mod_ssl.xml revision c668ba618761ec81a1ee079106036454e8a88c96
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<!DOCTYPE modulesynopsis SYSTEM "/style/modulesynopsis.dtd">
e942c741056732f50da2074b36fe59805d370650slive<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
c668ba618761ec81a1ee079106036454e8a88c96jorton<!-- $Revision: 1.31 $ -->
6fbd2e53c97ea6976d93e0ac521adabc55e0fb73nd Copyright 2002-2004 The Apache Software Foundation
d5d794fc2f4cc9ca6d6da17cfa2cdcd8d244bacdnd Licensed under the Apache License, Version 2.0 (the "License");
d5d794fc2f4cc9ca6d6da17cfa2cdcd8d244bacdnd you may not use this file except in compliance with the License.
d5d794fc2f4cc9ca6d6da17cfa2cdcd8d244bacdnd You may obtain a copy of the License at
d5d794fc2f4cc9ca6d6da17cfa2cdcd8d244bacdnd Unless required by applicable law or agreed to in writing, software
d5d794fc2f4cc9ca6d6da17cfa2cdcd8d244bacdnd distributed under the License is distributed on an "AS IS" BASIS,
d5d794fc2f4cc9ca6d6da17cfa2cdcd8d244bacdnd WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
d5d794fc2f4cc9ca6d6da17cfa2cdcd8d244bacdnd See the License for the specific language governing permissions and
d5d794fc2f4cc9ca6d6da17cfa2cdcd8d244bacdnd limitations under the License.
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>Strong cryptography using the Secure Sockets
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveLayer (SSL) and Transport Layer Security (TLS) protocols</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<p>This module provides SSL v2/v3 and TLS v1 support for the Apache
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveHTTP Server. It was contributed by Ralf S. Engeschall based on his
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivemod_ssl project and originally derived from work by Ben Laurie.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<p>This module relies on <a href="http://www.openssl.org/">OpenSSL</a>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveto provide the cryptography engine.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<p>Further details, discussion, and examples are provided in the
53bae66d3dc14a667e14a451f7bc65a893dd450fnd<section id="envvars"><title>Environment Variables</title>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<p>This module provides a lot of SSL information as additional environment
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivevariables to the SSI and CGI namespace. The generated variables are listed in
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivethe table below. For backward compatibility the information can
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivebe made available under different names, too. Look in the <a
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivehref="/ssl/ssl_compat.html">Compatibility</a> chapter for details on the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecompatibility variables.</p>
1597043cec6ad37fa4154bf09b0fccdabed1a239slive<columnspec><column width=".3"/><column width=".2"/><column width=".5"/>
1597043cec6ad37fa4154bf09b0fccdabed1a239slive</columnspec>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>HTTPS</code></td> <td>flag</td> <td>HTTPS is being used.</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_PROTOCOL</code></td> <td>string</td> <td>The SSL protocol version (SSLv2, SSLv3, TLSv1)</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_SESSION_ID</code></td> <td>string</td> <td>The hex-encoded SSL session id</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_CIPHER</code></td> <td>string</td> <td>The cipher specification name</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_CIPHER_EXPORT</code></td> <td>string</td> <td><code>true</code> if cipher is an export cipher</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_CIPHER_USEKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (actually used)</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_CIPHER_ALGKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (possible)</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_VERSION_INTERFACE</code></td> <td>string</td> <td>The mod_ssl program version</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_VERSION_LIBRARY</code></td> <td>string</td> <td>The OpenSSL program version</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_CLIENT_M_VERSION</code></td> <td>string</td> <td>The version of the client certificate</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_CLIENT_M_SERIAL</code></td> <td>string</td> <td>The serial of the client certificate</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_CLIENT_S_DN</code></td> <td>string</td> <td>Subject DN in client's certificate</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_CLIENT_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of client's Subject DN</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_CLIENT_I_DN</code></td> <td>string</td> <td>Issuer DN of client's certificate</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_CLIENT_I_DN_</code><em>x509</em></td> <td>string</td> <td>Component of client's Issuer DN</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_CLIENT_V_START</code></td> <td>string</td> <td>Validity of client's certificate (start time)</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_CLIENT_V_END</code></td> <td>string</td> <td>Validity of client's certificate (end time)</td></tr>
8514af9d926a1c330756d11eb71acfcf6e8e56bdjorton<tr><td><code>SSL_CLIENT_V_REMAIN</code></td> <td>string</td> <td>Number of days until client's certificate expires</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_CLIENT_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of client's certificate</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr>
256c9fec76025218e564ad19e100d4a38da10f42jorton<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_SERVER_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Subject DN</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_SERVER_I_DN</code></td> <td>string</td> <td>Issuer DN of server's certificate</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_SERVER_I_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Issuer DN</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_SERVER_V_START</code></td> <td>string</td> <td>Validity of server's certificate (start time)</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_SERVER_V_END</code></td> <td>string</td> <td>Validity of server's certificate (end time)</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_SERVER_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of server's certificate</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_SERVER_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of server's certificate</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSL_SERVER_CERT</code></td> <td>string</td> <td>PEM-encoded server certificate</td></tr>
48a0d431b5507ffaedacaea4f5d134c8f2f118f2jorton<p><em>x509</em> specifies a component of an X.509 DN; one of
48a0d431b5507ffaedacaea4f5d134c8f2f118f2jorton<code>C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email</code>. In Apache 2.1 and
48a0d431b5507ffaedacaea4f5d134c8f2f118f2jortonlater, <em>x509</em> may also include a numeric <code>_n</code>
48a0d431b5507ffaedacaea4f5d134c8f2f118f2jortonsuffix. If the DN in question contains multiple attributes of the
48a0d431b5507ffaedacaea4f5d134c8f2f118f2jortonsame name, this suffix is used as an index to select a particular
48a0d431b5507ffaedacaea4f5d134c8f2f118f2jortonattribute. For example, where the server certificate subject DN
48a0d431b5507ffaedacaea4f5d134c8f2f118f2jortonincluded two OU fields, <code>SSL_SERVER_S_DN_OU_0</code> and
48a0d431b5507ffaedacaea4f5d134c8f2f118f2jorton<code>SSL_SERVER_S_DN_OU_1</code> could be used to reference each.</p>
8514af9d926a1c330756d11eb71acfcf6e8e56bdjorton<p><code>SSL_CLIENT_V_REMAIN</code> is only available in version 2.1
8514af9d926a1c330756d11eb71acfcf6e8e56bdjortonand later.</p>
53bae66d3dc14a667e14a451f7bc65a893dd450fnd<section id="logformats"><title>Custom Log Formats</title>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<p>When <module>mod_ssl</module> is built into Apache or at least
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveloaded (under DSO situation) additional functions exist for the <a
199a8ee5984e3708982fab1ba6ebb0a5feaea90cndhref="mod_log_config.html#formats">Custom Log Format</a> of
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveadditional ``<code>%{</code><em>varname</em><code>}x</code>''
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveeXtension format function which can be used to expand any variables
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveprovided by any module, especially those provided by mod_ssl which can
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveyou find in the above table.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveFor backward compatibility there is additionally a special
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive``<code>%{</code><em>name</em><code>}c</code>'' cryptography format function
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveprovided. Information about this function is provided in the <a
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivehref="/ssl/ssl_compat.html">Compatibility</a> chapter.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>Type of pass phrase dialog for encrypted private
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivekeys</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<contextlist><context>server config</context></contextlist>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveWhen Apache starts up it has to read the various Certificate (see
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directive module="mod_ssl">SSLCertificateFile</directive>) and
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivePrivate Key (see <directive
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivemodule="mod_ssl">SSLCertificateKeyFile</directive>) files of the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSL-enabled virtual servers. Because for security reasons the Private
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveKey files are usually encrypted, mod_ssl needs to query the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveadministrator for a Pass Phrase in order to decrypt those files. This
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivequery can be done in two ways which can be configured by
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive This is the default where an interactive terminal dialog occurs at startup
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive time just before Apache detaches from the terminal. Here the administrator
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive has to manually enter the Pass Phrase for each encrypted Private Key file.
