modules/ssl/README - httpd - Git at Google

 SYNOPSIS

  This Apache module provides strong cryptography for the Apache 2 webserver
  via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
  v1) protocols by the help of the SSL/TLS implementation library OpenSSL which
  is based on SSLeay from Eric A. Young and Tim J. Hudson.

  The mod_ssl package was created in April 1998 by Ralf S. Engelschall
  and was originally derived from software developed by Ben Laurie for
  use in the Apache-SSL HTTP server project.  The mod_ssl implementation
  for Apache 1.3 continues to be supported by the modssl project
  <http://www.modssl.org/>.

 SOURCES

  See the top-level LAYOUT file for file descriptions.

  The source files are written in clean ANSI C and pass the ``gcc -O -g
  -ggdb3 -Wall -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
  -Wmissing-declarations -Wnested-externs -Winline'' compiler test
  (assuming `gcc' is GCC 2.95.2 or newer) without any complains. When
  you make changes or additions make sure the source still passes this
  compiler test.

 FUNCTIONS

  Inside the source code you will be confronted with the following types of
  functions which can be identified by their prefixes:

    ap_xxxx() ............... Apache API function
    ssl_xxxx() .............. mod_ssl function
    SSL_xxxx() .............. OpenSSL function (SSL library)
    OpenSSL_xxxx() .......... OpenSSL function (SSL library)
    X509_xxxx() ............. OpenSSL function (Crypto library)
    PEM_xxxx() .............. OpenSSL function (Crypto library)
    EVP_xxxx() .............. OpenSSL function (Crypto library)
    RSA_xxxx() .............. OpenSSL function (Crypto library)

 DATA STRUCTURES

  Inside the source code you will be confronted with the following
  data structures:

    server_rec .............. Apache (Virtual) Server
    conn_rec ................ Apache Connection
    request_rec ............. Apache Request
    SSLModConfig ............ mod_ssl (Global)  Module Configuration
    SSLSrvConfig ............ mod_ssl (Virtual) Server Configuration
    SSLDirConfig ............ mod_ssl Directory Configuration
    SSLConnConfig ........... mod_ssl Connection Configuration
    SSLFilterRec ............ mod_ssl Filter Context
    SSL_CTX ................. OpenSSL Context
    SSL_METHOD .............. OpenSSL Protocol Method
    SSL_CIPHER .............. OpenSSL Cipher
    SSL_SESSION ............. OpenSSL Session
    SSL ..................... OpenSSL Connection
    BIO ..................... OpenSSL Connection Buffer

  For an overview how these are related and chained together have a look at the
  page in README.dsov.{fig,ps}. It contains overview diagrams for those data
  structures. It's designed for DIN A4 paper size, but you can easily generate
  a smaller version inside XFig by specifing a magnification on the Export
  panel.

 INCOMPATIBILITIES

  The following intentional incompatibilities exist between mod_ssl 2.x
  from Apache 1.3 and this mod_ssl version for Apache 2:

  o The complete EAPI-based SSL_VENDOR stuff was removed.
  o The complete EAPI-based SSL_COMPAT stuff was removed.
  o The <IfDefine> variable MOD_SSL is no longer provided automatically

 MAJOR CHANGES

  For a complete history of changes for Apache 2 mod_ssl, see the
  CHANGES file in the top-level directory.  The following
  is a condensed summary of the major changes were made between
  mod_ssl 2.x from Apache 1.3 and this mod_ssl version for Apache 2:

  o The DBM based session cache is now based on APR's DBM API only.
  o The shared memory based session cache is now based on APR's APIs.
  o SSL I/O is now implemented in terms of filters rather than BUFF
  o Eliminated ap_global_ctx. Storing Persistant information in
    process_rec->pool->user_data. The ssl_pphrase_Handle_CB() and
    ssl_config_global_* () functions have an extra parameter now -
    "server_rec *" -  which is used to retrieve the SSLModConfigRec.
  o Properly support restarts, allowing mod_ssl to be added to a server
    that is already running and to change server certs/keys on restart
  o Various performance enhancements
  o proxy support is no longer an "extension", much of the mod_ssl core
    was re-written (ssl_engine_{init,kernel,config}.c) to be generic so
    it could be re-used in proxy mode.
    - the optional function ssl_proxy_enable is provide for mod_proxy
      to enable proxy support
    - proxy support now requires 'SSLProxyEngine on' to be configured
    - proxy now supports SSLProxyCARevocation{Path,File} in addition to
      the original SSLProxy* directives
  o per-directory SSLCACertificate{File,Path} is now thread-safe but
    requires SSL_set_cert_store patch to OpenSSL
  o the ssl_engine_{ds,ext}.c source files are obsolete and no longer
    exist

 TODO

  See the top-level STATUS file for current efforts and goals.
	SYNOPSIS

	This Apache module provides strong cryptography for the Apache 2 webserver
	via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
	v1) protocols by the help of the SSL/TLS implementation library OpenSSL which
	is based on SSLeay from Eric A. Young and Tim J. Hudson.

