1 <?xml version="1.0" encoding="ISO-8859-1"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5 This file is generated from xml source: DO NOT EDIT
6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
7 --><title>mod_ssl - Apache HTTP Server</title><link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /><link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /><link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link href="../images/favicon.ico" rel="shortcut icon" /></head><body><div id="page-header"><p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p><p class="apache">Apache HTTP Server Version 2.0</p><img alt="" src="../images/feather.gif" /></div><div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div><div id="path"><a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs-project/">Documentation</a> > <a href="../">Version 2.0</a> > <a href="./">Modules</a></div><div id="page-content"><div id="preamble"><h1>Apache Module mod_ssl</h1><table class="module"><tr><th><a href="module-dict.html#Description">Description:
8 </a></th><td>Strong cryptography using the Secure Sockets
9 Layer (SSL) and Transport Layer Security (TLS) protocols</td></tr><tr><th><a href="module-dict.html#Status">Status:
10 </a></th><td>Extension</td></tr><tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:
11 </a></th><td>ssl_module</td></tr><tr><th><a href="module-dict.html#SourceFile">Source File:
12 </a></th><td>mod_ssl.c</td></tr></table><h3>Summary</h3>
13 <p>This module provides SSL v2/v3 and TLS v1 support for the Apache
14 HTTP Server. It was contributed by Ralf S. Engeschall based on his
15 mod_ssl project and originally derived from work by Ben Laurie.</p>
17 <p>This module relies on <a href="http://www.openssl.org/">OpenSSL</a>
18 to provide the cryptography engine.</p>
20 <p>Further details, discussion, and examples are provided in the
21 <a href="../ssl/">SSL documentation</a>.</p>
22 </div><div id="quickview"><h3 class="directives">Directives</h3><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#sslcacertificatefile">SSLCACertificateFile</a></li>
23 <li><img alt="" src="../images/down.gif" /> <a href="#sslcacertificatepath">SSLCACertificatePath</a></li>
24 <li><img alt="" src="../images/down.gif" /> <a href="#sslcarevocationfile">SSLCARevocationFile</a></li>
25 <li><img alt="" src="../images/down.gif" /> <a href="#sslcarevocationpath">SSLCARevocationPath</a></li>
26 <li><img alt="" src="../images/down.gif" /> <a href="#sslcertificatechainfile">SSLCertificateChainFile</a></li>
27 <li><img alt="" src="../images/down.gif" /> <a href="#sslcertificatefile">SSLCertificateFile</a></li>
28 <li><img alt="" src="../images/down.gif" /> <a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></li>
29 <li><img alt="" src="../images/down.gif" /> <a href="#sslciphersuite">SSLCipherSuite</a></li>
30 <li><img alt="" src="../images/down.gif" /> <a href="#sslengine">SSLEngine</a></li>
31 <li><img alt="" src="../images/down.gif" /> <a href="#sslmutex">SSLMutex</a></li>
32 <li><img alt="" src="../images/down.gif" /> <a href="#ssloptions">SSLOptions</a></li>
33 <li><img alt="" src="../images/down.gif" /> <a href="#sslpassphrasedialog">SSLPassPhraseDialog</a></li>
34 <li><img alt="" src="../images/down.gif" /> <a href="#sslprotocol">SSLProtocol</a></li>
35 <li><img alt="" src="../images/down.gif" /> <a href="#sslproxycacertificatefile">SSLProxyCACertificateFile</a></li>
36 <li><img alt="" src="../images/down.gif" /> <a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></li>
37 <li><img alt="" src="../images/down.gif" /> <a href="#sslproxycarevocationfile">SSLProxyCARevocationFile</a></li>
38 <li><img alt="" src="../images/down.gif" /> <a href="#sslproxycarevocationpath">SSLProxyCARevocationPath</a></li>
39 <li><img alt="" src="../images/down.gif" /> <a href="#sslproxyciphersuite">SSLProxyCipherSuite</a></li>
40 <li><img alt="" src="../images/down.gif" /> <a href="#sslproxyengine">SSLProxyEngine</a></li>
41 <li><img alt="" src="../images/down.gif" /> <a href="#sslproxymachinecertificatefile">SSLProxyMachineCertificateFile</a></li>
42 <li><img alt="" src="../images/down.gif" /> <a href="#sslproxymachinecertificatepath">SSLProxyMachineCertificatePath</a></li>
43 <li><img alt="" src="../images/down.gif" /> <a href="#sslproxyprotocol">SSLProxyProtocol</a></li>
44 <li><img alt="" src="../images/down.gif" /> <a href="#sslproxyverify">SSLProxyVerify</a></li>
45 <li><img alt="" src="../images/down.gif" /> <a href="#sslproxyverifydepth">SSLProxyVerifyDepth</a></li>
46 <li><img alt="" src="../images/down.gif" /> <a href="#sslrandomseed">SSLRandomSeed</a></li>
47 <li><img alt="" src="../images/down.gif" /> <a href="#sslrequire">SSLRequire</a></li>
48 <li><img alt="" src="../images/down.gif" /> <a href="#sslrequiressl">SSLRequireSSL</a></li>
49 <li><img alt="" src="../images/down.gif" /> <a href="#sslsessioncache">SSLSessionCache</a></li>
50 <li><img alt="" src="../images/down.gif" /> <a href="#sslsessioncachetimeout">SSLSessionCacheTimeout</a></li>
51 <li><img alt="" src="../images/down.gif" /> <a href="#sslverifyclient">SSLVerifyClient</a></li>
52 <li><img alt="" src="../images/down.gif" /> <a href="#sslverifydepth">SSLVerifyDepth</a></li>
53 </ul><h3>Topics</h3><ul id="topics"><li><img alt="" src="../images/down.gif" /> Environment Variables</li><li><img alt="" src="../images/down.gif" /> Custom Log Formats</li></ul></div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2>Environment Variables</h2>
55 <p>This module provides a lot of SSL information as additional environment
56 variables to the SSI and CGI namespace. The generated variables are listed in
57 the table below. For backward compatibility the information can
58 be made available under different names, too. Look in the <a href="../ssl/ssl_compat.html">Compatibility</a> chapter for details on the
59 compatibility variables.</p>
61 <table class="bordered">
63 <th>Variable Name:</th>
67 <tr><td><code>HTTPS</code></td> <td>flag</td> <td>HTTPS is being used.</td></tr>
68 <tr><td><code>SSL_PROTOCOL</code></td> <td>string</td> <td>The SSL protocol version (SSLv2, SSLv3, TLSv1)</td></tr>
69 <tr><td><code>SSL_SESSION_ID</code></td> <td>string</td> <td>The hex-encoded SSL session id</td></tr>
70 <tr><td><code>SSL_CIPHER</code></td> <td>string</td> <td>The cipher specification name</td></tr>
71 <tr><td><code>SSL_CIPHER_EXPORT</code></td> <td>string</td> <td><code>true</code> if cipher is an export cipher</td></tr>
72 <tr><td><code>SSL_CIPHER_USEKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (actually used)</td></tr>
73 <tr><td><code>SSL_CIPHER_ALGKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (possible)</td></tr>
74 <tr><td><code>SSL_VERSION_INTERFACE</code></td> <td>string</td> <td>The mod_ssl program version</td></tr>
75 <tr><td><code>SSL_VERSION_LIBRARY</code></td> <td>string</td> <td>The OpenSSL program version</td></tr>
76 <tr><td><code>SSL_CLIENT_M_VERSION</code></td> <td>string</td> <td>The version of the client certificate</td></tr>
77 <tr><td><code>SSL_CLIENT_M_SERIAL</code></td> <td>string</td> <td>The serial of the client certificate</td></tr>
78 <tr><td><code>SSL_CLIENT_S_DN</code></td> <td>string</td> <td>Subject DN in client's certificate</td></tr>
79 <tr><td><code>SSL_CLIENT_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of client's Subject DN</td></tr>
80 <tr><td><code>SSL_CLIENT_I_DN</code></td> <td>string</td> <td>Issuer DN of client's certificate</td></tr>
81 <tr><td><code>SSL_CLIENT_I_DN_</code><em>x509</em></td> <td>string</td> <td>Component of client's Issuer DN</td></tr>
82 <tr><td><code>SSL_CLIENT_V_START</code></td> <td>string</td> <td>Validity of client's certificate (start time)</td></tr>
83 <tr><td><code>SSL_CLIENT_V_END</code></td> <td>string</td> <td>Validity of client's certificate (end time)</td></tr>