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive Because a lot of SSL-enabled virtual hosts can be configured, the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive following reuse-scheme is used to minimize the dialog: When a Private Key
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive file is encrypted, all known Pass Phrases (at the beginning there are
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive none, of course) are tried. If one of those known Pass Phrases succeeds no
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive dialog pops up for this particular Private Key file. If none succeeded,
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive another Pass Phrase is queried on the terminal and remembered for the next
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive round (where it perhaps can be reused).</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive This scheme allows mod_ssl to be maximally flexible (because for N encrypted
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive Private Key files you <em>can</em> use N different Pass Phrases - but then
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive you have to enter all of them, of course) while minimizing the terminal
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive dialog (i.e. when you use a single Pass Phrase for all N Private Key files
c668ba618761ec81a1ee079106036454e8a88c96jorton <p>This mode allows an external program to be used which acts as a
c668ba618761ec81a1ee079106036454e8a88c96jorton pipe to a particular input device; the program is sent the standard
c668ba618761ec81a1ee079106036454e8a88c96jorton prompt text used for the <code>builtin</code> mode on
c668ba618761ec81a1ee079106036454e8a88c96jorton <code>stdin</code>, and is expected to write password strings on
c668ba618761ec81a1ee079106036454e8a88c96jorton <code>stdout</code>. If several passwords are needed (or an
c668ba618761ec81a1ee079106036454e8a88c96jorton incorrect password is entered), additional prompt text will be
c668ba618761ec81a1ee079106036454e8a88c96jorton written subsequent to the first password being returned, and more
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive Here an external program is configured which is called at startup for each
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive encrypted Private Key file. It is called with two arguments (the first is
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive of the form ``<code>servername:portnumber</code>'', the second is either
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive ``<code>RSA</code>'' or ``<code>DSA</code>''), which indicate for which
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive server and algorithm it has to print the corresponding Pass Phrase to
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive <code>stdout</code>. The intent is that this external program first runs
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive security checks to make sure that the system is not compromised by an
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive attacker, and only when these checks were passed successfully it provides
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive the Pass Phrase.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive Both these security checks, and the way the Pass Phrase is determined, can
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive be as complex as you like. Mod_ssl just defines the interface: an
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive executable program which provides the Pass Phrase on <code>stdout</code>.
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive Nothing more or less! So, if you're really paranoid about security, here
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive is your interface. Anything else has to be left as an exercise to the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive administrator, because local security requirements are so different.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive The reuse-algorithm above is used here, too. In other words: The external
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive program is called only once per unique Pass Phrase.</p></li>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>Semaphore for internal mutual exclusion of
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveoperations</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<contextlist><context>server config</context></contextlist>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis configures the SSL engine's semaphore (aka. lock) which is used for mutual
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveexclusion of operations which have to be done in a synchronized way between the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivepre-forked Apache server processes. This directive can only be used in the
2da44b982e748bd80d4017f1b53bda806ce9b4e1jimglobal server context because it's only useful to have one global mutex.
2da44b982e748bd80d4017f1b53bda806ce9b4e1jimThis directive is designed to closely match the
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim<a href="http://httpd.apache.org/docs-2.0/mod/mpm_common.html#acceptmutex">AcceptMutex</a> directive</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive This is the default where no Mutex is used at all. Use it at your own
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive risk. But because currently the Mutex is mainly used for synchronizing
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive write access to the SSL Session Cache you can live without it as long
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive as you accept a sometimes garbled Session Cache. So it's not recommended
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive to leave this the default. Instead configure a real Mutex.</p></li>
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim This is an elegant Mutex variant where a Posix Semaphore is used when possible.
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim It is only available when the underlying platform
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim This is a somewhat elegant Mutex variant where a SystemV IPC Semaphore is used when
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim possible. It is possible to "leak" SysV semaphores if processes crash before
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim the semaphore is removed. It is only available when the underlying platform
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim This directive tells the SSL Module to pick the "best" semaphore implementation
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim available to it, choosing between Posix and SystemV IPC, in that order. It is only
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim available when the underlying platform and APR supports at least one of the 2.</p></li>
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim This directive tells the SSL Module to use Posix thread mutexes. It is only available
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim if the underlying platform and APR supports it.</p></li>
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim This is a portable Mutex variant where a physical (lock-)file and the <code>fcntl()</code>
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim fucntion are used as the Mutex.
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim Always use a local disk filesystem for <code>/path/to/mutex</code> and never a file
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim residing on a NFS- or AFS-filesystem. It is only available when the underlying platform
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim and APR supports it. Note: Internally, the Process ID (PID) of the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive Apache parent process is automatically appended to
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive <code>/path/to/mutex</code> to make it unique, so you don't have to worry
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive about conflicts yourself. Notice that this type of mutex is not available
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive under the Win32 environment. There you <em>have</em> to use the semaphore
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim This is similar to the <code>fcntl:/path/to/mutex</code> method with the
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim exception that the <code>flock()</code> function is used to provide file
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim locking. It is only available when the underlying platform
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim This directive tells the SSL Module to pick the "best" file locking implementation
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim available to it, choosing between <code>fcntl</code> and <code>flock</code>,
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim in that order. It is only available when the underlying platform and APR supports
2da44b982e748bd80d4017f1b53bda806ce9b4e1jim This directive tells the SSL Module to pick the default locking implementation
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>Pseudo Random Number Generator (PRNG) seeding
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivesource</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<contextlist><context>server config</context></contextlist>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis configures one or more sources for seeding the Pseudo Random Number
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveGenerator (PRNG) in OpenSSL at startup time (<em>context</em> is
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<code>startup</code>) and/or just before a new SSL connection is established
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive(<em>context</em> is <code>connect</code>). This directive can only be used
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivein the global server context because the PRNG is a global facility.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThe following <em>source</em> variants are available:</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive <p> This is the always available builtin seeding source. It's usage
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive consumes minimum CPU cycles under runtime and hence can be always used
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive without drawbacks. The source used for seeding the PRNG contains of the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive current time, the current process id and (when applicable) a randomly
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive choosen 1KB extract of the inter-process scoreboard structure of Apache.
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive The drawback is that this is not really a strong source and at startup
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive time (where the scoreboard is still not available) this source just
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive produces a few bytes of entropy. So you should always, at least for the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive This variant uses an external file <code>/path/to/source</code> as the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive source for seeding the PRNG. When <em>bytes</em> is specified, only the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive first <em>bytes</em> number of bytes of the file form the entropy (and
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive <em>bytes</em> is given to <code>/path/to/source</code> as the first
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive argument). When <em>bytes</em> is not specified the whole file forms the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive entropy (and <code>0</code> is given to <code>/path/to/source</code> as
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive the first argument). Use this especially at startup time, for instance
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive <code>/dev/urandom</code> devices (which usually exist on modern Unix
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive derivates like FreeBSD and Linux).</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive <em>But be careful</em>: Usually <code>/dev/random</code> provides only as
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive much entropy data as it actually has, i.e. when you request 512 bytes of
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive entropy, but the device currently has only 100 bytes available two things
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive can happen: On some platforms you receive only the 100 bytes while on
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive other platforms the read blocks until enough bytes are available (which
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive can take a long time). Here using an existing <code>/dev/urandom</code> is
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive better, because it never blocks and actually gives the amount of requested
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive data. The drawback is just that the quality of the received data may not
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive be the best.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive On some platforms like FreeBSD one can even control how the entropy is
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive actually generated, i.e. by which system interrupts. More details one can
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive find under <em>rndcontrol(8)</em> on those platforms. Alternatively, when
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive your system lacks such a random device, you can use tool
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive like <a href="http://www.lothar.com/tech/crypto/">EGD</a>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive (Entropy Gathering Daemon) and run it's client program with the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive <code>exec:/path/to/program/</code> variant (see below) or use
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive <code>egd:/path/to/egd-socket</code> (see below).</p></li>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive This variant uses an external executable
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive <code>/path/to/program</code> as the source for seeding the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive PRNG. When <em>bytes</em> is specified, only the first
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive <em>bytes</em> number of bytes of its <code>stdout</code> contents
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive form the entropy. When <em>bytes</em> is not specified, the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive entirety of the data produced on <code>stdout</code> form the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive entropy. Use this only at startup time when you need a very strong
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive seeding with the help of an external program (for instance as in
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive the example above with the <code>truerand</code> utility you can
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive find in the mod_ssl distribution which is based on the AT&T
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive <em>truerand</em> library). Using this in the connection context
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive slows down the server too dramatically, of course. So usually you
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive should avoid using external programs in that context.</p></li>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive This variant uses the Unix domain socket of the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive external Entropy Gathering Daemon (EGD) (see <a
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive href="http://www.lothar.com/tech/crypto/">http://www.lothar.com/tech
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive /crypto/</a>) to seed the PRNG. Use this if no random device exists
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSLRandomSeed startup builtin<br />
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSLRandomSeed startup exec:/usr/local/bin/truerand 16<br />
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSLRandomSeed connect builtin<br />
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>Type of the global/inter-process SSL Session
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveCache</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<contextlist><context>server config</context></contextlist>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis configures the storage type of the global/inter-process SSL Session
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveCache. This cache is an optional facility which speeds up parallel request
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveprocessing. For requests to the same server process (via HTTP keep-alive),
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveOpenSSL already caches the SSL session information locally. But because modern
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveclients request inlined images and other data via parallel requests (usually
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveup to four parallel requests are common) those requests are served by
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<em>different</em> pre-forked server processes. Here an inter-process cache
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivehelps to avoid unneccessary session handshakes.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThe following two storage <em>type</em>s are currently supported:</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive This is the default and just disables the global/inter-process Session
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive Cache. There is no drawback in functionality, but a noticeable speed
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive This makes use of a DBM hashfile on the local disk to synchronize the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive local OpenSSL memory caches of the server processes. The slight increase
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive in I/O on the server results in a visible request speedup for your
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive clients, so this type of storage is generally recommended.</p></li>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<li><code>shm:/path/to/datafile</code>[<code>(</code><em>size</em><code>)</code>]
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive This makes use of a high-performance hash table (approx. <em>size</em> bytes
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive in size) inside a shared memory segment in RAM (established via
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive <code>/path/to/datafile</code>) to synchronize the local OpenSSL memory
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive caches of the server processes. This storage type is not available on all
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data<br />
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSLSessionCache shm:/usr/local/apache/logs/ssl_gcache_data(512000)
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>Number of seconds before an SSL session expires
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivein the Session Cache</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<syntax>SSLSessionCacheTimeout <em>seconds</em></syntax>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis directive sets the timeout in seconds for the information stored in the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveglobal/inter-process SSL Session Cache and the OpenSSL internal memory cache.
