diff --git a/build/exe/doliwamp/.cvsignore b/build/exe/doliwamp/.cvsignore
index 98e6ef67fad8af56cb3721edbd420b3d6fcc0bb1..2c52e4ff5ddd7c59105f1bec4c353c21a4622b78 100644
--- a/build/exe/doliwamp/.cvsignore
+++ b/build/exe/doliwamp/.cvsignore
@@ -1 +1,2 @@
*.db
+ca_dolibarr.key
diff --git a/build/exe/doliwamp/builddemosslfiles.bat b/build/exe/doliwamp/builddemosslfiles.bat
new file mode 100644
index 0000000000000000000000000000000000000000..452f5d2c56bbc9cdbfc07d05055f16a54c28fccf
--- /dev/null
+++ b/build/exe/doliwamp/builddemosslfiles.bat
@@ -0,0 +1,23 @@
+@echo off
+REM Launch Dolibarr demo SSL key generation
+REM ---------------------------------------
+
+REM Build private key
+WAMPROOT\bin\apache\apacheWAMPAPACHEVERSION\bin\openssl genrsa -out myserver.key 512
+
+REM Set permissions on file
+REM chmod 400 myserver.key
+
+REM Create CSR file
+WAMPROOT\bin\apache\apacheWAMPAPACHEVERSION\bin\openssl req -config openssl.conf -new -key myserver.key -out myserver.csr
+
+REM Create empty dir and files
+echo 01 > tmp\serial
+touch tmp\index.txt
+touch tmp\index.txt.attr
+
+REM Certify request
+WAMPROOT\bin\apache\apacheWAMPAPACHEVERSION\bin\openssl ca -config openssl.conf -out myserver.crt -infiles myserver.csr
+
+REM Check everything is OK
+WAMPROOT\bin\apache\apacheWAMPAPACHEVERSION\bin\openssl verify -CAfile ca_demo_dolibarr.crt myserver.crt
diff --git a/build/exe/doliwamp/ca_demo_dolibarr.crt b/build/exe/doliwamp/ca_demo_dolibarr.crt
new file mode 100644
index 0000000000000000000000000000000000000000..0c68cd5725653127c2fb3d349a9aaa853d469c11
--- /dev/null
+++ b/build/exe/doliwamp/ca_demo_dolibarr.crt
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICozCCAk2gAwIBAgIJALGFnnUnBWt7MA0GCSqGSIb3DQEBBQUAMGwxCzAJBgNV
+BAYTAkZSMQwwCgYDVQQIEwNJREYxDjAMBgNVBAcTBVBhcmlzMREwDwYDVQQKEwhE
+b2xpYmFycjEUMBIGA1UECxMLRG9saWJhcnIgQ0ExFjAUBgNVBAMTDURvbGliYXJy
+IHRlYW0wHhcNMDkwODE5MjMzNzEwWhcNMzcwMTA0MjMzNzEwWjBsMQswCQYDVQQG
+EwJGUjEMMAoGA1UECBMDSURGMQ4wDAYDVQQHEwVQYXJpczERMA8GA1UEChMIRG9s
+aWJhcnIxFDASBgNVBAsTC0RvbGliYXJyIENBMRYwFAYDVQQDEw1Eb2xpYmFyciB0
+ZWFtMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANZnbCPyab6x4BRWZbKc8zssC1Lt
+5DfrnOiUWNyw71AfW5Kvyk0RJIvjHLWz8+2kEqCmohjD0qo1ATQLotrx3BcCAwEA
+AaOB0TCBzjAdBgNVHQ4EFgQUjMdLdKeYrp9gvezCv+PTUdtrZrwwgZ4GA1UdIwSB
+ljCBk4AUjMdLdKeYrp9gvezCv+PTUdtrZryhcKRuMGwxCzAJBgNVBAYTAkZSMQww
+CgYDVQQIEwNJREYxDjAMBgNVBAcTBVBhcmlzMREwDwYDVQQKEwhEb2xpYmFycjEU
+MBIGA1UECxMLRG9saWJhcnIgQ0ExFjAUBgNVBAMTDURvbGliYXJyIHRlYW2CCQCx
+hZ51JwVrezAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA0EAX9IDUlhFvorE
+dNxiWODKGsZy+UirzLwVZnEZNcgfOggL9VJfhqJcks+8nNflGHsWP8ciPb2itYEb
+teSYLelgaA==
+-----END CERTIFICATE-----
diff --git a/build/exe/doliwamp/ca_demo_dolibarr.key b/build/exe/doliwamp/ca_demo_dolibarr.key
new file mode 100644
index 0000000000000000000000000000000000000000..300e7cbd419870ce9d3c4a6d16925d0298428251
--- /dev/null
+++ b/build/exe/doliwamp/ca_demo_dolibarr.key
@@ -0,0 +1,9 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBANZnbCPyab6x4BRWZbKc8zssC1Lt5DfrnOiUWNyw71AfW5Kvyk0R
+JIvjHLWz8+2kEqCmohjD0qo1ATQLotrx3BcCAwEAAQJBAI9D7G7YvPA/y4vLb4k6
+dw1DEQ4JCEaVmfOPrRFK6Z6PHGbEMPwOO4tKyZO4dOJXJ2cwLpfo7zZ3egvun7t3
+7wECIQDvPIbwMJKhOU3jTcyv8hJ07V9JWva7znZsMB7iUSydiQIhAOVtciL43Nfq
+EcglY7UwKFWYk9KpRfxkW28dUKu2/uSfAiBrp24FWaYx/Kpq9dB9AE6D5Wkyhkdv
+PboWdxT+vI56GQIhANo0RLjETm7AfZcJEJLUMZhvXDCgtCJ/ZIMCs6YNjtHrAiEA
+2odSzx9oUC00Ir7l5JeiUH/InpuU7Hd1Y/74OvaUYKM=
+-----END RSA PRIVATE KEY-----
diff --git a/build/exe/doliwamp/httpd.conf.install b/build/exe/doliwamp/httpd.conf.install
index 491eb921d4a167fc25f62beca23ee5e7aaa4f0e0..7fc0e3752b31cae27b3408bd8d03ce877823caa9 100644
--- a/build/exe/doliwamp/httpd.conf.install
+++ b/build/exe/doliwamp/httpd.conf.install