84 <tr><td><code>SSL_CLIENT_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of client's certificate</td></tr>
85 <tr><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr>
86 <tr><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr>
87 <tr><td><code>SSL_CLIENT_CERT_CHAIN</code><em>n</em></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr>
88 <tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr>
89 <tr><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr>
90 <tr><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr>
91 <tr><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr>
92 <tr><td><code>SSL_SERVER_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Subject DN</td></tr>
93 <tr><td><code>SSL_SERVER_I_DN</code></td> <td>string</td> <td>Issuer DN of server's certificate</td></tr>
94 <tr><td><code>SSL_SERVER_I_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Issuer DN</td></tr>
95 <tr><td><code>SSL_SERVER_V_START</code></td> <td>string</td> <td>Validity of server's certificate (start time)</td></tr>
96 <tr><td><code>SSL_SERVER_V_END</code></td> <td>string</td> <td>Validity of server's certificate (end time)</td></tr>
97 <tr><td><code>SSL_SERVER_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of server's certificate</td></tr>
98 <tr><td><code>SSL_SERVER_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of server's certificate</td></tr>
99 <tr><td><code>SSL_SERVER_CERT</code></td> <td>string</td> <td>PEM-encoded server certificate</td></tr>
100 <tr><td colspan="3">[ where <em>x509</em> is a component of a X.509 DN:
101 <code>C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email</code> ]</td></tr>
103 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2>Custom Log Formats</h2>
105 <p>When <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> is built into Apache or at least
106 loaded (under DSO situation) additional functions exist for the <a href="mod_log_config.html#formats">Custom Log Format</a> of
107 <code class="module"><a href="../mod/mod_log_config.html">mod_log_config</a></code>. First there is an
108 additional ``<code>%{</code><em>varname</em><code>}x</code>''
109 eXtension format function which can be used to expand any variables
110 provided by any module, especially those provided by mod_ssl which can
111 you find in the above table.</p>
113 For backward compatibility there is additionally a special
114 ``<code>%{</code><em>name</em><code>}c</code>'' cryptography format function
115 provided. Information about this function is provided in the <a href="../ssl/ssl_compat.html">Compatibility</a> chapter.</p>
118 <div class="example"><p><code>
119 CustomLog logs/ssl_request_log \
120 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
122 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLCACertificateFile" id="SSLCACertificateFile">SSLCACertificateFile</a> <a name="sslcacertificatefile" id="sslcacertificatefile">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
123 </a></th><td>File of concatenated PEM-encoded CA Certificates
124 for Client Auth</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
125 </a></th><td><code>SSLCACertificateFile <em>file-path</em></code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
126 </a></th><td>server config, virtual host</td></tr><tr><th><a href="directive-dict.html#Status">Status:
127 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
128 </a></th><td>mod_ssl</td></tr></table>
130 This directive sets the <em>all-in-one</em> file where you can assemble the
131 Certificates of Certification Authorities (CA) whose <em>clients</em> you deal
132 with. These are used for Client Authentication. Such a file is simply the
133 concatenation of the various PEM-encoded Certificate files, in order of
134 preference. This can be used alternatively and/or additionally to
135 <code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code>.</p>
136 <div class="example"><h3>Example</h3><p><code>
137 SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle-client.crt
139 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLCACertificatePath" id="SSLCACertificatePath">SSLCACertificatePath</a> <a name="sslcacertificatepath" id="sslcacertificatepath">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
140 </a></th><td>Directory of PEM-encoded CA Certificates for
141 Client Auth</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
142 </a></th><td><code>SSLCACertificatePath <em>directory-path</em></code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
143 </a></th><td>server config, virtual host</td></tr><tr><th><a href="directive-dict.html#Status">Status:
144 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
145 </a></th><td>mod_ssl</td></tr></table>
147 This directive sets the directory where you keep the Certificates of
148 Certification Authorities (CAs) whose clients you deal with. These are used to
149 verify the client certificate on Client Authentication.</p>
151 The files in this directory have to be PEM-encoded and are accessed through
152 hash filenames. So usually you can't just place the Certificate files
153 there: you also have to create symbolic links named
154 <em>hash-value</em><code>.N</code>. And you should always make sure this directory
155 contains the appropriate symbolic links. Use the <code>Makefile</code> which
156 comes with mod_ssl to accomplish this task.</p>
157 <div class="example"><h3>Example</h3><p><code>
158 SSLCACertificatePath /usr/local/apache/conf/ssl.crt/
160 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLCARevocationFile" id="SSLCARevocationFile">SSLCARevocationFile</a> <a name="sslcarevocationfile" id="sslcarevocationfile">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
161 </a></th><td>File of concatenated PEM-encoded CA CRLs for
162 Client Auth</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
163 </a></th><td><code>SSLCARevocationFile <em>file-path</em></code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
164 </a></th><td>server config, virtual host</td></tr><tr><th><a href="directive-dict.html#Status">Status:
165 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
166 </a></th><td>mod_ssl</td></tr></table>
168 This directive sets the <em>all-in-one</em> file where you can
169 assemble the Certificate Revocation Lists (CRL) of Certification
170 Authorities (CA) whose <em>clients</em> you deal with. These are used
171 for Client Authentication. Such a file is simply the concatenation of
172 the various PEM-encoded CRL files, in order of preference. This can be
173 used alternatively and/or additionally to <code class="directive"><a href="#sslcarevocationpath">SSLCARevocationPath</a></code>.</p>
174 <div class="example"><h3>Example</h3><p><code>
175 SSLCARevocationFile /usr/local/apache/conf/ssl.crl/ca-bundle-client.crl
177 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLCARevocationPath" id="SSLCARevocationPath">SSLCARevocationPath</a> <a name="sslcarevocationpath" id="sslcarevocationpath">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
178 </a></th><td>Directory of PEM-encoded CA CRLs for
179 Client Auth</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
180 </a></th><td><code>SSLCARevocationPath <em>directory-path</em></code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
181 </a></th><td>server config, virtual host</td></tr><tr><th><a href="directive-dict.html#Status">Status:
182 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
183 </a></th><td>mod_ssl</td></tr></table>
185 This directive sets the directory where you keep the Certificate Revocation
186 Lists (CRL) of Certification Authorities (CAs) whose clients you deal with.
187 These are used to revoke the client certificate on Client Authentication.</p>
189 The files in this directory have to be PEM-encoded and are accessed through
190 hash filenames. So usually you have not only to place the CRL files there.
