README for Apache-SSL/1.3.12 Ben-SSL/1.39
-----------------------------------------

(C) 1995, 1996, 1997, 1998, 1999, 2000 Ben Laurie <ben@algroup.co.uk> (https://www.apache-ssl.org/)

These patches interface Apache to OpenSSL.

For further information on Apache see:

	http://www.apache.org
	"Apache: The Definitive Guide" published by O'Reilly
		(http://www.ora.com).

For further information on OpenSSL see:

	http://www.openssl.org/

REMEMBER export and/or import of crypto software or crypto hooks is illegal
in many parts of the world.

Prerequisites
-------------

Apache 1.3.12
OpenSSL 0.9.2b or later
patch 2.1 or 2.5


Files
-----

ben.pgp.key.asc			My PGP public key
EXTRAS.SSL			Documentation on extra features
LICENCE.SSL			A copy of the Apache-SSL licence
README.SSL			This file
SECURITY			Some thoughts about SSL and security
SSLpatch			A patch file to be applied to the Apache source
src/modules/ssl/*		Extra module for Apache
SSLconf/conf/access.conf	Empty (required by Apache)
SSLconf/conf/httpd.conf		Example configuration
SSLconf/conf/srm.conf		Empty (required by Apache)
SSLconf/conf/mime.types		A copy of the the sample mime.types (required)
md5sums				MD5 checksums of all files (using md5sum)
md5sums.asc			My detached signature of md5sums


Installation
------------

0. !!!APPLY THE ENCLOSED OpenSSL PATCH TO OpenSSL AND REBUILD AND INSTALL IT!!!

1. Get hold of OpenSSL (from the sites mentioned above), and compile it.

2. Get hold of Apache 1.3.12 (from ftp://www.apache.org/apache/dist).

3. Unpack it.

4. do "cd apache_1.3.12"

5. Unpack this distribution.

6. (Optional) Run the FixPatch script to try to fix up the OpenSSL paths in the
patch. If you choose not to do this, you'll need to do some extra work in step
8. This step is only optional because its new and I'm waiting for feedback
before eliminating the old methods.

7. do "patch -p1 < SSLpatch" (if you chose not to run FixPatch).

8. Proceed with standard Apache configuration. Note that you'll need to set
SSL_* in src/Configuration to appropriate values, unless you did step 6. If you
point to the SSLeay source tree, then you'll only need to set SSL_BASE.

9. Look at the (very brief) example configuration in SSLconf (yes, access.conf
and srm.conf are supposed to be empty).

10. Make yourself a test certificate by doing "cd src; make certificate".

11. Before using this server for anything serious, read the file SECURITY.

12. Have fun!

13. Email any patches/suggestions to the address above PAYING CLOSE ATTENTION
TO ANY APPLICABLE EXPORT/IMPORT LAWS.

14. If this software doesn't do what you want, and you can't or won't fix it
yourself, I am available for hire. Send me email outlining what you want and
I will quote.


Starting Apache-SSL
-------------------

In general, starting Apache-SSL is just like starting Apache, except the
executable is called httpsd instead of httpd. It used to be that you had to add
a sleep after firing up Apache-SSL. THIS IS NO LONGER TRUE.

If you change a private key file, it is necessary to restart Apache-SSL from
scratch - the key caching will otherwise cause the old version to be reused.

CGI Environment Variables
-------------------------

Name			Value		Desc
----			_____		----
HTTPS			on		HTTPS is being used.
HTTPS_CIPHER		<string>	SSL/TLS cipherspec
SSL_CIPHER		<string>	The same as HTTPS_CIPHER
SSL_PROTOCOL_VERSION	<string>	?	
SSL_SSLEAY_VERSION	<string>	?
HTTPS_KEYSIZE		<number>	Number of bits in the session key
HTTPS_SECRETKEYSIZE	<number>	Number of bits in the secret key
SSL_CLIENT_DN		<string>	DN in client's certificate
SSL_CLIENT_<x509>	<string>	Component of client's DN
SSL_CLIENT_I_DN		<string>	DN of issuer of client's certificate
SSL_CLIENT_I_<x509>	<string>	Component of client's issuer's DN
SSL_SERVER_DN		<string>	DN in server's certificate
SSL_SERVER_<x509>	<string>	Component of server's DN
SSL_SERVER_I_DN		<string>	DN of issuer of server's certificate
SSL_SERVER_I_<x509>	<string>	Component of server's issuer's DN
SSL_CLIENT_CERT         <string>        Base64 encoding of client cert
SSL_CLIENT_CERT_CHAIN_n <string>        Base64 encoding of client cert chain

where <x509> is a component of an X509 DN.


Derived Works
-------------

I have been asked what to do about the version string for derived works. The
comment above the version string in httpd.h spells it out pretty clearly, but,
to reiterate, any derived work's version string should include "Apache/x.y.z"
and "Ben-SSL/x.y" in it.


Compatibility
-------------

This version tested only with Netscape 4.7 on Windows NT.


Credits
-------

Thanks to The Apache Group and the NCSA, for Apache, to Eric Young and Tim
Hudson, for SSLeay, and to Baroness Camilla von Massenbach, for putting up
with me.

Thanks to Brad Eacker (beacker@beakman.cks.com) for providing a port from
Apache-SSL 1.1.3+1.3 to Apache 1.2b8.

Ben Laurie is Technical Director of A.L. Digital Ltd., London, England, who
generously support the development of Apache-SSL.

See http://www.algroup.co.uk/

Sponsorship
-----------

1.2.5+1.13 was sponsored by Virgin Music Group.