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveIt can be set as low as 15 for testing, but should be set to higher
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivevalues like 300 in real life.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSLSessionCacheTimeout 600
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis directive toggles the usage of the SSL/TLS Protocol Engine. This
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivetype="section">VirtualHost</directive> section to enable SSL/TLS for a
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveparticular virtual host. By default the SSL/TLS Protocol Engine is
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivedisabled for both the main server and all configured virtual hosts.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<VirtualHost _default_:443><br />
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSLEngine on<br />
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</VirtualHost>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>Configure usable SSL protocol flavors</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<syntax>SSLProtocol [+|-]<em>protocol</em> ...</syntax>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<usage><!-- XXX Why does this have an override and not .htaccess context? -->
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis directive can be used to control the SSL protocol flavors mod_ssl should
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveuse when establishing its server environment. Clients then can only connect
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivewith one of the provided protocols.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThe available (case-insensitive) <em>protocol</em>s are:</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive This is the Secure Sockets Layer (SSL) protocol, version 2.0. It is the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive original SSL protocol as designed by Netscape Corporation.</p></li>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive This is the Secure Sockets Layer (SSL) protocol, version 3.0. It is the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive successor to SSLv2 and the currently (as of February 1999) de-facto
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive standardized SSL protocol from Netscape Corporation. It's supported by
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive This is the Transport Layer Security (TLS) protocol, version 1.0. It is the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive successor to SSLv3 and currently (as of February 1999) still under
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive construction by the Internet Engineering Task Force (IETF). It's still
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive This is a shortcut for ``<code>+SSLv2 +SSLv3 +TLSv1</code>'' and a
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive convinient way for enabling all protocols except one when used in
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive combination with the minus sign on a protocol as the example above
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive# enable SSLv3 and TLSv1, but not SSLv2<br />
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSLProtocol all -SSLv2
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>Cipher Suite available for negotiation in SSL
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivehandshake</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<default>SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</default>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis complex directive uses a colon-separated <em>cipher-spec</em> string
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveconsisting of OpenSSL cipher specifications to configure the Cipher Suite the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveclient is permitted to negotiate in the SSL handshake phase. Notice that this
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivedirective can be used both in per-server and per-directory context. In
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveper-server context it applies to the standard SSL handshake when a connection
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveis established. In per-directory context it forces a SSL renegotation with the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivereconfigured Cipher Suite after the HTTP request was read but before the HTTP
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveresponse is sent.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveAn SSL cipher specification in <em>cipher-spec</em> is composed of 4 major
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveattributes plus a few extra minor ones:</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive RSA or Diffie-Hellman variants.
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive RSA, Diffie-Hellman, DSS or none.
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive DES, Triple-DES, RC4, RC2, IDEA or none.
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive MD5, SHA or SHA1.
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<p>An SSL cipher can also be an export cipher and is either a SSLv2 or SSLv3/TLSv1
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecipher (here TLSv1 is equivalent to SSLv3). To specify which ciphers to use,
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveone can either specify all the Ciphers, one at a time, or use aliases to
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivespecify the preference and order for the ciphers (see <a href="#table1">Table
1597043cec6ad37fa4154bf09b0fccdabed1a239slive<columnspec><column width=".5"/><column width=".5"/></columnspec>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td colspan="2"><em>Key Exchange Algorithm:</em></td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>kRSA</code></td> <td>RSA key exchange</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>kDHr</code></td> <td>Diffie-Hellman key exchange with RSA key</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>kDHd</code></td> <td>Diffie-Hellman key exchange with DSA key</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>kEDH</code></td> <td>Ephemeral (temp.key) Diffie-Hellman key exchange (no cert)</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td colspan="2"><em>Authentication Algorithm:</em></td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>aNULL</code></td> <td>No authentication</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>aRSA</code></td> <td>RSA authentication</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>aDSS</code></td> <td>DSS authentication</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>aDH</code></td> <td>Diffie-Hellman authentication</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td colspan="2"><em>Cipher Encoding Algorithm:</em></td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>eNULL</code></td> <td>No encoding</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>DES</code></td> <td>DES encoding</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>3DES</code></td> <td>Triple-DES encoding</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>RC4</code></td> <td>RC4 encoding</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>RC2</code></td> <td>RC2 encoding</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>IDEA</code></td> <td>IDEA encoding</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td colspan="2"><em>MAC Digest Algorithm</em>:</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>MD5</code></td> <td>MD5 hash function</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SHA1</code></td> <td>SHA1 hash function</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SHA</code></td> <td>SHA hash function</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSLv2</code></td> <td>all SSL version 2.0 ciphers</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>SSLv3</code></td> <td>all SSL version 3.0 ciphers</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>TLSv1</code></td> <td>all TLS version 1.0 ciphers</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>EXP</code></td> <td>all export ciphers</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>EXPORT40</code></td> <td>all 40-bit export ciphers only</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>EXPORT56</code></td> <td>all 56-bit export ciphers only</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>LOW</code></td> <td>all low strength ciphers (no export, single DES)</td></tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>MEDIUM</code></td> <td>all ciphers with 128 bit encryption</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>HIGH</code></td> <td>all ciphers using Triple-DES</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>RSA</code></td> <td>all ciphers using RSA key exchange</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>DH</code></td> <td>all ciphers using Diffie-Hellman key exchange</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>EDH</code></td> <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>ADH</code></td> <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>DSS</code></td> <td>all ciphers using DSS authentication</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>NULL</code></td> <td>all ciphers using no encryption</td> </tr>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveNow where this becomes interesting is that these can be put together
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveto specify the order and ciphers you wish to use. To speed this up
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivethere are also aliases (<code>SSLv2, SSLv3, TLSv1, EXP, LOW, MEDIUM,
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveHIGH</code>) for certain groups of ciphers. These tags can be joined
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivetogether with prefixes to form the <em>cipher-spec</em>. Available
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveprefixes are:</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<li><code>+</code>: add ciphers to list and pull them to current location in list</li>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<li><code>-</code>: remove cipher from list (can be added later again)</li>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<li><code>!</code>: kill cipher from list completely (can <strong>not</strong> be added later again)</li>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<p>A simpler way to look at all of this is to use the ``<code>openssl ciphers
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive-v</code>'' command which provides a nice way to successively create the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecorrect <em>cipher-spec</em> string. The default <em>cipher-spec</em> string
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveis ``<code>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>'' which
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivemeans the following: first, remove from consideration any ciphers that do not
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveauthenticate, i.e. for SSL only the Anonymous Diffie-Hellman ciphers. Next,
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveuse ciphers using RC4 and RSA. Next include the high, medium and then the low
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivesecurity ciphers. Finally <em>pull</em> all SSLv2 and export ciphers to the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveend of the list.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive$ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveNULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveNULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveEDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive... ... ... ... ...