191 Additionally you have to create symbolic links named
192 <em>hash-value</em><code>.rN</code>. And you should always make sure this directory
193 contains the appropriate symbolic links. Use the <code>Makefile</code> which
194 comes with <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> to accomplish this task.</p>
195 <div class="example"><h3>Example</h3><p><code>
196 SSLCARevocationPath /usr/local/apache/conf/ssl.crl/
198 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLCertificateChainFile" id="SSLCertificateChainFile">SSLCertificateChainFile</a> <a name="sslcertificatechainfile" id="sslcertificatechainfile">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
199 </a></th><td>File of PEM-encoded Server CA Certificates</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
200 </a></th><td><code>SSLCertificateChainFile <em>file-path</em></code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
201 </a></th><td>server config, virtual host</td></tr><tr><th><a href="directive-dict.html#Status">Status:
202 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
203 </a></th><td>mod_ssl</td></tr></table>
205 This directive sets the optional <em>all-in-one</em> file where you can
206 assemble the certificates of Certification Authorities (CA) which form the
207 certificate chain of the server certificate. This starts with the issuing CA
208 certificate of of the server certificate and can range up to the root CA
209 certificate. Such a file is simply the concatenation of the various
210 PEM-encoded CA Certificate files, usually in certificate chain order.</p>
212 This should be used alternatively and/or additionally to <code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code> for explicitly
213 constructing the server certificate chain which is sent to the browser
214 in addition to the server certificate. It is especially useful to
215 avoid conflicts with CA certificates when using client
216 authentication. Because although placing a CA certificate of the
217 server certificate chain into <code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code> has the same effect
218 for the certificate chain construction, it has the side-effect that
219 client certificates issued by this same CA certificate are also
220 accepted on client authentication. That's usually not one expect.</p>
222 But be careful: Providing the certificate chain works only if you are using a
223 <em>single</em> (either RSA <em>or</em> DSA) based server certificate. If you are
224 using a coupled RSA+DSA certificate pair, this will work only if actually both
225 certificates use the <em>same</em> certificate chain. Else the browsers will be
226 confused in this situation.</p>
227 <div class="example"><h3>Example</h3><p><code>
228 SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/ca.crt
230 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLCertificateFile" id="SSLCertificateFile">SSLCertificateFile</a> <a name="sslcertificatefile" id="sslcertificatefile">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
231 </a></th><td>Server PEM-encoded X.509 Certificate file</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
232 </a></th><td><code>SSLCertificateFile <em>file-path</em></code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
233 </a></th><td>server config, virtual host</td></tr><tr><th><a href="directive-dict.html#Status">Status:
234 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
235 </a></th><td>mod_ssl</td></tr></table>
237 This directive points to the PEM-encoded Certificate file for the server and
238 optionally also to the corresponding RSA or DSA Private Key file for it
239 (contained in the same file). If the contained Private Key is encrypted the
240 Pass Phrase dialog is forced at startup time. This directive can be used up to
241 two times (referencing different filenames) when both a RSA and a DSA based
242 server certificate is used in parallel.</p>
243 <div class="example"><h3>Example</h3><p><code>
244 SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
246 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLCertificateKeyFile" id="SSLCertificateKeyFile">SSLCertificateKeyFile</a> <a name="sslcertificatekeyfile" id="sslcertificatekeyfile">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
247 </a></th><td>Server PEM-encoded Private Key file</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
248 </a></th><td><code>SSLCertificateKeyFile <em>file-path</em></code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
249 </a></th><td>server config, virtual host</td></tr><tr><th><a href="directive-dict.html#Status">Status:
250 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
251 </a></th><td>mod_ssl</td></tr></table>
253 This directive points to the PEM-encoded Private Key file for the
254 server. If the Private Key is not combined with the Certificate in the
255 <code class="directive">SSLCertificateFile</code>, use this additional directive to
256 point to the file with the stand-alone Private Key. When
257 <code class="directive">SSLCertificateFile</code> is used and the file
258 contains both the Certificate and the Private Key this directive need
259 not be used. But we strongly discourage this practice. Instead we
260 recommend you to separate the Certificate and the Private Key. If the
261 contained Private Key is encrypted, the Pass Phrase dialog is forced
262 at startup time. This directive can be used up to two times
263 (referencing different filenames) when both a RSA and a DSA based
264 private key is used in parallel.</p>
265 <div class="example"><h3>Example</h3><p><code>
266 SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
268 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLCipherSuite" id="SSLCipherSuite">SSLCipherSuite</a> <a name="sslciphersuite" id="sslciphersuite">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
269 </a></th><td>Cipher Suite available for negotiation in SSL
270 handshake</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
271 </a></th><td><code>SSLCipherSuite <em>cipher-spec</em></code></td></tr><tr><th><a href="directive-dict.html#Default">Default:
272 </a></th><td><code>SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
273 </a></th><td>server config, virtual host, directory, .htaccess</td></tr><tr><th><a href="directive-dict.html#Override">Override:
274 </a></th><td>AuthConfig</td></tr><tr><th><a href="directive-dict.html#Status">Status:
275 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
276 </a></th><td>mod_ssl</td></tr></table>
278 This complex directive uses a colon-separated <em>cipher-spec</em> string
279 consisting of OpenSSL cipher specifications to configure the Cipher Suite the
280 client is permitted to negotiate in the SSL handshake phase. Notice that this
281 directive can be used both in per-server and per-directory context. In
282 per-server context it applies to the standard SSL handshake when a connection
283 is established. In per-directory context it forces a SSL renegotation with the
284 reconfigured Cipher Suite after the HTTP request was read but before the HTTP
