ssl_howto.html.en revision 4c73fad880d59291ddf79d9da08783b3bc9b1a09
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari This file is generated from xml source: DO NOT EDIT
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<title>SSL/TLS Strong Encryption: How-To - Apache HTTP Server</title>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<link href="/images/favicon.ico" rel="shortcut icon" /></head>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<body id="manual-page"><div id="page-header">
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="/faq/">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<p class="apache">Apache HTTP Server Version 2.3</p>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<img alt="" src="/images/feather.gif" /></div>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<div class="up"><a href="./"><img title="<-" alt="<-" src="/images/left.gif" /></a></div>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.3</a> > <a href="./">SSL/TLS</a></div><div id="page-content"><div id="preamble"><h1>SSL/TLS Strong Encryption: How-To</h1>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<p><span>Available Languages: </span><a href="/en/ssl/ssl_howto.html" title="English"> en </a> |
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<a href="/fr/ssl/ssl_howto.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a></p>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<p>The solution to this problem is trivial
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegariand is left as an exercise for the reader.</p>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<p class="cite">-- <cite>Standard textbook cookie</cite></p>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<p>How to solve particular security problems for an SSL-aware
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegariwebserver is not always obvious because of the interactions between SSL,
ab8506c5100f101785452b5047259ec4f17ef436Daniel CalegariHTTP and Apache's way of processing requests. This chapter gives
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegariinstructions on how to solve some typical situations. Treat it as a first
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegaristep to find out the final solution, but always try to understand the
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegaristuff before you use it. Nothing is worse than using a security solution
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegariwithout knowing its restrictions and how it interacts with other systems.</p>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<div id="quickview"><ul id="toc"><li><img alt="" src="/images/down.gif" /> <a href="#configexample">Basic Configuration Example</a></li>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<li><img alt="" src="/images/down.gif" /> <a href="#ciphersuites">Cipher Suites and Enforcing Strong Security</a></li>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<li><img alt="" src="/images/down.gif" /> <a href="#accesscontrol">Client Authentication and Access Control</a></li>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<li><img alt="" src="/images/down.gif" /> <a href="#logging">Logging</a></li>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<h2><a name="configexample" id="configexample">Basic Configuration Example</a></h2>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<p>Your SSL configuration will need to contain, at a minumum, the
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegarifollowing directives.</p>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari Listen 443<br />
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari <VirtualHost _default_:443><br />
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari SSLEngine on<br />
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari SSLCertificateFile /path/to/www.comain.com.cert<br />
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari SSLCertificateKeyFile /path/to/www.domain.com.key<br />
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari </VirtualHost>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<h2><a name="ciphersuites" id="ciphersuites">Cipher Suites and Enforcing Strong Security</a></h2>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<li><a href="#realssl">How can I create a real SSLv2-only server?</a></li>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<li><a href="#onlystrong">How can I create an SSL server which accepts strong encryption only?</a></li>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<li><a href="#upgradeenc">How can I create an SSL server which accepts strong encryption only, but allows
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegariexport browsers to upgrade to stronger encryption?</a></li>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<li><a href="#strongurl">How can I create an SSL server which accepts all types of ciphers in general, but
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegarirequires a strong cipher for access to a particular URL?</a></li>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<h3><a name="realssl" id="realssl">How can I create a real SSLv2-only server?</a></h3>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari <p>The following creates an SSL server which speaks only the SSLv2 protocol and
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari its ciphers.</p>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari <div class="example"><h3>httpd.conf</h3><p><code>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari SSLProtocol -all +SSLv2<br />
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP<br />
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<h3><a name="onlystrong" id="onlystrong">How can I create an SSL server which accepts strong encryption
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari <p>The following enables only the seven strongest ciphers:</p>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari <div class="example"><h3>httpd.conf</h3><p><code>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari SSLProtocol all<br />
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari SSLCipherSuite HIGH:MEDIUM<br />
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari<h3><a name="upgradeenc" id="upgradeenc">How can I create an SSL server which accepts strong encryption
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegarionly, but allows export browsers to upgrade to stronger encryption?</a></h3>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari <p>This facility is called Server Gated Cryptography (SGC) and requires
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari a Global ID server certificate, signed by a special CA certificate
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari from Verisign. This enables strong encryption in 'export' versions of
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari browsers, which traditionally could not support it (because of US export
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari restrictions).</p>
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari <p>When a browser connects with an export cipher, the server sends its Global
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari ID certificate. The browser verifies this, and can then upgrade its
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari cipher suite before any HTTP communication takes place. The problem
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari lies in allowing browsers to upgrade in this fashion, but still requiring
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari strong encryption. In other words, we want browsers to either start a
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari connection with strong encryption, or to start with export ciphers but
ab8506c5100f101785452b5047259ec4f17ef436Daniel Calegari upgrade to strong encryption before beginning HTTP communication.</p>
<h3><a name="strongurl" id="strongurl">How can I create an SSL server which accepts all types of ciphers
<p>Obviously, a server-wide <code class="directive"><a href="/mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code> which restricts
<code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> can be reconfigured within <code>Location</code>
<h3><a name="allclients" id="allclients">How can I force clients to authenticate using certificates?</a></h3>
<h3><a name="arbitraryclients" id="arbitraryclients">How can I force clients to authenticate using certificates for a
<h3><a name="certauthenticate" id="certauthenticate">How can I allow only clients who have certificates to access a
There are two ways to do this, using either <code class="module"><a href="/mod/mod_auth_basic.html">mod_auth_basic</a></code> or
<p>The <code class="module"><a href="/mod/mod_auth_basic.html">mod_auth_basic</a></code> method is generally required when
See the <code class="directive"><a href="/mod/mod_ssl.html#ssloptions">SSLOptions</a></code> docs for more
into the DN, you can match them more easily using <code class="directive"><a href="/mod/mod_ssl.html#sslrequire">SSLRequire</a></code>, as follows:</p>
<p><code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> can log extremely verbose debugging information
to the error log, when its <code class="directive"><a href="/mod/core.html#loglevel">LogLevel</a></code> is
configure the <code class="directive"><a href="/mod/core.html#loglevel">LogLevel</a></code> per module to
<p><span>Available Languages: </span><a href="/en/ssl/ssl_howto.html" title="English"> en </a> |
<a href="/fr/ssl/ssl_howto.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a></p>
<p class="apache">Copyright 2010 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="/faq/">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div>