@@ -51,7 +51,7 @@ ServerRoot "WAMPROOT/bin/apache/apache2.2.6"
#
#Listen 12.34.56.78:80
Listen WAMPAPACHEPORT
-Listen 444
+Listen WAMPAPACHEPORTSSL
#
# Dynamic Shared Object (DSO) Support
@@ -156,7 +156,17 @@ ServerAdmin webmaster@localhost
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
-ServerName localhost:81
+ServerName localhost
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of: Full | OS | Minor | Minimal | Major | Prod
+# where Full conveys the most information, and Prod the least.
+#
+#ServerTokens Prod
#
# DocumentRoot: The directory out of which you will serve your
@@ -505,4 +515,194 @@ SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
-Include "WAMPROOT/alias/*"
\ No newline at end of file
+
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+#
+# Some MIME-types for downloading Certificates and CRLs
+#
+AddType application/x-x509-ca-cert .crt
+AddType application/x-pkcs7-crl .crl
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+#SSLPassPhraseDialog builtin
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+#SSLSessionCache "dbm:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache"
+#SSLSessionCache "shmcb:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
+#SSLSessionCacheTimeout 300
+
+# Semaphore:
+# Configure the path to the mutual exclusion semaphore the
+# SSL engine uses internally for inter-process synchronization.
+#SSLMutex "file:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_mutex"
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:444>
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+# General setup for the virtual host
+DocumentRoot "WAMPROOT/www/"
+ServerName localhost:444
+ServerAdmin admin@localhost
+ErrorLog "WAMPROOT/logs/apache_error_ssl.log"
+TransferLog "WAMPROOT/logs/apache_transfer_ssl.log"
+CustomLog "WAMPROOT/logs/apache_access_ssl.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+
+# Server Certificate:
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that a kill -HUP will prompt again. Keep
+# in mind that if you have both an RSA and a DSA certificate you
+# can configure both in parallel (to also allow the use of DSA
+# ciphers, etc.)
+SSLCertificateFile "WAMPROOT/server.crt"
+
+# Server Private Key:
+# If the key is not combined with the certificate, use this
+# directive to point at the key file. Keep in mind that if
+# you've both a RSA and a DSA private key you can configure
+# both in parallel (to also allow the use of DSA ciphers, etc.)
+SSLCertificateKeyFile "WAMPROOT/server.key"
+
+# Server Certificate Chain:
+# Point SSLCertificateChainFile at a file containing the
+# concatenation of PEM encoded CA certificates which form the
+# certificate chain for the server certificate. Alternatively
+# the referenced file can be the same as SSLCertificateFile
+# when the CA certificates are directly appended to the server
+# certificate for convinience.
+#SSLCertificateChainFile "WAMPROOT/server-ca.crt"
+
+# Certificate Authority (CA):
+# Set the CA certificate verification path where to find CA
+# certificates for client authentication or alternatively one
+# huge file containing all of them (file must be PEM encoded)
+# Note: Inside SSLCACertificatePath you need hash symlinks
+# to point to the certificate files. Use the provided
+# Makefile to update the hash symlinks after changes.
+#SSLCACertificatePath "WAMPROOT/ssl.crt"
+#SSLCACertificateFile "WAMPROOT/ca-bundle.crt"
+
+# Certificate Revocation Lists (CRL):
+# Set the CA revocation path where to find CA CRLs for client
+# authentication or alternatively one huge file containing all
+# of them (file must be PEM encoded)
+# Note: Inside SSLCARevocationPath you need hash symlinks
+# to point to the certificate files. Use the provided
+# Makefile to update the hash symlinks after changes.