285 response is sent.</p>
287 An SSL cipher specification in <em>cipher-spec</em> is composed of 4 major
288 attributes plus a few extra minor ones:</p>
290 <li><em>Key Exchange Algorithm</em>:<br />
291 RSA or Diffie-Hellman variants.
293 <li><em>Authentication Algorithm</em>:<br />
294 RSA, Diffie-Hellman, DSS or none.
296 <li><em>Cipher/Encryption Algorithm</em>:<br />
297 DES, Triple-DES, RC4, RC2, IDEA or none.
299 <li><em>MAC Digest Algorithm</em>:<br />
303 <p>An SSL cipher can also be an export cipher and is either a SSLv2 or SSLv3/TLSv1
304 cipher (here TLSv1 is equivalent to SSLv3). To specify which ciphers to use,
305 one can either specify all the Ciphers, one at a time, or use aliases to
306 specify the preference and order for the ciphers (see <a href="#table1">Table
309 <table class="bordered">
310 <tr><th>Tag</th> <th>Description</th></tr>
311 <tr><td colspan="2"><em>Key Exchange Algorithm:</em></td></tr>
312 <tr><td><code>kRSA</code></td> <td>RSA key exchange</td></tr>
313 <tr><td><code>kDHr</code></td> <td>Diffie-Hellman key exchange with RSA key</td></tr>
314 <tr><td><code>kDHd</code></td> <td>Diffie-Hellman key exchange with DSA key</td></tr>
315 <tr><td><code>kEDH</code></td> <td>Ephemeral (temp.key) Diffie-Hellman key exchange (no cert)</td> </tr>
316 <tr><td colspan="2"><em>Authentication Algorithm:</em></td></tr>
317 <tr><td><code>aNULL</code></td> <td>No authentication</td></tr>
318 <tr><td><code>aRSA</code></td> <td>RSA authentication</td></tr>
319 <tr><td><code>aDSS</code></td> <td>DSS authentication</td> </tr>
320 <tr><td><code>aDH</code></td> <td>Diffie-Hellman authentication</td></tr>
321 <tr><td colspan="2"><em>Cipher Encoding Algorithm:</em></td></tr>
322 <tr><td><code>eNULL</code></td> <td>No encoding</td> </tr>
323 <tr><td><code>DES</code></td> <td>DES encoding</td> </tr>
324 <tr><td><code>3DES</code></td> <td>Triple-DES encoding</td> </tr>
325 <tr><td><code>RC4</code></td> <td>RC4 encoding</td> </tr>
326 <tr><td><code>RC2</code></td> <td>RC2 encoding</td> </tr>
327 <tr><td><code>IDEA</code></td> <td>IDEA encoding</td> </tr>
328 <tr><td colspan="2"><em>MAC Digest Algorithm</em>:</td></tr>
329 <tr><td><code>MD5</code></td> <td>MD5 hash function</td></tr>
330 <tr><td><code>SHA1</code></td> <td>SHA1 hash function</td></tr>
331 <tr><td><code>SHA</code></td> <td>SHA hash function</td> </tr>
332 <tr><td colspan="2"><em>Aliases:</em></td></tr>
333 <tr><td><code>SSLv2</code></td> <td>all SSL version 2.0 ciphers</td></tr>
334 <tr><td><code>SSLv3</code></td> <td>all SSL version 3.0 ciphers</td> </tr>
335 <tr><td><code>TLSv1</code></td> <td>all TLS version 1.0 ciphers</td> </tr>
336 <tr><td><code>EXP</code></td> <td>all export ciphers</td> </tr>
337 <tr><td><code>EXPORT40</code></td> <td>all 40-bit export ciphers only</td> </tr>
338 <tr><td><code>EXPORT56</code></td> <td>all 56-bit export ciphers only</td> </tr>
339 <tr><td><code>LOW</code></td> <td>all low strength ciphers (no export, single DES)</td></tr>
340 <tr><td><code>MEDIUM</code></td> <td>all ciphers with 128 bit encryption</td> </tr>
341 <tr><td><code>HIGH</code></td> <td>all ciphers using Triple-DES</td> </tr>
342 <tr><td><code>RSA</code></td> <td>all ciphers using RSA key exchange</td> </tr>
343 <tr><td><code>DH</code></td> <td>all ciphers using Diffie-Hellman key exchange</td> </tr>
344 <tr><td><code>EDH</code></td> <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr>
345 <tr><td><code>ADH</code></td> <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr>
346 <tr><td><code>DSS</code></td> <td>all ciphers using DSS authentication</td> </tr>
347 <tr><td><code>NULL</code></td> <td>all ciphers using no encryption</td> </tr>
350 Now where this becomes interesting is that these can be put together
351 to specify the order and ciphers you wish to use. To speed this up
352 there are also aliases (<code>SSLv2, SSLv3, TLSv1, EXP, LOW, MEDIUM,
353 HIGH</code>) for certain groups of ciphers. These tags can be joined
354 together with prefixes to form the <em>cipher-spec</em>. Available
357 <li>none: add cipher to list</li>
358 <li><code>+</code>: add ciphers to list and pull them to current location in list</li>
359 <li><code>-</code>: remove cipher from list (can be added later again)</li>
360 <li><code>!</code>: kill cipher from list completely (can <strong>not</strong> be added later again)</li>
362 <p>A simpler way to look at all of this is to use the ``<code>openssl ciphers
363 -v</code>'' command which provides a nice way to successively create the
364 correct <em>cipher-spec</em> string. The default <em>cipher-spec</em> string
365 is ``<code>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>'' which
366 means the following: first, remove from consideration any ciphers that do not
367 authenticate, i.e. for SSL only the Anonymous Diffie-Hellman ciphers. Next,
368 use ciphers using RC4 and RSA. Next include the high, medium and then the low
369 security ciphers. Finally <em>pull</em> all SSLv2 and export ciphers to the
371 <div class="example"><pre>
372 $ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
373 NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
374 NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
375 EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
377 EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
378 EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
379 EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
381 <p>The complete list of particular RSA & DH ciphers for SSL is given in <a href="#table2">Table 2</a>.</p>
382 <div class="example"><h3>Example</h3><p><code>
383 SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
385 <table class="bordered">
386 <tr><th>Cipher-Tag</th> <th>Protocol</th> <th>Key Ex.</th> <th>Auth.</th> <th>Enc.</th> <th>MAC</th> <th>Type</th> </tr>
387 <tr><td colspan="7"><em>RSA Ciphers:</em></td></tr>
388 <tr><td><code>DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>3DES(168)</td> <td>SHA1</td> <td /> </tr>
389 <tr><td><code>DES-CBC3-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>3DES(168)</td> <td>MD5</td> <td /> </tr>
390 <tr><td><code>IDEA-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>IDEA(128)</td> <td>SHA1</td> <td /> </tr>
391 <tr><td><code>RC4-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>SHA1</td> <td /> </tr>
392 <tr><td><code>RC4-MD5</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>MD5</td> <td /> </tr>
393 <tr><td><code>IDEA-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>IDEA(128)</td> <td>MD5</td> <td /> </tr>
394 <tr><td><code>RC2-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC2(128)</td> <td>MD5</td> <td /> </tr>
395 <tr><td><code>RC4-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>MD5</td> <td /> </tr>
396 <tr><td><code>DES-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>DES(56)</td> <td>SHA1</td> <td /> </tr>
397 <tr><td><code>RC4-64-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC4(64)</td> <td>MD5</td> <td /> </tr>
398 <tr><td><code>DES-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>DES(56)</td> <td>MD5</td> <td /> </tr>
399 <tr><td><code>EXP-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
400 <tr><td><code>EXP-RC2-CBC-MD5</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>RC2(40)</td> <td>MD5</td> <td> export</td> </tr>
401 <tr><td><code>EXP-RC4-MD5</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>RC4(40)</td> <td>MD5</td> <td> export</td> </tr>
402 <tr><td><code>EXP-RC2-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA(512)</td> <td>RSA</td> <td>RC2(40)</td> <td>MD5</td> <td> export</td> </tr>
403 <tr><td><code>EXP-RC4-MD5</code></td> <td>SSLv2</td> <td>RSA(512)</td> <td>RSA</td> <td>RC4(40)</td> <td>MD5</td> <td> export</td> </tr>