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveEXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveEXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveEXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<p>The complete list of particular RSA & DH ciphers for SSL is given in <a
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
1597043cec6ad37fa4154bf09b0fccdabed1a239slive<columnspec><column width=".3"/><column width=".1"/><column width=".13"/>
1597043cec6ad37fa4154bf09b0fccdabed1a239slive<column width=".1"/><column width=".13"/><column width=".1"/>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><th>Cipher-Tag</th> <th>Protocol</th> <th>Key Ex.</th> <th>Auth.</th> <th>Enc.</th> <th>MAC</th> <th>Type</th> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>3DES(168)</td> <td>SHA1</td> <td></td> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>DES-CBC3-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>3DES(168)</td> <td>MD5</td> <td></td> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>IDEA-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>IDEA(128)</td> <td>SHA1</td> <td></td> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>RC4-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>SHA1</td> <td></td> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>RC4-MD5</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>MD5</td> <td></td> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>IDEA-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>IDEA(128)</td> <td>MD5</td> <td></td> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>RC2-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC2(128)</td> <td>MD5</td> <td></td> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>RC4-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>MD5</td> <td></td> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>DES-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>DES(56)</td> <td>SHA1</td> <td></td> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>RC4-64-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC4(64)</td> <td>MD5</td> <td></td> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>DES-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>DES(56)</td> <td>MD5</td> <td></td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>EXP-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>EXP-RC2-CBC-MD5</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>RC2(40)</td> <td>MD5</td> <td> export</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>EXP-RC4-MD5</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>RC4(40)</td> <td>MD5</td> <td> export</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>EXP-RC2-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA(512)</td> <td>RSA</td> <td>RC2(40)</td> <td>MD5</td> <td> export</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>EXP-RC4-MD5</code></td> <td>SSLv2</td> <td>RSA(512)</td> <td>RSA</td> <td>RC4(40)</td> <td>MD5</td> <td> export</td> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>NULL-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>None</td> <td>SHA1</td> <td></td> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>NULL-MD5</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>None</td> <td>MD5</td> <td></td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td colspan="7"><em>Diffie-Hellman Ciphers:</em></td></tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>ADH-DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>None</td> <td>3DES(168)</td> <td>SHA1</td> <td></td> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>ADH-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>None</td> <td>DES(56)</td> <td>SHA1</td> <td></td> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>ADH-RC4-MD5</code></td> <td>SSLv3</td> <td>DH</td> <td>None</td> <td>RC4(128)</td> <td>MD5</td> <td></td> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>EDH-RSA-DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>RSA</td> <td>3DES(168)</td> <td>SHA1</td> <td></td> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>EDH-DSS-DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>DSS</td> <td>3DES(168)</td> <td>SHA1</td> <td></td> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>EDH-RSA-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>RSA</td> <td>DES(56)</td> <td>SHA1</td> <td></td> </tr>
97a9a944b5887e91042b019776c41d5dd74557aferikabele<tr><td><code>EDH-DSS-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>DSS</td> <td>DES(56)</td> <td>SHA1</td> <td></td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>EXP-EDH-RSA-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>RSA</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>EXP-EDH-DSS-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>DSS</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>EXP-ADH-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>None</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
a5da9d9dfc593837aca771df70ad124a37e22abapatrikj<tr><td><code>EXP-ADH-RC4-MD5</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>None</td> <td>RC4(40)</td> <td>MD5</td> <td> export</td> </tr>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>Server PEM-encoded X.509 Certificate file</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis directive points to the PEM-encoded Certificate file for the server and
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveoptionally also to the corresponding RSA or DSA Private Key file for it
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive(contained in the same file). If the contained Private Key is encrypted the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivePass Phrase dialog is forced at startup time. This directive can be used up to
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivetwo times (referencing different filenames) when both a RSA and a DSA based
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveserver certificate is used in parallel.</p>
e22983c2cda01e5df1a8a6b72c2ff687370975aaerikabeleSSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>Server PEM-encoded Private Key file</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<syntax>SSLCertificateKeyFile <em>file-path</em></syntax>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis directive points to the PEM-encoded Private Key file for the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveserver. If the Private Key is not combined with the Certificate in the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directive>SSLCertificateFile</directive>, use this additional directive to
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivepoint to the file with the stand-alone Private Key. When
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directive>SSLCertificateFile</directive> is used and the file
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecontains both the Certificate and the Private Key this directive need
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivenot be used. But we strongly discourage this practice. Instead we
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliverecommend you to separate the Certificate and the Private Key. If the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecontained Private Key is encrypted, the Pass Phrase dialog is forced
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveat startup time. This directive can be used up to two times
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive(referencing different filenames) when both a RSA and a DSA based
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveprivate key is used in parallel.</p>
e22983c2cda01e5df1a8a6b72c2ff687370975aaerikabeleSSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>File of PEM-encoded Server CA Certificates</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<syntax>SSLCertificateChainFile <em>file-path</em></syntax>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis directive sets the optional <em>all-in-one</em> file where you can
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveassemble the certificates of Certification Authorities (CA) which form the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecertificate chain of the server certificate. This starts with the issuing CA
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecertificate of of the server certificate and can range up to the root CA
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecertificate. Such a file is simply the concatenation of the various
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivePEM-encoded CA Certificate files, usually in certificate chain order.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis should be used alternatively and/or additionally to <directive
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivemodule="mod_ssl">SSLCACertificatePath</directive> for explicitly
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveconstructing the server certificate chain which is sent to the browser
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivein addition to the server certificate. It is especially useful to
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveavoid conflicts with CA certificates when using client
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveauthentication. Because although placing a CA certificate of the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveserver certificate chain into <directive
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivemodule="mod_ssl">SSLCACertificatePath</directive> has the same effect
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivefor the certificate chain construction, it has the side-effect that
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveclient certificates issued by this same CA certificate are also
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveaccepted on client authentication. That's usually not one expect.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveBut be careful: Providing the certificate chain works only if you are using a
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<em>single</em> (either RSA <em>or</em> DSA) based server certificate. If you are
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveusing a coupled RSA+DSA certificate pair, this will work only if actually both
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecertificates use the <em>same</em> certificate chain. Else the browsers will be
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveconfused in this situation.</p>
e22983c2cda01e5df1a8a6b72c2ff687370975aaerikabeleSSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>Directory of PEM-encoded CA Certificates for
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveClient Auth</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<syntax>SSLCACertificatePath <em>directory-path</em></syntax>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis directive sets the directory where you keep the Certificates of
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveCertification Authorities (CAs) whose clients you deal with. These are used to
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveverify the client certificate on Client Authentication.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThe files in this directory have to be PEM-encoded and are accessed through
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivehash filenames. So usually you can't just place the Certificate files
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivethere: you also have to create symbolic links named
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<em>hash-value</em><code>.N</code>. And you should always make sure this directory
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecontains the appropriate symbolic links. Use the <code>Makefile</code> which
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecomes with mod_ssl to accomplish this task.</p>
e22983c2cda01e5df1a8a6b72c2ff687370975aaerikabeleSSLCACertificatePath /usr/local/apache2/conf/ssl.crt/
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>File of concatenated PEM-encoded CA Certificates
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivefor Client Auth</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<syntax>SSLCACertificateFile <em>file-path</em></syntax>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis directive sets the <em>all-in-one</em> file where you can assemble the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveCertificates of Certification Authorities (CA) whose <em>clients</em> you deal
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivewith. These are used for Client Authentication. Such a file is simply the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveconcatenation of the various PEM-encoded Certificate files, in order of
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivepreference. This can be used alternatively and/or additionally to
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directive module="mod_ssl">SSLCACertificatePath</directive>.</p>
e22983c2cda01e5df1a8a6b72c2ff687370975aaerikabeleSSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>Directory of PEM-encoded CA CRLs for
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveClient Auth</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<syntax>SSLCARevocationPath <em>directory-path</em></syntax>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis directive sets the directory where you keep the Certificate Revocation
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveLists (CRL) of Certification Authorities (CAs) whose clients you deal with.