+#SSLCARevocationPath "WAMPROOT/ssl.crl"
+#SSLCARevocationFile "WAMPROOT/ca-bundle.crl"
+
+# Client Authentication (Type):
+# Client certificate verification type and depth. Types are
+# none, optional, require and optional_no_ca. Depth is a
+# number which specifies how deeply to verify the certificate
+# issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth 10
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_ssl documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+#<FilesMatch "\.(cgi|shtml|phtml|php)$">
+# SSLOptions +StdEnvVars
+#</FilesMatch>
+#<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
+# SSLOptions +StdEnvVars
+#</Directory>
+
+# SSL Protocol Adjustments:
+# The safe and default but still SSL/TLS standard compliant shutdown
+# approach is that mod_ssl sends the close notify alert but doesn't wait for
+# the close notify alert from client. When you need a different shutdown
+# approach you can use one of the following variables:
+# o ssl-unclean-shutdown:
+# This forces an unclean shutdown when the connection is closed, i.e. no
+# SSL close notify alert is send or allowed to received. This violates
+# the SSL/TLS standard but is needed for some brain-dead browsers. Use
+# this when you receive I/O errors because of the standard approach where
+# mod_ssl sends the close notify alert.
+# o ssl-accurate-shutdown:
+# This forces an accurate shutdown when the connection is closed, i.e. a
+# SSL close notify alert is send and mod_ssl waits for the close notify
+# alert of the client. This is 100% SSL/TLS standard compliant, but in
+# practice often causes hanging connections with brain-dead browsers. Use
+# this only for browsers where you know that their SSL implementation
+# works correctly.
+# Notice: Most problems of broken clients are also related to the HTTP
+# keep-alive facility, so you usually additionally want to disable
+# keep-alive for those clients, too. Use variable "nokeepalive" for this.
+# Similarly, one has to force some clients to use HTTP/1.0 to workaround
+# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+# "force-response-1.0" for this.
+BrowserMatch ".*MSIE.*" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+</VirtualHost>
+
+
+Include "WAMPROOT/alias/*"
diff --git a/build/exe/doliwamp/index.php.install b/build/exe/doliwamp/index.php.install
index d2e53d6875e7d76226824bafe1326ac098ef0a56..44199db52d0d5317ed459ffa7eb234c9daec526c 100644
--- a/build/exe/doliwamp/index.php.install
+++ b/build/exe/doliwamp/index.php.install
@@ -19,7 +19,9 @@ $appDir = '../apps/';
// we set version of applications
$phpVersion = 'WAMPPHPVERSION';
+if ($phpVersion != phpversion()) $phpVersion .= ' ('.phpversion().')';
$apacheVersion = 'WAMPAPACHEVERSION';
+if ($apacheVersion != $_SERVER["SERVER_SOFTWARE"]) $apacheVersion .= ' ('.$_SERVER["SERVER_SOFTWARE"].')';
$mysqlVersion = 'WAMPMYSQLVERSION';
$apachePort = 'WAMPAPACHEPORT';
diff --git a/build/exe/doliwamp/openssl.conf b/build/exe/doliwamp/openssl.conf
new file mode 100644
index 0000000000000000000000000000000000000000..c053b07c508ece6a9ef329c34370bf02518baa49
--- /dev/null
+++ b/build/exe/doliwamp/openssl.conf
@@ -0,0 +1,90 @@
+####################################################################
+# Sample OpenSSL configuration file #
+####################################################################
+
+RANDFILE = C:\\dolibarr\\tmp\\.rnd
+
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+dir = C:\\dolibarr
+certs = $dir\\certs # Where the issued certs are kept
+crl_dir = $dir\\crl # Where the issued crl are kept
+database = $dir\\tmp\\index.txt # database index file.
+new_certs_dir = $dir\\tmp # default place for new certs.
+certificate = $dir\\ca_demo_dolibarr.crt # The CA certificate
+serial = $dir\\tmp\\serial # The current serial number
+crl = $dir\\crl.pem # The current CRL
+private_key = $dir\\ca_demo_dolibarr.key # The CA private key
+RANDFILE = $dir\\tmp\\.rand # private random number file
+
+x509_extensions = usr_cert # The extentions to add to the cert
+default_days = 7300 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = md5 # which md to use.
+preserve = no # keep passed DN ordering
+policy = policy_anything
+
+####################################################################
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 1024
+default_keyfile = myserver.key
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+string_mask = nombstr
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default =
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+localityName = Locality Name (eg, city)
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = MyCompany
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = Web administrators
+commonName = Common Name (eg, YOUR name)
+commonName_default = Webmaster
+commonName_max = 64
+emailAddress = Email Address
+emailAddress_max = 40
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+unstructuredName = An optional company name
+
+[ usr_cert ]
+basicConstraints = CA:FALSE
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:true
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always,issuer:always
+