404 <tr><td><code>NULL-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>None</td> <td>SHA1</td> <td /> </tr>
405 <tr><td><code>NULL-MD5</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>None</td> <td>MD5</td> <td /> </tr>
406 <tr><td colspan="7"><em>Diffie-Hellman Ciphers:</em></td></tr>
407 <tr><td><code>ADH-DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>None</td> <td>3DES(168)</td> <td>SHA1</td> <td /> </tr>
408 <tr><td><code>ADH-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>None</td> <td>DES(56)</td> <td>SHA1</td> <td /> </tr>
409 <tr><td><code>ADH-RC4-MD5</code></td> <td>SSLv3</td> <td>DH</td> <td>None</td> <td>RC4(128)</td> <td>MD5</td> <td /> </tr>
410 <tr><td><code>EDH-RSA-DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>RSA</td> <td>3DES(168)</td> <td>SHA1</td> <td /> </tr>
411 <tr><td><code>EDH-DSS-DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>DSS</td> <td>3DES(168)</td> <td>SHA1</td> <td /> </tr>
412 <tr><td><code>EDH-RSA-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>RSA</td> <td>DES(56)</td> <td>SHA1</td> <td /> </tr>
413 <tr><td><code>EDH-DSS-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>DSS</td> <td>DES(56)</td> <td>SHA1</td> <td /> </tr>
414 <tr><td><code>EXP-EDH-RSA-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>RSA</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
415 <tr><td><code>EXP-EDH-DSS-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>DSS</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
416 <tr><td><code>EXP-ADH-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>None</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
417 <tr><td><code>EXP-ADH-RC4-MD5</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>None</td> <td>RC4(40)</td> <td>MD5</td> <td> export</td> </tr>
419 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLEngine" id="SSLEngine">SSLEngine</a> <a name="sslengine" id="sslengine">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
420 </a></th><td>SSL Engine Operation Switch</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
421 </a></th><td><code>SSLEngine on|off</code></td></tr><tr><th><a href="directive-dict.html#Default">Default:
422 </a></th><td><code>SSLEngine off</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
423 </a></th><td>server config, virtual host</td></tr><tr><th><a href="directive-dict.html#Status">Status:
424 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
425 </a></th><td>mod_ssl</td></tr></table>
427 This directive toggles the usage of the SSL/TLS Protocol Engine. This
428 is usually used inside a <code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code> section to enable SSL/TLS for a
429 particular virtual host. By default the SSL/TLS Protocol Engine is
430 disabled for both the main server and all configured virtual hosts.</p>
431 <div class="example"><h3>Example</h3><p><code>
432 <VirtualHost _default_:443><br />
437 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLMutex" id="SSLMutex">SSLMutex</a> <a name="sslmutex" id="sslmutex">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
438 </a></th><td>Semaphore for internal mutual exclusion of
439 operations</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
440 </a></th><td><code>SSLMutex <em>type</em></code></td></tr><tr><th><a href="directive-dict.html#Default">Default:
441 </a></th><td><code>SSLMutex none</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
442 </a></th><td>server config</td></tr><tr><th><a href="directive-dict.html#Status">Status:
443 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
444 </a></th><td>mod_ssl</td></tr></table>
446 This configures the SSL engine's semaphore (aka. lock) which is used for mutual
447 exclusion of operations which have to be done in a synchronized way between the
448 pre-forked Apache server processes. This directive can only be used in the
449 global server context because it's only useful to have one global mutex.</p>
451 The following Mutex <em>types</em> are available:</p>
453 <li><code>none</code>
455 This is the default where no Mutex is used at all. Use it at your own
456 risk. But because currently the Mutex is mainly used for synchronizing
457 write access to the SSL Session Cache you can live without it as long
458 as you accept a sometimes garbled Session Cache. So it's not recommended
459 to leave this the default. Instead configure a real Mutex.</p></li>
460 <li><code>file:/path/to/mutex</code>
462 This is the portable and (under Unix) always provided Mutex variant where
463 a physical (lock-)file is used as the Mutex. Always use a local disk
464 filesystem for <code>/path/to/mutex</code> and never a file residing on a
465 NFS- or AFS-filesystem. Note: Internally, the Process ID (PID) of the
466 Apache parent process is automatically appended to
467 <code>/path/to/mutex</code> to make it unique, so you don't have to worry
468 about conflicts yourself. Notice that this type of mutex is not available
469 under the Win32 environment. There you <em>have</em> to use the semaphore
473 This is the most elegant but also most non-portable Mutex variant where a
474 SysV IPC Semaphore (under Unix) and a Windows Mutex (under Win32) is used
475 when possible. It is only available when the underlying platform
476 supports it.</p></li>
478 <div class="example"><h3>Example</h3><p><code>
479 SSLMutex file:/usr/local/apache/logs/ssl_mutex
481 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLOptions" id="SSLOptions">SSLOptions</a> <a name="ssloptions" id="ssloptions">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
482 </a></th><td>Configure various SSL engine run-time options</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
483 </a></th><td><code>SSLOptions [+|-]<em>option</em> ...</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
484 </a></th><td>server config, virtual host, directory, .htaccess</td></tr><tr><th><a href="directive-dict.html#Override">Override:
485 </a></th><td>Options</td></tr><tr><th><a href="directive-dict.html#Status">Status:
486 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
487 </a></th><td>mod_ssl</td></tr></table>
489 This directive can be used to control various run-time options on a
490 per-directory basis. Normally, if multiple <code>SSLOptions</code>
491 could apply to a directory, then the most specific one is taken
492 completely; the options are not merged. However if <em>all</em> the
493 options on the <code>SSLOptions</code> directive are preceded by a
494 plus (<code>+</code>) or minus (<code>-</code>) symbol, the options
495 are merged. Any options preceded by a <code>+</code> are added to the
496 options currently in force, and any options preceded by a
497 <code>-</code> are removed from the options currently in force.</p>
499 The available <em>option</em>s are:</p>
501 <li><code>StdEnvVars</code>
503 When this option is enabled, the standard set of SSL related CGI/SSI
504 environment variables are created. This per default is disabled for
505 performance reasons, because the information extraction step is a
506 rather expensive operation. So one usually enables this option for
507 CGI and SSI requests only.</p>
509 <li><code>CompatEnvVars</code>
511 When this option is enabled, additional CGI/SSI environment variables are
512 created for backward compatibility to other Apache SSL solutions. Look in
513 the <a href="../ssl/ssl_compat.html">Compatibility</a> chapter for details
514 on the particular variables generated.</p>
516 <li><code>ExportCertData</code>
518 When this option is enabled, additional CGI/SSI environment variables are
519 created: <code>SSL_SERVER_CERT</code>, <code>SSL_CLIENT_CERT</code> and
520 <code>SSL_CLIENT_CERT_CHAIN</code><em>n</em> (with <em>n</em> = 0,1,2,..).