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThese are used to revoke the client certificate on Client Authentication.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThe files in this directory have to be PEM-encoded and are accessed through
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivehash filenames. So usually you have not only to place the CRL files there.
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveAdditionally you have to create symbolic links named
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<em>hash-value</em><code>.rN</code>. And you should always make sure this directory
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecontains the appropriate symbolic links. Use the <code>Makefile</code> which
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecomes with <module>mod_ssl</module> to accomplish this task.</p>
e22983c2cda01e5df1a8a6b72c2ff687370975aaerikabeleSSLCARevocationPath /usr/local/apache2/conf/ssl.crl/
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>File of concatenated PEM-encoded CA CRLs for
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveClient Auth</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<syntax>SSLCARevocationFile <em>file-path</em></syntax>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis directive sets the <em>all-in-one</em> file where you can
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveassemble the Certificate Revocation Lists (CRL) of Certification
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveAuthorities (CA) whose <em>clients</em> you deal with. These are used
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivefor Client Authentication. Such a file is simply the concatenation of
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivethe various PEM-encoded CRL files, in order of preference. This can be
e22983c2cda01e5df1a8a6b72c2ff687370975aaerikabeleSSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-client.crl
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>Type of Client Certificate verification</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis directive sets the Certificate verification level for the Client
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveAuthentication. Notice that this directive can be used both in per-server and
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveper-directory context. In per-server context it applies to the client
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveauthentication process used in the standard SSL handshake when a connection is
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveestablished. In per-directory context it forces a SSL renegotation with the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivereconfigured client verification level after the HTTP request was read but
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivebefore the HTTP response is sent.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThe following levels are available for <em>level</em>:</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive no client Certificate is required at all</li>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive the client <em>may</em> present a valid Certificate</li>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive the client <em>has to</em> present a valid Certificate</li>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive the client may present a valid Certificate<br />
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive but it need not to be (successfully) verifiable.</li>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<strong>require</strong> are really interesting, because level
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<strong>optional</strong> doesn't work with all browsers and level
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<strong>optional_no_ca</strong> is actually against the idea of
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveauthentication (but can be used to establish SSL test pages, etc.)</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSLVerifyClient require
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>Maximum depth of CA Certificates in Client
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveCertificate verification</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis directive sets how deeply mod_ssl should verify before deciding that the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveclients don't have a valid certificate. Notice that this directive can be
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveused both in per-server and per-directory context. In per-server context it
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveapplies to the client authentication process used in the standard SSL
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivehandshake when a connection is established. In per-directory context it forces
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivea SSL renegotation with the reconfigured client verification depth after the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveHTTP request was read but before the HTTP response is sent.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThe depth actually is the maximum number of intermediate certificate issuers,
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivei.e. the number of CA certificates which are max allowed to be followed while
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveverifying the client certificate. A depth of 0 means that self-signed client
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecertificates are accepted only, the default depth of 1 means the client
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecertificate can be self-signed or has to be signed by a CA which is directly
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveknown to the server (i.e. the CA's certificate is under
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directive module="mod_ssl">SSLCACertificatePath</directive>), etc.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSLVerifyDepth 10
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>Configure various SSL engine run-time options</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis directive can be used to control various run-time options on a
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveper-directory basis. Normally, if multiple <code>SSLOptions</code>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecould apply to a directory, then the most specific one is taken
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecompletely; the options are not merged. However if <em>all</em> the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveoptions on the <code>SSLOptions</code> directive are preceded by a
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveplus (<code>+</code>) or minus (<code>-</code>) symbol, the options
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveare merged. Any options preceded by a <code>+</code> are added to the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveoptions currently in force, and any options preceded by a
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<code>-</code> are removed from the options currently in force.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive When this option is enabled, the standard set of SSL related CGI/SSI
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive environment variables are created. This per default is disabled for
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive performance reasons, because the information extraction step is a
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive rather expensive operation. So one usually enables this option for
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive CGI and SSI requests only.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive When this option is enabled, additional CGI/SSI environment variables are
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive created for backward compatibility to other Apache SSL solutions. Look in
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive the <a href="/ssl/ssl_compat.html">Compatibility</a> chapter for details
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive on the particular variables generated.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive When this option is enabled, additional CGI/SSI environment variables are
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive created: <code>SSL_SERVER_CERT</code>, <code>SSL_CLIENT_CERT</code> and
256c9fec76025218e564ad19e100d4a38da10f42jorton <code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em> (with <em>n</em> = 0,1,2,..).
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive These contain the PEM-encoded X.509 Certificates of server and client for
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive the current HTTPS connection and can be used by CGI scripts for deeper
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive Certificate checking. Additionally all other certificates of the client
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive certificate chain are provided, too. This bloats up the environment a
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive little bit which is why you have to use this option to enable it on
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive demand.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive When this option is enabled, the Subject Distinguished Name (DN) of the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive Client X509 Certificate is translated into a HTTP Basic Authorization
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive username. This means that the standard Apache authentication methods can
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive be used for access control. The user name is just the Subject of the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive Client's X509 Certificate (can be determined by running OpenSSL's
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive <code>openssl x509</code> command: <code>openssl x509 -noout -subject -in
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive </code><em>certificate</em><code>.crt</code>). Note that no password is
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive obtained from the user. Every entry in the user file needs this password:
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive ``<code>xxj31ZMTZzkVA</code>'', which is the DES-encrypted version of the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive word `<code>password</code>''. Those who live under MD5-based encryption
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive (for instance under FreeBSD or BSD/OS, etc.) should use the following MD5
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive hash of the same word: ``<code>$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/</code>''.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive This <em>forces</em> forbidden access when <code>SSLRequireSSL</code> or
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive <code>SSLRequire</code> successfully decided that access should be
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive forbidden. Usually the default is that in the case where a ``<code>Satisfy
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive any</code>'' directive is used, and other access restrictions are passed,
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive <code>SSLRequire</code> is overridden (because that's how the Apache
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive <code>Satisfy</code> mechanism should work.) But for strict access restriction
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive you can use <code>SSLRequireSSL</code> and/or <code>SSLRequire</code> in
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive combination with an ``<code>SSLOptions +StrictRequire</code>''. Then an
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive additional ``<code>Satisfy Any</code>'' has no chance once mod_ssl has
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive decided to deny access.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive This enables optimized SSL connection renegotiation handling when SSL
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive directives are used in per-directory context. By default a strict
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive scheme is enabled where <em>every</em> per-directory reconfiguration of
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL parameters causes a <em>full</em> SSL renegotiation handshake. When this
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive option is used mod_ssl tries to avoid unnecessary handshakes by doing more
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive granular (but still safe) parameter checks. Nevertheless these granular
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive checks sometimes maybe not what the user expects, so enable this on a
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive per-directory basis only, please.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSLOptions +FakeBasicAuth -StrictRequire<br />
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<Files ~ "\.(cgi|shtml)$"><br />
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSLOptions +StdEnvVars +CompatEnvVars -ExportCertData<br />
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<Files>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>Deny access when SSL is not used for the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveHTTP request</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis directive forbids access unless HTTP over SSL (i.e. HTTPS) is enabled for
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivethe current connection. This is very handy inside the SSL-enabled virtual
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivehost or directories for defending against configuration errors that expose
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivestuff that should be protected. When this directive is present all requests
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveare denied which are not using SSL.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSLRequireSSL
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<description>Allow access only when an arbitrarily complex
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveboolean expression is true</description>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThis directive specifies a general access requirement which has to be
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivefulfilled in order to allow access. It's a very powerful directive because the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliverequirement specification is an arbitrarily complex boolean expression
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecontaining any number of access checks.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveThe <em>expression</em> must match the following syntax (given as a BNF
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivegrammar notation):</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<blockquote>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveexpr ::= "<strong>true</strong>" | "<strong>false</strong>"
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecomp ::= word "<strong>==</strong>" word | word "<strong>eq</strong>" word
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive | word "<strong>!=</strong>" word | word "<strong>ne</strong>" word
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive | word "<strong><</strong>" word | word "<strong>lt</strong>" word
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive | word "<strong><=</strong>" word | word "<strong>le</strong>" word
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive | word "<strong>></strong>" word | word "<strong>gt</strong>" word
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive | word "<strong>>=</strong>" word | word "<strong>ge</strong>" word
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive | word "<strong>in</strong>" "<strong>{</strong>" wordlist "<strong>}</strong>"
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivewordlist ::= word
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveword ::= digit
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivedigit ::= [0-9]+
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecstring ::= "..."
