General Changes
Stronghold Web Server 3.0 (SH3) is based on mod_ssl and OpenSSL. Stronghold Web Server 2.4.2 (SH2.4.2)
was based on our own internal SSL module and a customised version of the
SSLeay library.
In SH3, the binary name is httpd. The binary is located in the
/ServerRoot/bin/ directory. The binary name was httpsd in SH2.4.2;
the binary was located in the /ServerRoot/ directory.
SH3 is based on Apache 1.3.12 (http://apache.org/httpd.html).
SH2.4.2 was based on Apache 1.3.6. The differences between the two versions
of Apache are explained in Apache Week.
The status page in SH3 no longer contains a client certificate DN column
and the SSL column has been updated to give the SSL cipher in use as well as
the protocol.
SH2.4.2 used to display the certificate details for each SSL virtual host on
startup. This is no longer done in SH3.
When using the SSL proxying capability, no extra headers are sent
to the back end server, unless the SSLProxyPassEnv directive,
introduced with Stronghold Web Server 3.0 build code 3012, is used. Stronghold Web Server
2 contained various SP_ headers.
Modules such as mod_rewrite are unable to access the SSL environment
variables originally used by Stronghold Web Server 2. We recommend that the
new replacement variables are used instead. This was a design
decision to prevent compromising efficiency when processing these
variables. Please refer to the table below
for a list of the old variable names against their equivalent names
in the new version.
Unlike previous Stronghold Web Server releases, Stronghold Web Server 3.0 doesn't display
error messages relating to the SSL engine's initialisation on the terminal.
Instead, these now appear in the logs/ssl/ssl_engine_log log
file as a permanent record. The bin/start-server or
bin/strongholdctl scripts will indicate if the service has
failed to initialise.
New Pre-compiled Modules
SH3 has two of the most popular Apache modules, PHP3.0.16 & mod_perl,
built-in by default:
PHP3.0.16 is compiled as a Dynamic Shared Object (DSO) in the
/ServerRoot/modules/libexec directory. DSO support allows the server to
load modules on demand instead of having them statically compiled into the
binary. DSO Apache modules are only loaded into httpd processes which have
received client requests requiring those modules. The rest of the httpd
processes without the DSO Apache modules will be smaller, and will take up
less memory. This decreases SH3's memory usage and allows for a higher
number of httpd processes with the same amount of memory. SH2.4.2 had
PHP2.0 statically precompiled by default.
Mod_perl is precompiled statically because mod_perl 1.22 does not fully
support DSO. Mod_perl had to be added manually after installation in
SH2.4.2.
SH3 has built-in APXS support, so users can recompile modules for use with
SH3. APXS had to be added to SH2.4.2 after installation.
New Directives
For additional information about directives, consult the output of the
command: httpd -L
Replaced Directives
Modified Directives
Removed Directives
The following directives are no longer present in SH3. They have not been
replaced with any new directives:
SSLClientCAFile
SSLErrorFile
SSL_CertFileType - pem|asn1
SSL_KeyFileType - pem|asn1
These were old Sioux directives that were not documented in SH2.4.2 but were
left in only for compatibility:
SSL_LogX509Attributes
SSL_ProxyX509VerifyPolicy
SSL_X509VerifyDir
SSL_X509VerifyPolicy
SSL_FetchKeyPhraseFrom
SSL_KeyFileType
SSL_CertFileType
Changed Environment Variables
Here is a table of the environment variable changes between SH2.4.2 & SH3:
| Old (SH2) environment variable | Equivalent SH3 variable |
|---|---|
| SSL_PROTOCOL_VERSION | SSL_PROTOCOL |
| SSLEAY_VERSION | SSL_VERSION_LIBRARY |
| HTTPS_SECRETKEYSIZE | SSL_CIPHER_USEKEYSIZE |
| HTTPS_KEYSIZE | SSL_CIPHER_ALGKEYSIZE |
| HTTPS_CIPHER | SSL_CIPHER |
| HTTPS_EXPORT | SSL_CIPHER_EXPORT |
| SSL_SERVER_KEY_SIZE | SSL_CIPHER_ALGKEYSIZE |
| SSL_SERVER_CERTIFICATE | SSL_SERVER_CERT |
| SSL_SERVER_CERT_START | SSL_SERVER_V_START |
| SSL_SERVER_CERT_END | SSL_SERVER_V_END |
| SSL_SERVER_CERT_SERIAL | SSL_SERVER_M_SERIAL |
| SSL_SERVER_SIGNATURE_ALGORITHM | SSL_SERVER_A_SIG |
| SSL_SERVER_DN | SSL_SERVER_S_DN |
| SSL_SERVER_CN | SSL_SERVER_S_DN_CN |
| SSL_SERVER_EMAIL | SSL_SERVER_S_DN_Email |
| SSL_SERVER_O | SSL_SERVER_S_DN_O |
| SSL_SERVER_OU | SSL_SERVER_S_DN_OU |
| SSL_SERVER_C | SSL_SERVER_S_DN_C |
| SSL_SERVER_SP | SSL_SERVER_S_DN_SP |
| SSL_SERVER_L | SSL_SERVER_S_DN_L |
| SSL_SERVER_IDN | SSL_SERVER_I_DN |
| SSL_SERVER_ICN | SSL_SERVER_I_DN_CN |
| SSL_SERVER_IEMAIL | SSL_SERVER_I_DN_Email |
| SSL_SERVER_IO | SSL_SERVER_I_DN_O |
| SSL_SERVER_IOU | SSL_SERVER_I_DN_OU |
| SSL_SERVER_IC | SSL_SERVER_I_DN_C |
| SSL_SERVER_ISP | SSL_SERVER_I_DN_SP |
| SSL_SERVER_IL | SSL_SERVER_I_DN_L |
| SSL_CLIENT_CERTIFICATE | SSL_CLIENT_CERT |
| SSL_CLIENT_CERT_START | SSL_CLIENT_V_START |
| SSL_CLIENT_CERT_END | SSL_CLIENT_V_END |
| SSL_CLIENT_CERT_SERIAL | SSL_CLIENT_M_SERIAL |
| SSL_CLIENT_SIGNATURE_ALGORITHM | SSL_CLIENT_A_SIG |
| SSL_CLIENT_DN | SSL_CLIENT_S_DN |
| SSL_CLIENT_CN | SSL_CLIENT_S_DN_CN |
| SSL_CLIENT_EMAIL | SSL_CLIENT_S_DN_Email |
| SSL_CLIENT_O | SSL_CLIENT_S_DN_O |
| SSL_CLIENT_OU | SSL_CLIENT_S_DN_OU |
| SSL_CLIENT_C | SSL_CLIENT_S_DN_C |
| SSL_CLIENT_SP | SSL_CLIENT_S_DN_SP |
| SSL_CLIENT_L | SSL_CLIENT_S_DN_L |
| SSL_CLIENT_IDN | SSL_CLIENT_I_DN |
| SSL_CLIENT_ICN | SSL_CLIENT_I_DN_CN |
| SSL_CLIENT_IEMAIL | SSL_CLIENT_I_DN_Email |
| SSL_CLIENT_IO | SSL_CLIENT_I_DN_O |
| SSL_CLIENT_IOU | SSL_CLIENT_I_DN_OU |
| SSL_CLIENT_IC | SSL_CLIENT_I_DN_C |
| SSL_CLIENT_ISP | SSL_CLIENT_I_DN_SP |
| SSL_CLIENT_IL | SSL_CLIENT_I_DN_L |
| SSL_EXPORT | SSL_CIPHER_EXPORT |
| SSL_KEYSIZE | SSL_CIPHER_USEKEYSIZE |
| SSL_SSLEAY_VERSION | SSL_VERSION_LIBRARY |
To enable the old variables in CGI programs, specify SSLOptions
+CompatEnvVars in httpd.conf. For example, querying SSL_PROTOCOL_VERSION
will then give you the same value as SSL_PROTOCOL, even if StdEnvVars isn't
set in SSLOptions. Ideally, you should be using the new variables.
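The mapping above doubles as a migration check. The script below is an added example (not Stronghold's or mod_ssl's code) that embeds a subset of the table, finds the legacy names a CGI script still references, rewrites them to the SH3 names, and reads a variable by either name the way a CGI sees it under +CompatEnvVars; the CGI script text and the request environment are constructed samples.

```python
import re

# Old SH2.4.2 CGI variable -> equivalent SH3 (mod_ssl) variable; a subset of the
# table above, constructed for this example.
COMPAT_VARS = {
    "SSL_PROTOCOL_VERSION": "SSL_PROTOCOL",
    "HTTPS_SECRETKEYSIZE": "SSL_CIPHER_USEKEYSIZE",
    "HTTPS_KEYSIZE": "SSL_CIPHER_ALGKEYSIZE",
    "HTTPS_CIPHER": "SSL_CIPHER",
    "HTTPS_EXPORT": "SSL_CIPHER_EXPORT",
    "SSL_SERVER_CERTIFICATE": "SSL_SERVER_CERT",
    "SSL_SERVER_DN": "SSL_SERVER_S_DN",
    "SSL_CLIENT_CERTIFICATE": "SSL_CLIENT_CERT",
    "SSL_CLIENT_DN": "SSL_CLIENT_S_DN",
    "SSL_KEYSIZE": "SSL_CIPHER_USEKEYSIZE",
}
# Whole names only, longest first, so SSL_PROTOCOL_VERSION is never read as
# the new SSL_PROTOCOL name followed by "_VERSION".
_LEGACY_RE = re.compile(
    r"\b(" + "|".join(sorted(COMPAT_VARS, key=len, reverse=True)) + r")\b")

def find_legacy_vars(source):
    """Return {old_name: new_name} for each SH2 variable a script still uses."""
    return {name: COMPAT_VARS[name] for name in _LEGACY_RE.findall(source)}

def rewrite_legacy_vars(source):
    """Rewrite a script to the SH3 names so it no longer needs +CompatEnvVars."""
    return _LEGACY_RE.sub(lambda m: COMPAT_VARS[m.group(1)], source)

def ssl_var(environ, name):
    """Read a variable by old or new name, preferring the SH3 name (the
    behaviour +CompatEnvVars gives a CGI)."""
    new_name = COMPAT_VARS.get(name, name)
    if new_name in environ:
        return environ[new_name]
    for old, new in COMPAT_VARS.items():          # legacy fallback
        if new == new_name and old in environ:
            return environ[old]
    return None

# Constructed legacy CGI script and request environment, not taken from a server.
LEGACY_CGI = """#!/bin/sh
echo "Content-type: text/plain"
echo
echo "Protocol: $SSL_PROTOCOL_VERSION, cipher: $HTTPS_CIPHER ($HTTPS_SECRETKEYSIZE bits)"
echo "Client: $SSL_CLIENT_DN"
"""
SAMPLE_ENV = {"SSL_PROTOCOL": "TLSv1", "SSL_CIPHER": "RC4-MD5",
              "SSL_CIPHER_USEKEYSIZE": "128", "SSL_CLIENT_S_DN": "/C=GB/O=Example/CN=alice"}
```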
Unsupported Environment Variables
SSL_STRONG_CRYPTO
SSL_SERVER_SESSIONDIR
SSL_SERVER_CERTFILE
SSL_SERVER_KEYFILETYPE
SSL_CLIENT_KEY_ALGORITHM
Upgrading Your Config File
Required Changes
These steps are for those who want to use their old SH2.4.2 config
(httpd.conf) files with a minimum of configuration directive changes.
There are other differences between the two default config files. If you
want to incorporate all of the new default configuration directives in SH3,
you should start with the SH3 default config file, then import the necessary
configuration differences from your old SH2.4.2 config file. If you are
using additional directives beyond the default, check the information above
to see if their names or syntax have changed.
Here are the minimum steps to upgrade the default SH2.4.2 config file to the
default SH3 config file:
- Get the new SH3 license file, put it in ServerRoot, and change:
    StrongholdLicense sh2license
  to
    StrongholdLicense sh3license
- Add:
    <IfModule mod_ssl.c>
    SSLSessionCache c2shm:logs/ssl/ssl_scache(512000)
    SSLSessionCacheTimeout 300
    SSLMutex file:logs/ssl/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLLog logs/ssl/ssl_engine_log
    SSLLogLevel warn
    </IfModule>
- Remove:
    SSLErrorFile "logs/ssl/ssl_error_log"
- To add PHP3 support so the index page works:
    LoadModule php3_module modules/libexec/libphp3.so
    <IfModule mod_php3.c>
    AddType application/x-httpd-php3 .php3
    AddType application/x-httpd-php3-source .phps
    </IfModule>
Remember: SH2.4.2 was built with PHP2.0, so if you have any legacy PHP2.0
code, it won't work with SH3. This includes the old "index.php" page.
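The required steps above, applied to an httpd.conf by a script. This is an added example, not part of the Stronghold distribution: the SH2.4.2 config fragment is constructed, and any other removed directive (SSLClientCAFile here) is left in place and reported, since the page gives it no replacement.

```python
# Directives dropped in SH3 with no replacement (see "Removed Directives").
REMOVED_DIRECTIVES = ("SSLClientCAFile", "SSLErrorFile", "SSL_CertFileType", "SSL_KeyFileType")

# The two blocks the steps above say to add, verbatim.
MOD_SSL_BLOCK = """<IfModule mod_ssl.c>
SSLSessionCache c2shm:logs/ssl/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex file:logs/ssl/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog logs/ssl/ssl_engine_log
SSLLogLevel warn
</IfModule>"""
PHP3_BLOCK = """LoadModule php3_module modules/libexec/libphp3.so
<IfModule mod_php3.c>
AddType application/x-httpd-php3 .php3
AddType application/x-httpd-php3-source .phps
</IfModule>"""

def _directive(line):
    """Name of the directive on a config line, lower-cased (Apache ignores case)."""
    words = line.strip().split()
    return words[0].lower() if words and not words[0].startswith(("#", "<")) else ""

def upgrade_conf(text):
    """Apply the minimum SH2.4.2 -> SH3 httpd.conf changes; returns (new_text,
    unresolved), unresolved being removed directives left for a manual decision."""
    out, unresolved = [], []
    for line in text.splitlines():
        name = _directive(line)
        if name == "strongholdlicense" and line.split()[1:] == ["sh2license"]:
            line = "StrongholdLicense sh3license"        # step 1
        elif name == "sslerrorfile":
            continue                                     # step 3: remove, no replacement
        elif name in (d.lower() for d in REMOVED_DIRECTIVES):
            unresolved.append(line.strip().split()[0])   # report, do not guess
        out.append(line)
    if "sslsessioncache" not in {_directive(l) for l in out}:
        out.append(MOD_SSL_BLOCK)                        # step 2, added only once
    if "loadmodule php3_module" not in text.lower():
        out.append(PHP3_BLOCK)                           # step 4, added only once
    return "\n".join(out) + "\n", unresolved

# Constructed SH2.4.2 config fragment, not a real default file.
SAMPLE_SH2_CONF = """ServerRoot /usr/local/stronghold
StrongholdLicense sh2license
SSLErrorFile "logs/ssl/ssl_error_log"
SSLClientCAFile ssl/clientca.pem
"""
```

Running the function a second time on its own output changes nothing, so it is safe to re-run after hand edits.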
Optional Changes
- Before SH3, the paths for keys and certificates were assumed to be relative
  to the SSLRoot directory. The default SSLRoot was the /ServerRoot/ssl
  directory. In SH3, the default is for SSLRoot not to exist; keys and
  certificates are assumed to be relative to the /ServerRoot/ directory. If
  you have an SSLRoot directive, keys and certificates are assumed to be
  relative to the SSLRoot directory.
- SH3 is not built with PHP2.0, so if you have any legacy PHP2.0 code, it won't
  work with SH3. It will have to be upgraded to PHP3.0.16. Please see the PHP
  web site about how to do this at
  http://www.php.net/changes.php3.