521 These contain the PEM-encoded X.509 Certificates of server and client for
522 the current HTTPS connection and can be used by CGI scripts for deeper
523 Certificate checking. Additionally all other certificates of the client
524 certificate chain are provided, too. This bloats up the environment a
525 little bit which is why you have to use this option to enable it on
528 <li><code>FakeBasicAuth</code>
530 When this option is enabled, the Subject Distinguished Name (DN) of the
531 Client X509 Certificate is translated into a HTTP Basic Authorization
532 username. This means that the standard Apache authentication methods can
533 be used for access control. The user name is just the Subject of the
534 Client's X509 Certificate (can be determined by running OpenSSL's
535 <code>openssl x509</code> command: <code>openssl x509 -noout -subject -in
536 </code><em>certificate</em><code>.crt</code>). Note that no password is
537 obtained from the user. Every entry in the user file needs this password:
538 ``<code>xxj31ZMTZzkVA</code>'', which is the DES-encrypted version of the
539 word `<code>password</code>''. Those who live under MD5-based encryption
540 (for instance under FreeBSD or BSD/OS, etc.) should use the following MD5
541 hash of the same word: ``<code>$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/</code>''.</p>
543 <li><code>StrictRequire</code>
545 This <em>forces</em> forbidden access when <code>SSLRequireSSL</code> or
546 <code>SSLRequire</code> successfully decided that access should be
547 forbidden. Usually the default is that in the case where a ``<code>Satisfy
548 any</code>'' directive is used, and other access restrictions are passed,
549 denial of access due to <code>SSLRequireSSL</code> or
550 <code>SSLRequire</code> is overridden (because that's how the Apache
551 <code>Satisfy</code> mechanism should work.) But for strict access restriction
552 you can use <code>SSLRequireSSL</code> and/or <code>SSLRequire</code> in
553 combination with an ``<code>SSLOptions +StrictRequire</code>''. Then an
554 additional ``<code>Satisfy Any</code>'' has no chance once mod_ssl has
555 decided to deny access.</p>
557 <li><code>OptRenegotiate</code>
559 This enables optimized SSL connection renegotiation handling when SSL
560 directives are used in per-directory context. By default a strict
561 scheme is enabled where <em>every</em> per-directory reconfiguration of
562 SSL parameters causes a <em>full</em> SSL renegotiation handshake. When this
563 option is used mod_ssl tries to avoid unnecessary handshakes by doing more
564 granular (but still safe) parameter checks. Nevertheless these granular
565 checks sometimes maybe not what the user expects, so enable this on a
566 per-directory basis only, please.</p>
569 <div class="example"><h3>Example</h3><p><code>
570 SSLOptions +FakeBasicAuth -StrictRequire<br />
571 <Files ~ "\.(cgi|shtml)$"><br />
572 SSLOptions +StdEnvVars +CompatEnvVars -ExportCertData<br />
575 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLPassPhraseDialog" id="SSLPassPhraseDialog">SSLPassPhraseDialog</a> <a name="sslpassphrasedialog" id="sslpassphrasedialog">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
576 </a></th><td>Type of pass phrase dialog for encrypted private
577 keys</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
578 </a></th><td><code>SSLPassPhraseDialog <em>type</em></code></td></tr><tr><th><a href="directive-dict.html#Default">Default:
579 </a></th><td><code>SSLPassPhraseDialog builtin</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
580 </a></th><td>server config</td></tr><tr><th><a href="directive-dict.html#Status">Status:
581 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
582 </a></th><td>mod_ssl</td></tr></table>
584 When Apache starts up it has to read the various Certificate (see
585 <code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>) and
586 Private Key (see <code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code>) files of the
587 SSL-enabled virtual servers. Because for security reasons the Private
588 Key files are usually encrypted, mod_ssl needs to query the
589 administrator for a Pass Phrase in order to decrypt those files. This
590 query can be done in two ways which can be configured by
593 <li><code>builtin</code>
595 This is the default where an interactive terminal dialog occurs at startup
596 time just before Apache detaches from the terminal. Here the administrator
597 has to manually enter the Pass Phrase for each encrypted Private Key file.
598 Because a lot of SSL-enabled virtual hosts can be configured, the
599 following reuse-scheme is used to minimize the dialog: When a Private Key
600 file is encrypted, all known Pass Phrases (at the beginning there are
601 none, of course) are tried. If one of those known Pass Phrases succeeds no
602 dialog pops up for this particular Private Key file. If none succeeded,
603 another Pass Phrase is queried on the terminal and remembered for the next
604 round (where it perhaps can be reused).</p>
606 This scheme allows mod_ssl to be maximally flexible (because for N encrypted
607 Private Key files you <em>can</em> use N different Pass Phrases - but then
608 you have to enter all of them, of course) while minimizing the terminal
609 dialog (i.e. when you use a single Pass Phrase for all N Private Key files
610 this Pass Phrase is queried only once).</p></li>
612 <li><code>exec:/path/to/program</code>
614 Here an external program is configured which is called at startup for each
615 encrypted Private Key file. It is called with two arguments (the first is
616 of the form ``<code>servername:portnumber</code>'', the second is either
617 ``<code>RSA</code>'' or ``<code>DSA</code>''), which indicate for which
618 server and algorithm it has to print the corresponding Pass Phrase to
619 <code>stdout</code>. The intent is that this external program first runs
620 security checks to make sure that the system is not compromised by an
621 attacker, and only when these checks were passed successfully it provides
624 Both these security checks, and the way the Pass Phrase is determined, can
625 be as complex as you like. Mod_ssl just defines the interface: an
626 executable program which provides the Pass Phrase on <code>stdout</code>.