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivevariable ::= "<strong>%{</strong>" varname "<strong>}</strong>"
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivefunction ::= funcname "<strong>(</strong>" funcargs "<strong>)</strong>"
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</blockquote>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<code>funcname</code> the following functions are available:</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive This function takes one string argument and expands to the contents of the
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive file. This is especially useful for matching this contents against a
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive regular expression, etc.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive<p>Notice that <em>expression</em> is first parsed into an internal machine
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliverepresentation and then evaluated in a second step. Actually, in Global and
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivePer-Server Class context <em>expression</em> is parsed at startup time and
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveat runtime only the machine representation is executed. For Per-Directory
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slivecontext this is different: here <em>expression</em> has to be parsed and
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveimmediately executed for every request.</p>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \<br />
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \<br />
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \<br />
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \<br />
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \<br />
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveHTTP_USER_AGENT PATH_INFO AUTH_TYPE
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveHTTP_REFERER QUERY_STRING SERVER_SOFTWARE
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveHTTP_COOKIE REMOTE_HOST API_VERSION
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveHTTP_FORWARDED REMOTE_IDENT TIME_YEAR
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveHTTP_HOST IS_SUBREQ TIME_MON
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveHTTP_PROXY_CONNECTION DOCUMENT_ROOT TIME_DAY
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveHTTP_ACCEPT SERVER_ADMIN TIME_HOUR
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveHTTP:headername SERVER_NAME TIME_MIN
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveTHE_REQUEST SERVER_PORT TIME_SEC
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveREQUEST_METHOD SERVER_PROTOCOL TIME_WDAY
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveREQUEST_SCHEME REMOTE_ADDR TIME
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveREQUEST_URI REMOTE_USER ENV:<strong>variablename</strong>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveREQUEST_FILENAME
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveHTTPS SSL_CLIENT_M_VERSION SSL_SERVER_M_VERSION
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_M_SERIAL SSL_SERVER_M_SERIAL
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSL_PROTOCOL SSL_CLIENT_V_START SSL_SERVER_V_START
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSL_SESSION_ID SSL_CLIENT_V_END SSL_SERVER_V_END
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSL_CIPHER SSL_CLIENT_S_DN SSL_SERVER_S_DN
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSL_CIPHER_EXPORT SSL_CLIENT_S_DN_C SSL_SERVER_S_DN_C
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSL_CIPHER_ALGKEYSIZE SSL_CLIENT_S_DN_ST SSL_SERVER_S_DN_ST
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSL_CIPHER_USEKEYSIZE SSL_CLIENT_S_DN_L SSL_SERVER_S_DN_L
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSL_VERSION_LIBRARY SSL_CLIENT_S_DN_O SSL_SERVER_S_DN_O
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37sliveSSL_VERSION_INTERFACE SSL_CLIENT_S_DN_OU SSL_SERVER_S_DN_OU
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_S_DN_CN SSL_SERVER_S_DN_CN
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_S_DN_T SSL_SERVER_S_DN_T
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_S_DN_I SSL_SERVER_S_DN_I
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_S_DN_G SSL_SERVER_S_DN_G
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_S_DN_S SSL_SERVER_S_DN_S
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_S_DN_D SSL_SERVER_S_DN_D
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_S_DN_UID SSL_SERVER_S_DN_UID
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_S_DN_Email SSL_SERVER_S_DN_Email
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_I_DN SSL_SERVER_I_DN
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_I_DN_C SSL_SERVER_I_DN_C
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_I_DN_ST SSL_SERVER_I_DN_ST
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_I_DN_L SSL_SERVER_I_DN_L
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_I_DN_O SSL_SERVER_I_DN_O
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_I_DN_OU SSL_SERVER_I_DN_OU
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_I_DN_CN SSL_SERVER_I_DN_CN
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_I_DN_T SSL_SERVER_I_DN_T
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_I_DN_I SSL_SERVER_I_DN_I
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_I_DN_G SSL_SERVER_I_DN_G
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_I_DN_S SSL_SERVER_I_DN_S
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_I_DN_D SSL_SERVER_I_DN_D
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_I_DN_UID SSL_SERVER_I_DN_UID
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_I_DN_Email SSL_SERVER_I_DN_Email
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_A_SIG SSL_SERVER_A_SIG
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_A_KEY SSL_SERVER_A_KEY
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_CERT SSL_SERVER_CERT
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive SSL_CLIENT_VERIFY
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<directivesynopsis>
65e536f8dab0d8c715fc718e7405fbbac4b0837bmads<description>Directory of PEM-encoded client certificates and keys to be used by the proxy</description>
d99faa99674be527e7fcc0ab5903463be779934drbowen<syntax>SSLProxyMachineCertificatePath <em>directory</em></syntax>
d99faa99674be527e7fcc0ab5903463be779934drbowen<contextlist><context>server config</context></contextlist>
65e536f8dab0d8c715fc718e7405fbbac4b0837bmadsThis directive sets the directory where you keep the certificates and
65e536f8dab0d8c715fc718e7405fbbac4b0837bmadskeys used for authentication of the proxy server to remote servers.
d99faa99674be527e7fcc0ab5903463be779934drbowen<p>The files in this directory must be PEM-encoded and are accessed through
d99faa99674be527e7fcc0ab5903463be779934drbowenhash filenames. Additionally, you must create symbolic links named
d99faa99674be527e7fcc0ab5903463be779934drbowen<code><em>hash-value</em>.N</code>. And you should always make sure this
d99faa99674be527e7fcc0ab5903463be779934drbowendirectory contains the appropriate symbolic links. Use the Makefile which
d99faa99674be527e7fcc0ab5903463be779934drbowencomes with mod_ssl to accomplish this task.
65e536f8dab0d8c715fc718e7405fbbac4b0837bmads<p>Currently there is no support for encrypted private keys</p>
65e536f8dab0d8c715fc718e7405fbbac4b0837bmadsSSLProxyMachineCertificatePath /usr/local/apache2/conf/proxy.crt/
d99faa99674be527e7fcc0ab5903463be779934drbowen</directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<directivesynopsis>
65e536f8dab0d8c715fc718e7405fbbac4b0837bmads<description>File of concatenated PEM-encoded client certificates and keys to be used by the proxy</description>
d99faa99674be527e7fcc0ab5903463be779934drbowen<syntax>SSLProxyMachineCertificateFile <em>filename</em></syntax>
d99faa99674be527e7fcc0ab5903463be779934drbowen<contextlist><context>server config</context></contextlist>
65e536f8dab0d8c715fc718e7405fbbac4b0837bmadsThis directive sets the all-in-one file where you keep the certificates and
65e536f8dab0d8c715fc718e7405fbbac4b0837bmadskeys used for authentication of the proxy server to remote servers.
d99faa99674be527e7fcc0ab5903463be779934drbowenThis referenced file is simply the concatenation of the various PEM-encoded
d99faa99674be527e7fcc0ab5903463be779934drbowencertificate files, in order of preference. Use this directive alternatively
d99faa99674be527e7fcc0ab5903463be779934drbowenor additionally to <code>SSLProxyMachineCertificatePath</code>.
