''"> ``The nice thing about standards is that there are so many to choose from. And if you really don't like all the standards you just have to wait another year until the one arises you are looking for.'' diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_overview.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_overview.html index 2d68c6ac544..90e021ad7b0 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_overview.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_overview.html @@ -486,7 +486,7 @@ if (document.images) {
      - mod_ssl 2.5, User Manual
      + mod_ssl 2.6, User Manual
      The Apache Interface to OpenSSL
      diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html index de8166b5716..779dc7950d5 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.html @@ -626,10 +626,11 @@ The following source variants are available: On some platforms like FreeBSD one can even control how the entropy is actually generated, i.e. by which system interrupts. More details one can find under rndcontrol(8) on those platforms. Alternatively, when - your system lacks such a random device, you can use tool like EGD (Entropy Gathering - Daemon) and run it's client program with the - exec:/path/to/program/ variant (see below). + your system lacks such a random device, you can use tool + like EGD + (Entropy Gathering Daemon) and run it's client program with the + exec:/path/to/program/ variant (see below) or use + egd:/path/to/egd-socket (see below).

    28. exec:/path/to/program

      @@ -644,6 +645,14 @@ The following source variants are available: which is based on the AT&T truerand library). Using this in the connection context slows down the server too dramatically, of course. So usually you should avoid using external programs in that context. +

      +

    29. egd:/path/to/egd-socket (Unix only) +

      + This variant uses the Unix domain socket of the + external Entropy Gathering Daemon (EGD) (see http://www.lothar.com/tech + /crypto/) to seed the PRNG. Use this if no random device exists + on your platform.

      Example: @@ -2485,7 +2494,7 @@ if (document.images) {

    30. - mod_ssl 2.5, User Manual
      + mod_ssl 2.6, User Manual
      The Apache Interface to OpenSSL
      diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml index bd91edd0efd..0ebebfab536 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_reference.wml @@ -295,10 +295,11 @@ The following source variants are available: On some platforms like FreeBSD one can even control how the entropy is actually generated, i.e. by which system interrupts. More details one can find under rndcontrol(8) on those platforms. Alternatively, when - your system lacks such a random device, you can use tool like EGD (Entropy Gathering - Daemon) and run it's client program with the - exec:/path/to/program/ variant (see below). + your system lacks such a random device, you can use tool + like EGD + (Entropy Gathering Daemon) and run it's client program with the + exec:/path/to/program/ variant (see below) or use + egd:/path/to/egd-socket (see below).

    31. exec:/path/to/program

      @@ -313,6 +314,14 @@ The following source variants are available: which is based on the AT&T truerand library). Using this in the connection context slows down the server too dramatically, of course. So usually you should avoid using external programs in that context. +

      +

    32. egd:/path/to/egd-socket (Unix only) +

      + This variant uses the Unix domain socket of the + external Entropy Gathering Daemon (EGD) (see http://www.lothar.com/tech + /crypto/) to seed the PRNG. Use this if no random device exists + on your platform.

      diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_template.inc b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_template.inc index fd1161eae66..3529a504051 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_template.inc +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_ssl/ssl_template.inc @@ -233,7 +233,7 @@ H4 {

    33. diff --git a/usr.sbin/httpd/htdocs/manual/vhosts/ip-based.html b/usr.sbin/httpd/htdocs/manual/vhosts/ip-based.html index 7b8993b5c58..7aef0b67575 100644 --- a/usr.sbin/httpd/htdocs/manual/vhosts/ip-based.html +++ b/usr.sbin/httpd/htdocs/manual/vhosts/ip-based.html @@ -125,8 +125,9 @@ in the VirtualHost directive, with the exception of Listen, PidFile, TypesConfig, -ServerRoot and -NameVirtualHost. +ServerRoot, +NameVirtualHost +and a few other directives.

      User and Group may be used inside a VirtualHost diff --git a/usr.sbin/httpd/src/ApacheCore.def b/usr.sbin/httpd/src/ApacheCore.def index 26e748c42c6..c81df4845e6 100644 --- a/usr.sbin/httpd/src/ApacheCore.def +++ b/usr.sbin/httpd/src/ApacheCore.def @@ -360,17 +360,17 @@ EXPORTS ap_SHA1Final @355 ap_sha1_base64 @356 ap_send_error_response @357 - ap_add_config_define @357 - ap_global_ctx @358 - ap_ctx_new @359 - ap_ctx_get @360 - ap_ctx_set @361 - ap_hook_init @362 - ap_hook_kill @363 - ap_hook_configure @364 - ap_hook_register_I @365 - ap_hook_unregister_I @366 - ap_hook_status @367 - ap_hook_use @368 - ap_hook_call @369 + ap_add_config_define @358 + ap_global_ctx @359 + ap_ctx_new @360 + ap_ctx_get @361 + ap_ctx_set @362 + ap_hook_init @363 + ap_hook_kill @364 + ap_hook_configure @365 + ap_hook_register_I @366 + ap_hook_unregister_I @367 + ap_hook_status @368 + ap_hook_use @369 + ap_hook_call @370 diff --git a/usr.sbin/httpd/src/CHANGES b/usr.sbin/httpd/src/CHANGES index 229ced6c17b..b4863aa7285 100644 --- a/usr.sbin/httpd/src/CHANGES +++ b/usr.sbin/httpd/src/CHANGES 
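Review bot: The ApacheCore.def hunk moves thirteen already-published exports, `ap_add_config_define` through `ap_hook_call`, up by one ordinal (now @358–@370). This removes the old clash with `ap_send_error_response @357`, but a module bound to the previous library by ordinal rather than by name would now resolve to the neighbouring function. Assuming the Win32 import library is generated from this file, such modules need a rebuild. I would note that beside the block with a comment such as `; EAPI exports renumbered by one to clear the duplicate @357; rebuild modules linked by ordinal`. The diffstat lists a change to ap_mmn.h, but whether that bump makes stale modules refuse to load is not visible here and should be confirmed; the EXPORTS list itself starts outside the hunk.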
@@ -1,3 +1,66 @@ +Changes with Apache 1.3.12 + + *) Only OS/2 requires the addition "t" flag for ap_pfopen() + (as therefore fopen() as well). This is handled by the + FOPEN_REQUIRES_T macro. [Ian Turner , + Jim Jagielski] PR#5760 + + *) The default charset is only added, when enabled, for those + Content-types which require it (text/plain, text/html). + [Jim Jagielski] PR#5766 + + *) Fix handling of multiple queries in APXS commands (e.g. "apxs -q + CC CFLAGS") and make sure Perl-related command line options (which + can contain the "::" constructs) do no longer cause an incorrect + internal parsing of the query result. + [Ralf S. Engelschall, Steve Robb ] + + *) Avoid infinite looping in APACI's configure script + inside Ultrix' /bin/sh5 upgrade step. + [Jan Gallo , Ralf S. Engelschall] PR#4940 + + *) PORT: Add support for Amdahl UTS 4.3 and later. + [Dave Dykstra ] PR#5654 + + *) Make implementation/descriptions of the FLAG directives + AuthAuthoritative, MetaFiles and ExtendedStatus consistent with + documentation and the standard way of implementation those directives. + [David MacKenzie , Ralf S. Engelschall] PR#5642 + + *) Cast integer ap_wait_t values in http_main.c to get rid of compile + time errors on platforms where "ap_wait_t" is not defined as "int" + (currently only the NEXT and UTS21 platforms). + [Gary Bickford , Ralf S. Engelschall] PR#5053 + + *) The default suexec path was HTTPD_ROOT/sbin/suexec if not + configured via APACI. Changed to HTTPD_ROOT/bin/suexec. + [Lars Eilebrecht] + + *) Add an explicit charset=iso-8859-1 to pages generated by + ap_send_error_response(), such as the default 404 page. + [Marc Slemko] + + *) Add the AddDefaultCharset directive. This allows you to specify + the given character set on any document that does not have one + explicitly specified in the headers. [Marc Slemko, Jim Jagielski] + + *) Properly escape various messages output to the client from a number + of modules and places in the core code. 
[Marc Slemko] + + *) Change mod_actions, mod_autoindex, mod_expires, and mod_log_config to + not consider any parameters such as charset when making decisions + based on content type. This does remove some functionality for + some users, but means that when these modules are configured to do + particular things with particular MIME types, the charset should + not be included. A better way of addressing this for users who + want to set things on a per charset basis is necessary in the future. + [Marc Slemko] + + *) mod_include now entity encodes output from "printenv" and "echo var" + by default. The encoding for "echo var" can be set to URL encoding + or no encoding using the new "encoding" attribute to the echo tag. + [Marc Slemko] + Changes with Apache 1.3.11 *) MPE builds are no longer stripped, which caused the executable @@ -266,7 +329,7 @@ Changes with Apache 1.3.10 *) Added a CLF '-' respecting %B to the log format. Suggested by Ragnar Kjørstad [dirkx] - *) Added protocol(%m)/method(%H) logging to the log format. + *) Added protocol(%H)/method(%m) logging to the log format. Suggested by Peter W [dirkx] *) Added a HEAD method to 'ab'. [dirkx] diff --git a/usr.sbin/httpd/src/CHANGES.SSL b/usr.sbin/httpd/src/CHANGES.SSL index 649b5e0ce47..66b7d5df32e 100644 --- a/usr.sbin/httpd/src/CHANGES.SSL +++ b/usr.sbin/httpd/src/CHANGES.SSL 
@@ -17,12 +17,154 @@ _INTENTIONALLY_ no contributor names attached to the entries. Instead all contributors are listed in the CREDITS file. + ____ __ + |___ \ / /_ + __) || '_ \ + / __/ | (_) | + __ |_____(_)___/____________________________________________ + + Changes with mod_ssl 2.6.2 (29-Feb-2000 to 02-Mar-2000) + + *) Updated the conf/ssl.crt/ca-bundle.crt file (containing the CA + Root Certificates of over 60 popular CAs) to the contents extracted + from Netscape Communicator 4.72's cert7.db file. + + *) Fixed compilation of the new HTTPS proxy code (SSL_EXPERIMENTAL): + The SSL_VENDOR was required without need if SSL_EXPERIMENTAL was + enabled. This is now fixed and only SSL_EXPERIMENTAL is requied again + for the new HTTPS proxy stuff. + + *) Added an FAQ entry about the "less entropy for the PRNG" + problem which now becomes "popular" ;) with OpenSSL 0.9.5. + + *) Fixed conf/ssl.crl/Makefile: the files which have to be + checked for existance are named foo.rNNN and not just foo.NNN + + *) Fixed a typo related to a RAND_status call in ssl_engine_rand.c + which was introduced in 2.6.1 and which caused mod_ssl fail to + compile if OpenSSL >= 0.9.5 was used [Sorry, my gcc hasn't catched + this typo :-(...] + + *) Added also some random files which exists under Mach/Rhapshody + platforms to the list of files in src/support/mkcert.sh to make + sure enough entropy is available on these platforms under "make + certificate" with OpenSSL 0.9.5 + + *) Enhanced SSLRequire (SH2) -> SSLRequireSSL (mod_ssl) + directive compatibility mapping. + + Changes with mod_ssl 2.6.1 (25-Feb-2000 to 29-Feb-2000) + + *) Added support for OpenSSL 0.9.5's RAND_egd() which is now used + to read entropy from the EGD Unix domain socket if `SSLRandSeed + egd:/path/to/socket' is configured. + + *) Extended builtin PRNG seeding with a run-time stack based source. + This way the builtin source now creates more entropy and usually + enough to make OpenSSL >= 0.9.5 happy again. 
If OpenSSL is still not + happy (i.e. still not sufficient entropy exists), a warning message + is logged by mod_ssl now. + + *) Fixed Tanenbaum's name on the quote in ssl_intro.wml + + *) Updated Thawte's sxnet stuff for latest OpenSSL. + + *) Allow mod_ssl to compile also under Win32 & VC++ 6.0 + + *) Fix OS/2 support and this way make mod_ssl again work + also under this platform. + + Changes with mod_ssl 2.6.0 (24-Feb-2000 to 25-Feb-2000) + + *) Merged in enhanced HTTPS Proxy Support which is derived from + Stronghold 2.x and was originally contributed by C2Net over one + year ago. This is still _EXPERIMENTAL_ stuff, so it is entirely + wrapped with SSL_EXPERIMENTAL sections and has to be abled under + built-time with --enable-rule=SSL_EXPERIMENTAL. Then the following + new configuration directives are provided to fine-tune the HTTPS + proxy support: + + o SSLProxyProtocol [+-][SSLv2|SSLv3|TLSv1] ... + (enable or disable SSL protocol flavors) + o SSLProxyCipherSuite XXX:...:XXX + (colon-delimited list of permitted SSL ciphers) + o SSLProxyVerify on|off + (whether to verify the remote certificate) + o SSLProxyVerifyDepth N + (maximum certificate verification depth) + o SSLProxyCACertificateFile /path/to/file + (file containing server certificates) + o SSLProxyCACertificatePath /path/to/dir + (directory containing server certificates) + o SSLProxyMachineCertificateFile /path/to/file + (file containing client certificates) + o SSLProxyMachineCertificatePath /path/to/dir + (directory containing client certificates) + + This stuff is declared experimental, because it was still _NOT_ + tested in depth and is still _UNDOCUMENTED_. So keep in mind what + SSL_EXPERIMENTAL means and use this with care! + + *) Extended the EAPI patches to mod_proxy to allow the new + HTTPS proxy support to be merged in. + + *) Fixed ssl_io_suck() prototype scope in mod_ssl.h by changing + the old #ifdef SSL_EXPERIMENTAL to the now correct #ifndef + SSL_CONSERVATIVE. 
+ + *) Added "cons" and "nocons" development target to + src/modules/ssl/Makefile.tmpl. + + *) Upgraded to Apache version 1.3.12. + + ____ ____ |___ \ | ___| __) | |___ \ / __/ _ ___) | __ |_____(_)____/___________________________________________ + Changes with mod_ssl 2.5.1 (22-Jan-2000 to 24-Feb-2000) + + *) Made sure OpenSSL's Pseudo Random Number Generator (PRNG) is + seeded already before the temporary RSA keys are generated. + + *) Fixed possible security hole in mkcert.sh script (make + certificate) by making sure we already generate the foo.key files + with proper umask instead of chmod them later (and this way + perhaps too late). + + *) Fixed memory leak caused by not-freed SSL_CTX in the HTTPS proxy + support (ssl_engine_ext.c/mod_proxy). + + *) Fixed quotation author in ssl_glossary.html: it's Richard Nixon, + as Lukas Bradley pointed out. + + *) Use "/usr/local/ssl" as the default for $SSL_BASE only if this + path really exists. Else use "SYSTEM" and this way be more + flexible. This is especially interesting for RedHat/RPM users + where OpenSSL stays often directly under /usr. + + *) Make sure libssl.module also detects OpenSSL correctly + if OpenSSL was built as shared libraries (.so) + + *) Let configure script more accurately check for -h, -v and + -q options on command line. + + *) Make `SSLSessionCache none' really work as expected. + + *) Added support for the latest OpenSSL snapshot (>= version 0.9.4). + + *) Removed the removal of "#ifdef lint.. #endif" lines from + src/modules/ssl/Makefile.tmpl to make the life of the + OpenBSD guys easier in the future. + + *) Removed Unix Bourne-Shell construct "2>&1" from Win32's + configure.bat script because Win32 hates this. + + *) Fixed ApacheCore.def for Win32: Some numbers occured + multiple times. + Changes with mod_ssl 2.5.0 (08-Jan-2000 to 22-Jan-2000) *) Switched the old "POST for HTTPS" support code from 
diff --git a/usr.sbin/httpd/src/Configure b/usr.sbin/httpd/src/Configure
index f397c14aa0f..73896039b12 100644
--- a/usr.sbin/httpd/src/Configure
+++ b/usr.sbin/httpd/src/Configure
@@ -1,5 +1,5 @@
 #!/bin/sh
-# $OpenBSD: Configure,v 1.10 2000/01/28 18:39:57 beck Exp $
+# $OpenBSD: Configure,v 1.11 2000/03/19 11:16:52 beck Exp $
 ## ====================================================================
 ## Copyright (c) 1995-1999 The Apache Group. All rights reserved.
 ##
@@ -678,10 +678,17 @@ case "$PLAT" in
 LIBS="$LIBS -lPW"
 ;;
 *-uts*)
- OS='Amdahl UTS'
- CFLAGS="$CFLAGS -Xa -eft -DUTS21 -DUSEBCOPY"
- LIBS="$LIBS -lsocket -lbsd -la"
- DEF_WANTHSREGEX=yes
+ PLATOSVERS=`echo $PLAT | sed 's/^.*,//'`
+ OS='Amdahl UTS $PLATOSVERS'
+ case "$PLATOSVERS" in
+ 2*) CFLAGS="$CFLAGS -Xa -eft -DUTS21 -DUSEBCOPY"
+ LIBS="$LIBS -lsocket -lbsd -la"
+ DEF_WANTHSREGEX=yes
+ ;;
+ *) CFLAGS="$CFLAGS -Xa -DSVR4"
+ LIBS="$LIBS -lsocket -lnsl"
+ ;;
+ esac
 ;;
 *-ultrix)
 OS='ULTRIX'
@@ -1221,7 +1228,7 @@ if [ "x$using_shlib" = "x1" ] ; then
 # Older SINIX machines must be linked as "shared core"-Apache
 case $CC in
 */gcc|gcc ) CFLAGS_SHLIB="-fpic" ;;
- */cc|cc ) CFLAGS_SHLIB="-KPIC" ;;
+ *) CFLAGS_SHLIB="-KPIC" ;;
 esac
 LDFLAGS_SHLIB="-G"
 LDFLAGS_MOD_SHLIB=$LDFLAGS_SHLIB
@@ -1843,7 +1850,7 @@ if [ "x$using_shlib" = "x1" ] ; then
 # select the special subtarget for shared core generation
 SUBTARGET=target_shared
 # determine additional suffixes for libhttpd.so
- V=1 R=3 P=11
+ V=1 R=3 P=12
 if [ "x$SHLIB_SUFFIX_DEPTH" = "x0" ]; then
 SHLIB_SUFFIX_LIST=""
 fi
diff --git a/usr.sbin/httpd/src/ap/ap_getpass.c b/usr.sbin/httpd/src/ap/ap_getpass.c
index 9ed6897d6b3..0cd59f4c345 100644
--- a/usr.sbin/httpd/src/ap/ap_getpass.c
+++ b/usr.sbin/httpd/src/ap/ap_getpass.c
@@ -84,7 +84,7 @@
 #define ERR_OVERFLOW 5
-#ifdef MPE
+#if defined(MPE) || defined(BEOS)
 #include
 char *
diff --git a/usr.sbin/httpd/src/helpers/binbuild.sh b/usr.sbin/httpd/src/helpers/binbuild.sh
index 9d44b6a5e9d..1e2f454ff03 100644
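Review bot: In the `*-uts*)` arm of Configure, `OS='Amdahl UTS $PLATOSVERS'` is single-quoted, so the variable is never expanded and the reported OS name will contain the literal text `$PLATOSVERS`. Use double quotes: `OS="Amdahl UTS $PLATOSVERS"`. The `echo $PLAT | sed` on the line above would also be safer with the expansion quoted, `echo "$PLAT"`. The enclosing `case "$PLAT"` statement starts and ends outside the hunk.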
--- a/usr.sbin/httpd/src/helpers/binbuild.sh +++ b/usr.sbin/httpd/src/helpers/binbuild.sh @@ -229,7 +229,7 @@ cp README.bindist ../apache_$VER-$OS.README echo " " && \ echo "echo \"Ready.\"" && \ echo "echo \" +--------------------------------------------------------+\"" && \ - echo "echo \" | You now have successfully installed the Apache $VER |\"" && \ + echo "echo \" | You now have successfully installed the Apache $VER |\"" && \ echo "echo \" | HTTP server. To verify that Apache actually works |\"" && \ echo "echo \" | correctly you should first check the (initially |\"" && \ echo "echo \" | created or preserved) configuration files: |\"" && \ diff --git a/usr.sbin/httpd/src/include/ap_config.h b/usr.sbin/httpd/src/include/ap_config.h index 5ea94b88a4d..f60be1c3b5e 100644 --- a/usr.sbin/httpd/src/include/ap_config.h +++ b/usr.sbin/httpd/src/include/ap_config.h @@ -812,6 +812,7 @@ typedef int rlim_t; #define NO_RELIABLE_PIPED_LOGS #define USE_OS2SEM_SERIALIZED_ACCEPT #define SINGLE_LISTEN_UNSERIALIZED_ACCEPT +#define FOPEN_REQUIRES_T #elif defined(__MACHTEN__) typedef int rlim_t; diff --git a/usr.sbin/httpd/src/include/ap_mmn.h b/usr.sbin/httpd/src/include/ap_mmn.h index e34607926f6..bb043ad0c7f 100644 --- a/usr.sbin/httpd/src/include/ap_mmn.h +++ b/usr.sbin/httpd/src/include/ap_mmn.h @@ -226,6 +226,7 @@ * ap_base64encode_len(), ap_base64decode(), * ap_base64decode_binary(), ap_base64decode_len(), * ap_pbase64decode(), ap_pbase64encode() + * 19990320.7 - add ap_strcasestr() */ /* @@ -249,7 +250,7 @@ #ifndef MODULE_MAGIC_NUMBER_MAJOR #define MODULE_MAGIC_NUMBER_MAJOR 19990320 #endif -#define MODULE_MAGIC_NUMBER_MINOR 6 /* 0...n */ +#define MODULE_MAGIC_NUMBER_MINOR 7 /* 0...n */ #define MODULE_MAGIC_NUMBER MODULE_MAGIC_NUMBER_MAJOR /* backward compat */ /* Useful for testing for features. */ diff --git a/usr.sbin/httpd/src/include/http_core.h b/usr.sbin/httpd/src/include/http_core.h index 459fd248f35..81cd3c8be60 100644 
--- a/usr.sbin/httpd/src/include/http_core.h +++ b/usr.sbin/httpd/src/include/http_core.h @@ -243,6 +243,15 @@ typedef struct { */ unsigned d_is_fnmatch : 1; + /* should we force a charset on any outgoing parameterless content-type? + * if so, which charset? + */ +#define ADD_DEFAULT_CHARSET_OFF (0) +#define ADD_DEFAULT_CHARSET_ON (1) +#define ADD_DEFAULT_CHARSET_UNSET (2) + unsigned add_default_charset : 2; + char *add_default_charset_name; + /* System Resource Control */ #ifdef RLIMIT_CPU struct rlimit *limit_cpu; diff --git a/usr.sbin/httpd/src/include/httpd.h b/usr.sbin/httpd/src/include/httpd.h index 9ad91305f5a..d817ac4f628 100644 --- a/usr.sbin/httpd/src/include/httpd.h +++ b/usr.sbin/httpd/src/include/httpd.h @@ -269,7 +269,7 @@ extern "C" { /* The path to the suExec wrapper, can be overridden in Configuration */ #ifndef SUEXEC_BIN -#define SUEXEC_BIN HTTPD_ROOT "/sbin/suexec" +#define SUEXEC_BIN HTTPD_ROOT "/bin/suexec" #endif /* The default string lengths */ @@ -438,6 +438,12 @@ extern "C" { #define DEFAULT_LIMIT_REQUEST_FIELDS 100 #endif /* default limit on number of request header fields */ +/* + * The default default character set name to add if AddDefaultCharset is + * enabled. Overridden with AddDefaultCharsetName. + */ +#define DEFAULT_ADD_DEFAULT_CHARSET_NAME "iso-8859-1" + /* * The below defines the base string of the Server: header. Additional * tokens can be added via the ap_add_version_component() API call. @@ -451,7 +457,7 @@ extern "C" { * Example: "Apache/1.1.0 MrWidget/0.1-alpha" */ -#define SERVER_BASEVERSION "Apache/1.3.11" /* SEE COMMENTS ABOVE */ +#define SERVER_BASEVERSION "Apache/1.3.12" /* SEE COMMENTS ABOVE */ #define SERVER_VERSION SERVER_BASEVERSION enum server_token_type { SrvTk_MIN, /* eg: Apache/1.3.0 */ 
@@ -470,7 +476,7 @@ API_EXPORT(void) ap_add_config_define(const char *define);
 * Always increases along the same track as the source branch.
 * For example, Apache 1.4.2 would be '10402100', 2.5b7 would be '20500007'.
 */
-#define APACHE_RELEASE 10311100
+#define APACHE_RELEASE 10312100
 #define SERVER_PROTOCOL "HTTP/1.1"
 #ifndef SERVER_SUPPORT
@@ -1046,6 +1052,7 @@ API_EXPORT(char *) ap_make_full_path(pool *a, const char *dir, const char *f);
 API_EXPORT(int) ap_is_matchexp(const char *str);
 API_EXPORT(int) ap_strcmp_match(const char *str, const char *exp);
 API_EXPORT(int) ap_strcasecmp_match(const char *str, const char *exp);
+API_EXPORT(char *) ap_strcasestr(const char *s1, const char *s2);
 API_EXPORT(char *) ap_pbase64decode(pool *p, const char *bufcoded);
 API_EXPORT(char *) ap_pbase64encode(pool *p, char *string);
 API_EXPORT(char *) ap_uudecode(pool *p, const char *bufcoded);
diff --git a/usr.sbin/httpd/src/main/http_core.c b/usr.sbin/httpd/src/main/http_core.c
index 8c11f1771f8..4c4c64d275d 100644
--- a/usr.sbin/httpd/src/main/http_core.c
+++ b/usr.sbin/httpd/src/main/http_core.c
@@ -154,6 +154,9 @@ static void *create_core_dir_config(pool *a, char *dir)
 conf->server_signature = srv_sig_unset;
+ conf->add_default_charset = ADD_DEFAULT_CHARSET_UNSET;
+ conf->add_default_charset_name = DEFAULT_ADD_DEFAULT_CHARSET_NAME;
+
 return (void *)conf;
 }
@@ -281,6 +284,14 @@ static void *merge_core_dir_configs(pool *a, void *basev, void *newv)
 conf->server_signature = new->server_signature;
 }
+ if (new->add_default_charset != ADD_DEFAULT_CHARSET_UNSET) {
+ conf->add_default_charset = new->add_default_charset;
+ }
+
+ if (new->add_default_charset_name) {
+ conf->add_default_charset_name = new->add_default_charset_name;
+ }
+
 return (void*)conf;
 }
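Review bot: In `merge_core_dir_configs` the test `if (new->add_default_charset_name)` is always true, because `create_core_dir_config` in the hunk above initialises the field to `DEFAULT_ADD_DEFAULT_CHARSET_NAME` rather than NULL. A directory section that does not use AddDefaultCharset therefore inherits the parent's on/off state but resets the parent's charset name to iso-8859-1, so responses below it are labelled with a charset the administrator did not choose. Copy the name only together with the flag, by moving `conf->add_default_charset_name = new->add_default_charset_name;` inside the first `if` and dropping the second one. Both function bodies extend beyond their hunks.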
@@ -1035,6 +1046,27 @@ static const char *set_gprof_dir(cmd_parms *cmd, void *dummy, char *arg)
 }
 #endif /*GPROF*/
+static const char *set_add_default_charset(cmd_parms *cmd,
+ core_dir_config *d, char *arg)
+{
+ const char *err = ap_check_cmd_context(cmd, NOT_IN_LIMIT);
+ if (err != NULL) {
+ return err;
+ }
+ if (!strcasecmp(arg, "Off")) {
+ d->add_default_charset = ADD_DEFAULT_CHARSET_OFF;
+ }
+ else if (!strcasecmp(arg, "On")) {
+ d->add_default_charset = ADD_DEFAULT_CHARSET_ON;
+ d->add_default_charset_name = DEFAULT_ADD_DEFAULT_CHARSET_NAME;
+ }
+ else {
+ d->add_default_charset = ADD_DEFAULT_CHARSET_ON;
+ d->add_default_charset_name = arg;
+ }
+ return NULL;
+}
+
 static const char *set_document_root(cmd_parms *cmd, void *dummy, char *arg)
 {
 void *sconf = cmd->server->module_config;
@@ -2786,6 +2818,8 @@ static const command_rec core_cmds[] = {
 { "GprofDir", set_gprof_dir, NULL, RSRC_CONF, TAKE1, "Directory to plop gmon.out files" },
 #endif
+{ "AddDefaultCharset", set_add_default_charset, NULL, OR_FILEINFO,
+ TAKE1, "The name of the default charset to add to any Content-Type without one or 'Off' to disable" },
 /* Old resource config file commands */
diff --git a/usr.sbin/httpd/src/main/http_log.c b/usr.sbin/httpd/src/main/http_log.c
index a4927bfb113..4a1e5fe2e72 100644
--- a/usr.sbin/httpd/src/main/http_log.c
+++ b/usr.sbin/httpd/src/main/http_log.c
@@ -487,7 +487,8 @@ API_EXPORT(void) ap_log_rerror(const char *file, int line, int level,
 if (((level & APLOG_LEVELMASK) <= APLOG_WARNING) && (ap_table_get(r->notes, "error-notes") == NULL)) {
 ap_table_setn(r->notes, "error-notes",
- ap_pvsprintf(r->pool, fmt, args));
+ ap_escape_html(r->pool, ap_pvsprintf(r->pool, fmt,
+ args)));
 }
 va_end(args);
 }
@@ -498,6 +499,9 @@ void ap_log_pid(pool *p, char *fname)
 struct stat finfo;
 static pid_t saved_pid = -1;
 pid_t mypid;
+#ifndef WIN32
+ mode_t u;
+#endif
 if (!fname) return;
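Review bot: `set_add_default_charset` stores `arg` as the charset name without checking it, and the directive is registered with `OR_FILEINFO`, so the value can come from per-directory configuration. `make_content_type` later appends the name to the Content-Type header as it is, so a value containing spaces, `;` or control characters yields a malformed header. In the final `else` branch, return an error string unless `arg` consists only of token characters (letters, digits, `-`, `_`, `.`, `:`, `+`) before assigning it to `d->add_default_charset_name`.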
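Review bot: The `error-notes` entry written in `ap_log_rerror` now holds HTML-escaped text, while the other writers in this commit (`get_mime_headers`, `ap_proxyerror`) store markup in which only the request-derived parts are escaped. That makes the note an HTML fragment by contract, and nothing at this call site says so; a later consumer that escapes it again would double-encode, and one that treats it as plain text would be wrong. Add a comment above the `ap_table_setn` call, for example `/* error-notes is sent to the client as HTML, so escape the formatted message here */`. The function body starts before the hunk.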
@@ -519,12 +523,19 @@ void ap_log_pid(pool *p, char *fname)
 );
 }
+#ifndef WIN32
+ u = umask(022);
+ (void) umask(u | 022);
+#endif
 if(!(pid_file = fopen(fname, "w"))) {
 perror("fopen");
 fprintf(stderr, "%s: could not log pid to file %s\n", ap_server_argv0, fname);
 exit(1);
 }
+#ifndef WIN32
+ (void) umask(u);
+#endif
 fprintf(pid_file, "%ld\n", (long)mypid);
 fclose(pid_file);
 saved_pid = mypid;
diff --git a/usr.sbin/httpd/src/main/http_main.c b/usr.sbin/httpd/src/main/http_main.c
index 839f3c60f04..6442b24941b 100644
--- a/usr.sbin/httpd/src/main/http_main.c
+++ b/usr.sbin/httpd/src/main/http_main.c
@@ -1629,7 +1629,7 @@ API_EXPORT(void) ap_unregister_other_child(void *data)
 for (pocr = &other_children; *pocr; pocr = &(*pocr)->next) {
 if ((*pocr)->data == data) {
 nocr = (*pocr)->next;
- (*(*pocr)->maintenance) (OC_REASON_UNREGISTER, (*pocr)->data, -1);
+ (*(*pocr)->maintenance) (OC_REASON_UNREGISTER, (*pocr)->data, (ap_wait_t)-1);
 *pocr = nocr;
 /* XXX: um, well we've just wasted some space in pconf ? */
 return;
@@ -1685,7 +1685,7 @@ static void probe_writable_fds(void)
 continue;
 if (FD_ISSET(ocr->write_fd, &writable_fds))
 continue;
- (*ocr->maintenance) (OC_REASON_UNWRITABLE, ocr->data, -1);
+ (*ocr->maintenance) (OC_REASON_UNWRITABLE, ocr->data, (ap_wait_t)-1);
 }
 }
@@ -2507,16 +2507,16 @@ static void reclaim_child_processes(int terminate)
 waitret = waitpid(ocr->pid, &status, WNOHANG);
 if (waitret == ocr->pid) {
 ocr->pid = -1;
- (*ocr->maintenance) (OC_REASON_DEATH, ocr->data, status);
+ (*ocr->maintenance) (OC_REASON_DEATH, ocr->data, (ap_wait_t)status);
 }
 else if (waitret == 0) {
- (*ocr->maintenance) (OC_REASON_RESTART, ocr->data, -1);
+ (*ocr->maintenance) (OC_REASON_RESTART, ocr->data, (ap_wait_t)-1);
 ++not_dead_yet;
 }
 else if (waitret == -1) {
 /* uh what the heck? they didn't call unregister? */
 ocr->pid = -1;
- (*ocr->maintenance) (OC_REASON_LOST, ocr->data, -1);
+ (*ocr->maintenance) (OC_REASON_LOST, ocr->data, (ap_wait_t)-1);
 }
 }
 #endif
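Review bot: The umask save, tighten and restore sequence around `fopen(fname, "w")` in `ap_log_pid` carries no comment saying what it protects. State the intent above the first `#ifndef WIN32` block: `/* never create the pid file group- or world-writable, whatever umask we were started with */`. The umask only applies when the file is newly created; `fopen` with `"w"` truncates an existing file, or whatever an existing link points to, and keeps its current mode, so the directory that holds the pid file still has to be writable only by the user that starts the server. The function body starts and ends outside this hunk.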
@@ -5078,6 +5078,11 @@ int REALMAIN(int argc, char *argv[])
 child_timeouts = !ap_standalone || one_process;
+#ifdef BEOS
+ /* make sure we're running in single_process mode - Yuck! */
+ one_process = 1;
+#endif
+
 #ifndef TPF
 if (ap_standalone) {
 ap_open_logs(server_conf, plog);
diff --git a/usr.sbin/httpd/src/main/http_protocol.c b/usr.sbin/httpd/src/main/http_protocol.c
index 1622f08aaa0..76db20ad67b 100644
--- a/usr.sbin/httpd/src/main/http_protocol.c
+++ b/usr.sbin/httpd/src/main/http_protocol.c
@@ -103,6 +103,43 @@
 #endif /*CHARSET_EBCDIC*/
+/*
+ * Builds the content-type that should be sent to the client from the
+ * content-type specified. The following rules are followed:
+ * - if type is NULL, type is set to ap_default_type(r)
+ * - if charset adding is disabled, stop processing and return type.
+ * - then, if there are no parameters on type, add the default charset
+ * - return type
+ */
+static const char *make_content_type(request_rec *r, const char *type) {
+ char *needcset[] = {
+ "text/plain",
+ "text/html",
+ NULL };
+ char **pcset;
+ core_dir_config *conf = (core_dir_config *)ap_get_module_config(
+ r->per_dir_config, &core_module);
+ if (!type) type = ap_default_type(r);
+ if (conf->add_default_charset != ADD_DEFAULT_CHARSET_ON) return type;
+
+ if (ap_strcasestr(type, "charset=") != NULL) {
+ /* already has parameter, do nothing */
+ /* XXX we don't check the validity */
+ ;
+ } else {
+ /* see if it makes sense to add the charset. At present,
+ * we only add it if the Content-type is one of needcset[]
+ */
+ for (pcset = needcset; *pcset ; pcset++)
+ if (ap_strcasestr(type, *pcset) != NULL) {
+ type = ap_pstrcat(r->pool, type, "; charset=",
+ conf->add_default_charset_name, NULL);
+ break;
+ }
+ }
+ return type;
+}
+
 static int parse_byterange(char *range, long clength, long *start, long *end)
 {
 char *dash = strchr(range, '-');
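Review bot: `make_content_type` decides with `ap_strcasestr`, which matches anywhere in the string, so `text/html` also matches a type such as `text/htmlx` or any value that merely contains it, and the `charset=` probe matches inside another parameter's name or value. Comparing the bare media type for equality is stricter and uses helpers this tree already exports (`ap_field_noparam`, `strcasecmp`). The `needcset` table can also be `static const` so it is not rebuilt on every response. The comment block above the function says the charset is added when there are "no parameters", which is not what the code tests and should be reworded to "no charset parameter".

```c
static const char *make_content_type(request_rec *r, const char *type) {
    static const char * const needcset[] = {
        "text/plain",
        "text/html",
        NULL };
    const char * const *pcset;
    const char *base;
    /* ... unchanged: conf lookup, NULL-type default, charset-disabled return ... */
    if (ap_strcasestr(type, "charset=") == NULL) {
        /* compare the bare media type, not a substring of the header value */
        base = ap_field_noparam(r->pool, type);
        for (pcset = needcset; *pcset; pcset++)
            if (!strcasecmp(base, *pcset)) {
                type = ap_pstrcat(r->pool, type, "; charset=",
                                  conf->add_default_charset_name, NULL);
                break;
            }
    }
    return type;
}
```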
@@ -265,7 +302,7 @@ static int internal_byterange(int realreq, long *tlength, request_rec *r, } if (r->byterange > 1) { - const char *ct = r->content_type ? r->content_type : ap_default_type(r); + const char *ct = make_content_type(r, r->content_type); char ts[MAX_STRING_LEN]; ap_snprintf(ts, sizeof(ts), "%ld-%ld/%ld", range_start, range_end, @@ -929,7 +966,7 @@ static void get_mime_headers(request_rec *r) r->status = HTTP_BAD_REQUEST; ap_table_setn(r->notes, "error-notes", ap_pstrcat(r->pool, "Size of a request header field exceeds server limit.

      \n" - "

      \n", field, "
      \n", NULL)); + "
      \n", ap_escape_html(r->pool, field), "
      \n", NULL)); return; } copy = ap_palloc(r->pool, len + 1); @@ -939,7 +976,7 @@ static void get_mime_headers(request_rec *r) r->status = HTTP_BAD_REQUEST; /* or abort the bad request */ ap_table_setn(r->notes, "error-notes", ap_pstrcat(r->pool, "Request header field is missing colon separator.

      \n" - "

      \n", copy, "
      \n", NULL)); + "
      \n", ap_escape_html(r->pool, copy), "
      \n", NULL)); return; } @@ -1645,10 +1682,8 @@ API_EXPORT(void) ap_send_http_header(request_rec *r) ap_table_setn(r->headers_out, "Content-Type", ap_pstrcat(r->pool, "multipart", use_range_x(r) ? "/x-" : "/", "byteranges; boundary=", r->boundary, NULL)); - else if (r->content_type) - ap_table_setn(r->headers_out, "Content-Type", r->content_type); - else - ap_table_setn(r->headers_out, "Content-Type", ap_default_type(r)); + else ap_table_setn(r->headers_out, "Content-Type", make_content_type(r, + r->content_type)); if (r->content_encoding) ap_table_setn(r->headers_out, "Content-Encoding", r->content_encoding); @@ -2559,7 +2594,7 @@ API_EXPORT(void) ap_send_error_response(request_rec *r, int recursive_error) r->content_languages = NULL; r->content_encoding = NULL; r->clength = 0; - r->content_type = "text/html"; + r->content_type = "text/html; charset=iso-8859-1"; if ((status == METHOD_NOT_ALLOWED) || (status == NOT_IMPLEMENTED)) ap_table_setn(r->headers_out, "Allow", make_allow(r)); diff --git a/usr.sbin/httpd/src/main/util.c b/usr.sbin/httpd/src/main/util.c index c4fff1c8138..5b8fba06d67 100644 --- a/usr.sbin/httpd/src/main/util.c +++ b/usr.sbin/httpd/src/main/util.c @@ -127,6 +127,8 @@ API_EXPORT(char *) ap_field_noparam(pool *p, const char *intype) { const char *semi; + if (intype == NULL) return NULL; + semi = strchr(intype, ';'); if (semi == NULL) { return ap_pstrdup(p, intype); 
@@ -301,6 +303,38 @@ API_EXPORT(int) ap_is_matchexp(const char *str)
 return 0;
 }
+/*
+ * Similar to standard strstr() but we ignore case in this version.
+ * Based on the strstr() implementation further below.
+ */
+API_EXPORT(char *) ap_strcasestr(const char *s1, const char *s2)
+{
+ char *p1, *p2;
+ if (*s2 == '\0') {
+ /* an empty s2 */
+ return((char *)s1);
+ }
+ while(1) {
+ for ( ; (*s1 != '\0') && (ap_tolower(*s1) != ap_tolower(*s2)); s1++);
+ if (*s1 == '\0') return(NULL);
+ /* found first character of s2, see if the rest matches */
+ p1 = (char *)s1;
+ p2 = (char *)s2;
+ while (ap_tolower(*++p1) == ap_tolower(*++p2)) {
+ if (*p1 == '\0') {
+ /* both strings ended together */
+ return((char *)s1);
+ }
+ }
+ if (*p2 == '\0') {
+ /* second string ended, a match */
+ break;
+ }
+ /* didn't find a match here, try starting at next character in s1 */
+ s1++;
+ }
+ return((char *)s1);
+}
 /*
 * Apache stub function for the regex libraries regexec() to make sure the
 * whole regex(3) API is available through the Apache (exported) namespace.
@@ -807,7 +841,11 @@ API_EXPORT(configfile_t *) ap_pcfg_openfile(pool *p, const char *name)
 return NULL;
 }
+#ifdef FOPEN_REQUIRES_T
 file = ap_pfopen(p, name, "rt");
+#else
+ file = ap_pfopen(p, name, "r");
+#endif
 #ifdef DEBUG
 saved_errno = errno;
 ap_log_error(APLOG_MARK, APLOG_DEBUG | APLOG_NOERRNO, NULL,
diff --git a/usr.sbin/httpd/src/modules/experimental/mod_auth_digest.c b/usr.sbin/httpd/src/modules/experimental/mod_auth_digest.c
index 2f0fa8366a0..18312aea94e 100644
--- a/usr.sbin/httpd/src/modules/experimental/mod_auth_digest.c
+++ b/usr.sbin/httpd/src/modules/experimental/mod_auth_digest.c
@@ -87,7 +87,7 @@
 * Name: digest_auth_module
 * ConfigStart
- RULE_DEV_RANDOM=`sh helpers/CutRule DEV_RANDOM $file`
+ RULE_DEV_RANDOM=`./helpers/CutRule DEV_RANDOM $file`
 if [ "$RULE_DEV_RANDOM" = "default" ]; then
 if [ -r "/dev/random" ]; then
 RULE_DEV_RANDOM="/dev/random"
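Review bot: `ap_strcasestr` takes `const char *s1` and returns a writable `char *` into it, and its comment block does not say what is returned. Extend the comment with the contract: a pointer to the first case-insensitive occurrence of `s2` in `s1`, `s1` itself when `s2` is empty, NULL when there is no match, and a statement that the result aliases `s1` and must not be written through when `s1` is constant. Computing `ap_tolower(*s2)` once into a local before the `while(1)` loop would also make the scanning `for` easier to read.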
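Review bot: In the mod_auth_digest ConfigStart block, replacing `sh helpers/CutRule` with `./helpers/CutRule` makes the configure step depend on the helper having its execute bit set, which a tree unpacked without file modes will not have. If the helper cannot run, the command substitution is empty and `RULE_DEV_RANDOM` no longer equals `default`; what the rest of the block does with an empty value is not visible in this hunk, and this rule picks the random source for digest authentication. The same substitution is made for `CutRule` and `TestCompile` in the libssl.module hunks. Keeping the interpreter explicit avoids the dependency: `RULE_DEV_RANDOM=`sh ./helpers/CutRule DEV_RANDOM $file``.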
diff --git a/usr.sbin/httpd/src/modules/proxy/mod_proxy.c b/usr.sbin/httpd/src/modules/proxy/mod_proxy.c
index 0587ec319f6..ea2b0da71bd 100644
--- a/usr.sbin/httpd/src/modules/proxy/mod_proxy.c
+++ b/usr.sbin/httpd/src/modules/proxy/mod_proxy.c
@@ -247,6 +247,10 @@ static int proxy_fixup(request_rec *r)
 static void proxy_init(server_rec *r, pool *p)
 {
 ap_proxy_garbage_init(r, p);
+#ifdef EAPI
+ ap_hook_use("ap::mod_proxy::init",
+ AP_HOOK_SIG3(void,ptr,ptr), AP_HOOK_ALL, r, p);
+#endif
 }
 #ifdef EAPI
diff --git a/usr.sbin/httpd/src/modules/proxy/proxy_http.c b/usr.sbin/httpd/src/modules/proxy/proxy_http.c
index 78a889a6b26..b08dca9b518 100644
--- a/usr.sbin/httpd/src/modules/proxy/proxy_http.c
+++ b/usr.sbin/httpd/src/modules/proxy/proxy_http.c
@@ -189,6 +189,9 @@ int ap_proxy_http_handler(request_rec *r, cache_req *c, char *url,
 const char *urlptr = NULL;
 const char *datestr;
 struct tbl_do_args tdo;
+#ifdef EAPI
+ char *peer;
+#endif
 void *sconf = r->server->module_config;
 proxy_server_conf *conf =
@@ -249,12 +252,18 @@ int ap_proxy_http_handler(request_rec *r, cache_req *c, char *url,
 err = ap_proxy_host2addr(proxyhost, &server_hp);
 if (err != NULL)
 return DECLINED; /* try another */
+#ifdef EAPI
+ peer = ap_psprintf(p, "%s:%u", proxyhost, proxyport);
+#endif
 }
 else {
 server.sin_port = htons(destport);
 err = ap_proxy_host2addr(desthost, &server_hp);
 if (err != NULL)
 return ap_proxyerror(r, HTTP_INTERNAL_SERVER_ERROR, err);
+#ifdef EAPI
+ peer = ap_psprintf(p, "%s:%u", desthost, destport);
+#endif
 }
 sock = ap_psocket(p, PF_INET, SOCK_STREAM, IPPROTO_TCP);
@@ -315,9 +324,9 @@ int ap_proxy_http_handler(request_rec *r, cache_req *c, char *url,
 {
 char *errmsg = NULL;
 ap_hook_use("ap::mod_proxy::http::handler::new_connection",
- AP_HOOK_SIG3(ptr,ptr,ptr),
+ AP_HOOK_SIG4(ptr,ptr,ptr,ptr),
 AP_HOOK_DECLINE(NULL),
- &errmsg, r, f);
+ &errmsg, r, f, peer);
 if (errmsg != NULL)
 return ap_proxyerror(r, HTTP_BAD_GATEWAY, errmsg);
 }
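Review bot: In `ap_proxy_http_handler`, `peer` is declared without a comment and is assigned only inside the two `#ifdef EAPI` blocks before being handed to the `new_connection` hook, so nothing states which endpoint it names. When `proxyhost` is in use the string is the upstream proxy's host and port, not the origin server's; a hook that uses it to identify the TLS peer (an assumption, the hook body is not in this diff) would then be keyed on the wrong host. Suggested comment at the declaration: `/* "host:port" of the socket's next hop (proxy or origin), passed to the EAPI new_connection hook */`. The `%u` conversions take `proxyport` and `destport`, whose declared types are outside the hunk; confirm they are unsigned or cast them.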
diff --git a/usr.sbin/httpd/src/modules/proxy/proxy_util.c b/usr.sbin/httpd/src/modules/proxy/proxy_util.c index 52f8f50aaee..d1d47208070 100644 --- a/usr.sbin/httpd/src/modules/proxy/proxy_util.c +++ b/usr.sbin/httpd/src/modules/proxy/proxy_util.c @@ -844,11 +844,15 @@ int ap_proxyerror(request_rec *r, int statuscode, const char *message) ap_table_setn(r->notes, "error-notes", ap_pstrcat(r->pool, "The proxy server could not handle the request " - "uri, "\">", - r->method, " ", r->uri, ".

      \n" - "Reason: ", message, "", NULL)); - - /* Allow the "error-notes" string to be printed by ap_send_error_response() */ + "pool, r->uri), + "\">", ap_escape_html(r->pool, r->method), + " ", + ap_escape_html(r->pool, r->uri), ".

      \n" + "Reason: ", + ap_escape_html(r->pool, message), + "", NULL)); + + /* Allow "error-notes" string to be printed by ap_send_error_response() */ ap_table_setn(r->notes, "verbose-error-to", ap_pstrdup(r->pool, "*")); r->status_line = ap_psprintf(r->pool, "%3.3u Proxy Error", statuscode); diff --git a/usr.sbin/httpd/src/modules/ssl/Makefile.tmpl b/usr.sbin/httpd/src/modules/ssl/Makefile.tmpl index 503ad23725e..a960a3e1c1a 100644 --- a/usr.sbin/httpd/src/modules/ssl/Makefile.tmpl +++ b/usr.sbin/httpd/src/modules/ssl/Makefile.tmpl @@ -171,6 +171,16 @@ ssl_expr_parse.c ssl_expr_parse.h: ssl_expr_parse.y sed -e 's;yy;ssl_expr_yy;g' \ ssl_expr_parse.h && rm -f y.tab.h +nocons: + @$(MAKE) $(MFLAGS) $(MFLAGS_STATIC) \ + SSL_CFLAGS="`echo $(SSL_CFLAGS) |\ + sed -e 's;-DSSL_CONSERVATIVE;;'`" all + +cons: + @$(MAKE) $(MFLAGS) $(MFLAGS_STATIC) \ + SSL_CFLAGS="`echo $(SSL_CFLAGS) |\ + sed -e 's;-DSSL_CONSERVATIVE;;' \ + -e 's;^;-DSSL_CONSERVATIVE ;'`" all noexp: @$(MAKE) $(MFLAGS) $(MFLAGS_STATIC) \ SSL_CFLAGS="`echo $(SSL_CFLAGS) |\ diff --git a/usr.sbin/httpd/src/modules/ssl/README b/usr.sbin/httpd/src/modules/ssl/README index 416af28176d..4b6679efbcb 100644 --- a/usr.sbin/httpd/src/modules/ssl/README +++ b/usr.sbin/httpd/src/modules/ssl/README @@ -7,7 +7,7 @@ mod_ssl ``Ralf Engelschall has released an Apache Interface to OpenSSL excellent module that integrates http://www.modssl.org/ Apache and SSLeay.'' - Version 2.5 -- Tim J. Hudson + Version 2.6 -- Tim J. Hudson SYNOPSIS diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.module b/usr.sbin/httpd/src/modules/ssl/libssl.module index d30b2d3302d..dbb0248c20c 100644 --- a/usr.sbin/httpd/src/modules/ssl/libssl.module +++ b/usr.sbin/httpd/src/modules/ssl/libssl.module 
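Review bot: In `ap_proxyerror` the escaped `r->uri` is followed by `"\">"`, so it appears to sit inside a double-quoted attribute (the markup itself is lost in this rendering). `ap_escape_html` is not shown in this diff; if it encodes only `<`, `>` and `&`, a `"` in the URI still ends the attribute early. Confirm that the helper encodes the double quote, or URI-escape the value used inside the attribute and keep `ap_escape_html` for the visible text. The function body starts and ends outside the hunk.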
@@ -142,11 +142,11 @@ ConfigStart my_rule_SSL_CONSERVATIVE=$SSL_CONSERVATIVE my_rule_SSL_VENDOR=$SSL_VENDOR else - my_rule_SSL_COMPAT=`sh helpers/CutRule SSL_COMPAT $file` - my_rule_SSL_SDBM=`sh helpers/CutRule SSL_SDBM $file` - my_rule_SSL_EXPERIMENTAL=`sh helpers/CutRule SSL_EXPERIMENTAL $file` - my_rule_SSL_CONSERVATIVE=`sh helpers/CutRule SSL_CONSERVATIVE $file` - my_rule_SSL_VENDOR=`sh helpers/CutRule SSL_VENDOR $file` + my_rule_SSL_COMPAT=`./helpers/CutRule SSL_COMPAT $file` + my_rule_SSL_SDBM=`./helpers/CutRule SSL_SDBM $file` + my_rule_SSL_EXPERIMENTAL=`./helpers/CutRule SSL_EXPERIMENTAL $file` + my_rule_SSL_CONSERVATIVE=`./helpers/CutRule SSL_CONSERVATIVE $file` + my_rule_SSL_VENDOR=`./helpers/CutRule SSL_VENDOR $file` fi # @@ -208,7 +208,7 @@ ConfigStart if [ ".$DBM_LIB" != . ]; then LIBS_ORIG="$LIBS" LIBS="$LIBS $DBM_LIB" - if sh helpers/TestCompile func dbm_open; then + if ./helpers/TestCompile func dbm_open; then SSL_DBM_NAME="Configured DBM ($DBM_LIB)" SSL_DBM_FLAG="$DBM_LIB" fi @@ -216,13 +216,13 @@ ConfigStart fi # 2. check for various vendor DBM libs if [ ".$SSL_DBM_NAME" = . ]; then - if sh helpers/TestCompile func dbm_open; then + if ./helpers/TestCompile func dbm_open; then SSL_DBM_NAME='Vendor DBM (libc)' SSL_DBM_FLAG='' - elif sh helpers/TestCompile lib dbm dbm_open; then + elif ./helpers/TestCompile lib dbm dbm_open; then SSL_DBM_NAME='Vendor DBM (libdbm)' SSL_DBM_FLAG='-ldbm' - elif sh helpers/TestCompile lib ndbm dbm_open; then + elif ./helpers/TestCompile lib ndbm dbm_open; then SSL_DBM_NAME='Vendor DBM (libndbm)' SSL_DBM_FLAG='-lndbm' fi @@ -272,7 +272,11 @@ ConfigStart if [ ".$SSL_BASE" = . ]; then SSL_BASE=`egrep '^SSL_BASE=' $file | tail -1 | awk -F= '{print $2}'` if [ ".$SSL_BASE" = . ]; then - SSL_BASE="/usr/local/ssl" + if [ -d /usr/local/ssl ]; then + SSL_BASE="/usr/local/ssl" + else + SSL_BASE="SYSTEM" + fi fi fi case $SSL_BASE in 
@@ -391,10 +395,10 @@ ConfigStart exit 1 fi else - if [ -f "$SSL_BASE/libssl.a" ]; then + if [ -f "$SSL_BASE/libssl.a" -o -f "$SSL_BASE/libssl.so" ]; then SSL_LIBDIR='$(SSL_BASE)' my_real_ssl_libdir="$SSL_BASE" - elif [ -f "$SSL_BASE/lib/libssl.a" ]; then + elif [ -f "$SSL_BASE/lib/libssl.a" -o -f "$SSL_BASE/lib/libssl.so" ]; then SSL_LIBDIR='$(SSL_BASE)/lib' my_real_ssl_libdir="$SSL_BASE/lib" else diff --git a/usr.sbin/httpd/src/modules/ssl/libssl.version b/usr.sbin/httpd/src/modules/ssl/libssl.version index 352a795ba42..f772c9fffa1 100644 --- a/usr.sbin/httpd/src/modules/ssl/libssl.version +++ b/usr.sbin/httpd/src/modules/ssl/libssl.version @@ -1 +1 @@ -mod_ssl/2.5.0-1.3.11 +mod_ssl/2.6.2-1.3.12 diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c index 92ebad83622..d872b6701e4 100644 --- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.c +++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.c @@ -74,7 +74,7 @@ * identify the module to SCCS `what' and RCS `ident' commands */ static char const sccsid[] = "@(#) mod_ssl/" MOD_SSL_VERSION " >"; -static char const rcsid[] = "$Id: mod_ssl.c,v 1.3 2000/01/25 18:29:53 beck Exp $"; +static char const rcsid[] = "$Id: mod_ssl.c,v 1.4 2000/03/19 11:17:20 beck Exp $"; /* * the table of configuration directives we provide 
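Review bot: The two new library tests in libssl.module join their conditions with `-o` inside a single `[ ]`, which POSIX marks obsolescent and which older `test` implementations can misparse when an operand looks like an operator. Two separate tests are unambiguous: `if [ -f "$SSL_BASE/libssl.a" ] || [ -f "$SSL_BASE/libssl.so" ]; then`, and likewise for the `lib/` variant. Only the `.so` suffix is named, so a platform with a different shared-library suffix still reaches the `else` branch. The enclosing `if` starts and ends outside the hunk.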
@@ -154,6 +154,36 @@ static command_rec ssl_config_cmds[] = { "Enable or disable various SSL protocols" "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)") +#ifdef SSL_EXPERIMENTAL + /* + * Proxy configuration for remote SSL connections + */ + AP_SRV_CMD(ProxyProtocol, RAW_ARGS, + "SSL Proxy: enable or disable SSL protocol flavors " + "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)") + AP_SRV_CMD(ProxyCipherSuite, TAKE1, + "SSL Proxy: colon-delimited list of permitted SSL ciphers " + "(`XXX:...:XXX' - see manual)") + AP_SRV_CMD(ProxyVerify, FLAG, + "SSL Proxy: whether to verify the remote certificate " + "(`on' or `off')") + AP_SRV_CMD(ProxyVerifyDepth, TAKE1, + "SSL Proxy: maximum certificate verification depth " + "(`N' - number of intermediate certificates)") + AP_SRV_CMD(ProxyCACertificateFile, TAKE1, + "SSL Proxy: file containing server certificates " + "(`/path/to/file' - PEM encoded certificates)") + AP_SRV_CMD(ProxyCACertificatePath, TAKE1, + "SSL Proxy: directory containing server certificates " + "(`/path/to/dir' - contains PEM encoded certificates)") + AP_SRV_CMD(ProxyMachineCertificateFile, TAKE1, + "SSL Proxy: file containing client certificates " + "(`/path/to/file' - PEM encoded certificates)") + AP_SRV_CMD(ProxyMachineCertificatePath, TAKE1, + "SSL Proxy: directory containing client certificates " + "(`/path/to/dir' - contains PEM encoded certificates)") +#endif + /* * Per-directory context configuration directives */ diff --git a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h index d564b66406c..3725844c3d0 100644 --- a/usr.sbin/httpd/src/modules/ssl/mod_ssl.h +++ b/usr.sbin/httpd/src/modules/ssl/mod_ssl.h @@ -82,11 +82,15 @@ #include #include #include +#include +#include #include #ifndef WIN32 #include #endif -#include +#ifdef WIN32 +#include +#endif /* OpenSSL headers */ #include 
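Review bot: The help text for `ProxyCACertificateFile` and `ProxyCACertificatePath` in `ssl_config_cmds` says "server certificates", but going by the directive names and the `szProxyCACertificate*` fields added to mod_ssl.h these hold the CA certificates used to verify the remote server. Reword them to `"SSL Proxy: file containing CA certificates "` and `"SSL Proxy: directory containing CA certificates "`. The `ProxyVerify` text should also state the default, because an operator who omits the directive needs to know whether the remote certificate is checked at all; the default is not visible in this diff.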
@@ -497,6 +501,9 @@ typedef enum { SSL_RSSRC_BUILTIN = 1, SSL_RSSRC_FILE = 2, SSL_RSSRC_EXEC = 3 +#if SSL_LIBRARY_VERSION >= 0x00905100 + ,SSL_RSSRC_EGD = 4 +#endif } ssl_rssrc_t; typedef struct { ssl_rsctx_t nCtx; @@ -572,6 +579,19 @@ typedef struct { char *szCARevocationPath; char *szCARevocationFile; X509_STORE *pRevocationStore; +#ifdef SSL_EXPERIMENTAL + /* Configuration details for proxy operation */ + ssl_proto_t nProxyProtocol; + int bProxyVerify; + int nProxyVerifyDepth; + char *szProxyCACertificatePath; + char *szProxyCACertificateFile; + char *szProxyClientCertificateFile; + char *szProxyClientCertificatePath; + char *szProxyCipherSuite; + SSL_CTX *pSSLProxyCtx; + STACK_OF(X509_INFO) *skProxyClientCerts; +#endif #ifdef SSL_VENDOR ap_ctx *ctx; #endif @@ -637,6 +657,16 @@ const char *ssl_cmd_SSLProtocol(cmd_parms *, char *, const char *); const char *ssl_cmd_SSLOptions(cmd_parms *, SSLDirConfigRec *, const char *); const char *ssl_cmd_SSLRequireSSL(cmd_parms *, SSLDirConfigRec *, char *); const char *ssl_cmd_SSLRequire(cmd_parms *, SSLDirConfigRec *, char *); +#ifdef SSL_EXPERIMENTAL +const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, char *, const char *); +const char *ssl_cmd_SSLProxyCipherSuite(cmd_parms *, char *, char *); +const char *ssl_cmd_SSLProxyVerify(cmd_parms *, char *, int); +const char *ssl_cmd_SSLProxyVerifyDepth(cmd_parms *, char *, char *); +const char *ssl_cmd_SSLProxyCACertificatePath(cmd_parms *, char *, char *); +const char *ssl_cmd_SSLProxyCACertificateFile(cmd_parms *, char *, char *); +const char *ssl_cmd_SSLProxyMachineCertificatePath(cmd_parms *, char *, char *); +const char *ssl_cmd_SSLProxyMachineCertificateFile(cmd_parms *, char *, char *); +#endif /* module initialization */ void ssl_init_Module(server_rec *, pool *); 
@@ -753,12 +783,12 @@ char *ssl_var_lookup(pool *, server_rec *, conn_rec *, request_rec *, cha void ssl_io_register(void); void ssl_io_unregister(void); long ssl_io_data_cb(BIO *, int, const char *, int, long, long); -#ifdef SSL_EXPERIMENTAL +#ifndef SSL_CONSERVATIVE void ssl_io_suck(request_rec *, SSL *); #endif /* PRNG */ -int ssl_rand_seed(server_rec *, pool *, ssl_rsctx_t); +int ssl_rand_seed(server_rec *, pool *, ssl_rsctx_t, char *); /* Extensions */ void ssl_ext_register(void); diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c index de92ab89574..1f44f4440d9 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_compat.c @@ -78,6 +78,7 @@ * The mapping of obsolete directives to official ones... */ +static char *ssl_compat_RequireSSL(pool *, const char *, const char *, const char *); static char *ssl_compat_SSLSessionLockFile(pool *, const char *, const char *, const char *); static char *ssl_compat_SSLCacheDisable(pool *, const char *, const char *, const char *); static char *ssl_compat_SSLRequireCipher(pool *, const char *, const char *, const char *); 
@@ -152,23 +153,39 @@ static struct { CRM_ENTRY( CRM_CMD("SSLClientCAfile"), CRM_SUB("SSLCACertificateFile") ) CRM_ENTRY( CRM_CMD("SSLSessionLockFile"), CRM_CAL(ssl_compat_SSLSessionLockFile) ) CRM_ENTRY( CRM_CMD("SSLCacheDisable"), CRM_CAL(ssl_compat_SSLCacheDisable) ) - CRM_ENTRY( CRM_CMD("RequireSSL"), CRM_SUB("SSLRequireSSL") ) + CRM_ENTRY( CRM_CMD("RequireSSL"), CRM_CAL(ssl_compat_RequireSSL) ) CRM_ENTRY( CRM_CMD("SSLCipherList"), CRM_SUB("SSLCipherSuite") ) CRM_ENTRY( CRM_CMD("SSLErrorFile"), CRM_LOG("Not needed for mod_ssl") ) CRM_ENTRY( CRM_CMD("SSLRoot"), CRM_LOG("Not supported by mod_ssl") ) CRM_ENTRY( CRM_CMD("SSL_CertificateLogDir"), CRM_LOG("Not supported by mod_ssl") ) CRM_ENTRY( CRM_CMD("AuthCertDir"), CRM_LOG("Not supported by mod_ssl") ) CRM_ENTRY( CRM_CMD("SSL_Group"), CRM_LOG("Not supported by mod_ssl") ) +#ifndef SSL_EXPERIMENTAL CRM_ENTRY( CRM_CMD("SSLProxyMachineCertPath"), CRM_LOG("Not supported by mod_ssl") ) CRM_ENTRY( CRM_CMD("SSLProxyMachineCertFile"), CRM_LOG("Not supported by mod_ssl") ) CRM_ENTRY( CRM_CMD("SSLProxyCACertificatePath"), CRM_LOG("Not supported by mod_ssl") ) CRM_ENTRY( CRM_CMD("SSLProxyCACertificateFile"), CRM_LOG("Not supported by mod_ssl") ) CRM_ENTRY( CRM_CMD("SSLProxyVerifyDepth"), CRM_LOG("Not supported by mod_ssl") ) CRM_ENTRY( CRM_CMD("SSLProxyCipherList"), CRM_LOG("Not supported by mod_ssl") ) +#else + CRM_ENTRY( CRM_CMD("SSLProxyCipherList"), CRM_SUB("SSLProxyCipherSuite") ) +#endif CRM_END }; +static char *ssl_compat_RequireSSL( + pool *p, const char *oline, const char *cmd, const char *args) +{ + char *cp; + + for (cp = (char *)args; ap_isspace(*cp); cp++) + ; + if (strcEQ(cp, "on")) + return "SSLRequireSSL"; + return ""; +} + static char *ssl_compat_SSLSessionLockFile( pool *p, const char *oline, const char *cmd, const char *args) { diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c index 3fdc86efb58..9f62ee6c216 100644 
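Review bot: ssl_compat_RequireSSL fails open: once leading whitespace is skipped, any argument that does not compare equal to "on" makes it return the empty string, so a misspelt value or one with a trailing blank would apparently drop the directive instead of mapping it to SSLRequireSSL. How the caller treats an empty replacement is outside this hunk, so that consequence is inferred. For an access-control directive it is safer to drop it only on an explicit off and map everything else, e.g. `if (strcEQ(cp, "off")) return "";` followed by `return "SSLRequireSSL";`, or at least to log values that are not recognised.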
--- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_config.c @@ -206,6 +206,18 @@ void *ssl_config_server_create(pool *p, server_rec *s) sc->szCARevocationFile = NULL; sc->pRevocationStore = NULL; +#ifdef SSL_EXPERIMENTAL + sc->nProxyVerifyDepth = UNSET; + sc->szProxyCACertificatePath = NULL; + sc->szProxyCACertificateFile = NULL; + sc->szProxyClientCertificateFile = NULL; + sc->szProxyClientCertificatePath = NULL; + sc->szProxyCipherSuite = NULL; + sc->nProxyProtocol = SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_TLSV1; + sc->bProxyVerify = UNSET; + sc->pSSLProxyCtx = NULL; +#endif + (void)memset(sc->szPublicCertFile, 0, SSL_AIDX_MAX*sizeof(char *)); (void)memset(sc->szPrivateKeyFile, 0, SSL_AIDX_MAX*sizeof(char *)); (void)memset(sc->pPublicCert, 0, SSL_AIDX_MAX*sizeof(X509 *)); @@ -264,6 +276,18 @@ void *ssl_config_server_merge(pool *p, void *basev, void *addv) p, base, add, new); #endif +#ifdef SSL_EXPERIMENTAL + cfgMergeInt(nProxyVerifyDepth); + cfgMergeString(szProxyCACertificatePath); + cfgMergeString(szProxyCACertificateFile); + cfgMergeString(szProxyClientCertificateFile); + cfgMergeString(szProxyClientCertificatePath); + cfgMergeString(szProxyCipherSuite); + cfgMerge(nProxyProtocol, (SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_TLSV1)); + cfgMergeBool(bProxyVerify); + cfgMerge(pSSLProxyCtx, NULL); +#endif + return new; } @@ -443,6 +467,12 @@ const char *ssl_cmd_SSLRandomSeed( pRS->nSrc = SSL_RSSRC_EXEC; pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2+5)); } +#if SSL_LIBRARY_VERSION >= 0x00905100 + else if (strlen(arg2) > 4 && strEQn(arg2, "egd:", 4)) { + pRS->nSrc = SSL_RSSRC_EGD; + pRS->cpPath = ap_pstrdup(mc->pPool, ap_server_root_relative(cmd->pool, arg2+4)); + } +#endif else if (strcEQ(arg2, "builtin")) { pRS->nSrc = SSL_RSSRC_BUILTIN; pRS->cpPath = NULL; 
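Review bot: The proxy defaults set in ssl_config_server_create pick the weaker option each time and nothing in the code says why: `sc->nProxyProtocol = SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_TLSV1` leaves SSLv2 and SSLv3 enabled while excluding TLSv1, and `bProxyVerify` starts as UNSET, which ssl_ext_mp_init later in this patch turns into FALSE. The same mask is repeated in the ssl_config_server_merge hunk (`cfgMerge(nProxyProtocol, ...)`). I would add a comment above the assignment, such as `/* proxy default deliberately omits TLSv1: <reason>; remote certificates are not verified unless SSLProxyVerify is on */`, and define the mask once as a named macro so the two places cannot drift apart. `skProxyClientCerts` is the only new field that neither hunk initialises or merges; whether the record is zero-filled on allocation is not visible here.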
@@ -872,3 +902,133 @@ const char *ssl_cmd_SSLProtocol( return NULL; } +#ifdef SSL_EXPERIMENTAL + +const char *ssl_cmd_SSLProxyProtocol( + cmd_parms *cmd, char *struct_ptr, const char *opt) +{ + SSLSrvConfigRec *sc; + ssl_proto_t options, thisopt; + char action; + char *w; + + sc = mySrvConfig(cmd->server); + options = SSL_PROTOCOL_NONE; + while (opt[0] != NUL) { + w = ap_getword_conf(cmd->pool, &opt); + + action = NUL; + if (*w == '+' || *w == '-') + action = *(w++); + + if (strcEQ(w, "SSLv2")) + thisopt = SSL_PROTOCOL_SSLV2; + else if (strcEQ(w, "SSLv3")) + thisopt = SSL_PROTOCOL_SSLV3; + else if (strcEQ(w, "TLSv1")) + thisopt = SSL_PROTOCOL_TLSV1; + else if (strcEQ(w, "all")) + thisopt = SSL_PROTOCOL_ALL; + else + return ap_pstrcat(cmd->pool, "SSLProxyProtocol: " + "Illegal protocol '", w, "'", NULL); + if (action == '-') + options &= ~thisopt; + else if (action == '+') + options |= thisopt; + else + options = thisopt; + } + sc->nProxyProtocol = options; + return NULL; +} + +const char *ssl_cmd_SSLProxyCipherSuite( + cmd_parms *cmd, char *struct_ptr, char *arg) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + + sc->szProxyCipherSuite = arg; + return NULL; +} + +const char *ssl_cmd_SSLProxyVerify( + cmd_parms *cmd, char *struct_ptr, int flag) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + + sc->bProxyVerify = (flag ? 
TRUE : FALSE); + return NULL; +} + +const char *ssl_cmd_SSLProxyVerifyDepth( + cmd_parms *cmd, char *struct_ptr, char *arg) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + int d; + + d = atoi(arg); + if (d < 0) + return "SSLProxyVerifyDepth: Invalid argument"; + sc->nProxyVerifyDepth = d; + return NULL; +} + +const char *ssl_cmd_SSLProxyCACertificateFile( + cmd_parms *cmd, char *struct_ptr, char *arg) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + char *cpPath; + + cpPath = ap_server_root_relative(cmd->pool, arg); + if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath)) + return ap_pstrcat(cmd->pool, "SSLProxyCACertificateFile: file '", + cpPath, "' not exists or empty", NULL); + sc->szProxyCACertificateFile = cpPath; + return NULL; +} + +const char *ssl_cmd_SSLProxyCACertificatePath( + cmd_parms *cmd, char *struct_ptr, char *arg) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + char *cpPath; + + cpPath = ap_server_root_relative(cmd->pool, arg); + if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath)) + return ap_pstrcat(cmd->pool, "SSLProxyCACertificatePath: directory '", + cpPath, "' does not exists", NULL); + sc->szProxyCACertificatePath = cpPath; + return NULL; +} + +const char *ssl_cmd_SSLProxyMachineCertificateFile( + cmd_parms *cmd, char *struct_ptr, char *arg) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + char *cpPath; + + cpPath = ap_server_root_relative(cmd->pool, arg); + if (!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISREG|SSL_PCM_ISNONZERO, cpPath)) + return ap_pstrcat(cmd->pool, "SSLProxyMachineCertFile: file '", + cpPath, "' not exists or empty", NULL); + sc->szProxyClientCertificateFile = cpPath; + return NULL; +} + +const char *ssl_cmd_SSLProxyMachineCertificatePath( + cmd_parms *cmd, char *struct_ptr, char *arg) +{ + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); + char *cpPath; + + cpPath = ap_server_root_relative(cmd->pool, arg); + if 
(!ssl_util_path_check(SSL_PCM_EXISTS|SSL_PCM_ISDIR, cpPath)) + return ap_pstrcat(cmd->pool, "SSLProxyMachineCertPath: directory '", + cpPath, "' does not exists", NULL); + sc->szProxyClientCertificatePath = cpPath; + return NULL; +} + +#endif /* SSL_EXPERIMENTAL */ + diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c index 87a550c2748..47092184c89 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_ext.c 
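Review bot: ssl_cmd_SSLProxyVerifyDepth parses its argument with `d = atoi(arg);`, so a non-numeric value such as a typo becomes 0 and passes the `d < 0` test without any error. That matters because the depth check in ssl_ext_mp_verify_cb, added later in this patch, runs only when `sc->nProxyVerifyDepth > 0`, so a mistyped depth silently disables the limit. Parse strictly instead, with a local `char *end;`: `d = (int)strtol(arg, &end, 10);` followed by `if (end == arg || *end != NUL || d < 0) return "SSLProxyVerifyDepth: Invalid argument";`. The two MachineCertificate handlers also report errors under the names `SSLProxyMachineCertFile` and `SSLProxyMachineCertPath`, which differ from the handler names; how the directive is actually spelled depends on the AP_SRV_CMD expansion, which is not shown.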
@@ -213,18 +213,27 @@ static char *ssl_ext_mr_lookup_variable(request_rec *r, char *var) ** _________________________________________________________________ */ -static int ssl_ext_mp_canon(request_rec *r, char *url); -static int ssl_ext_mp_handler(request_rec *r, void *cr, char *url, char *proxyhost, int proxyport, char *protocol); -static int ssl_ext_mp_set_destport(request_rec *r); -static char *ssl_ext_mp_new_connection(request_rec *r, BUFF *fb); -static void ssl_ext_mp_close_connection(void *_fb); -static int ssl_ext_mp_write_host_header(request_rec *r, BUFF *fb, char *host, int port, char *portstr); +static int ssl_ext_mp_canon(request_rec *, char *); +static int ssl_ext_mp_handler(request_rec *, void *, char *, char *, int, char *); +static int ssl_ext_mp_set_destport(request_rec *); +static char *ssl_ext_mp_new_connection(request_rec *, BUFF *, char *); +static void ssl_ext_mp_close_connection(void *); +static int ssl_ext_mp_write_host_header(request_rec *, BUFF *, char *, int, char *); +#ifdef SSL_EXPERIMENTAL +static void ssl_ext_mp_init(server_rec *, pool *); +static int ssl_ext_mp_verify_cb(int, X509_STORE_CTX *); +static int ssl_ext_mp_clientcert_cb(SSL *, X509 **, EVP_PKEY **); +#endif /* * register us ... */ static void ssl_ext_mp_register(void) { +#ifdef SSL_EXPERIMENTAL + ap_hook_register("ap::mod_proxy::init", + ssl_ext_mp_init, AP_HOOK_NOCTX); +#endif ap_hook_register("ap::mod_proxy::canon", ssl_ext_mp_canon, AP_HOOK_NOCTX); ap_hook_register("ap::mod_proxy::handler", @@ -240,6 +249,9 @@ static void ssl_ext_mp_register(void) static void ssl_ext_mp_unregister(void) { +#ifdef SSL_EXPERIMENTAL + ap_hook_unregister("ap::mod_proxy::init", ssl_ext_mp_init); +#endif ap_hook_unregister("ap::mod_proxy::canon", ssl_ext_mp_canon); ap_hook_unregister("ap::mod_proxy::handler", ssl_ext_mp_handler); ap_hook_unregister("ap::mod_proxy::http::handler::set_destport", 
@@ -251,6 +263,145 @@ static void ssl_ext_mp_unregister(void) return; } +/* + * SSL proxy initialization + */ +#ifdef SSL_EXPERIMENTAL +static void ssl_ext_mp_init(server_rec *s, pool *p) +{ + SSLSrvConfigRec *sc; + char *cpVHostID; + int nVerify; + SSL_CTX *ctx; + char *cp; + STACK_OF(X509_INFO) *sk; + + /* + * Initialize each virtual server + */ + for (; s != NULL; s = s->next) { + sc = mySrvConfig(s); + cpVHostID = ssl_util_vhostid(p, s); + + if (sc->bProxyVerify == UNSET) + sc->bProxyVerify = FALSE; + + /* + * Create new SSL context and configure callbacks + */ + if (sc->nProxyProtocol == SSL_PROTOCOL_NONE) { + ssl_log(s, SSL_LOG_ERROR, + "Init: (%s) No Proxy SSL protocols available [hint: SSLProxyProtocol]", + cpVHostID); + ssl_die(); + } + cp = ap_pstrcat(p, (sc->nProxyProtocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""), + (sc->nProxyProtocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""), + (sc->nProxyProtocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""), NULL); + cp[strlen(cp)-2] = NUL; + ssl_log(s, SSL_LOG_TRACE, + "Init: (%s) Creating new proxy SSL context (protocols: %s)", + cpVHostID, cp); + if (sc->nProxyProtocol == SSL_PROTOCOL_SSLV2) + ctx = SSL_CTX_new(SSLv2_client_method()); /* only SSLv2 is left */ + else + ctx = SSL_CTX_new(SSLv23_client_method()); /* be more flexible */ + if (ctx == NULL) { + ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR, + "Init: (%s) Unable to create SSL Proxy context", cpVHostID); + ssl_die(); + } + sc->pSSLProxyCtx = ctx; + SSL_CTX_set_options(ctx, SSL_OP_ALL); + if (!(sc->nProxyProtocol & SSL_PROTOCOL_SSLV2)) + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); + if (!(sc->nProxyProtocol & SSL_PROTOCOL_SSLV3)) + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); + if (!(sc->nProxyProtocol & SSL_PROTOCOL_TLSV1)) + SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1); + + if (sc->szProxyClientCertificateFile || sc->szProxyClientCertificatePath) { + sk = sk_X509_INFO_new_null(); + if (sc->szProxyClientCertificateFile) + SSL_load_CrtAndKeyInfo_file(p, sk, 
sc->szProxyClientCertificateFile); + if (sc->szProxyClientCertificatePath) + SSL_load_CrtAndKeyInfo_path(p, sk, sc->szProxyClientCertificatePath); + ssl_log(s, SSL_LOG_TRACE, "Init: (%s) loaded %d client certs for SSL proxy", + cpVHostID, sk_X509_INFO_num(sk)); + if (sk_X509_INFO_num(sk) > 0) { + SSL_CTX_set_client_cert_cb(ctx, ssl_ext_mp_clientcert_cb); + sc->skProxyClientCerts = sk; + } + } + + /* + * Calculate OpenSSL verify type for verifying the remote server + * certificate. We either verify it against our list of CA's, or don't + * bother at all. + */ + nVerify = SSL_VERIFY_NONE; + if (sc->bProxyVerify) + nVerify |= SSL_VERIFY_PEER; + if ( nVerify & SSL_VERIFY_PEER + && sc->szProxyCACertificateFile == NULL + && sc->szProxyCACertificatePath == NULL) { + ssl_log(s, SSL_LOG_ERROR, + "Init: (%s) SSLProxyVerify set to On but no CA certificates configured", + cpVHostID); + ssl_die(); + } + if ( nVerify & SSL_VERIFY_NONE + && ( sc->szProxyCACertificateFile != NULL + || sc->szProxyCACertificatePath != NULL)) { + ssl_log(s, SSL_LOG_WARN, + "init: (%s) CA certificates configured but ignored because SSLProxyVerify is Off", + cpVHostID); + } + SSL_CTX_set_verify(ctx, nVerify, ssl_ext_mp_verify_cb); + + /* + * Enable session caching. We can safely use the same cache + * as used for communicating with the other clients. 
+ */ + SSL_CTX_sess_set_new_cb(sc->pSSLProxyCtx, ssl_callback_NewSessionCacheEntry); + SSL_CTX_sess_set_get_cb(sc->pSSLProxyCtx, ssl_callback_GetSessionCacheEntry); + SSL_CTX_sess_set_remove_cb(sc->pSSLProxyCtx, ssl_callback_DelSessionCacheEntry); + + /* + * Configure SSL Cipher Suite + */ + ssl_log(s, SSL_LOG_TRACE, + "Init: (%s) Configuring permitted SSL ciphers for SSL proxy", cpVHostID); + if (sc->szProxyCipherSuite != NULL) { + if (!SSL_CTX_set_cipher_list(sc->pSSLProxyCtx, sc->szProxyCipherSuite)) { + ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR, + "Init: (%s) Unable to configure permitted SSL ciphers for SSL Proxy", + cpVHostID); + ssl_die(); + } + } + + /* + * Configure Client Authentication details + */ + if (sc->szProxyCACertificateFile != NULL || sc->szProxyCACertificatePath != NULL) { + ssl_log(s, SSL_LOG_DEBUG, + "Init: (%s) Configuring client verification locations for SSL Proxy", + cpVHostID); + if (!SSL_CTX_load_verify_locations(sc->pSSLProxyCtx, + sc->szProxyCACertificateFile, + sc->szProxyCACertificatePath)) { + ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR, + "Init: (%s) Unable to configure SSL verify locations for SSL proxy", + cpVHostID); + ssl_die(); + } + } + } + return; +} +#endif /* SSL_EXPERIMENTAL */ + static int ssl_ext_mp_canon(request_rec *r, char *url) { int rc; 
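Review bot: The warning branch in ssl_ext_mp_init that begins `if ( nVerify & SSL_VERIFY_NONE` can never run, because SSL_VERIFY_NONE is 0 in OpenSSL and the bitwise AND is therefore always false. An administrator who configures SSLProxyCACertificateFile or SSLProxyCACertificatePath but leaves SSLProxyVerify off gets no hint that the CA list is ignored. Test for the absence of the peer flag instead: `if ( !(nVerify & SSL_VERIFY_PEER)`. Because an unset SSLProxyVerify is turned into FALSE at the top of the loop, this is the default path, so the message matters. The return values of SSL_load_CrtAndKeyInfo_file and SSL_load_CrtAndKeyInfo_path are also ignored, so an unreadable client certificate file shows up only as a count of 0 in a trace-level log line.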
@@ -289,39 +440,66 @@ static int ssl_ext_mp_set_destport(request_rec *r) return DEFAULT_HTTP_PORT; } -static char *ssl_ext_mp_new_connection(request_rec *r, BUFF *fb) +static char *ssl_ext_mp_new_connection(request_rec *r, BUFF *fb, char *peer) { +#ifndef SSL_EXPERIMENTAL SSL_CTX *ssl_ctx; +#endif SSL *ssl; char *errmsg; int rc; char *cpVHostID; char *cpVHostMD5; +#ifdef SSL_EXPERIMENTAL + SSLSrvConfigRec *sc; + char *cp; +#endif if (ap_ctx_get(r->ctx, "ssl::proxy::enabled") == PFALSE) return NULL; + + /* + * Find context + */ +#ifdef SSL_EXPERIMENTAL + sc = mySrvConfig(r->server); +#endif cpVHostID = ssl_util_vhostid(r->pool, r->server); /* * Create a SSL context and handle */ +#ifdef SSL_EXPERIMENTAL + ssl = SSL_new(sc->pSSLProxyCtx); +#else ssl_ctx = SSL_CTX_new(SSLv23_client_method()); - if ((ssl = SSL_new(ssl_ctx)) == NULL) { - errmsg = ap_pstrcat(r->pool, "SSL new failed (%s): ", cpVHostID, - ERR_reason_error_string(ERR_get_error()), NULL); + ssl = SSL_new(ssl_ctx); +#endif + if (ssl == NULL) { + errmsg = ap_psprintf(r->pool, "SSL proxy new failed (%s): peer %s: %s", + cpVHostID, peer, ERR_reason_error_string(ERR_get_error())); ap_ctx_set(fb->ctx, "ssl", NULL); return errmsg; } SSL_clear(ssl); cpVHostMD5 = ap_md5(r->pool, cpVHostID); if (!SSL_set_session_id_context(ssl, (unsigned char *)cpVHostMD5, strlen(cpVHostMD5))) { - errmsg = ap_pstrcat(r->pool, "Unable to set session id context to `%s': ", cpVHostMD5, - ERR_reason_error_string(ERR_get_error()), NULL); + errmsg = ap_psprintf(r->pool, "Unable to set session id context to `%s': peer %s: %s", + cpVHostMD5, peer, ERR_reason_error_string(ERR_get_error())); ap_ctx_set(fb->ctx, "ssl", NULL); return errmsg; } SSL_set_fd(ssl, fb->fd); +#ifdef SSL_EXPERIMENTAL + SSL_set_app_data(ssl, fb->ctx); +#endif ap_ctx_set(fb->ctx, "ssl", ssl); +#ifdef SSL_EXPERIMENTAL + ap_ctx_set(fb->ctx, "ssl::proxy::server_rec", r->server); + ap_ctx_set(fb->ctx, "ssl::proxy::peer", peer); + ap_ctx_set(fb->ctx, "ssl::proxy::servername", 
cpVHostID); + ap_ctx_set(fb->ctx, "ssl::proxy::verifyerror", NULL); +#endif /* * Give us a chance to gracefully close the connection @@ -333,8 +511,19 @@ static char *ssl_ext_mp_new_connection(request_rec *r, BUFF *fb) * Establish the SSL connection */ if ((rc = SSL_connect(ssl)) <= 0) { - errmsg = ap_pstrcat(r->pool, "SSL connect failed (%s): ", cpVHostID, - ERR_reason_error_string(ERR_get_error()), NULL); +#ifdef SSL_EXPERIMENTAL + if ((cp = (char *)ap_ctx_get(fb->ctx, "ssl::proxy::verifyerror")) != NULL) { + SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN); + SSL_smart_shutdown(ssl); + SSL_free(ssl); + ap_ctx_set(fb->ctx, "ssl", NULL); + ap_bsetflag(fb, B_EOF|B_EOUT, 1); + return NULL; + } +#endif + errmsg = ap_psprintf(r->pool, "SSL proxy connect failed (%s): peer %s: %s", + cpVHostID, peer, ERR_reason_error_string(ERR_get_error())); + ssl_log(r->server, SSL_LOG_ERROR, errmsg); SSL_free(ssl); ap_ctx_set(fb->ctx, "ssl", NULL); return errmsg; @@ -347,13 +536,17 @@ static void ssl_ext_mp_close_connection(void *_fb) { BUFF *fb = _fb; SSL *ssl; + SSL_CTX *ctx; ssl = ap_ctx_get(fb->ctx, "ssl"); if (ssl != NULL) { + ctx = SSL_get_SSL_CTX(ssl); SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); SSL_smart_shutdown(ssl); SSL_free(ssl); ap_ctx_set(fb->ctx, "ssl", NULL); + if (ctx != NULL) + SSL_CTX_free(ctx); } return; } 
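Review bot: `ssl_log(r->server, SSL_LOG_ERROR, errmsg);` in the SSL_connect failure path passes an already formatted string as the format argument. errmsg contains `peer` and the vhost id, so a `%` in either would be interpreted again by ssl_log's formatter. Where `peer` comes from is outside this hunk, but in a proxy it is plausibly derived from the requested URL. Use `ssl_log(r->server, SSL_LOG_ERROR, "%s", errmsg);`. In the same hunk the verify-error branch returns NULL after marking the buffer EOF, which is the same value the function returns at its top when SSL proxying is not enabled; a comment saying the caller is expected to notice the failure through B_EOF would help.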
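Review bot: The new `SSL_CTX_free(ctx)` in ssl_ext_mp_close_connection is correct only for the non-experimental build, where ssl_ext_mp_new_connection creates one context per connection with SSL_CTX_new. Under SSL_EXPERIMENTAL the handle comes from `SSL_new(sc->pSSLProxyCtx)`, so SSL_get_SSL_CTX returns the per-server context built once in ssl_ext_mp_init. Freeing it here drops the reference the server configuration still holds, and the next proxied connection in that process would then work on a released context. Guard the call with `#ifndef SSL_EXPERIMENTAL` before `if (ctx != NULL) SSL_CTX_free(ctx);` and `#endif` after it. The error returns in ssl_ext_mp_new_connection call only SSL_free, so in the non-experimental build the per-connection context still appears to leak on those paths.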
@@ -371,6 +564,183 @@ static int ssl_ext_mp_write_host_header( return DECLINED; } +#ifdef SSL_EXPERIMENTAL + +/* + * Callback for client certificate stuff. + * If the remote site sent us a SSLv3 list of acceptable CA's then trawl the + * table of client certs and send the first one that matches. + */ +static int ssl_ext_mp_clientcert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey) +{ + SSLSrvConfigRec *sc; + X509_NAME *xnx; + X509_NAME *issuer; + X509_INFO *xi; + char *peer; + char *servername; + server_rec *s; + ap_ctx *pCtx; + STACK_OF(X509_NAME) *sk; + STACK_OF(X509_INFO) *pcerts; + char *cp; + int i, j; + + pCtx = (ap_ctx *)SSL_get_app_data(ssl); + s = ap_ctx_get(pCtx, "ssl::proxy::server_rec"); + peer = ap_ctx_get(pCtx, "ssl::proxy::peer"); + servername = ap_ctx_get(pCtx, "ssl::proxy::servername"); + + sc = mySrvConfig(s); + pcerts = sc->skProxyClientCerts; + + ssl_log(s, SSL_LOG_DEBUG, "Proxy client certificate callback: (%s) entered"); + + if ((pcerts == NULL) || (sk_X509_INFO_num(pcerts) <= 0)) { + ssl_log(s, SSL_LOG_TRACE, + "Proxy client certificate callback: (%s) " + "site wanted client certificate but none available", + servername); + return 0; + } + + sk = SSL_get_client_CA_list(ssl); + + if ((sk == NULL) || (sk_X509_NAME_num(sk) <= 0)) { + /* + * remote site didn't send us a list of acceptable CA certs, + * so lets send the first one we came across + */ + xi = sk_X509_INFO_value(pcerts, 0); + cp = X509_NAME_oneline(X509_get_subject_name(xi->x509), NULL, 0); + ssl_log(s, SSL_LOG_DEBUG, + "SSL Proxy: (%s) no acceptable CA list, sending %s", + servername, cp != NULL ? 
cp : "-unknown-"); + free(cp); + /* export structures to the caller */ + *x509 = xi->x509; + *pkey = xi->x_pkey->dec_pkey; + /* prevent OpenSSL freeing these structures */ + CRYPTO_add(&((*x509)->references), +1, CRYPTO_LOCK_X509_PKEY); + CRYPTO_add(&((*pkey)->references), +1, CRYPTO_LOCK_X509_PKEY); + return 1; + } + + for (i = 0; i < sk_X509_NAME_num(sk); i++) { + xnx = sk_X509_NAME_value(sk, i); + for (j = 0; j < sk_X509_INFO_num(pcerts); j++) { + xi = sk_X509_INFO_value(pcerts,j); + issuer = X509_get_issuer_name(xi->x509); + if (X509_NAME_cmp(issuer, xnx) == 0) { + cp = X509_NAME_oneline(X509_get_subject_name(xi->x509), NULL, 0); + ssl_log(s, SSL_LOG_DEBUG, "SSL Proxy: (%s) sending %s", + servername, cp != NULL ? cp : "-unknown-"); + free(cp); + /* export structures to the caller */ + *x509 = xi->x509; + *pkey = xi->x_pkey->dec_pkey; + /* prevent OpenSSL freeing these structures */ + CRYPTO_add(&((*x509)->references), +1, CRYPTO_LOCK_X509_PKEY); + CRYPTO_add(&((*pkey)->references), +1, CRYPTO_LOCK_X509_PKEY); + return 1; + } + } + } + ssl_log(s, SSL_LOG_TRACE, + "Proxy client certificate callback: (%s) " + "no client certificate found!?", servername); + return 0; +} + +/* + * This is the verify callback when we are connecting to a remote SSL server + * from the proxy. Information is passed in via the SSL "ctx" app_data + * mechanism. We pass in an Apache context in this field, which contains + * server_rec of the server making the proxy connection from the + * "ssl::proxy::server_rec" context. + * + * The result of the verification is passed back out to SSLERR via the return + * value. We also store the error message in the "proxyverifyfailed" context, + * so the caller of SSL_connect() can log a detailed error message. 
+ */ +static int ssl_ext_mp_verify_cb(int ok, X509_STORE_CTX *ctx) +{ + SSLSrvConfigRec *sc; + X509 *xs; + int errnum; + int errdepth; + char *cp, *cp2; + ap_ctx *pCtx; + server_rec *s; + SSL *ssl; + char *peer; + char *servername; + + ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx); + pCtx = (ap_ctx *)SSL_get_app_data(ssl); + s = ap_ctx_get(pCtx, "ssl::proxy::server_rec"); + peer = ap_ctx_get(pCtx, "ssl::proxy::peer"); + servername = ap_ctx_get(pCtx, "ssl::proxy::servername"); + sc = mySrvConfig(s); + + /* + * Get verify ingredients + */ + xs = X509_STORE_CTX_get_current_cert(ctx); + errnum = X509_STORE_CTX_get_error(ctx); + errdepth = X509_STORE_CTX_get_error_depth(ctx); + + /* + * Log verification information + */ + cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0); + cp2 = X509_NAME_oneline(X509_get_issuer_name(xs), NULL, 0); + ssl_log(s, SSL_LOG_DEBUG, + "SSL Proxy: (%s) Certificate Verification for remote server %s: " + "depth: %d, subject: %s, issuer: %s", + servername, peer != NULL ? peer : "-unknown-", + errdepth, cp != NULL ? cp : "-unknown-", + cp2 != NULL ? cp2 : "-unknown"); + free(cp); + free(cp2); + + /* + * If we already know it's not ok, log the real reason + */ + if (!ok) { + ssl_log(s, SSL_LOG_ERROR, + "SSL Proxy: (%s) Certificate Verification failed for %s: " + "Error (%d): %s", servername, + peer != NULL ? 
peer : "-unknown-", + errnum, X509_verify_cert_error_string(errnum)); + ap_ctx_set(pCtx, "ssl::proxy::verifyerror", + (void *)X509_verify_cert_error_string(errnum)); + return ok; + } + + /* + * Check the depth of the certificate chain + */ + if (sc->nProxyVerifyDepth > 0) { + if (errdepth > sc->nProxyVerifyDepth) { + ssl_log(s, SSL_LOG_ERROR, + "SSL Proxy: (%s) Certificate Verification failed for %s: " + "Certificate Chain too long " + "(chain has %d certificates, but maximum allowed are only %d)", + servername, peer, errdepth, sc->nProxyVerifyDepth); + ap_ctx_set(pCtx, "ssl::proxy::verifyerror", + (void *)X509_verify_cert_error_string(X509_V_ERR_CERT_CHAIN_TOO_LONG)); + ok = FALSE; + } + } + + /* + * And finally signal OpenSSL the (perhaps changed) state + */ + return (ok); +} + +#endif /* SSL_EXPERIMENTAL */ /* _________________________________________________________________ ** diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c index a59068780a4..0b38b9a4a94 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_init.c @@ -123,7 +123,6 @@ void ssl_init_Module(server_rec *s, pool *p) SSLSrvConfigRec *sc; server_rec *s2; char *cp; - int n; mc->nInitCount++; @@ -152,6 +151,10 @@ void ssl_init_Module(server_rec *s, pool *p) sc->nVerifyClient = SSL_CVERIFY_NONE; if (sc->nVerifyDepth == UNSET) sc->nVerifyDepth = 1; +#ifdef SSL_EXPERIMENTAL + if (sc->nProxyVerifyDepth == UNSET) + sc->nProxyVerifyDepth = 1; +#endif if (sc->nSessionCacheTimeout == UNSET) sc->nSessionCacheTimeout = SSL_SESSION_CACHE_TIMEOUT; if (sc->nPassPhraseDialogType == SSL_PPTYPE_UNSET) 
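Review bot: In ssl_ext_mp_clientcert_cb the first log call, `ssl_log(s, SSL_LOG_DEBUG, "Proxy client certificate callback: (%s) entered");`, has a `%s` with no matching argument, which is undefined behaviour in a printf-style formatter; pass `servername` as the other calls do. Within ssl_ext_mp_verify_cb only the chain and its depth are checked and the certificate name is never compared with `peer`, so as far as this callback goes any certificate issued by a configured CA is accepted for any remote host; the function comment should at least state that limitation. The depth test is skipped when `nProxyVerifyDepth` is 0, and the chain-too-long message passes `peer` without the `-unknown-` fallback used in the other messages. The header comment names a "proxyverifyfailed" context while the code stores the message under `ssl::proxy::verifyerror`. Both reference bumps use CRYPTO_LOCK_X509_PKEY, which looks like the wrong lock id for an X509 and for an EVP_PKEY and should be checked against the OpenSSL version in use.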
@@ -265,8 +268,7 @@ void ssl_init_Module(server_rec *s, pool *p) /* * Seed the Pseudo Random Number Generator (PRNG) */ - n = ssl_rand_seed(s, p, SSL_RSCTX_STARTUP); - ssl_log(s, SSL_LOG_INFO, "Init: Seeding PRNG with %d bytes of entropy", n); + ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: "); /* * allocate the temporary RSA keys and DH params @@ -342,12 +344,19 @@ void ssl_init_TmpKeysHandle(int action, server_rec *s, pool *p) /* Generate Keys and Params */ if (action == SSL_TKP_GEN) { - ssl_log(s, SSL_LOG_INFO, "Init: Generating temporary RSA private keys (512/1024 bits)"); + /* seed PRNG */ + ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: "); /* generate 512 bit RSA key */ + ssl_log(s, SSL_LOG_INFO, "Init: Generating temporary RSA private keys (512/1024 bits)"); if ((rsa = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) { ssl_log(s, SSL_LOG_ERROR, "Init: Failed to generate temporary 512 bit RSA private key"); +#if 0 ssl_die(); +#else + ssl_log(s, SSL_LOG_ERROR, "Init: You probably have no RSA support in libcrypto. See ssl(8)"); + return; +#endif } asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc->tTmpKeys, "RSA:512"); asn1->nData = i2d_RSAPrivateKey(rsa, NULL); @@ -540,7 +549,7 @@ void ssl_init_ConfigureServer(server_rec *s, pool *p, SSLSrvConfigRec *sc) * Configure additional context ingredients */ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); - if (mc->nSessionCacheMode == SSL_SCMODE_UNSET) + if (mc->nSessionCacheMode == SSL_SCMODE_NONE) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); else SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER); diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c index fc1f0d8ee4d..2c3a4d4cee4 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_io.c 
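Review bot: In ssl_init_TmpKeysHandle the failure branch for the 512-bit key now logs and executes `return;` where it used to call ssl_die(). The server therefore keeps starting with nothing pushed into `mc->tTmpKeys` for this key and, presumably, for whatever the rest of the function (outside this hunk) generates afterwards. Whether the code that later looks up "RSA:512" copes with a missing entry cannot be seen here and should be confirmed before making this failure non-fatal. The `#if 0` / `#else` pair also leaves dead code behind; if continuing is intended, delete the ssl_die() branch and add a comment such as `/* non-fatal: libcrypto may lack RSA support; temporary keys stay unset */`.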
@@ -248,7 +248,7 @@ void ssl_io_suck(request_rec *r, SSL *ssl) return; } -/* the SSL_read replacement routine which known about the suck buffer */ +/* the SSL_read replacement routine which knows about the suck buffer */ static int ssl_io_suck_read(SSL *ssl, char *buf, int len) { ap_ctx *actx; diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c index ff45e996ff1..50e9f88af9b 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_kernel.c @@ -137,7 +137,6 @@ void ssl_hook_NewConnection(conn_rec *conn) char *cpVHostMD5; X509 *xs; int rc; - int n; /* * Get context @@ -170,8 +169,7 @@ void ssl_hook_NewConnection(conn_rec *conn) /* * Seed the Pseudo Random Number Generator (PRNG) */ - n = ssl_rand_seed(srvr, conn->pool, SSL_RSCTX_CONNECT); - ssl_log(srvr, SSL_LOG_TRACE, "Seeding PRNG with %d bytes of entropy", n); + ssl_rand_seed(srvr, conn->pool, SSL_RSCTX_CONNECT, ""); /* * Create a new SSL connection with the configured server SSL context and diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c index 06ed510f15d..dfc4d961f59 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_mutex.c @@ -156,8 +156,10 @@ void ssl_mutex_file_create(server_rec *s, pool *p) ap_pclosef(p, mc->nMutexFD); /* make sure the childs have access to this file */ +#ifndef OS2 if (geteuid() == 0 /* is superuser */) chown(mc->szMutexFile, ap_user_id, -1 /* no gid change */); +#endif /* open the lockfile for real */ if ((mc->nMutexFD = ap_popenf(p, mc->szMutexFile, diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_rand.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_rand.c index 2b50b438122..2af0d20b9db 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_rand.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_rand.c 
@@ -74,12 +74,13 @@ static int ssl_rand_choosenum(int, int); static int ssl_rand_feedfp(pool *, FILE *, int); -int ssl_rand_seed(server_rec *s, pool *p, ssl_rsctx_t nCtx) +int ssl_rand_seed(server_rec *s, pool *p, ssl_rsctx_t nCtx, char *prefix) { SSLModConfigRec *mc; array_header *apRandSeed; ssl_randseed_t *pRandSeeds; ssl_randseed_t *pRandSeed; + unsigned char stackdata[256]; int nReq, nDone; FILE *fp; int i, n, l; @@ -114,6 +115,17 @@ int ssl_rand_seed(server_rec *s, pool *p, ssl_rsctx_t nCtx) nDone += ssl_rand_feedfp(p, fp, pRandSeed->nBytes); ssl_util_ppclose(s, p, fp); } +#if SSL_LIBRARY_VERSION >= 0x00905100 + else if (pRandSeed->nSrc == SSL_RSSRC_EGD) { + /* + * seed in contents provided by the external + * Entropy Gathering Daemon (EGD) + */ + if ((n = RAND_egd(pRandSeed->cpPath)) == -1) + continue; + nDone += n; + } +#endif else if (pRandSeed->nSrc == SSL_RSSRC_BUILTIN) { /* * seed in the current time (usually just 4 bytes) @@ -130,6 +142,13 @@ int ssl_rand_seed(server_rec *s, pool *p, ssl_rsctx_t nCtx) l = sizeof(pid_t); RAND_seed((unsigned char *)&pid, l); nDone += l; + + /* + * seed in some current state of the run-time stack (128 bytes) + */ + n = ssl_rand_choosenum(0, sizeof(stackdata)-128-1); + RAND_seed(stackdata+n, 128); + nDone += 128; /* * seed in an 1KB extract of the current scoreboard @@ -142,6 +161,12 @@ int ssl_rand_seed(server_rec *s, pool *p, ssl_rsctx_t nCtx) } } } + ssl_log(s, SSL_LOG_INFO, "%sSeeding PRNG with %d bytes of entropy", prefix, nDone); + +#if SSL_LIBRARY_VERSION >= 0x00905100 + if (RAND_status() == 0) + ssl_log(s, SSL_LOG_WARN, "%sPRNG still contains not sufficient entropy!", prefix); +#endif return nDone; } diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c b/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c index c08fa8fb26f..f9a3c529f66 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_engine_vars.c 
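Review bot: The block added to ssl_rand_seed that calls `RAND_seed(stackdata+n, 128)` reads `unsigned char stackdata[256]` without ever writing to it. That is an uninitialised read, which memory checkers will flag along with everything derived from it, and it adds little unpredictability, yet `nDone += 128` counts it in full. The same over-count reaches the log line added in the last hunk, "Seeding PRNG with %d bytes of entropy", which reports bytes fed rather than entropy. I would drop the stack seeding or keep it out of nDone, and reword the message to `"%sSeeding PRNG with %d bytes of seed data"`. In the last hunk a zero RAND_status() only produces a warning, and the callers changed in this patch ignore the return value, so startup key generation proceeds even when the library reports the PRNG as under-seeded.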
@@ -296,7 +296,7 @@ static char *ssl_var_lookup_ssl(pool *p, conn_rec *c, char *var) result = ssl_var_lookup_ssl_version(p, var+8); } else if (ssl != NULL && strcEQ(var, "PROTOCOL")) { - result = SSL_get_version(ssl); + result = (char *)SSL_get_version(ssl); } else if (ssl != NULL && strcEQ(var, "SESSION_ID")) { SSL_SESSION *pSession = SSL_get_session(ssl); diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util.c b/usr.sbin/httpd/src/modules/ssl/ssl_util.c index bfc9e5fcc3e..ce238a52389 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_util.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_util.c @@ -241,7 +241,7 @@ int ssl_util_ppopen_child(void *cmd, child_info *pinfo) } #elif defined(OS2) /* IBM OS/2 */ - execl(SHELL_PATH, SHELL_PATH, "/c", (char *)cmd, NULL); + spawnl(P_NOWAIT, SHELL_PATH, SHELL_PATH, "/c", (char *)cmd, NULL); #else /* Standard Unix */ execl(SHELL_PATH, SHELL_PATH, "-c", (char *)cmd, NULL); @@ -269,7 +269,7 @@ char *ssl_util_readfilter(server_rec *s, pool *p, char *cmd) return NULL; for (k = 0; read(fileno(fp), &c, 1) == 1 && (k < MAX_STRING_LEN-1) ; ) { - if (c == '\n') + if (c == '\n' || c == '\r') break; buf[k++] = c; } diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c index 16f9155249e..d73344abb14 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c +++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.c @@ -141,13 +141,15 @@ X509 *SSL_read_X509(FILE *fp, X509 **x509, int (*cb)()) return rc; } -static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY *key) +#if SSL_LIBRARY_VERSION <= 0x00904100 +static EVP_PKEY *d2i_PrivateKey_bio(BIO *bio, EVP_PKEY **key) { return ((EVP_PKEY *)ASN1_d2i_bio( (char *(*)())EVP_PKEY_new, (char *(*)())d2i_PrivateKey, (bio), (unsigned char **)(key))); } +#endif EVP_PKEY *SSL_read_PrivateKey(FILE *fp, EVP_PKEY **key, int (*cb)()) { 
@@ -388,6 +390,65 @@ BOOL SSL_X509_getCN(pool *p, X509 *xs, char **cppCN) return FALSE; } +/* _________________________________________________________________ +** +** Low-Level CA Certificate Loading +** _________________________________________________________________ +*/ + +#ifdef SSL_EXPERIMENTAL + +BOOL SSL_load_CrtAndKeyInfo_file(pool *p, STACK_OF(X509_INFO) *sk, char *filename) +{ + BIO *in; + + if ((in = BIO_new(BIO_s_file())) == NULL) + return FALSE; + if (BIO_read_filename(in, filename) <= 0) { + BIO_free(in); + return FALSE; + } + ERR_clear_error(); +#if SSL_LIBRARY_VERSION < 0x00904000 + PEM_X509_INFO_read_bio(in, sk, NULL); +#else + PEM_X509_INFO_read_bio(in, sk, NULL, NULL); +#endif + BIO_free(in); + return TRUE; +} + +BOOL SSL_load_CrtAndKeyInfo_path(pool *p, STACK_OF(X509_INFO) *sk, char *pathname) +{ + struct stat st; + DIR *dir; + pool *sp; + struct dirent *nextent; + char *fullname; + BOOL ok; + + sp = ap_make_sub_pool(p); + if ((dir = ap_popendir(sp, pathname)) == NULL) { + ap_destroy_pool(sp); + return FALSE; + } + ok = FALSE; + while ((nextent = readdir(dir)) != NULL) { + fullname = ap_pstrcat(sp, pathname, "/", nextent->d_name, NULL); + if (stat(fullname, &st) != 0) + continue; + if (!S_ISREG(st.st_mode)) + continue; + if (SSL_load_CrtAndKeyInfo_file(sp, sk, fullname)) + ok = TRUE; + } + ap_pclosedir(p, dir); + ap_destroy_pool(sp); + return ok; +} + +#endif /* SSL_EXPERIMENTAL */ + /* _________________________________________________________________ ** ** Extra Server Certificate Chain Support diff --git a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h index 43866dd461c..56674c3946a 100644 --- a/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h +++ b/usr.sbin/httpd/src/modules/ssl/ssl_util_ssl.h 
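Review bot: SSL_load_CrtAndKeyInfo_path opens the directory with `ap_popendir(sp, pathname)` but closes it with `ap_pclosedir(p, dir)`; the close should name the same sub-pool, `ap_pclosedir(sp, dir);`. If the pool tracks the handle per pool, as the paired calls suggest, the cleanup registered on `sp` is not cancelled and the `ap_destroy_pool(sp)` on the next line would close the same DIR a second time. Separately, SSL_load_CrtAndKeyInfo_file ignores the result of `PEM_X509_INFO_read_bio` and returns TRUE whenever the file could be opened, so the path variant reports success for a directory with no parsable certificate. Checking that result for NULL and returning FALSE would make `ok` meaningful.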
@@ -98,6 +98,10 @@ char *SSL_make_ciphersuite(pool *, SSL *); BOOL SSL_X509_isSGC(X509 *); BOOL SSL_X509_getBC(X509 *, int *, int *); BOOL SSL_X509_getCN(pool *, X509 *, char **); +#ifdef SSL_EXPERIMENTAL +BOOL SSL_load_CrtAndKeyInfo_file(pool *, STACK_OF(X509_INFO) *, char *); +BOOL SSL_load_CrtAndKeyInfo_path(pool *, STACK_OF(X509_INFO) *, char *); +#endif int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, int (*)()); #endif /* SSL_UTIL_SSL_H */ diff --git a/usr.sbin/httpd/src/modules/standard/mod_actions.c b/usr.sbin/httpd/src/modules/standard/mod_actions.c index d5ab4098f1a..4b5aad2b576 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_actions.c +++ b/usr.sbin/httpd/src/modules/standard/mod_actions.c @@ -195,7 +195,8 @@ static int action_handler(request_rec *r) { action_dir_config *conf = (action_dir_config *) ap_get_module_config(r->per_dir_config, &action_module); - const char *t, *action = r->handler ? r->handler : r->content_type; + const char *t, *action = r->handler ? r->handler : + ap_field_noparam(r->pool, r->content_type); const char *script; int i; diff --git a/usr.sbin/httpd/src/modules/standard/mod_auth.c b/usr.sbin/httpd/src/modules/standard/mod_auth.c index e07dc453733..bd1b4c2fc2e 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_auth.c +++ b/usr.sbin/httpd/src/modules/standard/mod_auth.c @@ -110,7 +110,7 @@ static const command_rec auth_cmds[] = {"AuthAuthoritative", ap_set_flag_slot, (void *) XtOffsetOf(auth_config_rec, auth_authoritative), OR_AUTHCFG, FLAG, - "Set to 'no' to allow access control to be passed along to lower modules if the UserID is not known to this module"}, + "Set to 'off' to allow access control to be passed along to lower modules if the UserID is not known to this module"}, {NULL} }; diff --git a/usr.sbin/httpd/src/modules/standard/mod_auth_db.module b/usr.sbin/httpd/src/modules/standard/mod_auth_db.module index dba647d9a29..4636763b2a7 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_auth_db.module 
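Review bot: In action_handler, `ap_field_noparam(r->pool, r->content_type)` is reached whenever `r->handler` is NULL, with no check that `r->content_type` is set; the find_item hunk in mod_autoindex.c makes the same unguarded call. The mod_expires.c and mod_log_config.c hunks of this patch only call the helper after testing `r->content_type` for NULL, which suggests it may not accept NULL, but its body is not in view here, so confirm. If it does not, guard the call, e.g. `r->content_type ? ap_field_noparam(r->pool, r->content_type) : NULL`. action_handler's body continues outside the hunk.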
+++ b/usr.sbin/httpd/src/modules/standard/mod_auth_db.module @@ -2,19 +2,19 @@ Name: db_auth_module ConfigStart DB_VERSION='' DB_LIB='' - if sh helpers/TestCompile func db_create; then + if ./helpers/TestCompile func db_create; then DB_VERSION='Berkeley-DB/3.x' - elif sh helpers/TestCompile lib db db_create; then + elif ./helpers/TestCompile lib db db_create; then DB_VERSION='Berkeley-DB/3.x' DB_LIB='-ldb' - elif sh helpers/TestCompile func db_open; then + elif ./helpers/TestCompile func db_open; then DB_VERSION='Berkeley-DB/2.x' - elif sh helpers/TestCompile lib db db_open; then + elif ./helpers/TestCompile lib db db_open; then DB_VERSION='Berkeley-DB/2.x' DB_LIB='-ldb' - elif sh helpers/TestCompile func dbopen; then + elif ./helpers/TestCompile func dbopen; then DB_VERSION='Berkeley-DB/1.x' - elif sh helpers/TestCompile lib db dbopen; then + elif ./helpers/TestCompile lib db dbopen; then DB_VERSION='Berkeley-DB/1.x' DB_LIB='-ldb' fi diff --git a/usr.sbin/httpd/src/modules/standard/mod_autoindex.c b/usr.sbin/httpd/src/modules/standard/mod_autoindex.c index df1365b2ef4..7ca656b06c6 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_autoindex.c +++ b/usr.sbin/httpd/src/modules/standard/mod_autoindex.c @@ -732,7 +732,7 @@ struct ent { static char *find_item(request_rec *r, array_header *list, int path_only) { - const char *content_type = r->content_type; + const char *content_type = ap_field_noparam(r->pool, r->content_type); const char *content_encoding = r->content_encoding; char *path = r->filename; diff --git a/usr.sbin/httpd/src/modules/standard/mod_cern_meta.c b/usr.sbin/httpd/src/modules/standard/mod_cern_meta.c index fb7d48b675f..d8101948c72 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_cern_meta.c +++ b/usr.sbin/httpd/src/modules/standard/mod_cern_meta.c 
@@ -169,7 +169,7 @@ module MODULE_VAR_EXPORT cern_meta_module; typedef struct { char *metadir; char *metasuffix; - char *metafiles; + int metafiles; } cern_meta_dir_config; static void *create_cern_meta_dir_config(pool *p, char *dummy) @@ -210,7 +210,7 @@ static const char *set_metasuffix(cmd_parms *parms, cern_meta_dir_config * dconf return NULL; } -static const char *set_metafiles(cmd_parms *parms, cern_meta_dir_config * dconf, char *arg) +static const char *set_metafiles(cmd_parms *parms, cern_meta_dir_config * dconf, int arg) { dconf->metafiles = arg; return NULL; diff --git a/usr.sbin/httpd/src/modules/standard/mod_expires.c b/usr.sbin/httpd/src/modules/standard/mod_expires.c index 73392bdd2a2..5d1bf13aebf 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_expires.c +++ b/usr.sbin/httpd/src/modules/standard/mod_expires.c @@ -437,7 +437,8 @@ static int add_expires(request_rec *r) if (r->content_type == NULL) code = NULL; else - code = (char *) ap_table_get(conf->expiresbytype, r->content_type); + code = (char *) ap_table_get(conf->expiresbytype, + ap_field_noparam(r->pool, r->content_type)); if (code == NULL) { /* no expires defined for that type, is there a default? */ diff --git a/usr.sbin/httpd/src/modules/standard/mod_include.c b/usr.sbin/httpd/src/modules/standard/mod_include.c index dacf096fc76..65dc18823c4 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_include.c +++ b/usr.sbin/httpd/src/modules/standard/mod_include.c @@ -922,6 +922,9 @@ static int handle_echo(FILE *in, request_rec *r, const char *error) { char tag[MAX_STRING_LEN]; char *tag_val; + enum {E_NONE, E_URL, E_ENTITY} encode; + + encode = E_ENTITY; while (1) { if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) { 
@@ -931,7 +934,15 @@ static int handle_echo(FILE *in, request_rec *r, const char *error) const char *val = ap_table_get(r->subprocess_env, tag_val); if (val) { - ap_rputs(val, r); + if (encode == E_NONE) { + ap_rputs(val, r); + } + else if (encode == E_URL) { + ap_rputs(ap_escape_uri(r->pool, val), r); + } + else if (encode == E_ENTITY) { + ap_rputs(ap_escape_html(r->pool, val), r); + } } else { ap_rputs("(none)", r); @@ -940,6 +951,19 @@ static int handle_echo(FILE *in, request_rec *r, const char *error) else if (!strcmp(tag, "done")) { return 0; } + else if (!strcmp(tag, "encoding")) { + if (!strcasecmp(tag_val, "none")) encode = E_NONE; + else if (!strcasecmp(tag_val, "url")) encode = E_URL; + else if (!strcasecmp(tag_val, "entity")) encode = E_ENTITY; + else { + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, + "unknown value \"%s\" to parameter \"encoding\" of " + "tag echo in %s", + tag_val, r->filename); + ap_rputs(error, r); + } + } + else { ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, "unknown parameter \"%s\" to tag echo in %s", @@ -2116,7 +2140,8 @@ static int handle_printenv(FILE *in, request_rec *r, const char *error) } else if (!strcmp(tag, "done")) { for (i = 0; i < arr->nelts; ++i) { - ap_rvputs(r, elts[i].key, "=", elts[i].val, "\n", NULL); + ap_rvputs(r, ap_escape_html(r->pool, elts[i].key), "=", + ap_escape_html(r->pool, elts[i].val), "\n", NULL); } return 0; } diff --git a/usr.sbin/httpd/src/modules/standard/mod_log_config.c b/usr.sbin/httpd/src/modules/standard/mod_log_config.c index 78af1c8b968..e92d78b9bb0 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_log_config.c +++ b/usr.sbin/httpd/src/modules/standard/mod_log_config.c @@ -394,7 +394,7 @@ static const char *log_header_out(request_rec *r, char *a) { const char *cp = ap_table_get(r->headers_out, a); if (!strcasecmp(a, "Content-type") && r->content_type) { - cp = r->content_type; + cp = ap_field_noparam(r->pool, r->content_type); } if (cp) { return cp; 
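Review bot: The new `encoding` branch in handle_echo changes `encode` only for `var` attributes that come after it in the same tag, because attributes are handled in the order the loop reads them; `<!--#echo var="X" encoding="none" -->` is still entity-escaped. That fails in the safe direction but is easy to misread, so state it above the branch: `/* encoding applies to the var attributes that follow it; default is entity */`. The same comment should mention that an unknown value logs an error and leaves the previous setting in place. handle_echo starts in an earlier hunk and continues past this one.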
diff --git a/usr.sbin/httpd/src/modules/standard/mod_mime.c b/usr.sbin/httpd/src/modules/standard/mod_mime.c index 134196f1d9e..8b27d141e90 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_mime.c +++ b/usr.sbin/httpd/src/modules/standard/mod_mime.c @@ -345,7 +345,7 @@ static int is_token(char c) { int res; - res = (ap_isascii(c) && isgraph(c) + res = (ap_isascii(c) && ap_isgraph(c) && (strchr(tspecial, c) == NULL)) ? 1 : -1; return res; } diff --git a/usr.sbin/httpd/src/modules/standard/mod_speling.c b/usr.sbin/httpd/src/modules/standard/mod_speling.c index 328ec9937af..1e3a1b34ff2 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_speling.c +++ b/usr.sbin/httpd/src/modules/standard/mod_speling.c @@ -455,7 +455,7 @@ static int check_speling(request_rec *r) *(const char **)ap_push_array(t) = "The document name you requested ("; - *(const char **)ap_push_array(t) = r->uri; + *(const char **)ap_push_array(t) = ap_escape_html(sub_pool, r->uri); *(const char **)ap_push_array(t) = ") could not be found on this server.\n" "However, we found documents with names similar " @@ -474,15 +474,15 @@ static int check_speling(request_rec *r) ? r->parsed_uri.query : "", NULL); *(const char **)ap_push_array(v) = "\""; - *(const char **)ap_push_array(v) = vuri; + *(const char **)ap_push_array(v) = ap_escape_uri(sub_pool, vuri); *(const char **)ap_push_array(v) = "\";\""; *(const char **)ap_push_array(v) = reason; *(const char **)ap_push_array(v) = "\""; *(const char **)ap_push_array(t) = "

    34. "; - *(const char **)ap_push_array(t) = vuri; + *(const char **)ap_push_array(t) = ap_escape_html(sub_pool, vuri); *(const char **)ap_push_array(t) = " ("; *(const char **)ap_push_array(t) = reason; *(const char **)ap_push_array(t) = ")\n"; @@ -509,7 +509,7 @@ static int check_speling(request_rec *r) *(const char **)ap_push_array(t) = "Please consider informing the owner of the " "referring page " "about the broken link.\n"; } diff --git a/usr.sbin/httpd/src/modules/standard/mod_status.c b/usr.sbin/httpd/src/modules/standard/mod_status.c index fba55c982f5..c6786a212ab 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_status.c +++ b/usr.sbin/httpd/src/modules/standard/mod_status.c @@ -135,24 +135,19 @@ module MODULE_VAR_EXPORT status_module; *command-related code. This is here to prevent use of ExtendedStatus * without status_module included. */ -static const char *set_extended_status(cmd_parms *cmd, void *dummy, char *arg) +static const char *set_extended_status(cmd_parms *cmd, void *dummy, int arg) { const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); if (err != NULL) { return err; } - if (!strcasecmp(arg, "off") || !strcmp(arg, "0")) { - ap_extended_status = 0; - } - else { - ap_extended_status = 1; - } + ap_extended_status = arg; return NULL; } static const command_rec status_module_cmds[] = { - { "ExtendedStatus", set_extended_status, NULL, RSRC_CONF, TAKE1, + { "ExtendedStatus", set_extended_status, NULL, RSRC_CONF, FLAG, "\"On\" to enable extended status information, \"Off\" to disable" }, {NULL} }; @@ -618,9 +613,10 @@ static int status_handler(request_rec *r) format_byte_out(r, bytes); ap_rputs(")\n", r); ap_rprintf(r, " %s {%s} [%s]
      \n\n", - score_record.client, + ap_escape_html(r->pool, score_record.client), ap_escape_html(r->pool, score_record.request), - vhost ? vhost->server_hostname : "(unavailable)"); + vhost ? ap_escape_html(r->pool, + vhost->server_hostname) : "(unavailable)"); } else { /* !no_table_report */ #ifndef NO_PRETTYPRINT @@ -707,8 +703,9 @@ static int status_handler(request_rec *r) #else ap_rprintf(r, "
    35. \n\n", - score_record.client, - vhost ? vhost->server_hostname : "(unavailable)", + ap_escape_html(r->pool, score_record.client), + vhost ? ap_escape_html(r->pool, + vhost->server_hostname) : "(unavailable)", ap_escape_html(r->pool, score_record.request)); #endif } /* no_table_report */ diff --git a/usr.sbin/httpd/src/os/bs2000/ebcdic.h b/usr.sbin/httpd/src/os/bs2000/ebcdic.h index 9712cfaf00f..3549b26901b 100644 --- a/usr.sbin/httpd/src/os/bs2000/ebcdic.h +++ b/usr.sbin/httpd/src/os/bs2000/ebcdic.h @@ -1,5 +1,5 @@ #ifndef AP_EBCDIC_H -#define AP_EBCDIC_H "$Id: ebcdic.h,v 1.2 2000/01/25 18:30:05 beck Exp $" +#define AP_EBCDIC_H "$Id: ebcdic.h,v 1.3 2000/03/19 11:17:32 beck Exp $" #include diff --git a/usr.sbin/httpd/src/os/win32/registry.c b/usr.sbin/httpd/src/os/win32/registry.c index 025a5f1a7c1..cb4e4a49518 100644 --- a/usr.sbin/httpd/src/os/win32/registry.c +++ b/usr.sbin/httpd/src/os/win32/registry.c @@ -38,7 +38,7 @@ #define VENDOR "Apache Group" #define SOFTWARE "Apache" -#define VERSION "1.3.11" +#define VERSION "1.3.12" #define REGKEY "SOFTWARE\\" VENDOR "\\" SOFTWARE "\\" VERSION diff --git a/usr.sbin/httpd/src/support/ab.c b/usr.sbin/httpd/src/support/ab.c index e1abd8dae91..9135a261378 100644 --- a/usr.sbin/httpd/src/support/ab.c +++ b/usr.sbin/httpd/src/support/ab.c @@ -81,7 +81,7 @@ ** - Cleaned up by Ralf S. Engelschall , March 1998 ** - POST and verbosity by Kurt Sussman , August 1998 ** - HTML table output added by David N. Welton , January 1999 - ** - Added Cookie, Arbitrary header and auth support. , April 199 + ** - Added Cookie, Arbitrary header and auth support. , April 1999 ** */ 
@@ -884,14 +884,14 @@ static void test(void) static void copyright(void) { if (!use_html) { - printf("This is ApacheBench, Version %s\n", VERSION " <$Revision: 1.4 $> apache-1.3"); + printf("This is ApacheBench, Version %s\n", VERSION " <$Revision: 1.5 $> apache-1.3"); printf("Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/\n"); printf("Copyright (c) 1998-1999 The Apache Group, http://www.apache.org/\n"); printf("\n"); } else { printf("

      \n"); - printf(" This is ApacheBench, Version %s <%s> apache-1.3
      \n", VERSION, "$Revision: 1.4 $"); + printf(" This is ApacheBench, Version %s <%s> apache-1.3
      \n", VERSION, "$Revision: 1.5 $"); printf(" Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
      \n"); printf(" Copyright (c) 1998-1999 The Apache Group, http://www.apache.org/
      \n"); printf("

      \n

      \n"); diff --git a/usr.sbin/httpd/src/support/apxs.pl b/usr.sbin/httpd/src/support/apxs.pl index a39b9fd15bf..674fd1bce9c 100644 --- a/usr.sbin/httpd/src/support/apxs.pl +++ b/usr.sbin/httpd/src/support/apxs.pl @@ -297,7 +297,7 @@ if ($opt_q) { )) { if ($arg eq $name or $arg eq lc($name)) { my $val = eval "\$CFG_$name"; - $result .= "${val}::"; + $result .= "${val}##"; $ok = 1; } } @@ -306,8 +306,8 @@ if ($opt_q) { exit(1); } } - $result =~ s|::$||; - $result =~ s|::| |; + $result =~ s|##$||; + $result =~ s|##| |g; print $result; } diff --git a/usr.sbin/httpd/src/support/htdigest.c b/usr.sbin/httpd/src/support/htdigest.c index 6d42bbd4134..cb98a1147d2 100644 --- a/usr.sbin/httpd/src/support/htdigest.c +++ b/usr.sbin/httpd/src/support/htdigest.c @@ -72,7 +72,7 @@ #endif #include "ap.h" #include "ap_md5.h" -#if defined(MPE) || defined(QNX) || defined(WIN32) || defined(__TANDEM) || defined(OS390) +#if defined(MPE) || defined(QNX) || defined(WIN32) || defined(__TANDEM) || defined(OS390) || defined(BEOS) #include #else #include diff --git a/usr.sbin/httpd/src/support/htpasswd.1 b/usr.sbin/httpd/src/support/htpasswd.1 index 1687cde41c2..58b6b338c1e 100644 --- a/usr.sbin/httpd/src/support/htpasswd.1 +++ b/usr.sbin/httpd/src/support/htpasswd.1 @@ -1,5 +1,5 @@ -.TH htpasswd 1 "February 1997" -.\" Copyright (c) 1997-1999 The Apache Group. All rights reserved. +.TH htpasswd 1 "February 2000" +.\" Copyright (c) 1997-2000 The Apache Group. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -61,6 +61,12 @@ htpasswd \- Create and update user authentication files ] [ .B \-m +| +.B \-d +| +.B \-s +| +.B \-p ] .I passwdfile .I username @@ -72,9 +78,12 @@ htpasswd \- Create and update user authentication files ] [ .B \-m +| .B \-d -.B \-p +| .B \-s +| +.B \-p ] .I passwdfile .I username 
@@ -123,7 +132,10 @@ line.\fP Create the \fIpasswdfile\fP. If \fIpasswdfile\fP already exists, it is rewritten and truncated. .IP \-m -Use MD5 encryption for passwords. On Windows and TPF, this is the default. +Use Apache's modified MD5 algorithm for passwords. Passwords encrypted +with this algorithm are transportable to any platform (Windows, Unix, +BeOS, et cetera) running Apache 1.3.9 or later. On Windows and TPF, +this flag is the default. .IP \-d Use crypt() encryption for passwords. The default on all platforms but Windows and TPF. Though possibly supported by @@ -137,7 +149,7 @@ servers using the LDAP Directory Interchange Format (ldif). .IP \-p Use plaintext passwords. Though .B htpasswd -will support creation on all platofrms, the +will support creation on all platforms, the .B httpd deamon will only accept plain text passwords on Windows and TPF. .IP \fB\fIpasswdfile\fP diff --git a/usr.sbin/httpd/src/support/logresolve.c b/usr.sbin/httpd/src/support/logresolve.c index 6b4ae6bc277..2e02e3a80f0 100644 --- a/usr.sbin/httpd/src/support/logresolve.c +++ b/usr.sbin/httpd/src/support/logresolve.c @@ -45,8 +45,14 @@ #include #ifndef MPE +#ifndef BEOS #include -#endif +#else +/* BeOS lacks the necessary files until we get the new networking */ +#include +#define NO_ADDRESS 4 +#endif /* BEOS */ +#endif /* MPE */ static void cgethost(struct in_addr ipnum, char *string, int check); static int getline(char *s, int n); diff --git a/usr.sbin/httpd/src/support/mkcert.sh b/usr.sbin/httpd/src/support/mkcert.sh index 5c5ca5d9053..46e44eea6c0 100644 --- a/usr.sbin/httpd/src/support/mkcert.sh +++ b/usr.sbin/httpd/src/support/mkcert.sh @@ -1,6 +1,6 @@ #!/bin/sh ## -## mkcert.sh -- Make SSL Certificate Files for `make certificate' command +## mkcert.sh -- SSL Certificate Generation Utility ## Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved. ## 
@@ -96,9 +96,8 @@ fi # (do not use /dev/random here, because this device # doesn't work as expected on all platforms) randfiles='' -for file in /var/log/messages /var/adm/messages \ - /kernel /vmunix /vmlinuz \ - /etc/hosts /etc/resolv.conf; do +for file in /var/log/messages /var/adm/messages /var/log/system.log \ + /kernel /vmunix /vmlinuz /mach /etc/hosts /etc/resolv.conf; do if [ -f $file ]; then if [ ".$randfiles" = . ]; then randfiles="$file" @@ -108,6 +107,15 @@ for file in /var/log/messages /var/adm/messages \ fi done +# initialize random file +if [ -f $HOME/.rnd ]; then + RANDFILE="$HOME/.rnd" +else + RANDFILE=".mkcert.rnd" + touch $RANDFILE +fi +export RANDFILE + # canonicalize parameters case "x$type" in x ) type=test ;; @@ -140,12 +148,11 @@ case $type in fi if [ ".$algo" = .RSA ]; then cp $sslcrtdir/snakeoil-rsa.crt $sslcrtdir/server.crt - cp $sslkeydir/snakeoil-rsa.key $sslkeydir/server.key + (umask 077; cp $sslkeydir/snakeoil-rsa.key $sslkeydir/server.key) else cp $sslcrtdir/snakeoil-dsa.crt $sslcrtdir/server.crt - cp $sslkeydir/snakeoil-dsa.key $sslkeydir/server.key + (umask 077; cp $sslkeydir/snakeoil-dsa.key $sslkeydir/server.key) fi - chmod 600 $sslkeydir/server.key echo "${T_MD}RESULT: Server Certification Files${T_ME}" echo "" echo "o ${T_MD}conf/ssl.key/server.key${T_ME}" @@ -203,9 +210,6 @@ case $type in echo "______________________________________________________________________" echo "" echo "${T_MD}STEP 1: Generating $algo private key (1024 bit) [server.key]${T_ME}" - if [ ! -f $HOME/.rnd ]; then - touch $HOME/.rnd - fi if [ ".$algo" = .RSA ]; then if [ ".$randfiles" != . ]; then $openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024 
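Review bot: The fallback seed file `.mkcert.rnd` is created by a bare `touch $RANDFILE` in the current directory, so it takes the caller's umask, and nothing in this hunk removes it afterwards. OpenSSL saves PRNG state to RANDFILE, which other local users should not be able to read. Create it the way this patch creates key files, `(umask 077; touch "$RANDFILE")`, and quote the test as `[ -f "$HOME/.rnd" ]` so a home path containing spaces does not break it.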
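Review bot: Replacing `chmod 600 $sslkeydir/server.key` with `(umask 077; cp ...)` protects only a key file that does not exist yet, because a umask applies at creation and `cp` onto an existing server.key keeps that file's current mode. On a re-run over a key left group- or world-readable, the script used to tighten the mode and no longer will. Keeping `chmod 600 $sslkeydir/server.key` after the copy, in addition to the umask, restores that guarantee. The same applies to every later mkcert.sh hunk that drops a `chmod 600` on server.key or ca.key.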
@@ -219,16 +223,20 @@ case $type in else echo "Generating DSA private key via SnakeOil CA DSA parameters" if [ ".$randfiles" != . ]; then - $openssl gendsa -rand $randfiles -out $sslkeydir/server.key $sslprmdir/snakeoil-ca-dsa.prm + (umask 077 + $openssl gendsa -rand $randfiles \ + -out $sslkeydir/server.key \ + $sslprmdir/snakeoil-ca-dsa.prm) else - $openssl gendsa -out $sslkeydir/server.key $sslprmdir/snakeoil-ca-dsa.prm + (umask 077 + $openssl gendsa -out $sslkeydir/server.key \ + $sslprmdir/snakeoil-ca-dsa.prm) fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to generate DSA private key" 1>&2 exit 1 fi fi - chmod 600 $sslkeydir/server.key echo "______________________________________________________________________" echo "" echo "${T_MD}STEP 2: Generating X.509 certificate signing request [server.csr]${T_ME}" @@ -353,21 +361,22 @@ EOT done if [ ".$rc" = .y ]; then if [ ".$algo" = .RSA ]; then - $openssl rsa -des3 \ - -in $sslkeydir/server.key \ - -out $sslkeydir/server.key.crypt + (umask 077 + $openssl rsa -des3 \ + -in $sslkeydir/server.key \ + -out $sslkeydir/server.key.crypt) else - $openssl dsa -des3 \ - -in $sslkeydir/server.key \ - -out $sslkeydir/server.key.crypt + (umask 077 + $openssl dsa -des3 \ + -in $sslkeydir/server.key \ + -out $sslkeydir/server.key.crypt) fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to encrypt $algo private key" 1>&2 exit 1 fi - cp $sslkeydir/server.key.crypt $sslkeydir/server.key + (umask 077; cp $sslkeydir/server.key.crypt $sslkeydir/server.key) rm -f $sslkeydir/server.key.crypt - chmod 600 $sslkeydir/server.key echo "Fine, you're using an encrypted $algo private key." else echo "Warning, you're using an unencrypted $algo private key." 
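Review bot: Only the `gendsa` calls are wrapped in `(umask 077 ...)` here, while the `chmod 600 $sslkeydir/server.key` that followed both algorithm branches is removed. The `$openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024` call, shown as unchanged context in the preceding hunk, has no umask around it, so an RSA private key is now written with whatever umask the caller has. Wrap the RSA branch the same way, `(umask 077; $openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024)`, presumably along with its variant without `-rand`, which is outside the visible lines, or keep the `chmod 600`. The CA key hunk (ca.key) and the second server-key hunk further down show the same pattern.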
@@ -438,9 +447,6 @@ EOT echo "______________________________________________________________________" echo "" echo "${T_MD}STEP 1: Generating $algo private key for CA (1024 bit) [ca.key]${T_ME}" - if [ ! -f $HOME/.rnd ]; then - touch $HOME/.rnd - fi if [ ".$algo" = .RSA ]; then if [ ".$randfiles" != . ]; then $openssl genrsa -rand $randfiles -out $sslkeydir/ca.key 1024 @@ -455,18 +461,19 @@ EOT if [ ".$randfiles" != . ]; then $openssl dsaparam -rand $randfiles -out $sslprmdir/ca.prm 1024 echo "Generating DSA private key:" - $openssl gendsa -rand $randfiles -out $sslkeydir/ca.key $sslprmdir/ca.prm + (umask 077 + $openssl gendsa -rand $randfiles -out $sslkeydir/ca.key $sslprmdir/ca.prm) else $openssl dsaparam -out $sslprmdir/ca.prm 1024 echo "Generating DSA private key:" - $openssl gendsa -out $sslkeydir/ca.key $sslprmdir/ca.prm + (umask 077 + $openssl gendsa -out $sslkeydir/ca.key $sslprmdir/ca.prm) fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to generate DSA private key" 1>&2 exit 1 fi fi - chmod 600 $sslkeydir/ca.key echo "______________________________________________________________________" echo "" echo "${T_MD}STEP 2: Generating X.509 certificate signing request for CA [ca.csr]${T_ME}" @@ -556,9 +563,6 @@ EOT echo "______________________________________________________________________" echo "" echo "${T_MD}STEP 4: Generating $algo private key for SERVER (1024 bit) [server.key]${T_ME}" - if [ ! -f $HOME/.rnd ]; then - touch $HOME/.rnd - fi if [ ".$algo" = .RSA ]; then if [ ".$randfiles" != . ]; then $openssl genrsa -rand $randfiles -out $sslkeydir/server.key 1024 
@@ -571,16 +575,18 @@ EOT fi else if [ ".$randfiles" != . ]; then - $openssl gendsa -rand $randfiles -out $sslkeydir/server.key $sslprmdir/ca.prm + (umask 077 + $openssl gendsa -rand $randfiles \ + -out $sslkeydir/server.key $sslprmdir/ca.prm) else - $openssl gendsa -out $sslkeydir/server.key $sslprmdir/ca.prm + (umask 077 + $openssl gendsa -out $sslkeydir/server.key $sslprmdir/ca.prm) fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to generate DSA private key" 1>&2 exit 1 fi fi - chmod 600 $sslkeydir/server.key echo "______________________________________________________________________" echo "" echo "${T_MD}STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]${T_ME}" @@ -691,21 +697,22 @@ EOT done if [ ".$rc" = .y ]; then if [ ".$algo" = .RSA ]; then - $openssl rsa -des3 \ - -in $sslkeydir/ca.key \ - -out $sslkeydir/ca.key.crypt + (umask 077 + $openssl rsa -des3 \ + -in $sslkeydir/ca.key \ + -out $sslkeydir/ca.key.crypt) else - $openssl dsa -des3 \ - -in $sslkeydir/ca.key \ - -out $sslkeydir/ca.key.crypt + (umask 077 + $openssl dsa -des3 \ + -in $sslkeydir/ca.key \ + -out $sslkeydir/ca.key.crypt) fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to encrypt $algo private key" 1>&2 exit 1 fi - cp $sslkeydir/ca.key.crypt $sslkeydir/ca.key + (umask 077; cp $sslkeydir/ca.key.crypt $sslkeydir/ca.key) rm -f $sslkeydir/ca.key.crypt - chmod 600 $sslkeydir/ca.key echo "Fine, you're using an encrypted private key." else echo "Warning, you're using an unencrypted private key." 
@@ -731,21 +738,22 @@ EOT done if [ ".$rc" = .y ]; then if [ ".$algo" = .RSA ]; then - $openssl rsa -des3 \ - -in $sslkeydir/server.key \ - -out $sslkeydir/server.key.crypt + (umask 077 + $openssl rsa -des3 \ + -in $sslkeydir/server.key \ + -out $sslkeydir/server.key.crypt) else - $openssl dsa -des3 \ - -in $sslkeydir/server.key \ - -out $sslkeydir/server.key.crypt + (umask 077 + $openssl dsa -des3 \ + -in $sslkeydir/server.key \ + -out $sslkeydir/server.key.crypt) fi if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to encrypt $algo private key" 1>&2 exit 1 fi - cp $sslkeydir/server.key.crypt $sslkeydir/server.key + (umask 077; cp $sslkeydir/server.key.crypt $sslkeydir/server.key) rm -f $sslkeydir/server.key.crypt - chmod 600 $sslkeydir/server.key echo "Fine, you're using an encrypted $algo private key." else echo "Warning, you're using an unencrypted $algo private key." @@ -805,15 +813,16 @@ EOT exit 1 fi cp $crt $sslcrtdir/server.crt - cp $key $sslkeydir/server.key + (umask 077; cp $key $sslkeydir/server.key) else key=$crt + umask 077 + touch $sslkeydir/server.key sed -e '/-----BEGIN CERTIFICATE/,/-----END CERTIFICATE/p' -e '/.*/d' \ <$crt >$sslcrtdir/server.crt sed -e '/-----BEGIN ... PRIVATE KEY/,/-----END ... PRIVATE KEY/p' -e '/.*/d' \ <$key >$sslkeydir/server.key fi - chmod 600 $sslkeydir/server.key $openssl x509 -noout -in $sslcrtdir/server.crt if [ $? -ne 0 ]; then echo "mkcert.sh:Error: Failed to check certificate contents: $crt" 1>&2 -- 2.20.1
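Review bot: In the `else` branch of the last hunk, `umask 077` is set in the main shell rather than in a subshell as elsewhere in this patch, so it stays in force for the rest of the script. The `touch $sslkeydir/server.key` before the redirect does not change the mode of a server.key that already exists. The first `sed`, which writes `$sslcrtdir/server.crt`, also runs under the tightened umask, which may not be intended for a certificate. I would put only the key-writing `sed` inside `( umask 077; ... )` and keep `chmod 600 $sslkeydir/server.key` after it.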

      - mod_ssl 2.5, User Manual
      + mod_ssl 2.6, User Manual
      The Apache Interface to OpenSSL
      \ - mod_ssl 2.5, User Manual
      + mod_ssl 2.6, User Manual
      The Apache Interface to OpenSSL
      %s%s%s