mod_ssl.html.en revision f28cb43e0ae51d68dee099bbf7ddbc84252cbd7e
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 This file is generated from xml source: DO NOT EDIT
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 -->
<title>mod_ssl - Apache HTTP Server</title>
<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
<link href="/images/favicon.ico" rel="shortcut icon" /></head>
<body>
<div id="page-header">
<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="/faq/">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.3</p>
<img alt="" src="/images/feather.gif" /></div>
<div id="page-content">
<div id="preamble"><h1>Apache Module mod_ssl</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="/en/mod/mod_ssl.html" title="English">&nbsp;en&nbsp;</a></p>
</div>
<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Strong cryptography using the Secure Sockets
Layer (SSL) and Transport Layer Security (TLS) protocols</td></tr>
<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">Module&nbsp;Identifier:</a></th><td>ssl_module</td></tr>
<tr><th><a href="module-dict.html#SourceFile">Source&nbsp;File:</a></th><td>mod_ssl.c</td></tr></table>
<h3>Summary</h3>

<p>This module provides SSL v2/v3 and TLS v1 support for the Apache
HTTP Server. It was contributed by Ralf S. Engelschall based on his
mod_ssl project and originally derived from work by Ben Laurie.</p>

<p>This module relies on <a href="http://www.openssl.org/">OpenSSL</a>
to provide the cryptography engine.</p>

<p>Further details, discussion, and examples are provided in the
<a href="/ssl/">SSL documentation</a>.</p>
</div>
<div id="quickview"><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="/images/down.gif" /> <a href="#sslcacertificatefile">SSLCACertificateFile</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslcacertificatepath">SSLCACertificatePath</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslcadnrequestfile">SSLCADNRequestFile</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslcadnrequestpath">SSLCADNRequestPath</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslcarevocationfile">SSLCARevocationFile</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslcarevocationpath">SSLCARevocationPath</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslcertificatechainfile">SSLCertificateChainFile</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslcertificatefile">SSLCertificateFile</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslciphersuite">SSLCipherSuite</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslcryptodevice">SSLCryptoDevice</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslengine">SSLEngine</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslfips">SSLFIPS</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslhonorcipherorder">SSLHonorCipherOrder</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslinsecurerenegotiation">SSLInsecureRenegotiation</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslocspdefaultresponder">SSLOCSPDefaultResponder</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslocspenable">SSLOCSPEnable</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslocspoverrideresponder">SSLOCSPOverrideResponder</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#ssloptions">SSLOptions</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslpassphrasedialog">SSLPassPhraseDialog</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslprotocol">SSLProtocol</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslproxycacertificatefile">SSLProxyCACertificateFile</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslproxycarevocationfile">SSLProxyCARevocationFile</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslproxycarevocationpath">SSLProxyCARevocationPath</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslproxycheckpeercn">SSLProxyCheckPeerCN</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslproxycheckpeerexpire">SSLProxyCheckPeerExpire</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslproxyciphersuite">SSLProxyCipherSuite</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslproxyengine">SSLProxyEngine</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslproxymachinecertificatefile">SSLProxyMachineCertificateFile</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslproxymachinecertificatepath">SSLProxyMachineCertificatePath</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslproxyprotocol">SSLProxyProtocol</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslproxyverify">SSLProxyVerify</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslproxyverifydepth">SSLProxyVerifyDepth</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslrandomseed">SSLRandomSeed</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslrenegbuffersize">SSLRenegBufferSize</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslrequire">SSLRequire</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslrequiressl">SSLRequireSSL</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslsessioncache">SSLSessionCache</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslsessioncachetimeout">SSLSessionCacheTimeout</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslusername">SSLUserName</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslverifyclient">SSLVerifyClient</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#sslverifydepth">SSLVerifyDepth</a></li>
</ul>
<h3>Topics</h3>
<ul id="topics">
<li><img alt="" src="/images/down.gif" /> <a href="#envvars">Environment Variables</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#logformats">Custom Log Formats</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#notes">Request Notes</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#authzproviders">Authorization providers for use with Require</a></li>
</ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="envvars" id="envvars">Environment Variables</a></h2>

<p>This module exposes a large amount of SSL information as additional
environment variables in the SSI and CGI namespace. The generated variables are listed in
the table below. For backward compatibility the information can
be made available under different names, too. Look in the <a href="/ssl/ssl_compat.html">Compatibility</a> chapter for details on the
compatibility variables. Note that the <code>SSL_CLIENT_*</code> variables
describe whatever certificate the client presented; a script should rely on
them only when <code>SSL_CLIENT_VERIFY</code> is <code>SUCCESS</code>.</p>

<table class="bordered">

<tr>
 <th><a name="table3">Variable Name:</a></th>
 <th>Value Type:</th>
 <th>Description:</th>
</tr>
<tr><td><code>HTTPS</code></td> <td>flag</td> <td>HTTPS is being used.</td></tr>
<tr><td><code>SSL_PROTOCOL</code></td> <td>string</td> <td>The SSL protocol version (SSLv2, SSLv3, TLSv1)</td></tr>
<tr><td><code>SSL_SESSION_ID</code></td> <td>string</td> <td>The hex-encoded SSL session id</td></tr>
<tr><td><code>SSL_SESSION_RESUMED</code></td> <td>string</td> <td>Initial or Resumed SSL Session. Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use</td></tr>
<tr><td><code>SSL_SECURE_RENEG</code></td> <td>string</td> <td><code>true</code> if secure renegotiation is supported, else <code>false</code></td></tr>
<tr><td><code>SSL_CIPHER</code></td> <td>string</td> <td>The cipher specification name</td></tr>
<tr><td><code>SSL_CIPHER_EXPORT</code></td> <td>string</td> <td><code>true</code> if cipher is an export cipher</td></tr>
<tr><td><code>SSL_CIPHER_USEKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (actually used)</td></tr>
<tr><td><code>SSL_CIPHER_ALGKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (possible)</td></tr>
<tr><td><code>SSL_COMPRESS_METHOD</code></td> <td>string</td> <td>SSL compression method negotiated</td></tr>
<tr><td><code>SSL_VERSION_INTERFACE</code></td> <td>string</td> <td>The mod_ssl program version</td></tr>
<tr><td><code>SSL_VERSION_LIBRARY</code></td> <td>string</td> <td>The OpenSSL program version</td></tr>
<tr><td><code>SSL_CLIENT_M_VERSION</code></td> <td>string</td> <td>The version of the client certificate</td></tr>
<tr><td><code>SSL_CLIENT_M_SERIAL</code></td> <td>string</td> <td>The serial of the client certificate</td></tr>
<tr><td><code>SSL_CLIENT_S_DN</code></td> <td>string</td> <td>Subject DN in client's certificate</td></tr>
<tr><td><code>SSL_CLIENT_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of client's Subject DN</td></tr>
<tr><td><code>SSL_CLIENT_I_DN</code></td> <td>string</td> <td>Issuer DN of client's certificate</td></tr>
<tr><td><code>SSL_CLIENT_I_DN_</code><em>x509</em></td> <td>string</td> <td>Component of client's Issuer DN</td></tr>
<tr><td><code>SSL_CLIENT_V_START</code></td> <td>string</td> <td>Validity of client's certificate (start time)</td></tr>
<tr><td><code>SSL_CLIENT_V_END</code></td> <td>string</td> <td>Validity of client's certificate (end time)</td></tr>
<tr><td><code>SSL_CLIENT_V_REMAIN</code></td> <td>string</td> <td>Number of days until client's certificate expires</td></tr>
<tr><td><code>SSL_CLIENT_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of client's certificate</td></tr>
<tr><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr>
<tr><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr>
<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr>
<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr>
<tr><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr>
<tr><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr>
<tr><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr>
<tr><td><code>SSL_SERVER_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Subject DN</td></tr>
<tr><td><code>SSL_SERVER_I_DN</code></td> <td>string</td> <td>Issuer DN of server's certificate</td></tr>
<tr><td><code>SSL_SERVER_I_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Issuer DN</td></tr>
<tr><td><code>SSL_SERVER_V_START</code></td> <td>string</td> <td>Validity of server's certificate (start time)</td></tr>
<tr><td><code>SSL_SERVER_V_END</code></td> <td>string</td> <td>Validity of server's certificate (end time)</td></tr>
<tr><td><code>SSL_SERVER_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of server's certificate</td></tr>
<tr><td><code>SSL_SERVER_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of server's certificate</td></tr>
<tr><td><code>SSL_SERVER_CERT</code></td> <td>string</td> <td>PEM-encoded server certificate</td></tr>
</table>

<p><em>x509</em> specifies a component of an X.509 DN; one of
<code>C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email</code>. In Apache 2.1 and
later, <em>x509</em> may also include a numeric <code>_n</code>
suffix. If the DN in question contains multiple attributes of the
same name, this suffix is used as an index to select a particular
attribute. For example, where the server certificate subject DN
included two OU fields, <code>SSL_SERVER_S_DN_OU_0</code> and
<code>SSL_SERVER_S_DN_OU_1</code> could be used to reference each.</p>

<p><code>SSL_CLIENT_V_REMAIN</code> is only available in version 2.1
and later.</p>

<p>A number of additional environment variables can also be used
in <code class="directive">SSLRequire</code> expressions, or in custom log
formats:</p>

<div class="note"><pre>HTTP_USER_AGENT PATH_INFO AUTH_TYPE
HTTP_REFERER QUERY_STRING SERVER_SOFTWARE
HTTP_COOKIE REMOTE_HOST API_VERSION
HTTP_FORWARDED REMOTE_IDENT TIME_YEAR
HTTP_HOST IS_SUBREQ TIME_MON
HTTP_PROXY_CONNECTION DOCUMENT_ROOT TIME_DAY
HTTP_ACCEPT SERVER_ADMIN TIME_HOUR
THE_REQUEST SERVER_NAME TIME_MIN
REQUEST_FILENAME SERVER_PORT TIME_SEC
REQUEST_METHOD SERVER_PROTOCOL TIME_WDAY
REQUEST_SCHEME REMOTE_ADDR TIME
REQUEST_URI REMOTE_USER</pre></div>

<p>In these contexts, two special formats can also be used:</p>

<dl>
 <dt><code>ENV:<em>variablename</em></code></dt>
 <dd>This will expand to the standard environment
 variable <em>variablename</em>.</dd>

 <dt><code>HTTP:<em>headername</em></code></dt>
 <dd>This will expand to the value of the request header with name
 <em>headername</em>.</dd>
</dl>
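<p>The following Python CGI script is an added example, not code from the Apache HTTP Server project or this manual, of how a script should consume the variables in the table above: it trusts the <code>SSL_CLIENT_*</code> fields only when <code>SSL_CLIENT_VERIFY</code> is <code>SUCCESS</code>, pins the issuing CA through <code>SSL_CLIENT_I_DN_CN</code>, and reads repeated Subject DN attributes through the indexed <code>_n</code> form so that a second <code>OU</code> is not silently ignored. The environment dictionary, the CA name and the OU values are constructed for the example.</p>

```python
"""Consume the SSL_* variables mod_ssl exports to CGI and SSI scripts.

Added example; it is not code from the Apache HTTP Server project.  The
environment below is constructed by hand to mimic what mod_ssl would set
for a request that presented a client certificate with two OU attributes.
"""
import os
import re

# SSL_CLIENT_S_DN_<x509> with an optional numeric _n suffix that selects
# one of several attributes of the same name (e.g. OU_0, OU_1).
_DN_COMPONENT = re.compile(r"^SSL_CLIENT_S_DN_([A-Za-z]+)(?:_(\d+))?$")

# Constructed sample environment (what os.environ would hold inside a CGI).
SAMPLE_ENV = {
    "HTTPS": "on",
    "SSL_PROTOCOL": "TLSv1",
    "SSL_CIPHER": "DHE-RSA-AES256-SHA",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=DE/O=Example GmbH/OU=Engineering/OU=Platform/CN=alice",
    "SSL_CLIENT_S_DN_C": "DE",
    "SSL_CLIENT_S_DN_O": "Example GmbH",
    "SSL_CLIENT_S_DN_OU_0": "Engineering",
    "SSL_CLIENT_S_DN_OU_1": "Platform",
    "SSL_CLIENT_S_DN_CN": "alice",
    "SSL_CLIENT_I_DN": "/C=DE/O=Example GmbH/CN=Example Internal CA",
    "SSL_CLIENT_I_DN_CN": "Example Internal CA",
    "SSL_CLIENT_V_REMAIN": "42",
}


def client_cert_identity(env):
    """Return (subject_dn, {attr: [values]}) for a verified client certificate,
    or None when nothing in SSL_CLIENT_* may be trusted.

    Only SSL_CLIENT_VERIFY == "SUCCESS" means the chain validated against the
    configured CA certificates.  NONE (no certificate), GENEROUS (certificate
    accepted without CA validation, i.e. SSLVerifyClient optional_no_ca) and
    FAILED:<reason> all leave the DN fields under the remote peer's control.
    """
    if env.get("HTTPS") != "on" or env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    found = {}                                   # attr -> {index: value}
    for name, value in env.items():
        m = _DN_COMPONENT.match(name)
        if m:
            attr, idx = m.group(1), m.group(2)
            found.setdefault(attr, {})[int(idx) if idx is not None else -1] = value
    components = {}
    for attr, by_index in found.items():
        indexed = [by_index[i] for i in sorted(i for i in by_index if i >= 0)]
        components[attr] = indexed or [by_index[-1]]  # fall back to the unindexed form
    return env.get("SSL_CLIENT_S_DN"), components


def authorize(env, trusted_issuer_cn, required_ou):
    """Return the user name to run the request as, or None to deny.

    Besides a verified chain, pin the issuer (SSLCACertificateFile may hold
    several CAs, and a certificate from any of them verifies as SUCCESS) and
    require a specific OU, checked against every indexed OU_n value.
    """
    identity = client_cert_identity(env)
    if identity is None:
        return None
    _dn, components = identity
    if env.get("SSL_CLIENT_I_DN_CN") != trusted_issuer_cn:
        return None
    if required_ou not in components.get("OU", []):
        return None
    cn = components.get("CN")
    return cn[0] if cn else None


if __name__ == "__main__":
    # Inside Apache the environment is os.environ; the constructed sample is
    # used when the script is run outside of a CGI context.
    env = os.environ if "SSL_CLIENT_VERIFY" in os.environ else SAMPLE_ENV
    user = authorize(env, "Example Internal CA", "Platform")
    print("Status: 200 OK" if user else "Status: 403 Forbidden")
    print("Content-Type: text/plain\n")
    print("user:", user, "identity:", client_cert_identity(env))
```

The issuer pin matters whenever <code>SSLCACertificateFile</code> or <code>SSLCACertificatePath</code> contains more than one CA: <code>SUCCESS</code> only says that some configured CA signed the chain, not which one.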

</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="logformats" id="logformats">Custom Log Formats</a></h2>

<p>When <code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> is built into Apache or at least
loaded (as a DSO), additional functions exist for the <a href="mod_log_config.html#formats">Custom Log Format</a> of
<code class="module"><a href="/mod/mod_log_config.html">mod_log_config</a></code>. First there is an
additional ``<code>%{</code><em>varname</em><code>}x</code>''
eXtension format function which can be used to expand any variable
provided by any module, in particular those provided by mod_ssl that
are listed in the table above.</p>
<p>
For backward compatibility there is additionally a special
``<code>%{</code><em>name</em><code>}c</code>'' cryptography format function
provided. Information about this function is provided in the <a href="/ssl/ssl_compat.html">Compatibility</a> chapter.</p>
<div class="example"><h3>Example</h3><p><code>
CustomLog logs/ssl_request_log \
 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</code></p></div>
</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="notes" id="notes">Request Notes</a></h2>

<p><code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> sets "notes" for the request which can be
used in logging with the <code>%{<em>name</em>}n</code> format
string in <code class="module"><a href="/mod/mod_log_config.html">mod_log_config</a></code>.</p>

<p>The notes supported are as follows:</p>

<dl>
 <dt><code>ssl-access-forbidden</code></dt>
 <dd>This note is set to the value <code>1</code> if access was
 denied due to an <code class="directive">SSLRequire</code>
 or <code class="directive">SSLRequireSSL</code> directive.</dd>

 <dt><code>ssl-secure-reneg</code></dt>
 <dd>If <code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> is built against a version of
 OpenSSL which supports the secure renegotiation extension, this note
 is set to the value <code>1</code> if SSL is in use for the current
 connection, and the client also supports the secure renegotiation
 extension. If the client does not support the secure renegotiation
 extension, the note is set to the value <code>0</code>.
 If <code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> is not built against a version of
 OpenSSL which supports secure renegotiation, or if SSL is not in use
 for the current connection, the note is not set.</dd>
</dl>
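<p>As an added example that is not part of this manual or of the Apache project, the following Python script audits the <code>ssl_request_log</code> produced by the <code>CustomLog</code> format shown under Custom Log Formats: it flags legacy protocol versions, weak OpenSSL cipher names and, when a line carries one extra trailing <code>%{ssl-secure-reneg}n</code> field (an assumed extension of that format, illustrating the request note above), clients that lack the secure renegotiation extension. The log lines are constructed, not captured from a real server.</p>

```python
"""Audit the ssl_request_log written by mod_ssl for weak negotiations.

Added example, not code from the Apache HTTP Server project.  It parses the
format shown in the manual's CustomLog example,

    %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b

optionally followed by one more field, %{ssl-secure-reneg}n, which is an
assumed extension of that format.  The log lines below are constructed.
"""
import re
import sys
from collections import Counter

LINE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<bytes>\S+)'   # %r is "-escaped by mod_log_config
    r'(?: (?P<reneg>\S+))?$'
)

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}

# OpenSSL cipher-name patterns that identify a weak suite: export grade,
# no encryption, anonymous (unauthenticated) key exchange, RC4, single DES.
WEAK_CIPHER_CHECKS = (
    ("export-grade", lambda c: c.startswith(("EXP-", "EXP1024-"))),
    ("null-encryption", lambda c: c.startswith("NULL-")),
    ("anonymous-kx", lambda c: c.startswith(("ADH-", "AECDH-"))),
    ("rc4", lambda c: "RC4" in c),
    ("single-des", lambda c: "DES-CBC-" in c and "DES-CBC3" not in c),
)

# Constructed sample log (not captured from a real server).
SAMPLE_LOG = """\
[10/Oct/2010:13:55:36 +0200] 192.0.2.10 TLSv1 DHE-RSA-AES256-SHA "GET /index.html HTTP/1.1" 2326 1
[10/Oct/2010:13:55:37 +0200] 192.0.2.11 SSLv3 EXP-RC4-MD5 "GET /login HTTP/1.0" 512 0
[10/Oct/2010:13:55:38 +0200] 192.0.2.12 SSLv2 DES-CBC-SHA "POST /api HTTP/1.0" -
[10/Oct/2010:13:55:39 +0200] 192.0.2.13 TLSv1 ADH-AES128-SHA "GET /x?q=\\"1\\" HTTP/1.1" 17 1
[10/Oct/2010:13:55:40 +0200] 192.0.2.14 - - "GET / HTTP/1.1" 44
garbage that is not a log line
""".splitlines()


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does
    not match the format (e.g. it was written by a different CustomLog)."""
    m = LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def findings_for(rec):
    """List the weaknesses visible in one parsed record."""
    out = []
    if rec["proto"] == "-":
        return out                  # no SSL on this connection (plain-HTTP vhost)
    if rec["proto"] in LEGACY_PROTOCOLS:
        out.append("legacy-protocol:" + rec["proto"])
    for label, matches in WEAK_CIPHER_CHECKS:
        if matches(rec["cipher"]):
            out.append(label + ":" + rec["cipher"])
    if rec.get("reneg") == "0":     # %{ssl-secure-reneg}n == 0: client lacks the extension
        out.append("client-lacks-secure-renegotiation")
    return out


def audit(lines):
    """Return ([(host, request, findings), ...], Counter of finding kinds)."""
    per_line, summary = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        found = findings_for(rec)
        if found:
            per_line.append((rec["host"], rec["request"], found))
            summary.update(f.split(":", 1)[0] for f in found)
    return per_line, summary


def main(argv):
    lines = open(argv[1]) if len(argv) > 1 else SAMPLE_LOG
    per_line, summary = audit(lines)
    for host, request, found in per_line:
        print(host, request, ", ".join(found))
    print("summary:", dict(summary))
    return 1 if per_line else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path of a real <code>ssl_request_log</code> as the only argument; with no argument it audits the constructed sample. A non-zero exit status makes it usable as a periodic check that a tightened <code>SSLProtocol</code> or <code>SSLCipherSuite</code> actually took effect.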

</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="authzproviders" id="authzproviders">Authorization providers for use with Require</a></h2>

 <p><code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> provides a few authorization providers for use
 with <code class="module"><a href="/mod/mod_authz_core.html">mod_authz_core</a></code>'s
 <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code> directive.</p>

 <h3><a name="reqssl" id="reqssl">Require ssl</a></h3>

 <p>The <code>ssl</code> provider denies access if a connection is not
 encrypted with SSL. This is similar to the
 <code class="directive">SSLRequireSSL</code> directive.</p>

 <div class="example"><p><code>
 Require ssl
 </code></p></div>



 <h3><a name="reqverifyclient" id="reqverifyclient">Require ssl-verify-client</a></h3>

58b671de3fe578346fef9642ffa3c5a0a0edb3cbTill Mossakowski <p>The <code>ssl</code> provider allows access if the user is
0799b5dc3f06d2640e66e9ab54b8b217348fd719Christian Maeder authenticated with a valid client certificate. This is only
95c3e5d11dcee331dc3876a9bf0c1d6daa38e2caChristian Maeder useful if <code>SSLVerifyClient optional</code> is in effect.</p>
db7143998eee23e3d781f1f1e97e953bb831df1fTill Mossakowski
58b671de3fe578346fef9642ffa3c5a0a0edb3cbTill Mossakowski <p>The following example grants access if the user is authenticated
242691238a8d1a89581751d782af87ec5d7470c0Till Mossakowski either with a client certificate or by username and password.</p>
7f4c380d6b38e229de365db3c84be767515a3386Jorina Freya Gerken
7f4c380d6b38e229de365db3c84be767515a3386Jorina Freya Gerken <div class="example"><p><code>
95c3e5d11dcee331dc3876a9bf0c1d6daa38e2caChristian Maeder Require ssl-verify-client<br />
95c3e5d11dcee331dc3876a9bf0c1d6daa38e2caChristian Maeder Require valid-user
95c3e5d11dcee331dc3876a9bf0c1d6daa38e2caChristian Maeder </code></p></div>
95c3e5d11dcee331dc3876a9bf0c1d6daa38e2caChristian Maeder
95c3e5d11dcee331dc3876a9bf0c1d6daa38e2caChristian Maeder
95c3e5d11dcee331dc3876a9bf0c1d6daa38e2caChristian Maeder
95c3e5d11dcee331dc3876a9bf0c1d6daa38e2caChristian Maeder</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLCACertificateFile" id="SSLCACertificateFile">SSLCACertificateFile</a> <a name="sslcacertificatefile" id="sslcacertificatefile">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of concatenated PEM-encoded CA Certificates
for Client Auth</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCACertificateFile <em>file-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets the <em>all-in-one</em> file where you can assemble the
Certificates of Certification Authorities (CA) whose <em>clients</em> you deal
with. These are used to verify client certificates during Client
Authentication. Such a file is simply the concatenation of the various
PEM-encoded Certificate files, in order of preference. This can be used
alternatively and/or additionally to
<code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code>.</p>
<div class="example"><h3>Example</h3><p><code>
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLCACertificatePath" id="SSLCACertificatePath">SSLCACertificatePath</a> <a name="sslcacertificatepath" id="sslcacertificatepath">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Directory of PEM-encoded CA Certificates for
Client Auth</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCACertificatePath <em>directory-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets the directory where you keep the Certificates of
Certification Authorities (CAs) whose clients you deal with. These are used to
verify the client certificate during Client Authentication.</p>
<p>
The files in this directory have to be PEM-encoded and are accessed through
hash filenames, so usually you can't just place the Certificate files
there: you also have to create symbolic links named
<em>hash-value</em><code>.N</code>, and you should always make sure this directory
contains the appropriate symbolic links. Use the <code>Makefile</code> which
comes with mod_ssl to accomplish this task.</p>
<div class="example"><h3>Example</h3><p><code>
SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLCADNRequestFile" id="SSLCADNRequestFile">SSLCADNRequestFile</a> <a name="sslcadnrequestfile" id="sslcadnrequestfile">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of concatenated PEM-encoded CA Certificates
for defining acceptable CA names</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCADNRequestFile <em>file-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>When a client certificate is requested by mod_ssl, a list of
<em>acceptable Certificate Authority names</em> is sent to the client
in the SSL handshake. These CA names can be used by the client to
select an appropriate client certificate out of those it has
available.</p>

<p>If neither <code class="directive"><a href="#sslcadnrequestpath">SSLCADNRequestPath</a></code> nor <code class="directive"><a href="#sslcadnrequestfile">SSLCADNRequestFile</a></code> is given, then the
set of acceptable CA names sent to the client is the names of all the
CA certificates given by the <code class="directive"><a href="#sslcacertificatefile">SSLCACertificateFile</a></code> and <code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code> directives; in other
words, the names of the CAs which will actually be used to verify the
client certificate.</p>

<p>In some circumstances, it is useful to be able to send a set of
acceptable CA names which differs from the actual CAs used to verify
the client certificate: for example, when the client certificates are
signed by intermediate CAs. In such cases, <code class="directive"><a href="#sslcadnrequestpath">SSLCADNRequestPath</a></code> and/or <code class="directive"><a href="#sslcadnrequestfile">SSLCADNRequestFile</a></code> can be used; the
acceptable CA names are then taken from the complete set of
certificates in the directory and/or file specified by this pair of
directives.</p>

<p><code class="directive"><a href="#sslcadnrequestfile">SSLCADNRequestFile</a></code> must
specify an <em>all-in-one</em> file containing a concatenation of
PEM-encoded CA certificates.</p>

<div class="example"><h3>Example</h3><p><code>
SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLCADNRequestPath" id="SSLCADNRequestPath">SSLCADNRequestPath</a> <a name="sslcadnrequestpath" id="sslcadnrequestpath">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Directory of PEM-encoded CA Certificates for
defining acceptable CA names</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCADNRequestPath <em>directory-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>

<p>This optional directive can be used to specify the set of
<em>acceptable CA names</em> which will be sent to the client when a
client certificate is requested. See the <code class="directive"><a href="#sslcadnrequestfile">SSLCADNRequestFile</a></code> directive for more
details.</p>

<p>The files in this directory have to be PEM-encoded and are accessed
through hash filenames, so usually you can't just place the
Certificate files there: you also have to create symbolic links named
<em>hash-value</em><code>.N</code>, and you should always make sure
this directory contains the appropriate symbolic links. Use the
<code>Makefile</code> which comes with mod_ssl to accomplish this
task.</p>
<div class="example"><h3>Example</h3><p><code>
SSLCADNRequestPath /usr/local/apache2/conf/ca-names.crt/
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLCARevocationFile" id="SSLCARevocationFile">SSLCARevocationFile</a> <a name="sslcarevocationfile" id="sslcarevocationfile">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of concatenated PEM-encoded CA CRLs for
Client Auth</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCARevocationFile <em>file-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets the <em>all-in-one</em> file where you can
assemble the Certificate Revocation Lists (CRL) of Certification
Authorities (CA) whose <em>clients</em> you deal with. These are used
to check client certificates for revocation during Client
Authentication. Such a file is simply the concatenation of
the various PEM-encoded CRL files, in order of preference. This can be
used alternatively and/or additionally to <code class="directive"><a href="#sslcarevocationpath">SSLCARevocationPath</a></code>.</p>
<div class="example"><h3>Example</h3><p><code>
SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-client.crl
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLCARevocationPath" id="SSLCARevocationPath">SSLCARevocationPath</a> <a name="sslcarevocationpath" id="sslcarevocationpath">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Directory of PEM-encoded CA CRLs for
Client Auth</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCARevocationPath <em>directory-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets the directory where you keep the Certificate Revocation
Lists (CRL) of Certification Authorities (CAs) whose clients you deal with.
These are used to check the client certificate for revocation during Client
Authentication.</p>
<p>
The files in this directory have to be PEM-encoded and are accessed through
hash filenames, so usually you can't just place the CRL files there:
you also have to create symbolic links named
<em>hash-value</em><code>.rN</code>, and you should always make sure this directory
contains the appropriate symbolic links. Use the <code>Makefile</code> which
comes with <code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> to accomplish this task.</p>
<div class="example"><h3>Example</h3><p><code>
SSLCARevocationPath /usr/local/apache2/conf/ssl.crl/
</code></p></div>

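<p>The symbolic-link maintenance described above for <code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code> and <code class="directive"><a href="#sslcadnrequestpath">SSLCADNRequestPath</a></code> (links named <em>hash-value</em><code>.N</code>) and for <code class="directive"><a href="#sslcarevocationpath">SSLCARevocationPath</a></code> (links named <em>hash-value</em><code>.rN</code>), as an added POSIX shell example that is not the <code>Makefile</code> shipped with mod_ssl. It assumes the <code>openssl</code> command-line tool is on <code>PATH</code>, that certificate files end in <code>.crt</code> and CRL files in <code>.crl</code>, and the helper names <code>link_hashed</code> and <code>count_links</code> are its own; the hash value is whatever <code>openssl x509 -hash</code> or <code>openssl crl -hash</code> prints, and <code>N</code> counts up when two different files share a hash.</p>

```shell
#!/bin/sh
# Create the hash-named symbolic links that mod_ssl expects in a
# SSLCACertificatePath / SSLCADNRequestPath directory (<hash>.N) or in a
# SSLCARevocationPath directory (<hash>.rN). Added example, not the Makefile
# shipped with mod_ssl; assumes the openssl command-line tool is on PATH.
set -eu

# link_hashed DIR KIND
#   KIND "crt": link every DIR/*.crt certificate as <hash>.N
#   KIND "crl": link every DIR/*.crl CRL as <hash>.rN
# The hash is derived from the certificate's subject name (or the CRL's
# issuer name), so two different files can share it; N (0, 1, 2, ...)
# tells them apart, which is why a renewed CA with the same DN gets .1.
link_hashed() {
    dir=$1
    kind=$2
    case $kind in
        crt) ossl=x509; suffix='' ;;
        crl) ossl=crl;  suffix=r ;;
        *)   echo "link_hashed: KIND must be crt or crl" >&2; return 1 ;;
    esac

    # Drop the links from a previous run so a rotated CA or CRL cannot
    # leave a stale link behind; regular files are never touched.
    for old in "$dir"/*."$suffix"[0-9]*; do
        if [ -L "$old" ]; then rm -f "$old"; fi
    done

    seen=''
    for f in "$dir"/*."$kind"; do
        [ -f "$f" ] || continue
        # Skip byte-identical duplicates: a second copy of the same CA
        # certificate would only produce a pointless extra link.
        fp=$(openssl "$ossl" -noout -fingerprint -sha256 -in "$f" | cut -d= -f2)
        case " $seen " in *" $fp "*) continue ;; esac
        seen="$seen $fp"

        hash=$(openssl "$ossl" -noout -hash -in "$f")
        n=0
        while [ -e "$dir/$hash.$suffix$n" ]; do
            n=$((n + 1))
        done
        # Relative link target, so the directory can be moved as a whole.
        ln -s "$(basename "$f")" "$dir/$hash.$suffix$n"
        echo "$hash.$suffix$n -> $(basename "$f")"
    done
}

# count_links DIR KIND  -- number of hash links present, for a sanity check
count_links() {
    case $2 in crt) suffix='' ;; crl) suffix=r ;; *) return 1 ;; esac
    n=0
    for l in "$1"/*."$suffix"[0-9]*; do
        if [ -L "$l" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}
```

Run it after every change to the directory (the script is idempotent), then reload the server so mod_ssl re-reads the links.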
</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLCertificateChainFile" id="SSLCertificateChainFile">SSLCertificateChainFile</a> <a name="sslcertificatechainfile" id="sslcertificatechainfile">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of PEM-encoded Server CA Certificates</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateChainFile <em>file-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets the optional <em>all-in-one</em> file where you can
assemble the certificates of Certification Authorities (CA) which form the
certificate chain of the server certificate. This starts with the issuing CA
certificate of the server certificate and can range up to the root CA
certificate. Such a file is simply the concatenation of the various
PEM-encoded CA Certificate files, usually in certificate chain order.</p>
<p>
This should be used alternatively and/or additionally to <code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code> for explicitly
constructing the server certificate chain which is sent to the browser
in addition to the server certificate. It is especially useful to
avoid conflicts with CA certificates when using client
authentication: although placing a CA certificate of the
server certificate chain into <code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code> has the same effect
on the certificate chain construction, it has the side effect that
client certificates issued by this same CA certificate are also
accepted on client authentication.</p>
<p>
But be careful: providing the certificate chain works only if you are using a
<em>single</em> RSA <em>or</em> DSA based server certificate. If you are
using a coupled RSA+DSA certificate pair, this will work only if both
certificates actually use the <em>same</em> certificate chain. Otherwise
browsers will be confused.</p>
<div class="example"><h3>Example</h3><p><code>
SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt
</code></p></div>

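<p>A check of the ordering rule above, as an added POSIX shell example that is not part of mod_ssl: it assumes the <code>openssl</code> command-line tool is on <code>PATH</code>, splits the <code class="directive"><a href="#sslcertificatechainfile">SSLCertificateChainFile</a></code> bundle into its certificates, and confirms that the first one issued the <code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code> certificate and that each further one issued the certificate before it. The helper names <code>name_of</code> and <code>check_chain</code> are its own; it compares names only and does not verify signatures.</p>

```shell
#!/bin/sh
# Check that the bundle given to SSLCertificateChainFile is in certificate
# chain order: its first certificate must be the issuer of the server
# certificate (SSLCertificateFile), and each following certificate must be
# the issuer of the one before it. Added example, not part of mod_ssl;
# assumes the openssl command-line tool is on PATH. Only names are compared;
# signatures are not verified (use "openssl verify" for that).
set -eu

# name_of FILE subject|issuer  -- the DN in single-line RFC 2253 form
name_of() {
    openssl x509 -noout "-$2" -nameopt RFC2253 -in "$1" | sed 's/^[a-z]*= *//'
}

# check_chain SERVER_CRT CHAIN_FILE
#   returns 0 if every link holds, 1 on an empty bundle or an out-of-order
#   or foreign certificate
check_chain() {
    server=$1
    chain=$2
    work=$(mktemp -d)

    # Split the concatenated PEM bundle into one numbered file per
    # certificate, preserving the order in which they appear.
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%04d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$chain"

    expect=$(name_of "$server" issuer)
    rc=0
    i=0
    subj=''
    for part in "$work"/*.pem; do
        [ -f "$part" ] || continue
        i=$((i + 1))
        subj=$(name_of "$part" subject)
        if [ "$subj" != "$expect" ]; then
            echo "entry $i of $chain is '$subj', but the certificate before it was issued by '$expect'" >&2
            rc=1
            break
        fi
        expect=$(name_of "$part" issuer)
    done
    rm -rf "$work"

    if [ "$i" -eq 0 ]; then
        echo "no certificates found in $chain" >&2
        return 1
    fi
    if [ "$rc" -eq 0 ]; then
        if [ "$subj" = "$expect" ]; then
            echo "chain of $i certificate(s) is in order and ends at the self-signed root '$subj'"
        else
            # mod_ssl allows the chain to stop below the root; clients must
            # then hold the next issuer in their own trust store.
            echo "chain of $i certificate(s) is in order; it ends at '$subj', whose issuer '$expect' clients must already trust"
        fi
    fi
    return "$rc"
}
```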
</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLCertificateFile" id="SSLCertificateFile">SSLCertificateFile</a> <a name="sslcertificatefile" id="sslcertificatefile">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded X.509 Certificate file</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateFile <em>file-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive points to the PEM-encoded Certificate file for the server and
optionally also to the corresponding RSA or DSA Private Key for it
(contained in the same file). If the contained Private Key is encrypted, the
Pass Phrase dialog is forced at startup time. This directive can be used up to
two times (referencing different filenames) when both an RSA and a DSA based
server certificate are used in parallel.</p>
<div class="example"><h3>Example</h3><p><code>
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLCertificateKeyFile" id="SSLCertificateKeyFile">SSLCertificateKeyFile</a> <a name="sslcertificatekeyfile" id="sslcertificatekeyfile">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded Private Key file</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateKeyFile <em>file-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive points to the PEM-encoded Private Key file for the
server. If the Private Key is not combined with the Certificate in the
<code class="directive">SSLCertificateFile</code>, use this additional directive to
point to the file with the stand-alone Private Key. When
<code class="directive">SSLCertificateFile</code> is used and the file
contains both the Certificate and the Private Key, this directive need
not be used. However, we strongly discourage that practice; instead we
recommend that you keep the Certificate and the Private Key in separate
files. If the contained Private Key is encrypted, the Pass Phrase dialog
is forced at startup time. This directive can be used up to two times
(referencing different filenames) when both an RSA and a DSA based
private key are used in parallel.</p>
<div class="example"><h3>Example</h3><p><code>
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
</code></p></div>

</div>
95c3e5d11dcee331dc3876a9bf0c1d6daa38e2caChristian Maeder<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
9d34a8049237647d0188ee2ec88db2dc45f1f848Till Mossakowski<div class="directive-section"><h2><a name="SSLCipherSuite" id="SSLCipherSuite">SSLCipherSuite</a> <a name="sslciphersuite" id="sslciphersuite">Directive</a></h2>
9d34a8049237647d0188ee2ec88db2dc45f1f848Till Mossakowski<table class="directive">
95c3e5d11dcee331dc3876a9bf0c1d6daa38e2caChristian Maeder<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Cipher Suite available for negotiation in SSL
9d34a8049237647d0188ee2ec88db2dc45f1f848Till Mossakowskihandshake</td></tr>
e379124f467e5d0ef7d3c0ca238bff0521f70831Till Mossakowski<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCipherSuite <em>cipher-spec</em></code></td></tr>
e379124f467e5d0ef7d3c0ca238bff0521f70831Till Mossakowski<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code></td></tr>
9d34a8049237647d0188ee2ec88db2dc45f1f848Till Mossakowski<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
9d34a8049237647d0188ee2ec88db2dc45f1f848Till Mossakowski<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
95c3e5d11dcee331dc3876a9bf0c1d6daa38e2caChristian Maeder<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
95c3e5d11dcee331dc3876a9bf0c1d6daa38e2caChristian Maeder<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
9d34a8049237647d0188ee2ec88db2dc45f1f848Till Mossakowski</table>
9d34a8049237647d0188ee2ec88db2dc45f1f848Till Mossakowski<p>
This complex directive uses a colon-separated <em>cipher-spec</em> string
consisting of OpenSSL cipher specifications to configure the Cipher Suite the
client is permitted to negotiate in the SSL handshake phase. Notice that this
directive can be used both in per-server and per-directory context. In
per-server context it applies to the standard SSL handshake when a connection
is established. In per-directory context it forces an SSL renegotiation with the
reconfigured Cipher Suite after the HTTP request has been read but before the HTTP
response is sent.</p>
<p>
An SSL cipher specification in <em>cipher-spec</em> is composed of 4 major
attributes plus a few extra minor ones:</p>
<ul>
<li><em>Key Exchange Algorithm</em>:<br />
 RSA or Diffie-Hellman variants.
</li>
<li><em>Authentication Algorithm</em>:<br />
 RSA, Diffie-Hellman, DSS or none.
</li>
<li><em>Cipher/Encryption Algorithm</em>:<br />
 DES, Triple-DES, RC4, RC2, IDEA or none.
</li>
<li><em>MAC Digest Algorithm</em>:<br />
 MD5, SHA or SHA1.
</li>
</ul>
<p>An SSL cipher can also be an export cipher and is either an SSLv2 or SSLv3/TLSv1
cipher (here TLSv1 is equivalent to SSLv3). To specify which ciphers to use,
one can either specify all the Ciphers, one at a time, or use aliases to
specify the preference and order for the ciphers (see <a href="#table1">Table
1</a>).</p>

<table class="bordered">

<tr><th><a name="table1">Tag</a></th> <th>Description</th></tr>
<tr><td colspan="2"><em>Key Exchange Algorithm:</em></td></tr>
<tr><td><code>kRSA</code></td> <td>RSA key exchange</td></tr>
<tr><td><code>kDHr</code></td> <td>Diffie-Hellman key exchange with RSA key</td></tr>
<tr><td><code>kDHd</code></td> <td>Diffie-Hellman key exchange with DSA key</td></tr>
<tr><td><code>kEDH</code></td> <td>Ephemeral (temp.key) Diffie-Hellman key exchange (no cert)</td> </tr>
<tr><td colspan="2"><em>Authentication Algorithm:</em></td></tr>
<tr><td><code>aNULL</code></td> <td>No authentication</td></tr>
<tr><td><code>aRSA</code></td> <td>RSA authentication</td></tr>
<tr><td><code>aDSS</code></td> <td>DSS authentication</td> </tr>
<tr><td><code>aDH</code></td> <td>Diffie-Hellman authentication</td></tr>
<tr><td colspan="2"><em>Cipher Encryption Algorithm:</em></td></tr>
<tr><td><code>eNULL</code></td> <td>No encryption</td> </tr>
<tr><td><code>DES</code></td> <td>DES encryption</td> </tr>
<tr><td><code>3DES</code></td> <td>Triple-DES encryption</td> </tr>
<tr><td><code>RC4</code></td> <td>RC4 encryption</td> </tr>
<tr><td><code>RC2</code></td> <td>RC2 encryption</td> </tr>
<tr><td><code>IDEA</code></td> <td>IDEA encryption</td> </tr>
<tr><td colspan="2"><em>MAC Digest Algorithm</em>:</td></tr>
<tr><td><code>MD5</code></td> <td>MD5 hash function</td></tr>
<tr><td><code>SHA1</code></td> <td>SHA1 hash function</td></tr>
<tr><td><code>SHA</code></td> <td>SHA hash function</td> </tr>
<tr><td colspan="2"><em>Aliases:</em></td></tr>
<tr><td><code>SSLv2</code></td> <td>all SSL version 2.0 ciphers</td></tr>
<tr><td><code>SSLv3</code></td> <td>all SSL version 3.0 ciphers</td> </tr>
<tr><td><code>TLSv1</code></td> <td>all TLS version 1.0 ciphers</td> </tr>
<tr><td><code>EXP</code></td> <td>all export ciphers</td> </tr>
<tr><td><code>EXPORT40</code></td> <td>all 40-bit export ciphers only</td> </tr>
<tr><td><code>EXPORT56</code></td> <td>all 56-bit export ciphers only</td> </tr>
<tr><td><code>LOW</code></td> <td>all low strength ciphers (no export, single DES)</td></tr>
<tr><td><code>MEDIUM</code></td> <td>all ciphers with 128 bit encryption</td> </tr>
<tr><td><code>HIGH</code></td> <td>all ciphers using Triple-DES</td> </tr>
<tr><td><code>RSA</code></td> <td>all ciphers using RSA key exchange</td> </tr>
<tr><td><code>DH</code></td> <td>all ciphers using Diffie-Hellman key exchange</td> </tr>
<tr><td><code>EDH</code></td> <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr>
<tr><td><code>ADH</code></td> <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr>
<tr><td><code>DSS</code></td> <td>all ciphers using DSS authentication</td> </tr>
<tr><td><code>NULL</code></td> <td>all ciphers using no encryption</td> </tr>
</table>
<p>
These tags become useful when they are combined to specify both the
ciphers you wish to use and their order. As a shortcut, there are also
aliases (<code>SSLv2, SSLv3, TLSv1, EXP, LOW, MEDIUM,
HIGH</code>) for certain groups of ciphers. Tags can be joined
together with prefixes to form the <em>cipher-spec</em>. Available
prefixes are:</p>
<ul>
<li>none: add the cipher to the list</li>
<li><code>+</code>: add the ciphers to the list and pull them to the current location in the list</li>
<li><code>-</code>: remove the cipher from the list (it can be added again later)</li>
<li><code>!</code>: kill the cipher from the list completely (it can <strong>not</strong> be added again later)</li>
</ul>
<p>A simpler way to look at all of this is to use the "<code>openssl ciphers
-v</code>" command, which provides a convenient way to build up the
correct <em>cipher-spec</em> string step by step. The default <em>cipher-spec</em> string
is "<code>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>", which
means the following: first, remove from consideration any ciphers that do not
authenticate, i.e. for SSL only the Anonymous Diffie-Hellman ciphers. Next,
use ciphers using RC4 and RSA. Next include the high, medium and then the low
security ciphers. Finally, <em>pull</em> all SSLv2 and export ciphers to the
end of the list.</p>
<div class="example"><pre>
$ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
... ... ... ... ...
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
</pre></div>
<p>The complete list of particular RSA &amp; DH ciphers for SSL is given in <a href="#table2">Table 2</a>.</p>
<div class="example"><h3>Example</h3><p><code>
SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
</code></p></div>
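<p>To make the prefix rules concrete, here is an added Python model (not mod_ssl or OpenSSL code) that applies a <em>cipher-spec</em> to a constructed subset of Table 2 and renders the result in the format of the <code>openssl ciphers -v</code> output above. It assumes OpenSSL's semantics for <code>+</code>, which only moves ciphers already in the list to the end (the pull described above, without an add), and OpenSSL's definition of <code>LOW</code> (56- or 64-bit keys, export excluded).</p>

```python
"""Toy evaluator for SSLCipherSuite cipher-spec prefixes (added example, not mod_ssl/OpenSSL code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str
    proto: str      # "SSLv2" or "SSLv3" (TLSv1 is treated as SSLv3, as the text says)
    kx: str         # key exchange: "RSA" or "DH"
    au: str         # authentication: "RSA", "DSS" or "None"
    enc: str        # "3DES", "DES", "RC4" or "None"
    bits: int       # encryption key size in bits (0 for no encryption)
    mac: str        # "SHA1" or "MD5"
    export: bool = False


# Constructed sample table: a subset of Table 2, in the table's own order.
CIPHERS = [
    Cipher("DES-CBC3-SHA", "SSLv3", "RSA", "RSA", "3DES", 168, "SHA1"),
    Cipher("RC4-SHA", "SSLv3", "RSA", "RSA", "RC4", 128, "SHA1"),
    Cipher("RC4-MD5", "SSLv3", "RSA", "RSA", "RC4", 128, "MD5"),
    Cipher("RC4-MD5", "SSLv2", "RSA", "RSA", "RC4", 128, "MD5"),
    Cipher("DES-CBC-SHA", "SSLv3", "RSA", "RSA", "DES", 56, "SHA1"),
    Cipher("RC4-64-MD5", "SSLv2", "RSA", "RSA", "RC4", 64, "MD5"),
    Cipher("EXP-RC4-MD5", "SSLv3", "RSA", "RSA", "RC4", 40, "MD5", True),
    Cipher("EXP-RC4-MD5", "SSLv2", "RSA", "RSA", "RC4", 40, "MD5", True),
    Cipher("NULL-SHA", "SSLv3", "RSA", "RSA", "None", 0, "SHA1"),
    Cipher("NULL-MD5", "SSLv3", "RSA", "RSA", "None", 0, "MD5"),
    Cipher("ADH-DES-CBC3-SHA", "SSLv3", "DH", "None", "3DES", 168, "SHA1"),
    Cipher("ADH-RC4-MD5", "SSLv3", "DH", "None", "RC4", 128, "MD5"),
    Cipher("EDH-RSA-DES-CBC3-SHA", "SSLv3", "DH", "RSA", "3DES", 168, "SHA1"),
    Cipher("EDH-DSS-DES-CBC-SHA", "SSLv3", "DH", "DSS", "DES", 56, "SHA1"),
    Cipher("EXP-EDH-RSA-DES-CBC-SHA", "SSLv3", "DH", "RSA", "DES", 40, "SHA1", True),
    Cipher("EXP-ADH-RC4-MD5", "SSLv3", "DH", "None", "RC4", 40, "MD5", True),
]

# Tag predicates following Table 1; LOW uses OpenSSL's definition (56/64-bit, non-export).
TAGS = {
    "ALL":    lambda c: True,
    "RSA":    lambda c: c.kx == "RSA",
    "DH":     lambda c: c.kx == "DH",
    "EDH":    lambda c: c.kx == "DH" and c.au != "None",
    "ADH":    lambda c: c.kx == "DH" and c.au == "None",
    "aNULL":  lambda c: c.au == "None",
    "NULL":   lambda c: c.enc == "None",
    "3DES":   lambda c: c.enc == "3DES",
    "RC4":    lambda c: c.enc == "RC4",
    "MD5":    lambda c: c.mac == "MD5",
    "SHA1":   lambda c: c.mac == "SHA1",
    "SSLv2":  lambda c: c.proto == "SSLv2",
    "SSLv3":  lambda c: c.proto == "SSLv3",
    "TLSv1":  lambda c: c.proto == "SSLv3",
    "EXP":    lambda c: c.export,
    "LOW":    lambda c: not c.export and c.bits in (56, 64),
    "MEDIUM": lambda c: c.bits == 128,
    "HIGH":   lambda c: c.enc == "3DES",
}


def resolve(spec, table=CIPHERS):
    """Return the ordered cipher list that a colon-separated cipher-spec selects."""
    selected = []     # ciphers currently enabled, in preference order
    killed = set()    # ciphers removed with '!' can never come back
    for item in spec.split(":"):
        if not item:
            continue
        prefix = item[0] if item[0] in "+-!" else ""
        tags = item[len(prefix):].split("+")   # "RC4+RSA" means RC4 AND RSA
        unknown = [t for t in tags if t not in TAGS]
        if unknown:
            raise ValueError("unknown cipher tag(s): " + ", ".join(unknown))
        matches = [c for c in table if all(TAGS[t](c) for t in tags)]
        hit = set(matches)
        if prefix == "!":          # kill: drop now and refuse to re-add later
            killed.update(hit)
            selected = [c for c in selected if c not in hit]
        elif prefix == "-":        # remove, but a later tag may add it back
            selected = [c for c in selected if c not in hit]
        elif prefix == "+":        # pull already-listed matches to the end
            moved = [c for c in selected if c in hit]   # keeps relative order
            selected = [c for c in selected if c not in hit] + moved
        else:                      # no prefix: append matches not yet listed
            selected += [c for c in matches
                         if c not in killed and c not in selected]
    return selected


def describe(spec, table=CIPHERS):
    """Render resolve() in the style of 'openssl ciphers -v' output."""
    lines = []
    for c in resolve(spec, table):
        enc = c.enc if c.enc == "None" else f"{c.enc}({c.bits})"
        kx = f"{c.kx}(512)" if c.export else c.kx
        flag = " export" if c.export else ""
        lines.append(f"{c.name} {c.proto} Kx={kx} Au={c.au} Enc={enc} Mac={c.mac}{flag}")
    return lines
```

<p>With the sample table, the default spec yields the two NULL ciphers first and the export ciphers last, as in the output above; <code>resolve("RSA:-LOW:LOW+RSA")</code> brings the low-strength RSA ciphers back at the end of the list, whereas <code>resolve("RSA:!LOW:LOW+RSA")</code> does not.</p>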
<table class="bordered">

<tr><th><a name="table2">Cipher-Tag</a></th> <th>Protocol</th> <th>Key Ex.</th> <th>Auth.</th> <th>Enc.</th> <th>MAC</th> <th>Type</th> </tr>
<tr><td colspan="7"><em>RSA Ciphers:</em></td></tr>
<tr><td><code>DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>3DES(168)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>DES-CBC3-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>3DES(168)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>IDEA-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>IDEA(128)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>RC4-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>RC4-MD5</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>IDEA-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>IDEA(128)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>RC2-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC2(128)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>RC4-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>DES-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>DES(56)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>RC4-64-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC4(64)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>DES-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>DES(56)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>EXP-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
<tr><td><code>EXP-RC2-CBC-MD5</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>RC2(40)</td> <td>MD5</td> <td> export</td> </tr>
<tr><td><code>EXP-RC4-MD5</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>RC4(40)</td> <td>MD5</td> <td> export</td> </tr>
<tr><td><code>EXP-RC2-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA(512)</td> <td>RSA</td> <td>RC2(40)</td> <td>MD5</td> <td> export</td> </tr>
<tr><td><code>EXP-RC4-MD5</code></td> <td>SSLv2</td> <td>RSA(512)</td> <td>RSA</td> <td>RC4(40)</td> <td>MD5</td> <td> export</td> </tr>
<tr><td><code>NULL-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>None</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>NULL-MD5</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>None</td> <td>MD5</td> <td /> </tr>
<tr><td colspan="7"><em>Diffie-Hellman Ciphers:</em></td></tr>
<tr><td><code>ADH-DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>None</td> <td>3DES(168)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>ADH-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>None</td> <td>DES(56)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>ADH-RC4-MD5</code></td> <td>SSLv3</td> <td>DH</td> <td>None</td> <td>RC4(128)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>EDH-RSA-DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>RSA</td> <td>3DES(168)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>EDH-DSS-DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>DSS</td> <td>3DES(168)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>EDH-RSA-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>RSA</td> <td>DES(56)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>EDH-DSS-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>DSS</td> <td>DES(56)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>EXP-EDH-RSA-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>RSA</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
<tr><td><code>EXP-EDH-DSS-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>DSS</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
<tr><td><code>EXP-ADH-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>None</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
<tr><td><code>EXP-ADH-RC4-MD5</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>None</td> <td>RC4(40)</td> <td>MD5</td> <td> export</td> </tr>
</table>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLCryptoDevice" id="SSLCryptoDevice">SSLCryptoDevice</a> <a name="sslcryptodevice" id="sslcryptodevice">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable use of a cryptographic hardware accelerator</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCryptoDevice <em>engine</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLCryptoDevice builtin</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive enables use of a cryptographic hardware accelerator
board to offload some of the SSL processing overhead. This directive
can only be used if the SSL toolkit is built with "engine" support;
OpenSSL 0.9.7 and later releases have "engine" support by default, while
for OpenSSL 0.9.6 the separate "-engine" releases must be used.</p>

<p>To discover which engine names are supported, run the command
"<code>openssl engine</code>".</p>

<div class="example"><h3>Example</h3><p><code>
# For a Broadcom accelerator:<br />
SSLCryptoDevice ubsec
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLEngine" id="SSLEngine">SSLEngine</a> <a name="sslengine" id="sslengine">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>SSL Engine Operation Switch</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLEngine on|off|optional</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLEngine off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive toggles the usage of the SSL/TLS Protocol Engine. It
should be used inside a <code class="directive"><a href="/mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code> section to enable SSL/TLS for
that virtual host. By default the SSL/TLS Protocol Engine is
disabled for both the main server and all configured virtual hosts.</p>
<div class="example"><h3>Example</h3><p><code>
&lt;VirtualHost _default_:443&gt;<br />
SSLEngine on<br />
...<br />
&lt;/VirtualHost&gt;
</code></p></div>
<p>In Apache 2.1 and later, <code class="directive">SSLEngine</code> can be set to
<code>optional</code>. This enables support for
<a href="http://www.ietf.org/rfc/rfc2817.txt">RFC 2817</a>, Upgrading to TLS
Within HTTP/1.1. At this time no web browsers support RFC 2817.</p>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLFIPS" id="SSLFIPS">SSLFIPS</a> <a name="sslfips" id="sslfips">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>SSL FIPS mode Switch</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLFIPS on|off</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLFIPS off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive toggles the usage of the SSL library FIPS_mode flag.
It must be set in the global server context and cannot be configured
with conflicting settings (SSLFIPS on followed by SSLFIPS off or
similar). The mode applies to all SSL library operations.
</p>
<p>
If httpd was compiled against an SSL library which does not support
the FIPS_mode flag, <code>SSLFIPS on</code> will fail. Refer to the
FIPS 140-2 Security Policy document of the SSL provider library for
the specific requirements for using mod_ssl in a FIPS 140-2 approved mode
of operation; note that mod_ssl itself is not validated, but may be
described as using a FIPS 140-2 validated cryptographic module when
all components are assembled and operated under the guidelines imposed
by the applicable Security Policy.
</p>
5b1394673f35f4d23cfe08175841ab414a39678eMarkus Roggenbach
b3dca469a9e267d6d71acfdeca7bf284d0581dc7Till Mossakowski</div>
1df33829303cbf924aa018ac5ce9a28e69c17d22Till Mossakowski<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
b3dca469a9e267d6d71acfdeca7bf284d0581dc7Till Mossakowski<div class="directive-section"><h2><a name="SSLHonorCipherOrder" id="SSLHonorCipherOrder">SSLHonorCipherOrder</a> <a name="sslhonorcipherorder" id="sslhonorcipherorder">Directive</a></h2>
1df33829303cbf924aa018ac5ce9a28e69c17d22Till Mossakowski<table class="directive">
1df33829303cbf924aa018ac5ce9a28e69c17d22Till Mossakowski<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Option to prefer the server's cipher preference order</td></tr>
1df33829303cbf924aa018ac5ce9a28e69c17d22Till Mossakowski<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLHonorCipherOrder <em>flag</em></code></td></tr>
b3dca469a9e267d6d71acfdeca7bf284d0581dc7Till Mossakowski<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
21dae7237ac384abdb94a81e00b3f099873ec623Till Mossakowski<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
21dae7237ac384abdb94a81e00b3f099873ec623Till Mossakowski<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
21dae7237ac384abdb94a81e00b3f099873ec623Till Mossakowski<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.1 and later, if using OpenSSL 0.9.7 or later</td></tr>
1df33829303cbf924aa018ac5ce9a28e69c17d22Till Mossakowski</table>
b3dca469a9e267d6d71acfdeca7bf284d0581dc7Till Mossakowski<p>When choosing a cipher during an SSLv3 or TLSv1 handshake, normally
5b1394673f35f4d23cfe08175841ab414a39678eMarkus Roggenbachthe client's preference is used. If this directive is enabled, the
e3c9174a782e90f965a0b080c22861c3ef5af12dTill Mossakowskiserver's preference will be used instead.</p>
95c3e5d11dcee331dc3876a9bf0c1d6daa38e2caChristian Maeder<div class="example"><h3>Example</h3><p><code>
95c3e5d11dcee331dc3876a9bf0c1d6daa38e2caChristian MaederSSLHonorCipherOrder on
b645cf3dc1e449038ed291bbd11fcc6e02b2fc7fChristian Maeder</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLInsecureRenegotiation" id="SSLInsecureRenegotiation">SSLInsecureRenegotiation</a> <a name="sslinsecurerenegotiation" id="sslinsecurerenegotiation">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Option to enable support for insecure renegotiation</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLInsecureRenegotiation <em>flag</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLInsecureRenegotiation off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.2.15 and later, if using OpenSSL 0.9.8m or later</td></tr>
</table>
<p>As originally specified, all versions of the SSL and TLS protocols
(up to and including TLS/1.2) were vulnerable to a Man-in-the-Middle
attack
(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555">CVE-2009-3555</a>)
during a renegotiation. This vulnerability allowed an attacker to
"prefix" a chosen plaintext to the HTTP request as seen by the web
server. A protocol extension was developed which fixes this
vulnerability when it is supported by both client and server.</p>

<p>If <code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> is linked against OpenSSL version 0.9.8m
or later, renegotiation is by default only supported with
clients that support the new protocol extension. If this directive is
enabled, renegotiation will also be allowed with old (unpatched) clients,
albeit insecurely.</p>

<div class="warning"><h3>Security warning</h3>
<p>If this directive is enabled, SSL connections will be vulnerable to
the Man-in-the-Middle prefix attack as described
in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555">CVE-2009-3555</a>.
Enable it only as a temporary measure for clients that cannot be updated,
and only in the virtual hosts that serve them.</p>
</div>

<div class="example"><h3>Example</h3><p><code>
SSLInsecureRenegotiation on
</code></p></div>

<p>The <code>SSL_SECURE_RENEG</code> environment variable can be used
from an SSI or CGI script to determine whether secure renegotiation is
supported for a given SSL connection.</p>
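<p>Two checks a practitioner uses to see whether the secure renegotiation
extension is actually in effect, as an added example that is not part of
mod_ssl: from outside, <code>openssl s_client -connect host:443</code> prints
a <code>Secure Renegotiation IS supported</code> or
<code>Secure Renegotiation IS NOT supported</code> line after the handshake;
from inside a CGI or SSI script, mod_ssl exports <code>SSL_SECURE_RENEG</code>
as <code>true</code> or <code>false</code>. The <code>s_client</code>
transcript in the code is constructed sample text, and
<code>renegotiation_allowed</code> is a model of the server-side decision
described above, not mod_ssl's own code.</p>

```python
# Added example, not part of mod_ssl.  Two ways to tell whether secure
# renegotiation (the extension that closes CVE-2009-3555) is in effect:
# from outside, via the line `openssl s_client` prints, and from inside a
# CGI/SSI script, via the SSL_SECURE_RENEG variable.  The s_client
# transcript below is constructed sample text.
import re

SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
SSL handshake has read 1432 bytes and written 374 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
"""

# openssl s_client prints exactly one of these two lines after the handshake.
_RENEG_LINE = re.compile(r"^Secure Renegotiation IS( NOT)? supported$", re.MULTILINE)


def secure_reneg_from_s_client(output):
    """True/False from s_client output; None if the handshake never got that far."""
    match = _RENEG_LINE.search(output)
    if match is None:
        return None
    return match.group(1) is None


def secure_reneg_from_env(environ):
    """Interpret SSL_SECURE_RENEG as mod_ssl exports it to CGI/SSI
    ("true"/"false").  None means the variable is absent: not an SSL
    request, or the SSL variables are not exported for this request."""
    value = environ.get("SSL_SECURE_RENEG")
    if value is None:
        return None
    return value.lower() == "true"


def renegotiation_allowed(environ, insecure_renegotiation):
    """Model of the server-side decision: with SSLInsecureRenegotiation off
    (the default) a client without the extension is refused renegotiation;
    with it on, that client is renegotiated with insecurely."""
    secure = secure_reneg_from_env(environ)
    if secure is None:
        return False
    return secure or insecure_renegotiation


if __name__ == "__main__":
    import os
    print("s_client says secure :", secure_reneg_from_s_client(SAMPLE_S_CLIENT_OUTPUT))
    print("this CGI connection   :", secure_reneg_from_env(os.environ))
```

<p>Run the module as a CGI script (with <code>SSLOptions +StdEnvVars</code>
in force for it) to see the per-connection value; feed it real
<code>s_client</code> output to audit a server from outside.</p>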


</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLOCSPDefaultResponder" id="SSLOCSPDefaultResponder">SSLOCSPDefaultResponder</a> <a name="sslocspdefaultresponder" id="sslocspdefaultresponder">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Set the default responder URI for OCSP validation</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPDefaultResponder <em>uri</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</td></tr>
</table>
<p>This option sets the default OCSP responder to use. If <code class="directive"><a href="#sslocspoverrideresponder">SSLOCSPOverrideResponder</a></code> is not enabled,
the URI given will be used only if no responder URI is specified in
the certificate being verified.</p>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLOCSPEnable" id="SSLOCSPEnable">SSLOCSPEnable</a> <a name="sslocspenable" id="sslocspenable">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable OCSP validation of the client certificate chain</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPEnable <em>flag</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</td></tr>
</table>
<p>This option enables OCSP validation of the client certificate
chain. If this option is enabled, each certificate in the client's
certificate chain is validated against an OCSP responder after
normal verification (including CRL checks) has taken place.</p>

<p>The OCSP responder used is either extracted from the certificate
itself, or derived from the configuration; see the
<code class="directive"><a href="#sslocspdefaultresponder">SSLOCSPDefaultResponder</a></code> and
<code class="directive"><a href="#sslocspoverrideresponder">SSLOCSPOverrideResponder</a></code>
directives.</p>

<div class="example"><h3>Example</h3><p><code>
SSLVerifyClient on<br />
SSLOCSPEnable on<br />
SSLOCSPDefaultResponder http://responder.example.com:8888/responder<br />
SSLOCSPOverrideResponder on
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLOCSPOverrideResponder" id="SSLOCSPOverrideResponder">SSLOCSPOverrideResponder</a> <a name="sslocspoverrideresponder" id="sslocspoverrideresponder">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Force use of the default responder URI for OCSP validation</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPOverrideResponder <em>flag</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</td></tr>
</table>
<p>This option forces the configured default OCSP responder to be used
during OCSP certificate validation, regardless of whether the
certificate being validated references an OCSP responder. It is only
meaningful together with <code class="directive"><a href="#sslocspdefaultresponder">SSLOCSPDefaultResponder</a></code>;
without a default responder there is nothing to ask.</p>
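<p>How <code>SSLOCSPEnable</code>, <code>SSLOCSPDefaultResponder</code> and
<code>SSLOCSPOverrideResponder</code> combine to pick the responder for each
certificate in the client chain, as an added example that is not mod_ssl's
code. A certificate is reduced to the OCSP URI from its Authority Information
Access extension (or <code>None</code> when it carries none); the two-certificate
chain is constructed sample data, and the responder URL is the one from the
example above.</p>

```python
# Added example, not mod_ssl code.  Which OCSP responder is asked for a
# certificate in the client chain, as the three OCSP directives combine.
# A certificate is reduced to the OCSP URI from its Authority Information
# Access extension (or None when it has none); the chain below is constructed.

SAMPLE_CHAIN = [
    {"subject": "CN=alice", "ocsp_uri": "http://ocsp.ca.example/"},
    {"subject": "CN=intermediate", "ocsp_uri": None},
]


def select_responder(cert_ocsp_uri, default_responder=None, override_responder=False):
    """Return the responder URI to query, or None if there is none to ask.

    cert_ocsp_uri       OCSP URI from the certificate, or None
    default_responder   SSLOCSPDefaultResponder, or None when unset
    override_responder  SSLOCSPOverrideResponder
    """
    if override_responder:
        # Always the configured default, even if the certificate names its
        # own responder.  With no default configured there is nothing to ask.
        return default_responder
    if cert_ocsp_uri:
        return cert_ocsp_uri
    return default_responder


def plan_chain_validation(chain, default_responder=None, override_responder=False):
    """Map every certificate in the chain to the responder that will be
    queried.  A certificate with no responder cannot be checked; mod_ssl
    fails the verification in that case rather than skipping the
    certificate, so this raises instead of returning a partial plan."""
    plan = {}
    for cert in chain:
        uri = select_responder(cert["ocsp_uri"], default_responder, override_responder)
        if uri is None:
            raise ValueError("no OCSP responder for %s and no default configured"
                             % cert["subject"])
        plan[cert["subject"]] = uri
    return plan


if __name__ == "__main__":
    default = "http://responder.example.com:8888/responder"
    print(plan_chain_validation(SAMPLE_CHAIN, default))
    print(plan_chain_validation(SAMPLE_CHAIN, default, override_responder=True))
```

<p>Without a default responder the constructed intermediate certificate,
which names no responder, makes the whole chain unverifiable; with
<code>SSLOCSPOverrideResponder on</code> even the leaf's own responder is
ignored in favour of the configured one, which is what you want when the
responder must be an internal proxy rather than whatever URL the
certificate names.</p>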

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLOptions" id="SSLOptions">SSLOptions</a> <a name="ssloptions" id="ssloptions">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Configure various SSL engine run-time options</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOptions [+|-]<em>option</em> ...</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>Options</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive can be used to control various run-time options on a
per-directory basis. Normally, if multiple <code>SSLOptions</code>
could apply to a directory, then the most specific one is taken
completely; the options are not merged. However, if <em>all</em> the
options on the <code>SSLOptions</code> directive are preceded by a
plus (<code>+</code>) or minus (<code>-</code>) symbol, the options
are merged. Any options preceded by a <code>+</code> are added to the
options currently in force, and any options preceded by a
<code>-</code> are removed from the options currently in force. Note that
a single unprefixed option therefore discards everything inherited from the
enclosing scope, including restrictions such as <code>StrictRequire</code>.</p>
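<p>The replace-or-merge rule above is easy to get wrong in a nested
configuration, so here it is modelled in code. This is an added example,
not mod_ssl's implementation: it evaluates a list of <code>SSLOptions</code>
arguments from the outermost scope inward and returns the set in force,
matching option names case-insensitively and rejecting unknown names as
httpd does at startup.</p>

```python
# Added example, not mod_ssl code.  Models the documented SSLOptions rule:
# an SSLOptions line whose options all carry + or - is merged into the set
# inherited from the enclosing scope; a line with any bare option replaces
# that set completely.  Option names are matched case-insensitively and
# unknown names are rejected, as httpd refuses them at startup.

KNOWN_OPTIONS = ("StdEnvVars", "ExportCertData", "FakeBasicAuth",
                 "StrictRequire", "OptRenegotiate")


def _canonical(name):
    for known in KNOWN_OPTIONS:
        if known.lower() == name.lower():
            return known
    raise ValueError("SSLOptions: unknown option %r" % name)


def apply_ssloptions(inherited, argument):
    """Return the option set in force after `SSLOptions argument` is
    evaluated on top of the set inherited from the enclosing scope."""
    tokens = argument.split()
    if not tokens:
        raise ValueError("SSLOptions requires at least one option")
    merge = all(tok[0] in "+-" for tok in tokens)
    result = set(inherited) if merge else set()
    for tok in tokens:
        if tok[0] in "+-":
            sign, name = tok[0], tok[1:]
        else:
            sign, name = "+", tok
        option = _canonical(name)
        if sign == "-":
            result.discard(option)
        else:
            result.add(option)
    return result


def resolve(scope_arguments):
    """Evaluate SSLOptions lines from the outermost scope (server config)
    inward to the most specific one (a Files section or .htaccess)."""
    options = set()
    for argument in scope_arguments:
        options = apply_ssloptions(options, argument)
    return options


if __name__ == "__main__":
    # The example from this directive's description: both lines are fully
    # prefixed, so the inner Files scope inherits FakeBasicAuth.
    print(sorted(resolve(["+FakeBasicAuth -StrictRequire",
                          "+StdEnvVars -ExportCertData"])))
    # A bare option in the inner scope silently drops the inherited ones,
    # including a StrictRequire meant to protect the whole host.
    print(sorted(resolve(["+StrictRequire +FakeBasicAuth", "StdEnvVars"])))
```

<p>The second call in the usage block is the case to watch for when
auditing a configuration: an <code>.htaccess</code> file containing a bare
<code>SSLOptions StdEnvVars</code> removes a host-wide
<code>+StrictRequire</code> for that directory without any warning.</p>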
<p>
The available <em>option</em>s are:</p>
<ul>
<li><code>StdEnvVars</code>
 <p>
 When this option is enabled, the standard set of SSL related CGI/SSI
 environment variables is created. This is disabled by default for
 performance reasons, because the information extraction step is a
 rather expensive operation. So one usually enables this option for
 CGI and SSI requests only.</p>
</li>
<li><code>ExportCertData</code>
 <p>
 When this option is enabled, additional CGI/SSI environment variables are
 created: <code>SSL_SERVER_CERT</code>, <code>SSL_CLIENT_CERT</code> and
 <code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em> (with <em>n</em> = 0,1,2,..).
 These contain the PEM-encoded X.509 Certificates of server and client for
 the current HTTPS connection and can be used by CGI scripts for deeper
 Certificate checking. Additionally all other certificates of the client
 certificate chain are provided, too. This enlarges the environment
 noticeably, which is why it is only enabled on demand through this option.</p>
</li>
<li><code>FakeBasicAuth</code>
 <p>
 When this option is enabled, the Subject Distinguished Name (DN) of the
 Client X509 Certificate is translated into an HTTP Basic Authorization
 username. This means that the standard Apache authentication methods can
 be used for access control. The user name is just the Subject of the
 Client's X509 Certificate (which can be determined by running OpenSSL's
 <code>openssl x509</code> command: <code>openssl x509 -noout -subject -in
 </code><em>certificate</em><code>.crt</code>). Note that no password is
 obtained from the user. Every entry in the user file needs this password:
 "<code>xxj31ZMTZzkVA</code>", which is the DES-encrypted version of the
 word "<code>password</code>". Those who live under MD5-based encryption
 (for instance under FreeBSD or BSD/OS, etc.) should use the following MD5
 hash of the same word: "<code>$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/</code>".
 Because this password is fixed and public, a user file used with
 <code>FakeBasicAuth</code> must not also protect a location that accepts
 ordinary Basic authentication: anyone who knows a permitted DN could log in
 there with the word "<code>password</code>".</p>
</li>
<li><code>StrictRequire</code>
 <p>
 This <em>forces</em> access to be denied when <code>SSLRequireSSL</code> or
 <code>SSLRequire</code> has decided that access should be
 forbidden. By default, when a "<code>Satisfy
 any</code>" directive is used and the other access restrictions are passed,
 a denial of access due to <code>SSLRequireSSL</code> or
 <code>SSLRequire</code> is overridden (because that is how the Apache
 <code>Satisfy</code> mechanism is meant to work). For strict access restriction
 you can use <code>SSLRequireSSL</code> and/or <code>SSLRequire</code> in
 combination with "<code>SSLOptions +StrictRequire</code>". Then an
 additional "<code>Satisfy Any</code>" has no effect once mod_ssl has
 decided to deny access.</p>
</li>
<li><code>OptRenegotiate</code>
 <p>
 This enables optimized SSL connection renegotiation handling when SSL
 directives are used in per-directory context. By default a strict
 scheme is enabled where <em>every</em> per-directory reconfiguration of
 SSL parameters causes a <em>full</em> SSL renegotiation handshake. When this
 option is used mod_ssl tries to avoid unnecessary handshakes by doing more
 granular (but still safe) parameter checks. Nevertheless these granular
 checks may sometimes not be what the user expects, so enable this on a
 per-directory basis only.</p>
</li>
</ul>
<div class="example"><h3>Example</h3><p><code>
SSLOptions +FakeBasicAuth -StrictRequire<br />
&lt;Files ~ "\.(cgi|shtml)$"&gt;<br />
 SSLOptions +StdEnvVars -ExportCertData<br />
&lt;/Files&gt;
</code></p></div>
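<p>What a <code>FakeBasicAuth</code> user file looks like, and why it must
stay separate from any password-protected location, as an added example that
is not mod_ssl's code. It builds one user-file line per client certificate
subject and then shows what an ordinary Basic-auth location sharing that file
would accept. The subject lines are constructed in the older one-line form
that <code>openssl x509 -noout -subject</code> prints (newer OpenSSL releases
format the subject differently, which is an assumption you must check against
your own tooling); the hash is the DES string quoted above. Comparing the
supplied password to the literal word instead of running <code>crypt()</code>
is a simplification of this example, since DES <code>crypt()</code> is not
available on every platform.</p>

```python
# Added example, not mod_ssl code.  With FakeBasicAuth the client
# certificate's Subject DN is the Basic-auth user name and every entry in
# the user file carries the fixed hash of the word "password".  This builds
# such a user file and shows the consequence of sharing it with a location
# that accepts ordinary (password) Basic authentication: anyone who knows a
# permitted DN gets in with the literal password "password".  Subjects are
# constructed; the hash is the DES string quoted in the directive text.
# Comparing the password literally rather than through crypt() is a
# simplification for this example (DES crypt is not available everywhere).
import base64

FAKE_BASIC_AUTH_HASH = "xxj31ZMTZzkVA"   # crypt() of "password"
FAKE_BASIC_AUTH_PASSWORD = "password"

# Constructed: the one-line subject form mod_ssl uses (SSL_CLIENT_S_DN),
# as older `openssl x509 -noout -subject` output prints it after "subject=".
OPENSSL_SUBJECT_LINES = [
    "subject= /C=DE/O=Example GmbH/OU=Ops/CN=alice",
    "subject= /C=DE/O=Example GmbH/OU=Dev/CN=bob",
]


def subject_from_openssl(line):
    """Strip the 'subject=' label from `openssl x509 -noout -subject` output."""
    label, sep, value = line.partition("=")
    if label.strip() != "subject" or not sep:
        raise ValueError("not a subject line: %r" % line)
    return value.strip()


def user_file_entries(subjects, password_hash=FAKE_BASIC_AUTH_HASH):
    """One htpasswd-style line per client certificate subject."""
    return ["%s:%s" % (subject, password_hash) for subject in subjects]


def parse_user_file(lines):
    """user -> hash, as a Basic-auth provider would read the file."""
    return dict(line.split(":", 1) for line in lines)


def basic_auth_header(user, password):
    """Build the Authorization header value a browser would send."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def password_location_accepts(header_value, users):
    """What an ordinary Basic-auth location sharing the FakeBasicAuth user
    file would accept.  No client certificate is involved here at all."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        return False
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return users.get(user) == FAKE_BASIC_AUTH_HASH and password == FAKE_BASIC_AUTH_PASSWORD


if __name__ == "__main__":
    subjects = [subject_from_openssl(line) for line in OPENSSL_SUBJECT_LINES]
    entries = user_file_entries(subjects)
    print("\n".join(entries))
    users = parse_user_file(entries)
    print(password_location_accepts(basic_auth_header(subjects[0], "password"), users))
```

<p>The last line prints <code>True</code>: with the user file reachable
through a password-protected location, presenting alice's DN and the word
"password" is enough, no certificate required. Keep the
<code>FakeBasicAuth</code> user file exclusive to locations that also
require a verified client certificate.</p>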

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLPassPhraseDialog" id="SSLPassPhraseDialog">SSLPassPhraseDialog</a> <a name="sslpassphrasedialog" id="sslpassphrasedialog">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Type of pass phrase dialog for encrypted private
keys</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLPassPhraseDialog <em>type</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLPassPhraseDialog builtin</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
When Apache starts up it has to read the various Certificate (see
<code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>) and
Private Key (see <code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code>) files of the
SSL-enabled virtual servers. Because the Private Key files are usually
encrypted for security reasons, mod_ssl needs to query the
administrator for a Pass Phrase in order to decrypt those files. This
query can be done in three ways, which are selected by
<em>type</em>:</p>
<ul>
<li><code>builtin</code>
 <p>
 This is the default, where an interactive terminal dialog occurs at startup
 time just before Apache detaches from the terminal. Here the administrator
 has to manually enter the Pass Phrase for each encrypted Private Key file.
 Because a lot of SSL-enabled virtual hosts can be configured, the
 following reuse scheme is used to minimize the dialog: When a Private Key
 file is encrypted, all known Pass Phrases (at the beginning there are
 none, of course) are tried. If one of those known Pass Phrases succeeds, no
 dialog pops up for this particular Private Key file. If none succeeded,
 another Pass Phrase is queried on the terminal and remembered for the next
 round (where it perhaps can be reused).</p>
 <p>
 This scheme allows mod_ssl to be maximally flexible (because for N encrypted
 Private Key files you <em>can</em> use N different Pass Phrases - but then
 you have to enter all of them, of course) while minimizing the terminal
 dialog (i.e. when you use a single Pass Phrase for all N Private Key files
 this Pass Phrase is queried only once).</p></li>

<li><code>|/path/to/program [args...]</code>

 <p>This mode allows an external program to be used which acts as a
 pipe to a particular input device; the program is sent the standard
 prompt text used for the <code>builtin</code> mode on
 <code>stdin</code>, and is expected to write password strings on
 <code>stdout</code>. If several passwords are needed (or an
 incorrect password is entered), additional prompt text will be
 written subsequent to the first password being returned, and more
 passwords must then be written back.</p></li>

<li><code>exec:/path/to/program</code>
 <p>
 Here an external program is configured which is called at startup for each
 encrypted Private Key file. It is called with two arguments (the first is
 of the form "<code>servername:portnumber</code>", the second is either
 "<code>RSA</code>" or "<code>DSA</code>"), which indicate for which
 server and algorithm it has to print the corresponding Pass Phrase to
 <code>stdout</code>. The intent is that this external program first runs
 security checks to make sure that the system is not compromised by an
 attacker, and provides the Pass Phrase only when these checks have passed.</p>
 <p>
 Both these security checks, and the way the Pass Phrase is determined, can
 be as complex as you like. mod_ssl just defines the interface: an
 executable program which provides the Pass Phrase on <code>stdout</code>.
 Nothing more or less! So, if you're really paranoid about security, here
 is your interface. Anything else has to be left as an exercise to the
 administrator, because local security requirements are so different.</p>
 <p>
 The reuse algorithm above is used here, too. In other words: the external
 program is called only once per unique Pass Phrase.</p></li>
</ul>
<div class="example"><h3>Example</h3><p><code>
SSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter
</code></p></div>
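<p>A pass phrase program implementing the <code>exec:</code> interface just
described, as an added example that is not shipped with mod_ssl. It takes the
two arguments mod_ssl passes (<code>servername:portnumber</code> and
<code>RSA</code> or <code>DSA</code>), refuses anything malformed, runs one
integrity check before releasing anything, and prints the matching pass
phrase on <code>stdout</code>. The file paths, the pass phrase file format
(one <code>servername:port ALGORITHM passphrase</code> per line) and the
integrity check (a SHA-256 of <code>httpd.conf</code> recorded at deploy
time, standing in for whatever "is the system compromised?" policy you
actually have) are all assumptions of this example, as is the sample data
embedded for testing.</p>

```python
# Added example, not shipped with mod_ssl: a pass phrase program for
# `SSLPassPhraseDialog exec:/path/to/program`.  mod_ssl runs it once per
# distinct pass phrase with the arguments "servername:portnumber" and "RSA"
# or "DSA" and reads the pass phrase from stdout.  The paths, the pass phrase
# file format (one "servername:port ALGORITHM passphrase" per line) and the
# integrity check (a known SHA-256 of httpd.conf, standing in for the local
# "is the system compromised?" policy) are all assumptions of this example.
import hashlib
import sys

PASSPHRASE_FILE = "/etc/apache2/ssl/passphrases"    # assumed; root-only, mode 0600
CHECKED_FILE = "/etc/apache2/httpd.conf"             # assumed file to verify
CHECKED_FILE_SHA256 = "0" * 64                        # assumed; record at deploy time

# Constructed sample data so the functions can be exercised without the files.
SAMPLE_ENTRIES = [
    "# servername:port  algorithm  passphrase",
    "www.example.com:443 RSA s3cret-rsa-phrase",
    "www.example.com:443 DSA s3cret-dsa-phrase",
]
SAMPLE_CONFIG = b"ServerName www.example.com\nSSLEngine on\n"
SAMPLE_CONFIG_SHA256 = hashlib.sha256(SAMPLE_CONFIG).hexdigest()


def parse_server_arg(arg):
    """Split mod_ssl's first argument, "servername:portnumber"; reject
    anything else so a stray invocation cannot become a lookup."""
    host, sep, port = arg.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("expected servername:portnumber, got %r" % arg)
    return host, int(port)


def file_intact(data, expected_sha256):
    """The integrity check the directive text leaves to the administrator;
    here simply a hash comparison against a value recorded at deploy time."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


def lookup(entries, host, port, algorithm):
    """Find the pass phrase for this server and key algorithm, or None."""
    wanted = "%s:%d" % (host, port)
    for line in entries:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        server, algo, phrase = line.split(None, 2)
        if server == wanted and algo.upper() == algorithm.upper():
            return phrase
    return None


def main(argv):
    if len(argv) != 3 or argv[2].upper() not in ("RSA", "DSA"):
        sys.stderr.write("usage: pp-filter servername:portnumber RSA|DSA\n")
        return 2
    host, port = parse_server_arg(argv[1])
    with open(CHECKED_FILE, "rb") as f:
        if not file_intact(f.read(), CHECKED_FILE_SHA256):
            sys.stderr.write("integrity check failed, refusing to release pass phrase\n")
            return 1
    with open(PASSPHRASE_FILE) as f:
        phrase = lookup(f, host, port, argv[2])
    if phrase is None:
        sys.stderr.write("no pass phrase for %s:%d (%s)\n" % (host, port, argv[2]))
        return 1
    sys.stdout.write(phrase + "\n")   # mod_ssl reads up to the end of the line
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

<p>Install it as the target of <code>SSLPassPhraseDialog exec:</code>,
owned by root and executable only by root, and keep the pass phrase file at
mode 0600. Any failure exits non-zero without writing to
<code>stdout</code>, so a tampered system is left with encrypted keys it
cannot open rather than a server that quietly started.</p>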
a946fa1fe525f04a8b4e2734fa2082bbe5e6ed3fTill Mossakowski
58b671de3fe578346fef9642ffa3c5a0a0edb3cbTill Mossakowski</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProtocol" id="SSLProtocol">SSLProtocol</a> <a name="sslprotocol" id="sslprotocol">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Configure usable SSL protocol versions</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProtocol [+|-]<em>protocol</em> ...</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLProtocol all</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive can be used to control which versions of the SSL protocol
will be accepted in new connections.</p>
<p>
The available (case-insensitive) <em>protocol</em>s are:</p>
<ul>
<li><code>SSLv2</code>
 <p>
 This is the Secure Sockets Layer (SSL) protocol, version 2.0. It is the
 original SSL protocol as designed by Netscape Corporation. Its use has
 been deprecated because of weaknesses in the security of the protocol.</p></li>

<li><code>SSLv3</code>
 <p>
 This is the Secure Sockets Layer (SSL) protocol, version 3.0, from
 the Netscape Corporation.
 It is the successor to SSLv2 and the predecessor to TLSv1. It is supported by
 almost all popular browsers.</p></li>

<li><code>TLSv1</code>
 <p>
 This is the Transport Layer Security (TLS) protocol, version 1.0. It is the
 successor to SSLv3 and is defined in <a href="http://www.ietf.org/rfc/rfc2246.txt">RFC2246</a>,
 which has been obsoleted by <a href="http://www.ietf.org/rfc/rfc4346.txt">RFC4346</a>.</p></li>

<li><code>All</code>
 <p>
 This is a shortcut for "<code>+SSLv2 +SSLv3 +TLSv1</code>" and a
 convenient way of enabling all protocols except one when used in
 combination with the minus sign on a protocol, as the example below
 shows.</p></li>
</ul>
<div class="example"><h3>Example</h3><p><code>
# enable SSLv3 and TLSv1, but not SSLv2<br />
SSLProtocol all -SSLv2
</code></p></div>

</div>
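<p>The <code>[+|-]<em>protocol</em> ...</code> syntax is easy to get wrong in a way that leaves a deprecated version enabled. The following Python function is an added example, not mod_ssl's parser, that resolves an argument list such as <code>all -SSLv2</code> to the set of versions left enabled, using the rules stated above: <code>+</code> adds, <code>-</code> removes, and <code>all</code> stands for <code>+SSLv2 +SSLv3 +TLSv1</code>. That a bare name (no sign) replaces the set with that single protocol is an assumption about mod_ssl's parser. The same syntax is used by <code>SSLProxyProtocol</code>, so the check applies there too.</p>

```python
"""Model of SSLProtocol / SSLProxyProtocol argument handling (added example).

Not mod_ssl's own code.  It resolves an argument list such as "all -SSLv2"
into the set of protocol versions left enabled, so a configuration can be
reviewed before it is deployed.
"""

# Protocol names the directive accepts (case-insensitive); "all" expands to
# every one of them, as the directive's description states.
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")

# Versions the documentation marks as deprecated because of protocol weaknesses.
DEPRECATED_PROTOCOLS = {"SSLv2"}

_CANONICAL = {name.lower(): name for name in KNOWN_PROTOCOLS}


def resolve_protocols(argument):
    """Return the set of enabled protocols for an SSLProtocol argument string.

    Rules modelled here:
      - "+name" adds a protocol, "-name" removes it;
      - a bare name (no sign) replaces the current set with that protocol
        (assumption about mod_ssl's parser, not stated in the documentation);
      - "all" stands for "+SSLv2 +SSLv3 +TLSv1".
    Unknown names raise ValueError so that a typo cannot silently enable or
    disable the wrong version.
    """
    enabled = set()
    for word in argument.split():
        action = "="
        if word[0] in "+-":
            action, word = word[0], word[1:]
        lowered = word.lower()
        if lowered == "all":
            members = set(KNOWN_PROTOCOLS)
        elif lowered in _CANONICAL:
            members = {_CANONICAL[lowered]}
        else:
            raise ValueError(f"unknown protocol {word!r}")
        if action == "+":
            enabled |= members
        elif action == "-":
            enabled -= members
        else:
            enabled = set(members)
    return enabled


def deprecated_protocols_enabled(argument):
    """Return the deprecated protocol versions an argument string leaves enabled."""
    return resolve_protocols(argument) & DEPRECATED_PROTOCOLS


if __name__ == "__main__":
    for arg in ("all", "all -SSLv2", "TLSv1", "-SSLv2 +TLSv1"):
        print(f"SSLProtocol {arg!r:20} -> {sorted(resolve_protocols(arg))}")
```

<p>Run over every <code>SSLProtocol</code> and <code>SSLProxyProtocol</code> line of a configuration, <code>deprecated_protocols_enabled</code> flags the virtual hosts that still accept SSLv2; the default <code>SSLProtocol all</code> is one of them.</p>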
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProxyCACertificateFile" id="SSLProxyCACertificateFile">SSLProxyCACertificateFile</a> <a name="sslproxycacertificatefile" id="sslproxycacertificatefile">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of concatenated PEM-encoded CA Certificates
for Remote Server Auth</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCACertificateFile <em>file-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets the <em>all-in-one</em> file where you can assemble the
Certificates of Certification Authorities (CA) whose <em>remote servers</em> you deal
with. These are used for Remote Server Authentication. Such a file is simply the
concatenation of the various PEM-encoded Certificate files, in order of
preference. This can be used alternatively and/or additionally to
<code class="directive"><a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></code>.</p>
<div class="example"><h3>Example</h3><p><code>
SSLProxyCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-remote-server.crt
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProxyCACertificatePath" id="SSLProxyCACertificatePath">SSLProxyCACertificatePath</a> <a name="sslproxycacertificatepath" id="sslproxycacertificatepath">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Directory of PEM-encoded CA Certificates for
Remote Server Auth</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCACertificatePath <em>directory-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets the directory where you keep the Certificates of
Certification Authorities (CAs) whose remote servers you deal with. These are used to
verify the remote server certificate on Remote Server Authentication.</p>
<p>
The files in this directory have to be PEM-encoded and are accessed through
hash filenames. So usually you can't just place the Certificate files
there: you also have to create symbolic links named
<em>hash-value</em><code>.N</code>. And you should always make sure this directory
contains the appropriate symbolic links. Use the <code>Makefile</code> which
comes with mod_ssl to accomplish this task.</p>
<div class="example"><h3>Example</h3><p><code>
SSLProxyCACertificatePath /usr/local/apache2/conf/ssl.crt/
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProxyCARevocationFile" id="SSLProxyCARevocationFile">SSLProxyCARevocationFile</a> <a name="sslproxycarevocationfile" id="sslproxycarevocationfile">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of concatenated PEM-encoded CA CRLs for
Remote Server Auth</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCARevocationFile <em>file-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets the <em>all-in-one</em> file where you can
assemble the Certificate Revocation Lists (CRL) of Certification
Authorities (CA) whose <em>remote servers</em> you deal with. These are used
for Remote Server Authentication. Such a file is simply the concatenation of
the various PEM-encoded CRL files, in order of preference. This can be
used alternatively and/or additionally to <code class="directive"><a href="#sslproxycarevocationpath">SSLProxyCARevocationPath</a></code>.</p>
<div class="example"><h3>Example</h3><p><code>
SSLProxyCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-remote-server.crl
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProxyCARevocationPath" id="SSLProxyCARevocationPath">SSLProxyCARevocationPath</a> <a name="sslproxycarevocationpath" id="sslproxycarevocationpath">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Directory of PEM-encoded CA CRLs for
Remote Server Auth</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCARevocationPath <em>directory-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets the directory where you keep the Certificate Revocation
Lists (CRL) of Certification Authorities (CAs) whose remote servers you deal with.
These are used to check whether the remote server certificate has been revoked
during Remote Server Authentication.</p>
<p>
The files in this directory have to be PEM-encoded and are accessed through
hash filenames. So usually it is not enough to place the CRL files there:
you also have to create symbolic links named
<em>hash-value</em><code>.rN</code>. And you should always make sure this directory
contains the appropriate symbolic links. Use the <code>Makefile</code> which
comes with <code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> to accomplish this task.</p>
<div class="example"><h3>Example</h3><p><code>
SSLProxyCARevocationPath /usr/local/apache2/conf/ssl.crl/
</code></p></div>

</div>
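<p>The hash-named symbolic links that both <code>SSLProxyCACertificatePath</code> and <code>SSLProxyCARevocationPath</code> depend on fail quietly: a CA certificate or CRL copied into the directory without its <em>hash-value</em><code>.N</code> or <em>hash-value</em><code>.rN</code> link is simply never consulted, and a stale link points at nothing. The Python script below is an added example, not mod_ssl's code and not the <code>Makefile</code> the text refers to. It does not compute subject hashes; it checks that every hash-named entry resolves to a PEM file of the kind its name promises (certificate for <code>.N</code>, CRL for <code>.rN</code>) and lists PEM files that no hash-named entry points at. The sample directory it builds is constructed, with placeholder hash values and placeholder PEM bodies.</p>

```python
"""Consistency check for a hash-named CA directory as used by
SSLProxyCACertificatePath and SSLProxyCARevocationPath (added example; not
mod_ssl's code and not the Makefile the documentation refers to).

OpenSSL finds certificates through <hash>.N links and CRLs through <hash>.rN
links, so a PEM file dropped into the directory without such a link is never
consulted.  This check does not compute subject hashes; it verifies that each
hash-named entry resolves to a PEM file of the right kind and reports PEM
files that no hash-named entry points at.
"""
import os
import re
import tempfile

# <8 hex digits>.N for certificates, <8 hex digits>.rN for CRLs
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.(r?)(\d+)$")

PEM_MARKERS = {
    "cert": "-----BEGIN CERTIFICATE-----",
    "crl": "-----BEGIN X509 CRL-----",
}


def pem_kind(path):
    """Return 'cert', 'crl' or None according to the first PEM marker found."""
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            for line in fh:
                for kind, marker in PEM_MARKERS.items():
                    if line.startswith(marker):
                        return kind
    except OSError:
        return None
    return None


def check_hash_dir(directory):
    """Inspect `directory` and return {"ok", "problems", "orphans"}.

    ok:       hash name -> file name it resolves to (usable entries)
    problems: hash-named entries that are dangling or of the wrong kind
    orphans:  PEM files that no hash-named entry resolves to
    """
    ok, problems, resolved = {}, [], set()
    entries = sorted(os.listdir(directory))
    for name in entries:
        match = HASH_NAME.match(name)
        if not match:
            continue
        path = os.path.join(directory, name)
        expected = "crl" if match.group(1) == "r" else "cert"
        target = os.path.realpath(path)
        if not os.path.isfile(target):
            problems.append(f"{name}: dangling link")
            continue
        found = pem_kind(target)
        if found != expected:
            problems.append(f"{name}: expected a PEM {expected}, found {found or 'no PEM marker'}")
            continue
        ok[name] = os.path.basename(target)
        resolved.add(target)
    orphans = []
    for name in entries:
        path = os.path.join(directory, name)
        if HASH_NAME.match(name) or os.path.islink(path) or not os.path.isfile(path):
            continue
        if pem_kind(path) and os.path.realpath(path) not in resolved:
            orphans.append(name)
    return {"ok": ok, "problems": problems, "orphans": orphans}


def build_constructed_dir():
    """Create a temporary directory of constructed (not real) PEM files.

    Contents: a correctly linked certificate and CRL, a certificate with no
    link at all, a CRL-style link that points at a certificate, and a
    dangling link.  The hash values are placeholders, not real subject hashes.
    """
    directory = tempfile.mkdtemp(prefix="ssl.crt.")
    fake_cert = "-----BEGIN CERTIFICATE-----\nMIIB-constructed-\n-----END CERTIFICATE-----\n"
    fake_crl = "-----BEGIN X509 CRL-----\nMIIB-constructed-\n-----END X509 CRL-----\n"
    for fname, body in (("ca-a.crt", fake_cert), ("ca-b.crt", fake_cert), ("ca-a.crl", fake_crl)):
        with open(os.path.join(directory, fname), "w", encoding="ascii") as fh:
            fh.write(body)
    os.symlink("ca-a.crt", os.path.join(directory, "0123abcd.0"))     # good certificate link
    os.symlink("ca-a.crl", os.path.join(directory, "0123abcd.r0"))    # good CRL link
    os.symlink("ca-a.crt", os.path.join(directory, "89ab0123.r0"))    # CRL name, certificate target
    os.symlink("missing.crt", os.path.join(directory, "deadbeef.0"))  # dangling
    return directory


if __name__ == "__main__":
    report = check_hash_dir(build_constructed_dir())
    for key, value in report.items():
        print(f"{key}: {value}")
```

<p>Pointed at a real <code>ssl.crt/</code> or <code>ssl.crl/</code> directory after the <code>Makefile</code> has run, an empty <code>problems</code> and <code>orphans</code> list is what a correctly maintained directory looks like; an orphaned CRL is the case worth watching for, because a revocation that is never loaded is indistinguishable, at the proxy, from no revocation at all.</p>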
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProxyCheckPeerCN" id="SSLProxyCheckPeerCN">SSLProxyCheckPeerCN</a> <a name="sslproxycheckpeercn" id="sslproxycheckpeercn">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Whether to check the remote server certificate's CN field
</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCheckPeerCN on|off</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLProxyCheckPeerCN on</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets whether the remote server certificate's CN field is
compared against the hostname of the request URL. If the two are not equal,
a 502 status code (Bad Gateway) is sent.
</p>
<div class="example"><h3>Example</h3><p><code>
SSLProxyCheckPeerCN on
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProxyCheckPeerExpire" id="SSLProxyCheckPeerExpire">SSLProxyCheckPeerExpire</a> <a name="sslproxycheckpeerexpire" id="sslproxycheckpeerexpire">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Whether to check if the remote server certificate is expired
</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCheckPeerExpire on|off</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLProxyCheckPeerExpire on</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets whether the remote server certificate is checked for
expiry. If the check fails, a 502 status code (Bad Gateway) is sent.
</p>
<div class="example"><h3>Example</h3><p><code>
SSLProxyCheckPeerExpire on
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProxyCipherSuite" id="SSLProxyCipherSuite">SSLProxyCipherSuite</a> <a name="sslproxyciphersuite" id="sslproxyciphersuite">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Cipher Suite available for negotiation in SSL
proxy handshake</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCipherSuite <em>cipher-spec</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>Equivalent to <code>SSLCipherSuite</code>, but for the proxy connection.
Please refer to <code class="directive"><a href="#sslciphersuite">SSLCipherSuite</a></code>
for additional information.</p>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProxyEngine" id="SSLProxyEngine">SSLProxyEngine</a> <a name="sslproxyengine" id="sslproxyengine">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>SSL Proxy Engine Operation Switch</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyEngine on|off</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLProxyEngine off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive toggles the usage of the SSL/TLS Protocol Engine for proxy. This
is usually used inside a <code class="directive"><a href="/mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code> section to enable SSL/TLS for proxy
usage in a particular virtual host. By default the SSL/TLS Protocol Engine is
disabled for proxy use, both for the main server and for all configured virtual hosts.</p>
<div class="example"><h3>Example</h3><p><code>
&lt;VirtualHost _default_:443&gt;<br />
SSLProxyEngine on<br />
...<br />
&lt;/VirtualHost&gt;
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProxyMachineCertificateFile" id="SSLProxyMachineCertificateFile">SSLProxyMachineCertificateFile</a> <a name="sslproxymachinecertificatefile" id="sslproxymachinecertificatefile">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of concatenated PEM-encoded client certificates and keys to be used by the proxy</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyMachineCertificateFile <em>filename</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>Not applicable</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets the all-in-one file where you keep the certificates and
keys used for authentication of the proxy server to remote servers.
</p>
<p>
This referenced file is simply the concatenation of the various PEM-encoded
certificate files, in order of preference. Use this directive alternatively
or additionally to <code>SSLProxyMachineCertificatePath</code>.
</p>
<div class="warning">
<p>Currently there is no support for encrypted private keys.</p>
</div>
<div class="example"><h3>Example</h3><p><code>
SSLProxyMachineCertificateFile /usr/local/apache2/conf/ssl.crt/proxy.pem
</code></p></div>

</div>
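<p>Two mistakes in a <code>SSLProxyMachineCertificateFile</code> bundle only show up when the remote server asks for a client certificate: a certificate whose private key is missing from the file, and a key that is still encrypted, which the warning above says is unsupported. The Python check below is an added example, not mod_ssl's loader. It splits the concatenated PEM file into blocks, pairs each certificate with the key block that follows it (that ordering, certificate then key, is an assumption of this example), and flags encrypted keys by the <code>ENCRYPTED PRIVATE KEY</code> label or the legacy <code>Proc-Type: 4,ENCRYPTED</code> header. It does not verify that a key cryptographically matches its certificate. The sample bundle is constructed; its PEM bodies are placeholders, not key material.</p>

```python
"""Check a concatenated PEM file for SSLProxyMachineCertificateFile
(added example, not mod_ssl's own code).

The file is a concatenation of certificate and private-key blocks.  Two
things fail silently at handshake time: a certificate with no private key
cannot be presented to the remote server, and an encrypted private key cannot
be used at all, since mod_ssl does not support encrypted private keys here.
Pairing by adjacency (a certificate followed by its key) is an assumption of
this example; it does not verify that a key mathematically matches its
certificate.
"""
import re

# One PEM block: label on the BEGIN line, body up to the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

KEY_LABELS = {
    "RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
}


def parse_pem_bundle(text):
    """Return the (label, body) pairs of all PEM blocks, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def is_encrypted_key(label, body):
    """True if a private-key block needs a pass phrase.

    PKCS#8 uses the 'ENCRYPTED PRIVATE KEY' label; legacy PEM keys carry a
    'Proc-Type: 4,ENCRYPTED' header line inside the block.
    """
    if label == "ENCRYPTED PRIVATE KEY":
        return True
    return label in KEY_LABELS and "Proc-Type: 4,ENCRYPTED" in body


def check_machine_bundle(text):
    """Walk the bundle and return {"pairs": usable pairs, "problems": [...]}."""
    blocks = parse_pem_bundle(text)
    problems, pairs, i = [], 0, 0
    if not blocks:
        problems.append("no PEM blocks found")
    while i < len(blocks):
        label, _ = blocks[i]
        if label != "CERTIFICATE":
            problems.append(f"block {i}: {label} block without a preceding certificate")
            i += 1
            continue
        if i + 1 < len(blocks) and blocks[i + 1][0] in KEY_LABELS:
            key_label, key_body = blocks[i + 1]
            if is_encrypted_key(key_label, key_body):
                problems.append(f"block {i + 1}: certificate followed by an encrypted key (unsupported)")
            else:
                pairs += 1
            i += 2
        else:
            problems.append(f"block {i}: certificate without a following private key")
            i += 1
    return {"pairs": pairs, "problems": problems}


# Constructed sample, not real key material: the base64 bodies are placeholders.
CONSTRUCTED_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIB-constructed-certificate-1-
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIE-constructed-plain-key-1-
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIB-constructed-certificate-2-
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00000000000000000000000000000000

MIIE-constructed-encrypted-key-2-
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIB-constructed-certificate-3-
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for problem in check_machine_bundle(CONSTRUCTED_BUNDLE)["problems"]:
        print(problem)
```

<p>The same encrypted-key limitation applies to the per-file layout of <code>SSLProxyMachineCertificatePath</code>, so <code>check_machine_bundle</code> can be run over each file in that directory as well. Because the file holds unencrypted private keys, its filesystem permissions deserve the same scrutiny as the server key itself.</p>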
95c3e5d11dcee331dc3876a9bf0c1d6daa38e2caChristian Maeder<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski<div class="directive-section"><h2><a name="SSLProxyMachineCertificatePath" id="SSLProxyMachineCertificatePath">SSLProxyMachineCertificatePath</a> <a name="sslproxymachinecertificatepath" id="sslproxymachinecertificatepath">Directive</a></h2>
b10d6cef708b7a659f2d3b367e8e0db0d03ae3f5Till Mossakowski<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Directory of PEM-encoded client certificates and keys to be used by the proxy</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyMachineCertificatePath <em>directory</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>Not applicable</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets the directory where you keep the certificates and
keys used for authentication of the proxy server to remote servers.
</p>
<p>The files in this directory must be PEM-encoded and are accessed through
hash filenames. Additionally, you must create symbolic links named
<code><em>hash-value</em>.N</code>, and you should always make sure this
directory contains the appropriate symbolic links. Use the Makefile which
comes with mod_ssl to accomplish this task.
</p>
<div class="warning">
<p>Currently there is no support for encrypted private keys.</p>
</div>
<div class="example"><h3>Example</h3><p><code>
SSLProxyMachineCertificatePath /usr/local/apache2/conf/proxy.crt/
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProxyProtocol" id="SSLProxyProtocol">SSLProxyProtocol</a> <a name="sslproxyprotocol" id="sslproxyprotocol">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Configure usable SSL protocol flavors for proxy usage</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyProtocol [+|-]<em>protocol</em> ...</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLProxyProtocol all</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>Options</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>

<p>
This directive can be used to control the SSL protocol flavors mod_ssl should
use when establishing its server environment for proxy use. It will only connect
to servers using one of the provided protocols.</p>
<p>Please refer to <code class="directive"><a href="#sslprotocol">SSLProtocol</a></code>
for additional information.
</p>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProxyVerify" id="SSLProxyVerify">SSLProxyVerify</a> <a name="sslproxyverify" id="sslproxyverify">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Type of remote server Certificate verification</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyVerify <em>level</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLProxyVerify none</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>

<p>When a proxy is configured to forward requests to a remote SSL
server, this directive can be used to configure certificate
verification of the remote server.</p>
<p>
The following levels are available for <em>level</em>:</p>
<ul>
<li><strong>none</strong>:
 no remote server Certificate is required at all</li>
<li><strong>optional</strong>:
 the remote server <em>may</em> present a valid Certificate</li>
<li><strong>require</strong>:
 the remote server <em>has to</em> present a valid Certificate</li>
<li><strong>optional_no_ca</strong>:
 the remote server may present a valid Certificate<br />
 but it need not be (successfully) verifiable.</li>
</ul>
<p>In practice only levels <strong>none</strong> and
<strong>require</strong> are really interesting, because level
<strong>optional</strong> doesn't work with all servers and level
<strong>optional_no_ca</strong> is actually against the idea of
authentication (but can be used to establish SSL test pages, etc.).</p>
<div class="example"><h3>Example</h3><p><code>
SSLProxyVerify require
</code></p></div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProxyVerifyDepth" id="SSLProxyVerifyDepth">SSLProxyVerifyDepth</a> <a name="sslproxyverifydepth" id="sslproxyverifydepth">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Maximum depth of CA Certificates in Remote Server
Certificate verification</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyVerifyDepth <em>number</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLProxyVerifyDepth 1</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets how deeply mod_ssl should verify before deciding that the
remote server does not have a valid certificate.</p>
<p>
The depth is the maximum number of intermediate certificate issuers, i.e. the
maximum number of CA certificates that may be followed while verifying the
remote server certificate. A depth of 0 means that only self-signed remote
server certificates are accepted; the default depth of 1 means the remote
server certificate can be self-signed or has to be signed by a CA which is
directly known to the server (i.e. the CA's certificate is under
<code class="directive"><a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></code>), etc.</p>
<div class="example"><h3>Example</h3><p><code>
SSLProxyVerifyDepth 10
</code></p></div>
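<p>The depth rule above (and the identical rule for <code class="directive"><a href="#sslverifydepth">SSLVerifyDepth</a></code> on client certificates) is easy to get wrong when an intermediate CA sits between the leaf and the trusted root. The following Python is an added illustration, not code from mod_ssl or OpenSSL: certificates are modelled as subject/issuer name pairs, signature checking is left out, and the names <code>Cert</code>, <code>chain_depth</code> and <code>verify</code> are the example's own. It follows the text's description, so a self-signed leaf counts as depth 0 and a leaf issued directly by a CA in the trust store counts as depth 1.</p>

```python
# Added illustration of the SSLProxyVerifyDepth / SSLVerifyDepth depth rule.
# Not mod_ssl or OpenSSL code: certificates are modelled as plain subject/issuer
# name pairs (an assumption of this example) and only the issuer-chain walk is
# shown, not signature verification.
from typing import Dict, List, NamedTuple, Optional, Tuple


class Cert(NamedTuple):
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def chain_depth(leaf: Cert, presented: List[Cert],
                trusted: Dict[str, Cert]) -> Optional[int]:
    """Count the CA certificates followed from the leaf to a CA known to the server.

    0 for a self-signed leaf, 1 for a leaf signed directly by a CA in `trusted`
    (the SSLProxyCACertificatePath equivalent), 2 when one presented intermediate
    sits in between, and so on.  None when the chain cannot be completed.
    """
    if leaf.self_signed:
        return 0
    by_subject = {c.subject: c for c in presented}
    current, depth, seen = leaf, 0, {leaf.subject}
    while True:
        if current.issuer in trusted:        # reached a CA directly known to the server
            return depth + 1
        nxt = by_subject.get(current.issuer)
        # missing issuer, a loop, or an untrusted self-signed root: the chain fails
        if nxt is None or nxt.subject in seen or nxt.self_signed:
            return None
        seen.add(nxt.subject)
        current, depth = nxt, depth + 1


def verify(leaf: Cert, presented: List[Cert], trusted: Dict[str, Cert],
           max_depth: int = 1) -> Tuple[bool, str]:
    """Apply the configured depth limit the way the directive describes it."""
    depth = chain_depth(leaf, presented, trusted)
    if depth is None:
        return False, "chain could not be completed to a known CA"
    if depth > max_depth:
        return False, f"chain depth {depth} exceeds configured depth {max_depth}"
    return True, f"verified at depth {depth}"


# Constructed sample certificates (names only, not real PKI data).
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA")
LEAF_VIA_INTERMEDIATE = Cert("backend.example.test", "Example Intermediate CA")
LEAF_DIRECT = Cert("direct.example.test", "Example Root CA")
LEAF_SELF_SIGNED = Cert("self.example.test", "self.example.test")
ROGUE_ROOT = Cert("Rogue CA", "Rogue CA")
LEAF_ROGUE = Cert("rogue.example.test", "Rogue CA")
TRUSTED = {ROOT.subject: ROOT}   # what the CA certificate directory would hold

if __name__ == "__main__":
    print(verify(LEAF_SELF_SIGNED, [], TRUSTED, max_depth=0))
    print(verify(LEAF_DIRECT, [], TRUSTED))
    print(verify(LEAF_VIA_INTERMEDIATE, [INTERMEDIATE], TRUSTED))
    print(verify(LEAF_VIA_INTERMEDIATE, [INTERMEDIATE], TRUSTED, max_depth=2))
    print(verify(LEAF_ROGUE, [ROGUE_ROOT], TRUSTED, max_depth=10))
```

<p>Running it shows that the default depth of 1 accepts a leaf issued directly by a CA in the trust store but rejects a leaf that reaches the same root through an intermediate; that chain needs <code>SSLProxyVerifyDepth 2</code>. A self-signed root that is presented by the peer but absent from the trust store fails regardless of the depth setting.</p>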
</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLRandomSeed" id="SSLRandomSeed">SSLRandomSeed</a> <a name="sslrandomseed" id="sslrandomseed">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Pseudo Random Number Generator (PRNG) seeding
source</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLRandomSeed <em>context</em> <em>source</em>
[<em>bytes</em>]</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This configures one or more sources for seeding the Pseudo Random Number
Generator (PRNG) in OpenSSL at startup time (<em>context</em> is
<code>startup</code>) and/or just before a new SSL connection is established
(<em>context</em> is <code>connect</code>). This directive can only be used
in the global server context because the PRNG is a global facility.</p>
<p>
The following <em>source</em> variants are available:</p>
<ul>
<li><code>builtin</code>
<p> This is the always available builtin seeding source. Its usage
consumes minimal CPU cycles at runtime and hence can always be used
without drawbacks. The material used for seeding the PRNG consists of the
current time, the current process id and (when applicable) a randomly
chosen 1KB extract of the inter-process scoreboard structure of Apache.
The drawback is that this is not really a strong source, and at startup
time (when the scoreboard is not yet available) this source only
produces a few bytes of entropy. So you should always, at least for
startup, use an additional seeding source.</p></li>
<li><code>file:/path/to/source</code>
<p>
This variant uses an external file <code>/path/to/source</code> as the
source for seeding the PRNG. When <em>bytes</em> is specified, only the
first <em>bytes</em> bytes of the file form the entropy (and
<em>bytes</em> is given to <code>/path/to/source</code> as the first
argument). When <em>bytes</em> is not specified, the whole file forms the
entropy (and <code>0</code> is given to <code>/path/to/source</code> as
the first argument). Use this especially at startup time, for instance
with the <code>/dev/random</code> and/or <code>/dev/urandom</code>
devices where available (they usually exist on modern Unix derivatives
like FreeBSD and Linux).</p>
<p>
<em>But be careful</em>: usually <code>/dev/random</code> provides only as
much entropy data as it actually has, i.e. when you request 512 bytes of
entropy but the device currently has only 100 bytes available, two things
can happen: on some platforms you receive only the 100 bytes, while on
other platforms the read blocks until enough bytes are available (which
can take a long time). Here using an existing <code>/dev/urandom</code> is
better, because it never blocks and actually gives the requested amount of
data. The drawback is just that the quality of the received data may not
be the best.</p>
<p>
On some platforms like FreeBSD one can even control how the entropy is
actually generated, i.e. by which system interrupts. More details can be
found under <em>rndcontrol(8)</em> on those platforms. Alternatively, when
your system lacks such a random device, you can use a tool
like <a href="http://www.lothar.com/tech/crypto/">EGD</a>
(Entropy Gathering Daemon) and run its client program with the
<code>exec:/path/to/program</code> variant (see below) or use
<code>egd:/path/to/egd-socket</code> (see below).</p></li>
<li><code>exec:/path/to/program</code>
<p>
This variant uses an external executable
<code>/path/to/program</code> as the source for seeding the
PRNG. When <em>bytes</em> is specified, only the first
<em>bytes</em> bytes of its <code>stdout</code> contents
form the entropy. When <em>bytes</em> is not specified, the
entirety of the data produced on <code>stdout</code> forms the
entropy. Use this only at startup time when you need a very strong
seeding with the help of an external program (for instance as in
the example below with the <code>truerand</code> utility you can
find in the mod_ssl distribution, which is based on the AT&amp;T
<em>truerand</em> library). Using this in the connection context
slows down the server too dramatically, of course, so you should
usually avoid using external programs in that context.</p></li>
<li><code>egd:/path/to/egd-socket</code> (Unix only)
<p>
This variant uses the Unix domain socket of the
external Entropy Gathering Daemon (EGD) (see <a href="http://www.lothar.com/tech/crypto/">http://www.lothar.com/tech/crypto/</a>)
to seed the PRNG. Use this if no random device exists
on your platform.</p></li>
</ul>
<div class="example"><h3>Example</h3><p><code>
SSLRandomSeed startup builtin<br />
SSLRandomSeed startup file:/dev/random<br />
SSLRandomSeed startup file:/dev/urandom 1024<br />
SSLRandomSeed startup exec:/usr/local/bin/truerand 16<br />
SSLRandomSeed connect builtin<br />
SSLRandomSeed connect file:/dev/random<br />
SSLRandomSeed connect file:/dev/urandom 1024<br />
</code></p></div>
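<p>As an added check, not part of mod_ssl, the Python below parses <code>SSLRandomSeed</code> lines and flags the two configurations the text advises against: a <code>startup</code> context seeded only by <code>builtin</code>, and an <code>exec:</code> program in the <code>connect</code> context. It also notes <code>file:/dev/random</code>, which the text says may block on some platforms. The names <code>SeedSource</code>, <code>parse_seed_line</code> and <code>lint_seeding</code> and the warning texts are the example's own; the two configurations are constructed sample input.</p>

```python
# Added example: a checker for SSLRandomSeed lines that applies the advice given
# in the text.  Not part of mod_ssl; the directive syntax parsed here is the one
# documented above, the class/function names and warning texts are this example's.
import re
from typing import List, NamedTuple, Optional

CONTEXTS = ("startup", "connect")
SOURCE_KINDS = ("file", "exec", "egd")
_LINE = re.compile(r"^\s*SSLRandomSeed\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$", re.IGNORECASE)


class SeedSource(NamedTuple):
    context: str            # startup | connect
    kind: str               # builtin | file | exec | egd
    path: Optional[str]     # device, program or socket path; None for builtin
    nbytes: Optional[int]   # optional byte count; None = whole file / whole output


def parse_seed_line(line: str) -> SeedSource:
    """Parse one 'SSLRandomSeed context source [bytes]' line."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not an SSLRandomSeed line: {line.strip()!r}")
    context, source, nbytes = m.groups()
    context = context.lower()
    if context not in CONTEXTS:
        raise ValueError(f"unknown context {context!r}")
    if source == "builtin":
        return SeedSource(context, "builtin", None, None)
    kind, sep, path = source.partition(":")
    if kind not in SOURCE_KINDS or not sep or not path:
        raise ValueError(f"unknown seeding source {source!r}")
    return SeedSource(context, kind, path, int(nbytes) if nbytes else None)


def lint_seeding(config_text: str) -> List[str]:
    """Return the findings a reviewer would raise against the seeding setup."""
    sources = [parse_seed_line(line) for line in config_text.splitlines()
               if line.strip().lower().startswith("sslrandomseed")]
    findings = []
    startup = [s for s in sources if s.context == "startup"]
    # The text: builtin yields only a few bytes at startup, so add another source.
    if not any(s.kind != "builtin" for s in startup):
        findings.append("startup: only the weak builtin source is configured; "
                        "add a file:, exec: or egd: source for startup seeding")
    for s in sources:
        # The text: external programs in the connect context slow the server down.
        if s.context == "connect" and s.kind == "exec":
            findings.append(f"connect: exec:{s.path} runs an external program on "
                            "every connection and will slow the server down")
        # The text: /dev/random may block until enough entropy is available.
        if s.kind == "file" and s.path == "/dev/random":
            findings.append(f"{s.context}: file:/dev/random may block when the "
                            "kernel pool runs low; /dev/urandom never blocks")
    return findings


# Constructed configurations for the demonstration.
WEAK_CONFIG = """
SSLRandomSeed startup builtin
SSLRandomSeed connect exec:/usr/local/bin/truerand 16
"""
SOUND_CONFIG = """
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed startup exec:/usr/local/bin/truerand 16
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 1024
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("sound", SOUND_CONFIG)):
        print(name, lint_seeding(cfg) or ["no findings"])
```

<p>The weak configuration draws both findings; the sound one, which follows the example above minus the <code>/dev/random</code> lines, draws none.</p>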
</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLRenegBufferSize" id="SSLRenegBufferSize">SSLRenegBufferSize</a> <a name="sslrenegbuffersize" id="sslrenegbuffersize">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Set the size for the SSL renegotiation buffer</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLRenegBufferSize <var>bytes</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLRenegBufferSize 131072</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>If an SSL renegotiation is required in per-location context, for
example, any use of <code class="directive"><a href="#sslverifyclient">SSLVerifyClient</a></code> in a Directory or
Location block, then <code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> must buffer any HTTP
request body into memory until the new SSL handshake can be performed.
This directive can be used to set the amount of memory that will be
used for this buffer. </p>
<div class="warning"><p>
Note that in many configurations the client sending the request body
will be untrusted, so a denial-of-service attack by consumption of
memory must be considered when changing this configuration setting.
</p></div>
<div class="example"><h3>Example</h3><p><code>
SSLRenegBufferSize 262144
</code></p></div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLRequire" id="SSLRequire">SSLRequire</a> <a name="sslrequire" id="sslrequire">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Allow access only when an arbitrarily complex
boolean expression is true</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLRequire <em>expression</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive specifies a general access requirement which has to be
fulfilled in order to allow access. It is a very powerful directive because the
requirement specification is an arbitrarily complex boolean expression
containing any number of access checks.</p>
<p>
The <em>expression</em> must match the following syntax (given as a BNF
grammar notation):</p>
<blockquote>
<pre>
expr ::= "<strong>true</strong>" | "<strong>false</strong>"
| "<strong>!</strong>" expr
| expr "<strong>&amp;&amp;</strong>" expr
| expr "<strong>||</strong>" expr
| "<strong>(</strong>" expr "<strong>)</strong>"
| comp
comp ::= word "<strong>==</strong>" word | word "<strong>eq</strong>" word
| word "<strong>!=</strong>" word | word "<strong>ne</strong>" word
| word "<strong>&lt;</strong>" word | word "<strong>lt</strong>" word
| word "<strong>&lt;=</strong>" word | word "<strong>le</strong>" word
| word "<strong>&gt;</strong>" word | word "<strong>gt</strong>" word
| word "<strong>&gt;=</strong>" word | word "<strong>ge</strong>" word
| word "<strong>in</strong>" "<strong>{</strong>" wordlist "<strong>}</strong>"
| word "<strong>in</strong>" "<strong>PeerExtList(</strong>" word "<strong>)</strong>"
| word "<strong>=~</strong>" regex
| word "<strong>!~</strong>" regex
wordlist ::= word
| wordlist "<strong>,</strong>" word
word ::= digit
| cstring
| variable
| function
digit ::= [0-9]+
cstring ::= "..."
variable ::= "<strong>%{</strong>" varname "<strong>}</strong>"
function ::= funcname "<strong>(</strong>" funcargs "<strong>)</strong>"
</pre>
</blockquote>
<p>For <code>varname</code> any of the variables described in <a href="#envvars">Environment Variables</a> can be used. For
<code>funcname</code> the following functions are available:</p>
<ul>
<li><code>file(</code><em>filename</em><code>)</code>
<p>
This function takes one string argument and expands to the contents of the
file. This is especially useful for matching these contents against a
regular expression, etc.</p>
</li>
</ul>
<p>Notice that <em>expression</em> is first parsed into an internal machine
representation and then evaluated in a second step. In Global and
Per-Server Class context <em>expression</em> is parsed at startup time and
at runtime only the machine representation is executed. For Per-Directory
context this is different: here <em>expression</em> has to be parsed and
immediately executed for every request.</p>
<div class="example"><h3>Example</h3><pre>SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
and %{TIME_WDAY} &gt;= 1 and %{TIME_WDAY} &lt;= 5 \
and %{TIME_HOUR} &gt;= 8 and %{TIME_HOUR} &lt;= 20 ) \
or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/</pre></div>
<p>The <code>PeerExtList(<em>object-ID</em>)</code> function expects
to find zero or more instances of the X.509 certificate extension
identified by the given <em>object ID</em> (OID) in the client certificate.
The expression evaluates to true if the left-hand side string matches
exactly against the value of an extension identified with this OID.
(If multiple extensions with the same OID are present, at least one
extension must match).</p>
<div class="example"><h3>Example</h3><p><code>
SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6")
</code></p></div>
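<p>To make the grammar and the <code>PeerExtList</code> semantics concrete, here is an added Python parser and evaluator for <code>SSLRequire</code> expressions. It is written for this page and is not mod_ssl's own expression engine. Its assumptions: <code>and</code>/<code>or</code>/<code>not</code>, as used in the example above, are accepted as synonyms for <code>&amp;&amp;</code>/<code>||</code>/<code>!</code>; regexes are written <code>m/.../</code> or <code>/.../</code>; ordering comparisons are numeric when both sides are integers and lexicographic otherwise; <code>PeerExtList</code> values are read from a constructed lookup table keyed by numeric OID; and the <code>file()</code> function is omitted. <code>OFFICE_ENV</code> is a constructed request environment, not real certificate data.</p>

```python
# Added illustration of the SSLRequire grammar; not mod_ssl's own parser.
# Assumptions: and/or/not are synonyms of &&/||/!, regexes are m/.../ or /.../,
# ordering is numeric when both sides are integers, PeerExtList values come from
# a constructed table keyed by OID, and the file() function is omitted.
import re

TOKEN = re.compile(r"""\s*(?:(?P<str>"(?:[^"\\]|\\.)*")|(?P<re>m?/(?:[^/\\]|\\.)*/)
    |(?P<var>%\{\w+\})|(?P<num>[0-9]+)
    |(?P<op>&&|\|\||==|!=|<=|>=|=~|!~|[!<>(){},])|(?P<word>[A-Za-z_]\w*))""", re.VERBOSE)
CMP = {"==": "eq", "eq": "eq", "!=": "ne", "ne": "ne", "<": "lt", "lt": "lt",
       "<=": "le", "le": "le", ">": "gt", "gt": "gt", ">=": "ge", "ge": "ge"}

def tokenize(text):
    text, pos, toks = text.replace("\\\n", " "), 0, []   # join httpd.conf continuation lines
    while pos < len(text) and not text[pos:].isspace():
        m = TOKEN.match(text, pos)
        if not m: raise SyntaxError(f"bad token near {text[pos:pos + 12]!r}")
        toks.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return toks

class Parser:
    """Recursive descent over the BNF: or-expr > and-expr > factor > comp > word."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, *expect):
        kind, val = self.peek()
        if expect and val not in expect: raise SyntaxError(f"expected {expect}, got {val!r}")
        self.i += 1
        return kind, val
    def parse(self):
        node = self.expr()
        if self.peek()[0] is not None: raise SyntaxError(f"unexpected {self.peek()[1]!r}")
        return node
    def expr(self, level=0):          # level 0 chains "||"/or, level 1 chains "&&"/and
        sub = self.factor if level else (lambda: self.expr(1))
        node = sub()
        while self.peek()[1] in (("||", "or"), ("&&", "and"))[level]:
            self.take(); node = (("or", "and")[level], node, sub())
        return node
    def factor(self):
        kind, val = self.peek()
        if val in ("!", "not"): self.take(); return ("not", self.factor())
        if val == "(": self.take(); node = self.expr(); self.take(")"); return node
        if kind == "word" and val in ("true", "false"): self.take(); return ("lit", val == "true")
        return self.comp()
    def comp(self):
        left, (_, op) = self.word(), self.take()
        if op in CMP: return ("cmp", CMP[op], left, self.word())
        if op in ("=~", "!~"):
            kind, rx = self.take()
            if kind != "re": raise SyntaxError(f"regex expected after {op}")
            return ("match", op == "=~", left, re.compile(rx[rx.index("/") + 1:-1]))
        if op == "in" and self.peek()[1] == "PeerExtList":
            self.take(); self.take("("); oid = self.word(); self.take(")")
            return ("ext", left, oid)
        if op == "in":
            self.take("{"); items = [self.word()]
            while self.peek()[1] == ",": self.take(); items.append(self.word())
            self.take("}"); return ("in", left, items)
        raise SyntaxError(f"unknown operator {op!r}")
    def word(self):                   # digit | cstring | variable
        kind, val = self.take()
        if kind == "num": return ("const", val)
        if kind == "str": return ("const", val[1:-1].replace('\\"', '"'))
        if kind == "var": return ("var", val[2:-1])
        raise SyntaxError(f"word expected, got {val!r}")

def evaluate(node, env):
    op, a = node[0], node[1:]
    ev = lambda n: evaluate(n, env)
    if op in ("lit", "const"): return a[0]
    if op == "var": return str(env.get(a[0], ""))          # unset variables read as ""
    if op == "not": return not ev(a[0])
    if op == "and": return ev(a[0]) and ev(a[1])
    if op == "or": return ev(a[0]) or ev(a[1])
    if op == "match": return (a[2].search(ev(a[1])) is not None) == a[0]
    if op == "in": return ev(a[0]) in [ev(w) for w in a[1]]
    if op == "ext":   # the left-hand string must equal one value of the named extension
        return ev(a[0]) in env.get("PeerExtList", {}).get(ev(a[1]), [])
    x, y = ev(a[1]), ev(a[2])                                # "cmp"
    if x.isdigit() and y.isdigit(): x, y = int(x), int(y)   # numeric when both are integers
    c = (x > y) - (x < y)
    return {"eq": c == 0, "ne": c != 0, "lt": c < 0, "le": c <= 0, "gt": c > 0, "ge": c >= 0}[a[0]]

def ssl_require(expression, env):
    return bool(evaluate(Parser(expression).parse(), env))

PAGE_EXPRESSION = r"""( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
    and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
    or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/"""      # the page's own example
OFFICE_ENV = {  # constructed request environment, not real certificate data
    "SSL_CIPHER": "DHE-RSA-AES256-SHA", "SSL_CLIENT_S_DN_O": "Snake Oil, Ltd.",
    "SSL_CLIENT_S_DN_OU": "Dev", "TIME_WDAY": "3", "TIME_HOUR": "14",
    "REMOTE_ADDR": "10.0.0.7", "PeerExtList": {"1.2.3.4.5.6": ["foobar"]}}
```

<p>Evaluating the page's example expression against <code>OFFICE_ENV</code> yields true. Setting <code>TIME_HOUR</code> to 22 makes the parenthesised part false, so the result then depends only on the <code>REMOTE_ADDR</code> match; note that the numeric comparison matters here, since a purely lexicographic <code>"14" &gt;= "8"</code> would be false. The parser gives <code>&amp;&amp;</code> higher precedence than <code>||</code>, which is what the example relies on.</p>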
<div class="note"><h3>Notes on the PeerExtList function</h3>
<ul>
<li><p>The object ID can be specified either as a descriptive
name recognized by the SSL library, such as <code>"nsComment"</code>,
or as a numeric OID, such as <code>"1.2.3.4.5.6"</code>.</p></li>
<li><p>Expressions with types known to the SSL library are rendered to
a string before comparison. For an extension with a type not
recognized by the SSL library, mod_ssl will parse the value if it is
one of the primitive ASN.1 types UTF8String, IA5String, VisibleString,
or BMPString. For an extension of one of these types, the string
value will be converted to UTF-8 if necessary, then compared against
the left-hand-side expression.</p></li>
</ul>
</div>
<h3>See also</h3>
<ul>
<li><a href="/env.html">Environment Variables in Apache HTTP Server</a>,
for additional examples.
</li>
</ul>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLRequireSSL" id="SSLRequireSSL">SSLRequireSSL</a> <a name="sslrequiressl" id="sslrequiressl">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Deny access when SSL is not used for the
HTTP request</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLRequireSSL</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive forbids access unless HTTP over SSL (i.e. HTTPS) is enabled for
the current connection. This is very handy inside the SSL-enabled virtual
host or directories for defending against configuration errors that expose
content that should be protected. When this directive is present, all
requests that do not use SSL are denied.</p>
<div class="example"><h3>Example</h3><p><code>
SSLRequireSSL
</code></p></div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLSessionCache" id="SSLSessionCache">SSLSessionCache</a> <a name="sslsessioncache" id="sslsessioncache">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Type of the global/inter-process SSL Session
Cache</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLSessionCache <em>type</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLSessionCache none</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This configures the storage type of the global/inter-process SSL Session
Cache. This cache is an optional facility which speeds up parallel request
processing. For requests to the same server process (via HTTP keep-alive),
OpenSSL already caches the SSL session information locally. But because modern
clients request inlined images and other data via parallel requests (usually
up to four parallel requests are common) those requests are served by
<em>different</em> pre-forked server processes. Here an inter-process cache
helps to avoid unnecessary session handshakes.</p>
<p>
The following four storage <em>type</em>s are currently supported:</p>
<ul>
<li><code>none</code>
<p>This disables the global/inter-process Session Cache. This
will incur a noticeable speed penalty and may cause problems if
using certain browsers, particularly if client certificates are
enabled. This setting is not recommended.</p></li>
<li><code>nonenotnull</code>
<p>This disables any global/inter-process Session Cache. However
it does force OpenSSL to send a non-null session ID to
accommodate buggy clients that require one.</p></li>
<li><code>dbm:/path/to/datafile</code>
<p>This makes use of a DBM hashfile on the local disk to
synchronize the local OpenSSL memory caches of the server
processes. This session cache may suffer reliability issues under
high load.</p></li>
<li><code>shm:/path/to/datafile</code>[<code>(</code><em>size</em><code>)</code>]
<p>This makes use of a high-performance cyclic buffer
(approx. <em>size</em> bytes in size) inside a shared memory
segment in RAM (established via <code>/path/to/datafile</code>) to
synchronize the local OpenSSL memory caches of the server
processes. This is the recommended session cache.</p></li>
<li><code>dc:UNIX:/path/to/socket</code>
<p>This makes use of the <a href="http://www.distcache.org/">distcache</a> distributed session
caching libraries. The argument should specify the location of
the server or proxy to be used, in the distcache address syntax;
for example, <code>UNIX:/path/to/socket</code> specifies a UNIX
domain socket (typically a local dc_client proxy);
<code>IP:server.example.com:9001</code> specifies an IP
address.</p></li>
</ul>
<div class="example"><h3>Examples</h3><p><code>
SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data<br />
SSLSessionCache shm:/usr/local/apache/logs/ssl_gcache_data(512000)
</code></p></div>
<p>The <code>ssl-cache</code> mutex is used to serialize access to
the session cache to prevent corruption. This mutex can be configured
using the <code class="directive"><a href="/mod/core.html#mutex">Mutex</a></code> directive.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLSessionCacheTimeout" id="SSLSessionCacheTimeout">SSLSessionCacheTimeout</a> <a name="sslsessioncachetimeout" id="sslsessioncachetimeout">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Number of seconds before an SSL session expires
in the Session Cache</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLSessionCacheTimeout <em>seconds</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLSessionCacheTimeout 300</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets the timeout in seconds for the information stored in the
global/inter-process SSL Session Cache and the OpenSSL internal memory cache.
It can be set as low as 15 for testing, but should be set to higher
values like 300 in real life.</p>
<div class="example"><h3>Example</h3><p><code>
SSLSessionCacheTimeout 600
</code></p></div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLStrictSNIVHostCheck" id="SSLStrictSNIVHostCheck">SSLStrictSNIVHostCheck</a> <a name="sslstrictsnivhostcheck" id="sslstrictsnivhostcheck">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Whether to allow non-SNI clients to access a name-based virtual
host.
</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLStrictSNIVHostCheck on|off</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLStrictSNIVHostCheck off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.2.12 and later</td></tr>
</table>
<p>
This directive sets whether a non-SNI client is allowed to access a name-based
virtual host. If set to <code>on</code> in the default name-based virtual
host, clients that are SNI unaware will not be allowed to access <em>any</em>
virtual host belonging to this particular IP / port combination.
If set to <code>on</code> in any other virtual host, SNI unaware clients
are not allowed to access this particular virtual host.
</p>
<div class="warning"><p>
This option is only available if httpd was compiled against an SNI capable
version of OpenSSL.
</p></div>
<div class="example"><h3>Example</h3><p><code>
SSLStrictSNIVHostCheck on
</code></p></div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLUserName" id="SSLUserName">SSLUserName</a> <a name="sslusername" id="sslusername">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Variable name to determine user name</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLUserName <em>varname</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.0.51 and later</td></tr>
</table>
<p>
This directive sets the "user" field in the Apache request object.
This is used by lower modules to identify the user with a character
string. In particular, this may cause the environment variable
<code>REMOTE_USER</code> to be set. The <em>varname</em> can be
any of the <a href="#envvars">SSL environment variables</a>.</p>
<p>Note that this directive has no effect if the
<code>FakeBasicAuth</code> option is used (see <a href="#ssloptions">SSLOptions</a>).</p>
<div class="example"><h3>Example</h3><p><code>
SSLUserName SSL_CLIENT_S_DN_CN
</code></p></div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLVerifyClient" id="SSLVerifyClient">SSLVerifyClient</a> <a name="sslverifyclient" id="sslverifyclient">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Type of Client Certificate verification</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLVerifyClient <em>level</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLVerifyClient none</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets the Certificate verification level for the Client
Authentication. Notice that this directive can be used both in per-server and
per-directory context. In per-server context it applies to the client
authentication process used in the standard SSL handshake when a connection is
established. In per-directory context it forces an SSL renegotiation with the
reconfigured client verification level after the HTTP request was read but
before the HTTP response is sent.</p>
<p>
The following levels are available for <em>level</em>:</p>
<ul>
<li><strong>none</strong>:
no client Certificate is required at all</li>
<li><strong>optional</strong>:
the client <em>may</em> present a valid Certificate</li>
<li><strong>require</strong>:
the client <em>has to</em> present a valid Certificate</li>
<li><strong>optional_no_ca</strong>:
the client may present a valid Certificate<br />
but it need not be (successfully) verifiable.</li>
</ul>
<p>In practice only levels <strong>none</strong> and
<strong>require</strong> are really interesting, because level
<strong>optional</strong> doesn't work with all browsers and level
<strong>optional_no_ca</strong> is actually against the idea of
authentication (but can be used to establish SSL test pages, etc.).</p>
<div class="example"><h3>Example</h3><p><code>
SSLVerifyClient require
</code></p></div>
</div>
<div class="directive-section"><h2><a name="SSLVerifyDepth" id="SSLVerifyDepth">SSLVerifyDepth</a> <a name="sslverifydepth" id="sslverifydepth">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Maximum depth of CA Certificates in Client
Certificate verification</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLVerifyDepth <em>number</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLVerifyDepth 1</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets how deep a certificate chain mod_ssl follows before
deciding that the client does not have a valid certificate. Note that it can be
used both in per-server and per-directory context. In per-server context it
applies to the client authentication performed during the standard SSL
handshake when a connection is established. In per-directory context it forces
an SSL renegotiation with the reconfigured client verification depth after the
HTTP request has been read but before the HTTP response is sent.</p>
<p>
The depth is the maximum number of intermediate certificate issuers, i.e. the
maximum number of CA certificates that may be followed while verifying the
client certificate. A depth of 0 means that only self-signed client
certificates are accepted; the default depth of 1 means the client certificate
may be self-signed or must be signed by a CA that is directly known to the
server (i.e. the CA's certificate is under
<code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code>);
a depth of 2 additionally allows one intermediate CA between the client
certificate and such a known CA, and so on.</p>
<div class="example"><h3>Example</h3><p><code>
SSLVerifyDepth 10
</code></p></div>
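<p>The following configuration combines <code>SSLVerifyClient</code>, <code>SSLVerifyDepth</code> and <code>SSLUserName</code> in one virtual host. It is an added example, not taken from the mod_ssl manual: the per-server level <code>none</code> leaves the handshake open, the per-directory level <code>require</code> triggers the renegotiation described above, and depth 2 admits client chains with one intermediate CA. The host name, file paths and the <code>/secure</code> location are placeholders.</p>

```apache
# Added example, not part of the mod_ssl manual.
# Host name, certificate paths and the /secure location are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # CA certificates the server trusts as issuers of *client* certificates.
    SSLCACertificateFile  /path/to/client-ca-bundle.crt

    # Per-server context: the initial handshake does not demand a client
    # certificate, so the rest of the site stays reachable without one.
    SSLVerifyClient none

    <Location /secure>
        # Per-directory context: once the request has been read, mod_ssl
        # renegotiates and now requires a certificate that chains to the
        # CA bundle above; clients without one get an error, not the page.
        SSLVerifyClient require

        # Depth 2: client certificate, one intermediate CA, then a CA that
        # is directly known to the server. The default depth of 1 would
        # reject clients whose certificate was issued by an intermediate.
        SSLVerifyDepth 2

        # Use the certificate's CN as the request "user" (and REMOTE_USER)
        # so access logs and downstream modules see who authenticated.
        SSLUserName SSL_CLIENT_S_DN_CN

        # Also export the SSL_* variables to CGI/SSI for this location.
        SSLOptions +StdEnvVars
    </Location>
</VirtualHost>
```

Per-directory renegotiation happens after the request body may already have been buffered, so keep such locations narrow and check the renegotiation with a client certificate issued at each depth you intend to allow.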
</div>
</div>
<div id="footer">
<p class="apache">Copyright 2010 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
</div>
</body></html>