mod_ssl.xml revision fe9dca85c9e1544931fb420615372c10c0181ea7
<!DOCTYPE modulesynopsis SYSTEM "/style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
<!-- $LastChangedRevision$ -->

<!--
 Copyright 2002-2005 The Apache Software Foundation or its licensors,
 as applicable.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
-->

<modulesynopsis metafile="mod_ssl.xml.meta">
<description>Strong cryptography using the Secure Sockets
Layer (SSL) and Transport Layer Security (TLS) protocols</description>

<p>This module provides SSL v2/v3 and TLS v1 support for the Apache
HTTP Server. It was contributed by Ralf S. Engelschall based on his
mod_ssl project and originally derived from work by Ben Laurie.</p>

<p>This module relies on <a href="http://www.openssl.org/">OpenSSL</a>
to provide the cryptography engine.</p>

<p>Further details, discussion, and examples are provided in the
<a href="/ssl/">SSL documentation</a>.</p>
<section id="envvars"><title>Environment Variables</title>

<p>This module provides a lot of SSL information as additional environment
variables to the SSI and CGI namespace. The generated variables are listed in
the table below. For backward compatibility the information can
be made available under different names, too. Look in the <a
href="/ssl/ssl_compat.html">Compatibility</a> chapter for details on the
compatibility variables.</p>

<p>Note that the <code>SSL_*</code> variables are only exported to CGI and
SSI when <code>StdEnvVars</code> is enabled with <directive
module="mod_ssl">SSLOptions</directive> for the location in question; by
default they are not exported, for performance reasons. Also, the
<code>SSL_CLIENT_*</code> variables describe whatever certificate the client
presented: an application must check that <code>SSL_CLIENT_VERIFY</code> is
<code>SUCCESS</code> before trusting the Subject DN, because with
<directive module="mod_ssl">SSLVerifyClient</directive>
<code>optional_no_ca</code> a certificate that could not be verified is still
passed through (reported as <code>GENEROUS</code>).</p>
<table border="1">
<columnspec><column width=".3"/><column width=".2"/><column width=".5"/></columnspec>
<tr>
 <th><a name="table3">Variable Name:</a></th>
 <th>Value Type:</th>
 <th>Description:</th>
</tr>
<tr><td><code>HTTPS</code></td> <td>flag</td> <td>HTTPS is being used.</td></tr>
<tr><td><code>SSL_PROTOCOL</code></td> <td>string</td> <td>The SSL protocol version (SSLv2, SSLv3, TLSv1)</td></tr>
<tr><td><code>SSL_SESSION_ID</code></td> <td>string</td> <td>The hex-encoded SSL session id</td></tr>
<tr><td><code>SSL_CIPHER</code></td> <td>string</td> <td>The cipher specification name</td></tr>
<tr><td><code>SSL_CIPHER_EXPORT</code></td> <td>string</td> <td><code>true</code> if cipher is an export cipher</td></tr>
<tr><td><code>SSL_CIPHER_USEKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (actually used)</td></tr>
<tr><td><code>SSL_CIPHER_ALGKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (possible)</td></tr>
<tr><td><code>SSL_VERSION_INTERFACE</code></td> <td>string</td> <td>The mod_ssl program version</td></tr>
<tr><td><code>SSL_VERSION_LIBRARY</code></td> <td>string</td> <td>The OpenSSL program version</td></tr>
<tr><td><code>SSL_CLIENT_M_VERSION</code></td> <td>string</td> <td>The version of the client certificate</td></tr>
<tr><td><code>SSL_CLIENT_M_SERIAL</code></td> <td>string</td> <td>The serial of the client certificate</td></tr>
<tr><td><code>SSL_CLIENT_S_DN</code></td> <td>string</td> <td>Subject DN in client's certificate</td></tr>
<tr><td><code>SSL_CLIENT_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of client's Subject DN</td></tr>
<tr><td><code>SSL_CLIENT_I_DN</code></td> <td>string</td> <td>Issuer DN of client's certificate</td></tr>
<tr><td><code>SSL_CLIENT_I_DN_</code><em>x509</em></td> <td>string</td> <td>Component of client's Issuer DN</td></tr>
<tr><td><code>SSL_CLIENT_V_START</code></td> <td>string</td> <td>Validity of client's certificate (start time)</td></tr>
<tr><td><code>SSL_CLIENT_V_END</code></td> <td>string</td> <td>Validity of client's certificate (end time)</td></tr>
<tr><td><code>SSL_CLIENT_V_REMAIN</code></td> <td>string</td> <td>Number of days until client's certificate expires</td></tr>
<tr><td><code>SSL_CLIENT_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of client's certificate</td></tr>
<tr><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr>
<tr><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr>
<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr>
<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr>
<tr><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr>
<tr><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr>
<tr><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr>
<tr><td><code>SSL_SERVER_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Subject DN</td></tr>
<tr><td><code>SSL_SERVER_I_DN</code></td> <td>string</td> <td>Issuer DN of server's certificate</td></tr>
<tr><td><code>SSL_SERVER_I_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Issuer DN</td></tr>
<tr><td><code>SSL_SERVER_V_START</code></td> <td>string</td> <td>Validity of server's certificate (start time)</td></tr>
<tr><td><code>SSL_SERVER_V_END</code></td> <td>string</td> <td>Validity of server's certificate (end time)</td></tr>
<tr><td><code>SSL_SERVER_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of server's certificate</td></tr>
<tr><td><code>SSL_SERVER_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of server's certificate</td></tr>
<tr><td><code>SSL_SERVER_CERT</code></td> <td>string</td> <td>PEM-encoded server certificate</td></tr>
</table>
<p><em>x509</em> specifies a component of an X.509 DN; one of
<code>C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email</code>. In Apache 2.1 and
later, <em>x509</em> may also include a numeric <code>_n</code>
suffix. If the DN in question contains multiple attributes of the
same name, this suffix is used as an index to select a particular
attribute. For example, where the server certificate subject DN
included two OU fields, <code>SSL_SERVER_S_DN_OU_0</code> and
<code>SSL_SERVER_S_DN_OU_1</code> could be used to reference each.</p>

<p><code>SSL_CLIENT_V_REMAIN</code> is only available in version 2.1</p>
</section>
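<p>The following is an added example and is not code from the mod_ssl
documentation or from httpd. It shows the two things an application author
needs from the table above: how the <code>_n</code> suffix enumerates repeated
DN attributes (the expansion here assumes OpenSSL's one-line DN form,
<code>/C=DE/O=Example/CN=host</code>, and sets the un-suffixed variable to the
first occurrence), and that a client is only authenticated when
<code>SSL_CLIENT_VERIFY</code> is exactly <code>SUCCESS</code>. The
environment dictionaries are constructed, not captured from a server.</p>

```python
"""Consuming mod_ssl's SSL_CLIENT_* variables from a CGI/WSGI application.

Added example; not code from the mod_ssl documentation or from httpd.
"""

# DN attribute names mod_ssl exports, as listed in the text above.
DN_COMPONENTS = ("C", "ST", "L", "O", "OU", "CN", "T", "I", "G", "S", "D", "UID", "Email")


def dn_variables(prefix, dn):
    """Expand a DN into the variables mod_ssl would export under `prefix`.

    Assumption: `dn` is in OpenSSL's one-line form ("/C=DE/O=Example/CN=host")
    with no escaped "/" inside values. The un-suffixed variable is set to the
    first occurrence of an attribute; _0, _1, ... index each occurrence.
    """
    env = {prefix: dn}
    seen = {}
    for part in dn.split("/"):
        if "=" not in part:
            continue                      # leading empty element, or junk
        attr, value = part.split("=", 1)
        if attr not in DN_COMPONENTS:
            continue                      # only the documented components are exported
        n = seen.get(attr, 0)
        env["%s_%s_%d" % (prefix, attr, n)] = value
        env.setdefault("%s_%s" % (prefix, attr), value)
        seen[attr] = n + 1
    return env


def make_environ(client_dn, verify):
    """Constructed CGI environment, as mod_ssl populates it with +StdEnvVars."""
    env = {"HTTPS": "on", "SSL_PROTOCOL": "TLSv1", "SSL_CLIENT_VERIFY": verify}
    if verify != "NONE":
        env.update(dn_variables("SSL_CLIENT_S_DN", client_dn))
    return env


def authenticated_client(environ):
    """Return the verified client's CN, or None if the certificate must not be trusted.

    SSL_CLIENT_VERIFY is one of NONE, SUCCESS, GENEROUS or FAILED:<reason>.
    Only SUCCESS means the chain verified against the server's CA list; the
    other values carry whatever certificate the peer chose to send, so the
    DN must not be used as an identity.
    """
    if environ.get("HTTPS") != "on":
        return None
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    return environ.get("SSL_CLIENT_S_DN_CN") or None


if __name__ == "__main__":
    for status in ("SUCCESS", "GENEROUS", "FAILED:self signed certificate", "NONE"):
        env = make_environ("/C=DE/O=Example/OU=Dev/OU=Ops/CN=alice", status)
        print("%-32s -> %r" % (status, authenticated_client(env)))
```

<p>Run stand-alone it prints <code>alice</code> for <code>SUCCESS</code> and
<code>None</code> for the other three states; the same CN is present in the
<code>GENEROUS</code> environment, which is exactly why the check on
<code>SSL_CLIENT_VERIFY</code> has to come first.</p>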
<section id="logformats"><title>Custom Log Formats</title>

<p>When <module>mod_ssl</module> is built into Apache or at least
loaded (under DSO situation) additional functions exist for the <a
href="mod_log_config.html#formats">Custom Log Format</a> of
<module>mod_log_config</module>. First there is an
additional ``<code>%{</code><em>varname</em><code>}x</code>''
eXtension format function which can be used to expand any variables
provided by any module, especially those provided by mod_ssl which
you can find in the above table. Unlike the CGI environment, this does
not require <code>StdEnvVars</code> to be enabled.</p>

<p>For backward compatibility there is additionally a special
``<code>%{</code><em>name</em><code>}c</code>'' cryptography format function
provided. Information about this function is provided in the <a
href="/ssl/ssl_compat.html">Compatibility</a> chapter.</p>

<p>The following format string, used with <directive
module="mod_log_config">CustomLog</directive>, records the negotiated
protocol and cipher for every request:</p>

<example><title>Example</title>
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</example>
</section>
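<p>An added example, not part of the mod_ssl documentation: a parser for log
lines written with the format string above, run over constructed sample lines
(not real server output), flagging what the rest of this page marks as weak:
SSLv2, export-grade suites, anonymous Diffie-Hellman (no server
authentication) and NULL (unencrypted) suites. <code>RC4-MD5</code> is
deliberately left unflagged because the cipher table on this page does not mark
it; a current policy would extend <code>weaknesses()</code> with RC4, DES and
MD5 checks.</p>

```python
"""Audit a mod_log_config CustomLog written with
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Added example; not code from the mod_ssl documentation or from httpd.
"""
import re
from collections import Counter

# %t is "[day/mon/year:h:m:s zone]", %h the client, %b is "-" when no body was sent.
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<bytes>\d+|-)$'
)

# Constructed sample log (not real server output). The last line is a
# cleartext request on the same log: mod_log_config writes "-" for the
# SSL variables when the connection was not SSL.
SAMPLE_LOG = """\
[10/Oct/2005:13:55:36 +0000] 192.0.2.10 TLSv1 DHE-RSA-AES256-SHA "GET /index.html HTTP/1.1" 2326
[10/Oct/2005:13:55:37 +0000] 192.0.2.11 SSLv2 EXP-RC4-MD5 "GET /login HTTP/1.0" 512
[10/Oct/2005:13:55:38 +0000] 192.0.2.12 SSLv3 ADH-DES-CBC3-SHA "POST /api HTTP/1.1" -
[10/Oct/2005:13:55:39 +0000] 192.0.2.13 TLSv1 NULL-SHA "GET /status HTTP/1.1" 100
[10/Oct/2005:13:55:40 +0000] 192.0.2.14 TLSv1 RC4-MD5 "GET /a HTTP/1.1" 10
[10/Oct/2005:13:55:41 +0000] 192.0.2.15 - - "GET /plain HTTP/1.1" 55
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def weaknesses(entry):
    """Reasons a negotiated protocol/cipher pair is unacceptable, per the page's table."""
    reasons = []
    if entry["proto"] == "SSLv2":
        reasons.append("SSLv2 negotiated")
    cipher = entry["cipher"]
    if cipher.startswith("EXP-"):
        reasons.append("export-grade cipher")
    if cipher.startswith("ADH-"):
        reasons.append("anonymous DH, server not authenticated")
    if cipher.startswith("NULL-"):
        reasons.append("NULL cipher, no encryption")
    return reasons


def audit(log_text):
    """Parse every line; return (flagged entries, Counter of protocol versions).

    Lines in another format are skipped rather than guessed at, so a mixed
    log does not silently produce wrong counts.
    """
    flagged, protocols = [], Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        protocols[entry["proto"]] += 1          # "-" counts cleartext requests
        reasons = weaknesses(entry)
        if reasons:
            flagged.append((entry["host"], entry["proto"], entry["cipher"], reasons))
    return flagged, protocols


if __name__ == "__main__":
    flagged, protocols = audit(SAMPLE_LOG)
    print("protocols:", dict(protocols))
    for host, proto, cipher, reasons in flagged:
        print("%s %s %s: %s" % (host, proto, cipher, "; ".join(reasons)))
```

<p>The protocol counter is the cheap version of a TLS deprecation check:
once <code>SSLv2</code> and the export suites stop appearing in the
production log, they can be removed from <code>SSLProtocol</code> and
<code>SSLCipherSuite</code> without guessing at client impact.</p>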
<directivesynopsis>
<description>Type of pass phrase dialog for encrypted private
keys</description>
<syntax>SSLPassPhraseDialog <em>type</em></syntax>
<default>SSLPassPhraseDialog builtin</default>
<contextlist><context>server config</context></contextlist>

<p>When Apache starts up it has to read the various Certificate (see
<directive module="mod_ssl">SSLCertificateFile</directive>) and
Private Key (see <directive
module="mod_ssl">SSLCertificateKeyFile</directive>) files of the
SSL-enabled virtual servers. Because for security reasons the Private
Key files are usually encrypted, mod_ssl needs to query the
administrator for a Pass Phrase in order to decrypt those files. This
query can be done in the following ways, configured by
<directive module="mod_ssl">SSLPassPhraseDialog</directive>:</p>
<ul>
<li><code>builtin</code>
    <p>This is the default where an interactive terminal dialog occurs at startup
    time just before Apache detaches from the terminal. Here the administrator
    has to manually enter the Pass Phrase for each encrypted Private Key file.
    Because a lot of SSL-enabled virtual hosts can be configured, the
    following reuse-scheme is used to minimize the dialog: When a Private Key
    file is encrypted, all known Pass Phrases (at the beginning there are
    none, of course) are tried. If one of those known Pass Phrases succeeds no
    dialog pops up for this particular Private Key file. If none succeeded,
    another Pass Phrase is queried on the terminal and remembered for the next
    round (where it perhaps can be reused).</p>

    <p>This scheme allows mod_ssl to be maximally flexible (because for N encrypted
    Private Key files you <em>can</em> use N different Pass Phrases - but then
    you have to enter all of them, of course) while minimizing the terminal
    dialog (i.e. when you use a single Pass Phrase for all N Private Key files
    this Pass Phrase is queried only once).</p></li>

<li><code>|/path/to/program [args...]</code>
    <p>This mode allows an external program to be used which acts as a
    pipe to a particular input device; the program is sent the standard
    prompt text used for the <code>builtin</code> mode on
    <code>stdin</code>, and is expected to write password strings on
    <code>stdout</code>. If several passwords are needed (or an
    incorrect password is entered), additional prompt text will be
    written subsequent to the first password being returned, and more
    passwords must then be written back.</p></li>

<li><code>exec:/path/to/program</code>
    <p>Here an external program is configured which is called at startup for each
    encrypted Private Key file. It is called with two arguments (the first is
    of the form ``<code>servername:portnumber</code>'', the second is either
    ``<code>RSA</code>'' or ``<code>DSA</code>''), which indicate for which
    server and algorithm it has to print the corresponding Pass Phrase to
    <code>stdout</code>. The intent is that this external program first runs
    security checks to make sure that the system is not compromised by an
    attacker, and only when these checks were passed successfully it provides
    the Pass Phrase.</p>

    <p>Both these security checks, and the way the Pass Phrase is determined, can
    be as complex as you like. mod_ssl just defines the interface: an
    executable program which provides the Pass Phrase on <code>stdout</code>.
    Nothing more or less! So, if you're really paranoid about security, here
    is your interface. Anything else has to be left as an exercise to the
    administrator, because local security requirements are so different. Note
    that a program which merely prints a Pass Phrase read from a file protects
    the key no better than storing it unencrypted with the same file
    permissions; the value of this mode lies in the checks the program performs
    before answering.</p>

    <p>The reuse-algorithm above is used here, too. In other words: The external
    program is called only once per unique Pass Phrase.</p></li>
</ul>

<example><title>Example</title>
SSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter
</example>
</directivesynopsis>
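<p>An added example of a program for the <code>exec:</code> interface; it is
not shipped with mod_ssl and the store file format, its default location
(<code>/usr/local/apache/conf/passphrases</code>) and the <code>PP_STORE</code>
environment variable are assumptions made for the example. Apache invokes it
as <code>program servername:port RSA|DSA</code> and reads the Pass Phrase from
<code>stdout</code>. The only "security check" implemented is the one every
such program needs: it refuses to answer at all if the store it reads from is
not a regular file owned by the invoking user with no group or world
permission bits, so a symlink or a loosened mode planted by someone else cannot
be used to feed or read phrases.</p>

```python
"""Pass-phrase provider for  SSLPassPhraseDialog exec:/path/to/program

Added example; not part of the mod_ssl documentation or distribution.
Invocation by Apache:  program servername:port {RSA|DSA}
Store file format (assumption):  servername:port ALGO pass phrase text
"""
import os
import stat
import sys
import tempfile

# Hypothetical location; override with the PP_STORE environment variable.
DEFAULT_STORE = "/usr/local/apache/conf/passphrases"


def store_is_private(path):
    """True only for a regular file owned by us with no group/other bits set."""
    try:
        st = os.lstat(path)          # lstat: a symlink planted by another user is rejected
    except OSError:
        return False
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and (st.st_mode & 0o077) == 0)


def load_store(text):
    """Parse 'servername:port ALGO phrase' lines; blank and '#' lines are ignored."""
    store = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            continue                 # malformed lines are ignored rather than guessed at
        server_port, algo, phrase = fields
        store[(server_port, algo.upper())] = phrase
    return store


def lookup(store, server_port, algo):
    return store.get((server_port, algo.upper()))


def main(argv):
    """Exit 0 and print the phrase, or exit non-zero and print nothing."""
    if len(argv) != 3 or argv[2] not in ("RSA", "DSA"):
        sys.stderr.write("usage: pp-filter servername:port RSA|DSA\n")
        return 2
    path = os.environ.get("PP_STORE", DEFAULT_STORE)
    if not store_is_private(path):
        sys.stderr.write("refusing: %s is not a private file owned by uid %d\n"
                         % (path, os.getuid()))
        return 1
    with open(path) as f:
        store = load_store(f.read())
    phrase = lookup(store, argv[1], argv[2])
    if phrase is None:
        sys.stderr.write("no pass phrase for %s %s\n" % (argv[1], argv[2]))
        return 1
    sys.stdout.write(phrase + "\n")  # this line is what mod_ssl reads
    return 0


def self_check():
    """Create a throw-away store and show the permission check in action."""
    path = os.path.join(tempfile.mkdtemp(), "passphrases")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("# constructed sample store\n"
                "www.example.com:443 RSA correct horse battery staple\n")
    private_before = store_is_private(path)
    os.chmod(path, 0o644)            # now group/world readable: must be refused
    private_after = store_is_private(path)
    with open(path) as f:
        phrase = lookup(load_store(f.read()), "www.example.com:443", "rsa")
    return private_before, private_after, phrase


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

<p>Because of the reuse scheme described above, the program runs once per
distinct Pass Phrase rather than once per key, so a site-specific check that is
slow (verifying package checksums, for instance) costs little at startup.</p>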
<directivesynopsis>
<description>Semaphore for internal mutual exclusion of
operations</description>
<contextlist><context>server config</context></contextlist>

<p>This configures the SSL engine's semaphore (aka. lock) which is used for mutual
exclusion of operations which have to be done in a synchronized way between the
pre-forked Apache server processes. This directive can only be used in the
global server context because it's only useful to have one global mutex.
This directive is designed to closely match the
<a href="http://httpd.apache.org/docs-2.0/mod/mpm_common.html#acceptmutex">AcceptMutex</a> directive.</p>

<p>The following Mutex <em>types</em> are available:</p>
<ul>
<li><code>none</code>
    <p>This is the default where no Mutex is used at all. Use it at your own
    risk. But because currently the Mutex is mainly used for synchronizing
    write access to the SSL Session Cache you can live without it as long
    as you accept a sometimes garbled Session Cache. So it's not recommended
    to leave this the default. Instead configure a real Mutex.</p></li>

<li><code>posixsem</code>
    <p>This is an elegant Mutex variant where a Posix Semaphore is used when possible.
    It is only available when the underlying platform</p></li>

<li><code>sysvsem</code>
    <p>This is a somewhat elegant Mutex variant where a SystemV IPC Semaphore is used when
    possible. It is possible to "leak" SysV semaphores if processes crash before</p></li>
</ul>
</directivesynopsis>
much entropy data as it actually has, i.e. when you request 512 bytes of
actually generated, i.e. by which system interrupts. More details one can
<table border="1">
<tr><td><code>kEDH</code></td> <td>Ephemeral (temp.key) Diffie-Hellman key exchange (no cert)</td> </tr>
<tr><td><code>EDH</code></td> <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr>
<tr><td><code>ADH</code></td> <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr>
</table>
<ul>
<li><code>!</code>: kill cipher from list completely (can <strong>not</strong> be added later again)</li>
</ul>
authenticate, i.e. for SSL only the Anonymous Diffie-Hellman ciphers. Next,
<table border="1">
<tr><th><a name="table2">Cipher-Tag</a></th> <th>Protocol</th> <th>Key Ex.</th> <th>Auth.</th> <th>Enc.</th> <th>MAC</th> <th>Type</th> </tr>
<tr><td><code>DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>3DES(168)</td> <td>SHA1</td> <td></td> </tr>
<tr><td><code>DES-CBC3-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>3DES(168)</td> <td>MD5</td> <td></td> </tr>
<tr><td><code>IDEA-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>IDEA(128)</td> <td>SHA1</td> <td></td> </tr>
<tr><td><code>RC4-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>SHA1</td> <td></td> </tr>
<tr><td><code>RC4-MD5</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>MD5</td> <td></td> </tr>
<tr><td><code>IDEA-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>IDEA(128)</td> <td>MD5</td> <td></td> </tr>
<tr><td><code>RC2-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC2(128)</td> <td>MD5</td> <td></td> </tr>
<tr><td><code>RC4-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>MD5</td> <td></td> </tr>
<tr><td><code>DES-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>DES(56)</td> <td>SHA1</td> <td></td> </tr>
<tr><td><code>RC4-64-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC4(64)</td> <td>MD5</td> <td></td> </tr>
<tr><td><code>DES-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>DES(56)</td> <td>MD5</td> <td></td> </tr>
<tr><td><code>EXP-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
<tr><td><code>EXP-RC2-CBC-MD5</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>RC2(40)</td> <td>MD5</td> <td> export</td> </tr>
<tr><td><code>EXP-RC4-MD5</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>RC4(40)</td> <td>MD5</td> <td> export</td> </tr>
<tr><td><code>EXP-RC2-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA(512)</td> <td>RSA</td> <td>RC2(40)</td> <td>MD5</td> <td> export</td> </tr>
<tr><td><code>EXP-RC4-MD5</code></td> <td>SSLv2</td> <td>RSA(512)</td> <td>RSA</td> <td>RC4(40)</td> <td>MD5</td> <td> export</td> </tr>
<tr><td><code>NULL-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>None</td> <td>SHA1</td> <td></td> </tr>
<tr><td><code>NULL-MD5</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>None</td> <td>MD5</td> <td></td> </tr>
<tr><td><code>ADH-DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>None</td> <td>3DES(168)</td> <td>SHA1</td> <td></td> </tr>
<tr><td><code>ADH-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>None</td> <td>DES(56)</td> <td>SHA1</td> <td></td> </tr>
<tr><td><code>ADH-RC4-MD5</code></td> <td>SSLv3</td> <td>DH</td> <td>None</td> <td>RC4(128)</td> <td>MD5</td> <td></td> </tr>
<tr><td><code>EDH-RSA-DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>RSA</td> <td>3DES(168)</td> <td>SHA1</td> <td></td> </tr>
<tr><td><code>EDH-DSS-DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>DSS</td> <td>3DES(168)</td> <td>SHA1</td> <td></td> </tr>
<tr><td><code>EDH-RSA-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>RSA</td> <td>DES(56)</td> <td>SHA1</td> <td></td> </tr>
<tr><td><code>EDH-DSS-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>DSS</td> <td>DES(56)</td> <td>SHA1</td> <td></td> </tr>
<tr><td><code>EXP-EDH-RSA-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>RSA</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
<tr><td><code>EXP-EDH-DSS-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>DSS</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
<tr><td><code>EXP-ADH-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>None</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
<tr><td><code>EXP-ADH-RC4-MD5</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>None</td> <td>RC4(40)</td> <td>MD5</td> <td> export</td> </tr>
</table>
i.e. the number of CA certificates which are max allowed to be followed while
known to the server (i.e. the CA's certificate is under
This directive forbids access unless HTTP over SSL (i.e. HTTPS) is enabled for
<description>Directory of PEM-encoded client certificates and keys to be used by the proxy</description>
<description>File of concatenated PEM-encoded client certificates and keys to be used by the proxy</description>
i.e. the number of CA certificates which are max allowed to be followed while
which is directly known to the server (i.e. the CA's certificate is under