10. FAQ

10.1 Apache-SSL Àº Çѵ¿¾È ¾÷µ¥ÀÌÆ® µÇÁö ¾Ê¾Ò´Ù - ÀÌ°Ç ³°¾Ò´Ù(out-of-date)´Â ¸»Àΰ¡?

¾Æ´Ï´Ù, À§¸»Àº ±×°Í(Apache-SSL)ÀÌ »ç¶÷µéÀÌ ¿øÇÏ´Â ¸¸Å­ Àß ÀÛµ¿ÇÑ´Ù´Â ¶æÀÌ´Ù. ¿ì¸®´Â °íÃÄÁ®¾ß ÇÒ ¹ö±×°¡ ÀÖÀ»¶§¿Í »õ ¹öÀüÀÇ Apache(ÀÌÇÏ ¾ÆÆÄÄ¡)°¡ ³ª¿Ã¶§, ¶Ç´Â ´©±º°¡°¡ »õ·Î¿î ±â´ÉÀ» ¿øÇÒ¶§¸¸ ¾÷µ¥ÀÌÆ® ÇÑ´Ù.

10.2 ³» ºê¶ó¿ìÀú´Â ¿Ö Apache-SSL¿¡ Á¢¼ÓÇÒ ¶§ ¸ØÃçÀֱ⸸ Çϳª?

https: ´ë½Å¿¡ http:¸¦ »ç¿ëÇ߱⠶§¹®ÀÌ´Ù. ¶Ç, ¿¡·¯ ·Î±×¿¡¼­ ´ÙÀ½ ¸Þ½ÃÁö¸¦ º»°Ô µÈ´Ù¸é ¿ª½Ã À§¿Í°°Àº ÀÌÀ¯¿¡¼­´Ù.

  SSL_Accept failed error:140760EB:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

10.3 ÆÐÄ¡°¡ Àû¿ëÀÌ ¾ÈµÇ´Âµ¥, ¹¹°¡ À߸øµÈ°Ç°¡?

´ÙÀ½°ú °°Àº °á°ú¸¦ ¾ò´Â´Ù¸é,

$patch < SSLpatch
  Looks like a new-style context diff.
  File to patch:

10.4 HTTP°¡ Æ÷Æ®(port) 80À» ¾²´Â°Ç ¾Æ´Âµ¥, HTTPS´Â?

´ç½ÅÀº HTTPS¸¦ ¾Æ¹« Æ÷Æ®¿¡¼­³ª µ¹¸± ¼ö ÀÖÁö¸¸, ´ëºÎºÐÀÇ ºê¶ó¿ìÀú°¡ ±âº»À¸·Î ã´Â Ç¥ÁØ Æ÷Æ®´Â 443ÀÌ´Ù. ³Ê(Çä.. ¾ðÁ¦ºÎÅÍ.. --;)´Â ´ÙÀ½°ú °°ÀÌ URL¿¡ Æ÷Æ®¹øÈ£¸¦ ÁöÁ¤Çؼ­ ºê¶ó¿ìÀú°¡ °­Á¦·Î ãµµ·Ï ÇÒ ¼ö ÀÖ´Ù.

https://secure.server.hell:666

10.5 ³ª´Â ÇÑ ¸Ó½Å¿¡¼­ º¸¾È(secure), ºñº¸¾È(non-secure) ¼­¹ö¸¦ °°ÀÌ µ¹¸®°í ½Í´Ù. °¡´ÉÇÑ°¡?

µÎ°¡Áö ¹æ¹ýÀÌ ÀÖ´Ù. µÎ°³ÀÇ ¼­¹ö ´ë¸óÀ» µ¹¸®°Å³ª, ÇÑ ´ë¸ó¿¡¼­ µÎ°¡Áö ¼­ºñ½º¸¦ µ¿½Ã¿¡ Çϰųª. µÎ ´ë¸ó¸¦ µ¹¸®´Â ÁÁÀº ÀÌÀ¯°¡ ÀÖ´õ¶óµµ, º¸Åë °¡Àå °£´ÜÇÏ°Ô ÇÑ ¼­¹ö¸¦ µ¹¸®°í SSLÀÌ ÇÊ¿ä¾ø´Â ºÎºÐÀº °¡»óÈ£½ºÆ®(virtual host)·Î ±× ±â´ÉÀ» ²¨¹ö¸®¸é µÈ´Ù. ¸¸¾à µÎ°³ÀÇ ´ë¸óÀ» µ¹¸®°í ½Í´Ù¸é °¢ ¼­¹ö°¡ Á¤ÇØÁø Æ÷Æ®(º¸Åë ºñº¸¾ÈÀº Æ÷Æ® 80, º¸¾ÈÀº 443) ÇÏ°í¸¸ ¿¬°á µÇµµ·Ï ÇØ¾ß ÇÑ´Ù. ÇϳªÀÇ ¼­¹ö¸¸ µ¹¸®°í ½Í´Ù¸é, ¾î¶»°Ô ¼³Á¤ÇÏ´ÂÁö ¿©±â ¿¹Á¦ ¼³Á¤ ÆÄÀÏÀÌ ÀÖ´Ù.

10.6 ÀÌÁ¦ ¸· ¼­¹ö¸¦ ¼³Ä¡ Çß´Ù. Å×½ºÆ® Áõ¸í¼­´Â ¾î¶»°Ô ¸¸µå³ª?