627 Nothing more or less! So, if you're really paranoid about security, here
628 is your interface. Anything else has to be left as an exercise to the
629 administrator, because local security requirements are so different.</p>
631 The reuse-algorithm above is used here, too. In other words: The external
632 program is called only once per unique Pass Phrase.</p></li>
636 <div class="example"><p><code>
637 SSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter
639 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLProtocol" id="SSLProtocol">SSLProtocol</a> <a name="sslprotocol" id="sslprotocol">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
640 </a></th><td>Configure usable SSL protocol flavors</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
641 </a></th><td><code>SSLProtocol [+|-]<em>protocol</em> ...</code></td></tr><tr><th><a href="directive-dict.html#Default">Default:
642 </a></th><td><code>SSLProtocol all</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
643 </a></th><td>server config, virtual host</td></tr><tr><th><a href="directive-dict.html#Override">Override:
644 </a></th><td>Options</td></tr><tr><th><a href="directive-dict.html#Status">Status:
645 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
646 </a></th><td>mod_ssl</td></tr></table>
648 This directive can be used to control the SSL protocol flavors mod_ssl should
649 use when establishing its server environment. Clients then can only connect
650 with one of the provided protocols.</p>
652 The available (case-insensitive) <em>protocol</em>s are:</p>
654 <li><code>SSLv2</code>
656 This is the Secure Sockets Layer (SSL) protocol, version 2.0. It is the
657 original SSL protocol as designed by Netscape Corporation.</p></li>
659 <li><code>SSLv3</code>
661 This is the Secure Sockets Layer (SSL) protocol, version 3.0. It is the
662 successor to SSLv2 and the currently (as of February 1999) de-facto
663 standardized SSL protocol from Netscape Corporation. It's supported by
664 almost all popular browsers.</p></li>
666 <li><code>TLSv1</code>
668 This is the Transport Layer Security (TLS) protocol, version 1.0. It is the
669 successor to SSLv3 and currently (as of February 1999) still under
670 construction by the Internet Engineering Task Force (IETF). It's still
671 not supported by any popular browsers.</p></li>
675 This is a shortcut for ``<code>+SSLv2 +SSLv3 +TLSv1</code>'' and a
676 convinient way for enabling all protocols except one when used in
677 combination with the minus sign on a protocol as the example above
680 <div class="example"><h3>Example</h3><p><code>
681 # enable SSLv3 and TLSv1, but not SSLv2<br />
682 SSLProtocol all -SSLv2
684 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLProxyCACertificateFile" id="SSLProxyCACertificateFile">SSLProxyCACertificateFile</a> <a name="sslproxycacertificatefile" id="sslproxycacertificatefile">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
685 </a></th><td>File of concatenated PEM-encoded CA Certificates
686 for Remote Server Auth</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
687 </a></th><td><code>SSLProxyCACertificateFile <em>file-path</em></code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
688 </a></th><td>server config, virtual host</td></tr><tr><th><a href="directive-dict.html#Status">Status:
689 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
690 </a></th><td>mod_ssl</td></tr></table>
692 This directive sets the <em>all-in-one</em> file where you can assemble the
693 Certificates of Certification Authorities (CA) whose <em>remote servers</em> you deal
694 with. These are used for Remote Server Authentication. Such a file is simply the
695 concatenation of the various PEM-encoded Certificate files, in order of
696 preference. This can be used alternatively and/or additionally to
697 <code class="directive"><a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></code>.</p>
698 <div class="example"><h3>Example</h3><p><code>
699 SSLProxyCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle-remote-server.crt
701 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLProxyCACertificatePath" id="SSLProxyCACertificatePath">SSLProxyCACertificatePath</a> <a name="sslproxycacertificatepath" id="sslproxycacertificatepath">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
702 </a></th><td>Directory of PEM-encoded CA Certificates for
703 Remote Server Auth</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
704 </a></th><td><code>SSLProxyCACertificatePath <em>directory-path</em></code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
705 </a></th><td>server config, virtual host</td></tr><tr><th><a href="directive-dict.html#Status">Status:
706 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
707 </a></th><td>mod_ssl</td></tr></table>
709 This directive sets the directory where you keep the Certificates of
710 Certification Authorities (CAs) whose remote servers you deal with. These are used to
711 verify the remote server certificate on Remote Server Authentication.</p>
713 The files in this directory have to be PEM-encoded and are accessed through
714 hash filenames. So usually you can't just place the Certificate files
715 there: you also have to create symbolic links named
716 <em>hash-value</em><code>.N</code>. And you should always make sure this directory
717 contains the appropriate symbolic links. Use the <code>Makefile</code> which
718 comes with mod_ssl to accomplish this task.</p>
719 <div class="example"><h3>Example</h3><p><code>
720 SSLProxyCACertificatePath /usr/local/apache/conf/ssl.crt/
722 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLProxyCARevocationFile" id="SSLProxyCARevocationFile">SSLProxyCARevocationFile</a> <a name="sslproxycarevocationfile" id="sslproxycarevocationfile">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
723 </a></th><td>File of concatenated PEM-encoded CA CRLs for
724 Remote Server Auth</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
725 </a></th><td><code>SSLProxyCARevocationFile <em>file-path</em></code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
726 </a></th><td>server config, virtual host</td></tr><tr><th><a href="directive-dict.html#Status">Status:
727 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
728 </a></th><td>mod_ssl</td></tr></table>
730 This directive sets the <em>all-in-one</em> file where you can
731 assemble the Certificate Revocation Lists (CRL) of Certification
732 Authorities (CA) whose <em>remote servers</em> you deal with. These are used
733 for Remote Server Authentication. Such a file is simply the concatenation of
734 the various PEM-encoded CRL files, in order of preference. This can be
735 used alternatively and/or additionally to <code class="directive"><a href="#sslproxycarevocationpath">SSLProxyCARevocationPath</a></code>.</p>
736 <div class="example"><h3>Example</h3><p><code>
737 SSLProxyCARevocationFile /usr/local/apache/conf/ssl.crl/ca-bundle-remote-server.crl
739 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLProxyCARevocationPath" id="SSLProxyCARevocationPath">SSLProxyCARevocationPath</a> <a name="sslproxycarevocationpath" id="sslproxycarevocationpath">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
740 </a></th><td>Directory of PEM-encoded CA CRLs for
741 Remote Server Auth</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
742 </a></th><td><code>SSLProxyCARevocationPath <em>directory-path</em></code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
743 </a></th><td>server config, virtual host</td></tr><tr><th><a href="directive-dict.html#Status">Status:
744 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
745 </a></th><td>mod_ssl</td></tr></table>
747 This directive sets the directory where you keep the Certificate Revocation
748 Lists (CRL) of Certification Authorities (CAs) whose remote servers you deal with.
749 These are used to revoke the remote server certificate on Remote Server Authentication.</p>
751 The files in this directory have to be PEM-encoded and are accessed through
752 hash filenames. So usually you have not only to place the CRL files there.
753 Additionally you have to create symbolic links named
754 <em>hash-value</em><code>.rN</code>. And you should always make sure this directory
755 contains the appropriate symbolic links. Use the <code>Makefile</code> which
756 comes with <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> to accomplish this task.</p>
757 <div class="example"><h3>Example</h3><p><code>
758 SSLProxyCARevocationPath /usr/local/apache/conf/ssl.crl/
760 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLProxyCipherSuite" id="SSLProxyCipherSuite">SSLProxyCipherSuite</a> <a name="sslproxyciphersuite" id="sslproxyciphersuite">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
761 </a></th><td>Cipher Suite available for negotiation in SSL
762 proxy handshake</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
763 </a></th><td><code>SSLProxyCipherSuite <em>cipher-spec</em></code></td></tr><tr><th><a href="directive-dict.html#Default">Default:
764 </a></th><td><code>SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
765 </a></th><td>server config, virtual host, directory, .htaccess</td></tr><tr><th><a href="directive-dict.html#Override">Override:
766 </a></th><td>AuthConfig</td></tr><tr><th><a href="directive-dict.html#Status">Status:
767 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
768 </a></th><td>mod_ssl</td></tr></table>
769 <p>Equivalent to <code>SSLCipherSuite</code>, but for the proxy connection.