65e536f8dab0d8c715fc718e7405fbbac4b0837bmads<p>Currently there is no support for encrypted private keys</p>
65e536f8dab0d8c715fc718e7405fbbac4b0837bmadsSSLProxyMachineCertificateFile /usr/local/apache2/conf/ssl.crt/proxy.pem
d99faa99674be527e7fcc0ab5903463be779934drbowen</directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<description>Type of remote server Certificate verification</description>
d99faa99674be527e7fcc0ab5903463be779934drbowenThis directive sets the Certificate verification level for the remote server
d99faa99674be527e7fcc0ab5903463be779934drbowenAuthentication. Notice that this directive can be used both in per-server and
d99faa99674be527e7fcc0ab5903463be779934drbowenper-directory context. In per-server context it applies to the remote server
d99faa99674be527e7fcc0ab5903463be779934drbowenauthentication process used in the standard SSL handshake when a connection is
d99faa99674be527e7fcc0ab5903463be779934drbowenestablished. In per-directory context it forces a SSL renegotation with the
d99faa99674be527e7fcc0ab5903463be779934drbowenreconfigured remote server verification level after the HTTP request was read but
d99faa99674be527e7fcc0ab5903463be779934drbowenbefore the HTTP response is sent.</p>
d99faa99674be527e7fcc0ab5903463be779934drbowenThe following levels are available for <em>level</em>:</p>
d99faa99674be527e7fcc0ab5903463be779934drbowen no remote server Certificate is required at all</li>
d99faa99674be527e7fcc0ab5903463be779934drbowen the remote server <em>may</em> present a valid Certificate</li>
d99faa99674be527e7fcc0ab5903463be779934drbowen the remote server <em>has to</em> present a valid Certificate</li>
d99faa99674be527e7fcc0ab5903463be779934drbowen the remote server may present a valid Certificate<br />
d99faa99674be527e7fcc0ab5903463be779934drbowen but it need not to be (successfully) verifiable.</li>
d99faa99674be527e7fcc0ab5903463be779934drbowen<strong>require</strong> are really interesting, because level
d99faa99674be527e7fcc0ab5903463be779934drbowen<strong>optional</strong> doesn't work with all servers and level
d99faa99674be527e7fcc0ab5903463be779934drbowen<strong>optional_no_ca</strong> is actually against the idea of
d99faa99674be527e7fcc0ab5903463be779934drbowenauthentication (but can be used to establish SSL test pages, etc.)</p>
d99faa99674be527e7fcc0ab5903463be779934drbowenSSLProxyVerify require
d99faa99674be527e7fcc0ab5903463be779934drbowen</directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<description>Maximum depth of CA Certificates in Remote Server
d99faa99674be527e7fcc0ab5903463be779934drbowenCertificate verification</description>
d99faa99674be527e7fcc0ab5903463be779934drbowenThis directive sets how deeply mod_ssl should verify before deciding that the
d99faa99674be527e7fcc0ab5903463be779934drbowenremote server does not have a valid certificate. Notice that this directive can be
d99faa99674be527e7fcc0ab5903463be779934drbowenused both in per-server and per-directory context. In per-server context it
d99faa99674be527e7fcc0ab5903463be779934drbowenapplies to the client authentication process used in the standard SSL
d99faa99674be527e7fcc0ab5903463be779934drbowenhandshake when a connection is established. In per-directory context it forces
d99faa99674be527e7fcc0ab5903463be779934drbowena SSL renegotation with the reconfigured remote server verification depth after the
d99faa99674be527e7fcc0ab5903463be779934drbowenHTTP request was read but before the HTTP response is sent.</p>
d99faa99674be527e7fcc0ab5903463be779934drbowenThe depth actually is the maximum number of intermediate certificate issuers,
d99faa99674be527e7fcc0ab5903463be779934drboweni.e. the number of CA certificates which are max allowed to be followed while
d99faa99674be527e7fcc0ab5903463be779934drbowenverifying the remote server certificate. A depth of 0 means that self-signed
d99faa99674be527e7fcc0ab5903463be779934drbowenremote server certificates are accepted only, the default depth of 1 means
d99faa99674be527e7fcc0ab5903463be779934drbowenthe remote server certificate can be self-signed or has to be signed by a CA
d99faa99674be527e7fcc0ab5903463be779934drbowenwhich is directly known to the server (i.e. the CA's certificate is under
d99faa99674be527e7fcc0ab5903463be779934drbowen<directive module="mod_ssl">SSLProxyCACertificatePath</directive>), etc.</p>
d99faa99674be527e7fcc0ab5903463be779934drbowenSSLProxyVerifyDepth 10
d99faa99674be527e7fcc0ab5903463be779934drbowen</directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<description>SSL Proxy Engine Operation Switch</description>
d99faa99674be527e7fcc0ab5903463be779934drbowenThis directive toggles the usage of the SSL/TLS Protocol Engine for proxy. This
d99faa99674be527e7fcc0ab5903463be779934drbowentype="section">VirtualHost</directive> section to enable SSL/TLS for proxy
d99faa99674be527e7fcc0ab5903463be779934drbowenusage in a particular virtual host. By default the SSL/TLS Protocol Engine is
d99faa99674be527e7fcc0ab5903463be779934drbowendisabled for proxy image both for the main server and all configured virtual hosts.</p>
d99faa99674be527e7fcc0ab5903463be779934drbowen<VirtualHost _default_:443><br />
d99faa99674be527e7fcc0ab5903463be779934drbowenSSLProxyEngine on<br />
d99faa99674be527e7fcc0ab5903463be779934drbowen</VirtualHost>
d99faa99674be527e7fcc0ab5903463be779934drbowen</directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<description>Configure usable SSL protocol flavors for proxy usage</description>
d99faa99674be527e7fcc0ab5903463be779934drbowen<syntax>SSLProxyProtocol [+|-]<em>protocol</em> ...</syntax>
d99faa99674be527e7fcc0ab5903463be779934drbowen<!-- XXX Why does this have an override and not .htaccess context? -->
d99faa99674be527e7fcc0ab5903463be779934drbowenThis directive can be used to control the SSL protocol flavors mod_ssl should
d99faa99674be527e7fcc0ab5903463be779934drbowenuse when establishing its server environment for proxy . It will only connect
d99faa99674be527e7fcc0ab5903463be779934drbowento servers using one of the provided protocols.</p>
d99faa99674be527e7fcc0ab5903463be779934drbowen<p>Please refer to <directive module="mod_ssl">SSLProtocol</directive>
d99faa99674be527e7fcc0ab5903463be779934drbowenfor additional information.
d99faa99674be527e7fcc0ab5903463be779934drbowen</directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<description>Cipher Suite available for negotiation in SSL
d99faa99674be527e7fcc0ab5903463be779934drbowenproxy handshake</description>
d99faa99674be527e7fcc0ab5903463be779934drbowen<syntax>SSLProxyCipherSuite <em>cipher-spec</em></syntax>
d99faa99674be527e7fcc0ab5903463be779934drbowen<default>SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</default>
d99faa99674be527e7fcc0ab5903463be779934drbowen<p>Equivalent to <code>SSLCipherSuite</code>, but for the proxy connection.
d99faa99674be527e7fcc0ab5903463be779934drbowenPlease refer to <directive module="mod_ssl">SSLCipherSuite</directive>
2e1789ae4b1b62d36ed53ccdd391f626640d642frbowenfor additional information.</p>
2e1789ae4b1b62d36ed53ccdd391f626640d642frbowen</directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<description>Directory of PEM-encoded CA Certificates for
d99faa99674be527e7fcc0ab5903463be779934drbowenRemote Server Auth</description>
d99faa99674be527e7fcc0ab5903463be779934drbowen<syntax>SSLProxyCACertificatePath <em>directory-path</em></syntax>
d99faa99674be527e7fcc0ab5903463be779934drbowenThis directive sets the directory where you keep the Certificates of
d99faa99674be527e7fcc0ab5903463be779934drbowenCertification Authorities (CAs) whose remote servers you deal with. These are used to
d99faa99674be527e7fcc0ab5903463be779934drbowenverify the remote server certificate on Remote Server Authentication.</p>
d99faa99674be527e7fcc0ab5903463be779934drbowenThe files in this directory have to be PEM-encoded and are accessed through
d99faa99674be527e7fcc0ab5903463be779934drbowenhash filenames. So usually you can't just place the Certificate files
d99faa99674be527e7fcc0ab5903463be779934drbowenthere: you also have to create symbolic links named
d99faa99674be527e7fcc0ab5903463be779934drbowen<em>hash-value</em><code>.N</code>. And you should always make sure this directory
d99faa99674be527e7fcc0ab5903463be779934drbowencontains the appropriate symbolic links. Use the <code>Makefile</code> which
d99faa99674be527e7fcc0ab5903463be779934drbowencomes with mod_ssl to accomplish this task.</p>
e22983c2cda01e5df1a8a6b72c2ff687370975aaerikabeleSSLProxyCACertificatePath /usr/local/apache2/conf/ssl.crt/
d99faa99674be527e7fcc0ab5903463be779934drbowen</directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<description>File of concatenated PEM-encoded CA Certificates
d99faa99674be527e7fcc0ab5903463be779934drbowenfor Remote Server Auth</description>
d99faa99674be527e7fcc0ab5903463be779934drbowen<syntax>SSLProxyCACertificateFile <em>file-path</em></syntax>
d99faa99674be527e7fcc0ab5903463be779934drbowenThis directive sets the <em>all-in-one</em> file where you can assemble the
d99faa99674be527e7fcc0ab5903463be779934drbowenCertificates of Certification Authorities (CA) whose <em>remote servers</em> you deal
d99faa99674be527e7fcc0ab5903463be779934drbowenwith. These are used for Remote Server Authentication. Such a file is simply the
d99faa99674be527e7fcc0ab5903463be779934drbowenconcatenation of the various PEM-encoded Certificate files, in order of
d99faa99674be527e7fcc0ab5903463be779934drbowenpreference. This can be used alternatively and/or additionally to
d99faa99674be527e7fcc0ab5903463be779934drbowen<directive module="mod_ssl">SSLProxyCACertificatePath</directive>.</p>
e22983c2cda01e5df1a8a6b72c2ff687370975aaerikabeleSSLProxyCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-remote-server.crt
d99faa99674be527e7fcc0ab5903463be779934drbowen</directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<description>Directory of PEM-encoded CA CRLs for
d99faa99674be527e7fcc0ab5903463be779934drbowenRemote Server Auth</description>
d99faa99674be527e7fcc0ab5903463be779934drbowen<syntax>SSLProxyCARevocationPath <em>directory-path</em></syntax>
d99faa99674be527e7fcc0ab5903463be779934drbowenThis directive sets the directory where you keep the Certificate Revocation
d99faa99674be527e7fcc0ab5903463be779934drbowenLists (CRL) of Certification Authorities (CAs) whose remote servers you deal with.