´Ü°è Çϳª - Å°(key)¿Í ¿äû(request, û, û±¸.. ¸Ó¾ß.. --;)¸¦ ¸¸µé¾î¶ó.

  openssl req -new > new.cert.csr

´Ü°è µÑ - Å°¿¡¼­ Æнº¹®(passphrase)¸¦ Áö¿ö¶ó(¼±ÅûçÇ×ÀÌ´Ù).

  openssl rsa -in privkey.pem -out new.cert.key

´Ü°è ¼Â - ¿äû(request)À» ¼­¸íµÈ Áõ¸í(cert)À¸·Î ¹Ù²ã¶ó.(¹Ù²ã, ¹Ù²ã, ^^;)

  openssl x509 -in new.cert.csr -out neww.cert.cert -req -signkey new.cert.key -days 365

À§ °á°ú¸¦ Apache-SSLÀÇ Áö½ÃÀÚ·Î ´ÙÀ½°ú °°ÀÌ »ç¿ëÇÑ´Ù.

  SSLCertificateFile /path/to/certs/new.cert.cert
  SSLCertificateKeyFile /path/to/certs/new.cert.key

10.7 Ŭ¶óÀ̾ðÆ® Áõ¸í¼­´Â ¾î¶»°Ô ¸¸µå³ª?

´Ü°è Çϳª - À§ ó·³ CA Áõ¸í/Å° ½ÖÀ» ¸¸µç´Ù.

´Ü°è µÑ - CA Å°·Î °í°´ ¿äû¿¡ ¼­¸íÇÑ´Ù.

  openssl x509 -req -in client.cert.csr -out client.cert.cert -signkey my.CA.key -CA my.CA.cert -CAkey my.CA.key -CAcreateserial -days 365 

´Ü°è ¼Â - 'client.cert.cert' ÆÄÀÏÀ» ¿äûÇÏ´ÂÀÌ¿¡°Ô ³Ñ°ÜÁÖ¶ó.

Apache-SSLÀº ´ÙÀ½À» Ãß°¡ ÇÔÀ¸·Î½á ÀÌ Áõ¸í¼­ÀÇ È®ÀÎÀÌ °¡´ÉÇÏ´Ù.

  SSLCACertificateFile /path/to/certs/my.CA.cert
  SSLVerifyClient 2

10.8 ³» CGI·Î ¾î¶»°Ô Ŭ¶óÀ̾ðÆ® Áõ¸í¿¡ Á¢±ÙÇϴ°¡?

¸±¸®Áî apache_1.3.2+ssl_1.27 À̻󿡼­´Â ´ÙÀ½ Áö½ÃÀÚ¸¦ »ç¿ëÇÑ´Ù.

  SSLExportClientCertificates

10.9 FontPage98 Extensions with Apache-SSLÀº ¾î¶»°Ô ¼³Ä¡Çϳª?

Bertrand Renuart°¡ ÀÌ¿¡ ´ëÇÑ ÀÚ¼¼ÇÑ ³»¿ëÀ» http://www.itma.lu/howto/apache¿¡¼­ ±â¼úÇÏ°í ÀÖ´Ù.

10.10 Verisign cert¸¦ ¼³Ä¡ÇÒ ¶§, ¿Ö "getca", "getverisign"À» ãÀ» ¼ö ¾ø´Â°¡?

Apache-SSL ¸í·É¿¡¼­ VerisignÀº Áö¿øµÇÁö ¾Ê±â ¶§¹®ÀÌ´Ù. »ç¿ëÇÏ°í ½Í´Ù¸é Stronghold(»ó¿ë ¾ÆÆÄÄ¡ ±â¹Ý SSL Áö¿ø ¼­¹ö)¸¦ »ç¿ëÇضó. ´ç½ÅÀÌ ÇØ¾ß ÇÒ ÀÏÀº ´ÜÁö Áõ¸íÀ» ÆÄÀÏ¿¡ ÀúÀåÇÏ°í ±× À̸§À» SSLCertificateFileÁö½ÃÀÚ¿¡ ³Ñ°ÜÁÖ¸é µÈ´Ù. Å°ÆÄÀϵµ ³Ñ°Ü¾ß ÇÏ´Â°É ±â¾ïÇضó.

10.11 ÀϹÝÀûÀÎ ÄÄÆÄÀÏ ¿¡·¯

  gcc -c  -I../os/unix -I../include -I/usr/local/ssl/include   -funsigned-char -DTARGET=\"httpsd\" -DAPACHE_SSL `../apaci` -DAPACHE_SSL buff.c
  buff.c: In function `ap_read':
  buff.c:259: structure has no member named `stats'
  buff.c:267: structure has no member named `stats'
  buff.c:268: structure has no member named `stats'
  buff.c:269: structure has no member named `stats'
  buff.c:271: structure has no member named `stats'
  buff.c: In function `ap_write':
  buff.c:346: warning: passing arg 2 of `SSL_write' discards `const' from pointer target type
  *** Error code 1

10.12 Y2K ¹®Á¦´Â?

Apache-SSL ÇϺÎÀÇ ÄÄÆ÷³ÍÆ®¿¡´Â ³¯Â¥°ü·Ã 󸮰¡ ¾ø¾î¼­ ´ç½Å ½Ã½ºÅÛÀÇ ÀüüÀûÀÎ ÄÄÇöóÀ̾ð½º(compliance)¿£ ¿µÇâÀ» ¹ÞÁö ¾Ê´Â´Ù. ¸ÞÀÎ ÄÄÆ÷³ÍÆ®ÀÎ ¾ÆÆÄÄ¡´Â Y2K¿¡ ´ëÇؼ­ ÀÌ·¸°Ô À̾߱â ÇÏ°í ÀÖ´Ù. ¶ÇÇÑ ´ç½ÅÀº OS, Çϵå¿þ¾î¿Í ´Ù¸¥ ¸ðµâÀ» °Ë»çÇØ¾ß ÇÑ´Ù.