	The mod_ssl package was created in April 1998 by Ralf S. Engelschall
	and was originally derived from software developed by Ben Laurie for
	use in the Apache-SSL HTTP server project. The mod_ssl implementation
	for Apache 1.3 continues to be supported by the modssl project
	<http://www.modssl.org/>.

	SOURCES

	See the top-level LAYOUT file for file descriptions.

	The source files are written in clean ANSI C and pass the ``gcc -O -g
	-ggdb3 -Wall -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
	-Wmissing-declarations -Wnested-externs -Winline'' compiler test
	(assuming `gcc' is GCC 2.95.2 or newer) without any complains. When
	you make changes or additions make sure the source still passes this
	compiler test.

	FUNCTIONS

	Inside the source code you will be confronted with the following types of
	functions which can be identified by their prefixes:

	ap_xxxx() ............... Apache API function
	ssl_xxxx() .............. mod_ssl function
	SSL_xxxx() .............. OpenSSL function (SSL library)
	OpenSSL_xxxx() .......... OpenSSL function (SSL library)
	X509_xxxx() ............. OpenSSL function (Crypto library)
	PEM_xxxx() .............. OpenSSL function (Crypto library)
	EVP_xxxx() .............. OpenSSL function (Crypto library)
	RSA_xxxx() .............. OpenSSL function (Crypto library)

	DATA STRUCTURES

	Inside the source code you will be confronted with the following
	data structures:

	server_rec .............. Apache (Virtual) Server
	conn_rec ................ Apache Connection
	request_rec ............. Apache Request
	SSLModConfig ............ mod_ssl (Global) Module Configuration
	SSLSrvConfig ............ mod_ssl (Virtual) Server Configuration
	SSLDirConfig ............ mod_ssl Directory Configuration
	SSLConnConfig ........... mod_ssl Connection Configuration
	SSLFilterRec ............ mod_ssl Filter Context
	SSL_CTX ................. OpenSSL Context
	SSL_METHOD .............. OpenSSL Protocol Method
	SSL_CIPHER .............. OpenSSL Cipher
	SSL_SESSION ............. OpenSSL Session
	SSL ..................... OpenSSL Connection
	BIO ..................... OpenSSL Connection Buffer

	For an overview how these are related and chained together have a look at the
	page in README.dsov.{fig,ps}. It contains overview diagrams for those data
	structures. It's designed for DIN A4 paper size, but you can easily generate
	a smaller version inside XFig by specifing a magnification on the Export
	panel.

	INCOMPATIBILITIES

	The following intentional incompatibilities exist between mod_ssl 2.x
	from Apache 1.3 and this mod_ssl version for Apache 2:

	o The complete EAPI-based SSL_VENDOR stuff was removed.
	o The complete EAPI-based SSL_COMPAT stuff was removed.
	o The <IfDefine> variable MOD_SSL is no longer provided automatically

	MAJOR CHANGES

	For a complete history of changes for Apache 2 mod_ssl, see the
	CHANGES file in the top-level directory. The following
	is a condensed summary of the major changes were made between
	mod_ssl 2.x from Apache 1.3 and this mod_ssl version for Apache 2:

	o The DBM based session cache is now based on APR's DBM API only.
	o The shared memory based session cache is now based on APR's APIs.
	o SSL I/O is now implemented in terms of filters rather than BUFF
	o Eliminated ap_global_ctx. Storing Persistant information in
	process_rec->pool->user_data. The ssl_pphrase_Handle_CB() and
	ssl_config_global_* () functions have an extra parameter now -
	"server_rec *" - which is used to retrieve the SSLModConfigRec.
	o Properly support restarts, allowing mod_ssl to be added to a server
	that is already running and to change server certs/keys on restart
	o Various performance enhancements
	o proxy support is no longer an "extension", much of the mod_ssl core
	was re-written (ssl_engine_{init,kernel,config}.c) to be generic so
	it could be re-used in proxy mode.
	- the optional function ssl_proxy_enable is provide for mod_proxy
	to enable proxy support
	- proxy support now requires 'SSLProxyEngine on' to be configured
	- proxy now supports SSLProxyCARevocation{Path,File} in addition to
	the original SSLProxy* directives
	o per-directory SSLCACertificate{File,Path} is now thread-safe but
	requires SSL_set_cert_store patch to OpenSSL
	o the ssl_engine_{ds,ext}.c source files are obsolete and no longer
	exist

	TODO

	See the top-level STATUS file for current efforts and goals.