d99faa99674be527e7fcc0ab5903463be779934drbowenThese are used to revoke the remote server certificate on Remote Server Authentication.</p>
d99faa99674be527e7fcc0ab5903463be779934drbowenThe files in this directory have to be PEM-encoded and are accessed through
d99faa99674be527e7fcc0ab5903463be779934drbowenhash filenames. So usually you have not only to place the CRL files there.
d99faa99674be527e7fcc0ab5903463be779934drbowenAdditionally you have to create symbolic links named
d99faa99674be527e7fcc0ab5903463be779934drbowen<em>hash-value</em><code>.rN</code>. And you should always make sure this directory
d99faa99674be527e7fcc0ab5903463be779934drbowencontains the appropriate symbolic links. Use the <code>Makefile</code> which
d99faa99674be527e7fcc0ab5903463be779934drbowencomes with <module>mod_ssl</module> to accomplish this task.</p>
e22983c2cda01e5df1a8a6b72c2ff687370975aaerikabeleSSLProxyCARevocationPath /usr/local/apache2/conf/ssl.crl/
d99faa99674be527e7fcc0ab5903463be779934drbowen</directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<directivesynopsis>
d99faa99674be527e7fcc0ab5903463be779934drbowen<description>File of concatenated PEM-encoded CA CRLs for
d99faa99674be527e7fcc0ab5903463be779934drbowenRemote Server Auth</description>
d99faa99674be527e7fcc0ab5903463be779934drbowen<syntax>SSLProxyCARevocationFile <em>file-path</em></syntax>
d99faa99674be527e7fcc0ab5903463be779934drbowenThis directive sets the <em>all-in-one</em> file where you can
d99faa99674be527e7fcc0ab5903463be779934drbowenassemble the Certificate Revocation Lists (CRL) of Certification
d99faa99674be527e7fcc0ab5903463be779934drbowenAuthorities (CA) whose <em>remote servers</em> you deal with. These are used
d99faa99674be527e7fcc0ab5903463be779934drbowenfor Remote Server Authentication. Such a file is simply the concatenation of
d99faa99674be527e7fcc0ab5903463be779934drbowenthe various PEM-encoded CRL files, in order of preference. This can be
d99faa99674be527e7fcc0ab5903463be779934drbowenmodule="mod_ssl">SSLProxyCARevocationPath</directive>.</p>
e22983c2cda01e5df1a8a6b72c2ff687370975aaerikabeleSSLProxyCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-remote-server.crl
d99faa99674be527e7fcc0ab5903463be779934drbowen</directivesynopsis>
eff8e38d2e04f20febd66366f5bb8a5a640ca4f8jorton<directivesynopsis>
eff8e38d2e04f20febd66366f5bb8a5a640ca4f8jorton<description>Variable name to determine user name</description>
72266eec881e63906c7d415ed0cc3c144c7337b8jorton<compatibility>Available in Apache 2.0.51 and later</compatibility>
eff8e38d2e04f20febd66366f5bb8a5a640ca4f8jortonThis directive sets the "user" field in the Apache request object.
eff8e38d2e04f20febd66366f5bb8a5a640ca4f8jortonThis is used by lower modules to identify the user with a character
eff8e38d2e04f20febd66366f5bb8a5a640ca4f8jortonstring. In particular, this may cause the environment variable
eff8e38d2e04f20febd66366f5bb8a5a640ca4f8jorton<code>REMOTE_USER</code> to be set. The <em>varname</em> can be
eff8e38d2e04f20febd66366f5bb8a5a640ca4f8jortonany of the <a href="#envvars">SSL environment variables</a>.</p>
eff8e38d2e04f20febd66366f5bb8a5a640ca4f8jortonSSLUserName SSL_CLIENT_S_DN_CN
eff8e38d2e04f20febd66366f5bb8a5a640ca4f8jorton</directivesynopsis>
d2e618b3d0951b9f6a590dea8f21b9a2350d26d0jorton<directivesynopsis>
d2e618b3d0951b9f6a590dea8f21b9a2350d26d0jorton<description>Option to prefer the server's cipher preference order</description>
d2e618b3d0951b9f6a590dea8f21b9a2350d26d0jorton<compatibility>Available in Apache 2.1 and later, if using OpenSSL 0.9.7 or later</compatibility>
d2e618b3d0951b9f6a590dea8f21b9a2350d26d0jorton<p>When choosing a cipher during an SSLv3 or TLSv1 handshake, normally
d2e618b3d0951b9f6a590dea8f21b9a2350d26d0jortonthe client's preference is used. If this directive is enabled, the
d2e618b3d0951b9f6a590dea8f21b9a2350d26d0jortonserver's preference will be used instead.</p>
d2e618b3d0951b9f6a590dea8f21b9a2350d26d0jortonSSLHonorCipherOrder on
d2e618b3d0951b9f6a590dea8f21b9a2350d26d0jorton</directivesynopsis>
4cd185b8f43b3014d0ef735b16c733844956c665jorton<directivesynopsis>
4cd185b8f43b3014d0ef735b16c733844956c665jorton<description>Enable use of a cryptographic hardware accelerator</description>
4cd185b8f43b3014d0ef735b16c733844956c665jorton<contextlist><context>server config</context></contextlist>
4cd185b8f43b3014d0ef735b16c733844956c665jorton<compatibility>Available if mod_ssl is built using <code>-DSSL_ENGINE_EXPERIMENTAL</code></compatibility>
4cd185b8f43b3014d0ef735b16c733844956c665jortonThis directive enables use of a cryptographic hardware accelerator
4cd185b8f43b3014d0ef735b16c733844956c665jortonboard to offload some of the SSL processing overhead. This directive
4cd185b8f43b3014d0ef735b16c733844956c665jortoncan only be used if the SSL toolkit is built with "engine" support;
4cd185b8f43b3014d0ef735b16c733844956c665jortonOpenSSL 0.9.7 and later releases have "engine" support by default, the
4cd185b8f43b3014d0ef735b16c733844956c665jortonseparate "-engine" releases of OpenSSL 0.9.6 must be used.</p>
4cd185b8f43b3014d0ef735b16c733844956c665jorton<p>To discover which engine names are supported, run the command
4cd185b8f43b3014d0ef735b16c733844956c665jorton# For a Broadcom accelerator:<br />
4cd185b8f43b3014d0ef735b16c733844956c665jortonSSLCryptoDevice ubsec
4cd185b8f43b3014d0ef735b16c733844956c665jorton</directivesynopsis>
e6469ad7a7dacf318f7ecf393b448b83ad1fdb37slive</modulesynopsis>