770 Please refer to <code class="directive"><a href="#sslciphersuite">SSLCipherSuite</a></code>
771 for additional information.</p>
772 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLProxyEngine" id="SSLProxyEngine">SSLProxyEngine</a> <a name="sslproxyengine" id="sslproxyengine">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
773 </a></th><td>SSL Proxy Engine Operation Switch</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
774 </a></th><td><code>SSLProxyEngine on|off</code></td></tr><tr><th><a href="directive-dict.html#Default">Default:
775 </a></th><td><code>SSLProxyEngine off</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
776 </a></th><td>server config, virtual host</td></tr><tr><th><a href="directive-dict.html#Status">Status:
777 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
778 </a></th><td>mod_ssl</td></tr></table>
780 This directive toggles the usage of the SSL/TLS Protocol Engine for proxy. This
781 is usually used inside a <code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code> section to enable SSL/TLS for proxy
782 usage in a particular virtual host. By default the SSL/TLS Protocol Engine is
783 disabled for proxy image both for the main server and all configured virtual hosts.</p>
784 <div class="example"><h3>Example</h3><p><code>
785 <VirtualHost _default_:443><br />
786 SSLProxyEngine on<br />
790 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLProxyMachineCertificateFile" id="SSLProxyMachineCertificateFile">SSLProxyMachineCertificateFile</a> <a name="sslproxymachinecertificatefile" id="sslproxymachinecertificatefile">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
791 </a></th><td>File of concatenated PEM-encoded CA certificates for proxy server client certificates</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
792 </a></th><td><code>SSLProxyMachineCertificateFile <em>filename</em></code></td></tr><tr><th><a href="directive-dict.html#Default">Default:
793 </a></th><td><code>None</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
794 </a></th><td>server config</td></tr><tr><th><a href="directive-dict.html#Override">Override:
795 </a></th><td>Not applicable</td></tr><tr><th><a href="directive-dict.html#Status">Status:
796 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
797 </a></th><td>mod_ssl</td></tr></table>
799 This directive sets the all-in-one file where you keep the certificates of
800 Certification Authorities (CAs) whose proxy client certificates are used for
801 authentication of the proxy server to remote servers.
804 This referenced file is simply the concatenation of the various PEM-encoded
805 certificate files, in order of preference. Use this directive alternatively
806 or additionally to <code>SSLProxyMachineCertificatePath</code>.
810 <div class="example"><p><code>
811 SSLProxyMachineCertificatePath /usr/local/apache/conf/ssl.crt/
813 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLProxyMachineCertificatePath" id="SSLProxyMachineCertificatePath">SSLProxyMachineCertificatePath</a> <a name="sslproxymachinecertificatepath" id="sslproxymachinecertificatepath">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
814 </a></th><td>Directory of PEM-encoded CA certificates for proxy server client certificates</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
815 </a></th><td><code>SSLProxyMachineCertificatePath <em>directory</em></code></td></tr><tr><th><a href="directive-dict.html#Default">Default:
816 </a></th><td><code>None</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
817 </a></th><td>server config</td></tr><tr><th><a href="directive-dict.html#Override">Override:
818 </a></th><td>Not applicable</td></tr><tr><th><a href="directive-dict.html#Status">Status:
819 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
820 </a></th><td>mod_ssl</td></tr></table>
822 This directive sets the directory where you keep the certificates of
823 Certification Authorities (CAs) whose proxy client certificates are used for
824 authentication of the proxy server to remote servers.
826 <p>The files in this directory must be PEM-encoded and are accessed through
827 hash filenames. Additionally, you must create symbolic links named
828 <code><em>hash-value</em>.N</code>. And you should always make sure this
829 directory contains the appropriate symbolic links. Use the Makefile which
830 comes with mod_ssl to accomplish this task.
834 <div class="example"><p><code>
835 SSLProxyMachineCertificatePath /usr/local/apache/conf/ssl.crt/
837 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLProxyProtocol" id="SSLProxyProtocol">SSLProxyProtocol</a> <a name="sslproxyprotocol" id="sslproxyprotocol">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
838 </a></th><td>Configure usable SSL protocol flavors for proxy usage</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
839 </a></th><td><code>SSLProxyProtocol [+|-]<em>protocol</em> ...</code></td></tr><tr><th><a href="directive-dict.html#Default">Default:
840 </a></th><td><code>SSLProxyProtocol all</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
841 </a></th><td>server config, virtual host</td></tr><tr><th><a href="directive-dict.html#Override">Override:
842 </a></th><td>Options</td></tr><tr><th><a href="directive-dict.html#Status">Status:
843 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
844 </a></th><td>mod_ssl</td></tr></table>
847 This directive can be used to control the SSL protocol flavors mod_ssl should
848 use when establishing its server environment for proxy . It will only connect
849 to servers using one of the provided protocols.</p>
850 <p>Please refer to <code class="directive"><a href="#sslprotocol">SSLProtocol</a></code>
851 for additional information.
853 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLProxyVerify" id="SSLProxyVerify">SSLProxyVerify</a> <a name="sslproxyverify" id="sslproxyverify">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
854 </a></th><td>Type of remote server Certificate verification</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
855 </a></th><td><code>SSLProxyVerify <em>level</em></code></td></tr><tr><th><a href="directive-dict.html#Default">Default:
856 </a></th><td><code>SSLProxyVerify none</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
857 </a></th><td>server config, virtual host, directory, .htaccess</td></tr><tr><th><a href="directive-dict.html#Override">Override:
858 </a></th><td>AuthConfig</td></tr><tr><th><a href="directive-dict.html#Status">Status:
859 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
860 </a></th><td>mod_ssl</td></tr></table>
862 This directive sets the Certificate verification level for the remote server
863 Authentication. Notice that this directive can be used both in per-server and
864 per-directory context. In per-server context it applies to the remote server
865 authentication process used in the standard SSL handshake when a connection is
866 established. In per-directory context it forces a SSL renegotation with the
867 reconfigured remote server verification level after the HTTP request was read but
868 before the HTTP response is sent.</p>
870 The following levels are available for <em>level</em>:</p>
872 <li><strong>none</strong>:
873 no remote server Certificate is required at all</li>
874 <li><strong>optional</strong>:
875 the remote server <em>may</em> present a valid Certificate</li>
876 <li><strong>require</strong>:
877 the remote server <em>has to</em> present a valid Certificate</li>
878 <li><strong>optional_no_ca</strong>:
879 the remote server may present a valid Certificate<br />
880 but it need not to be (successfully) verifiable.</li>
882 <p>In practice only levels <strong>none</strong> and
883 <strong>require</strong> are really interesting, because level
884 <strong>optional</strong> doesn't work with all servers and level
885 <strong>optional_no_ca</strong> is actually against the idea of
886 authentication (but can be used to establish SSL test pages, etc.)</p>
887 <div class="example"><h3>Example</h3><p><code>
888 SSLProxyVerify require
890 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLProxyVerifyDepth" id="SSLProxyVerifyDepth">SSLProxyVerifyDepth</a> <a name="sslproxyverifydepth" id="sslproxyverifydepth">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
891 </a></th><td>Maximum depth of CA Certificates in Remote Server
892 Certificate verification</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
893 </a></th><td><code>SSLVerifyDepth <em>number</em></code></td></tr><tr><th><a href="directive-dict.html#Default">Default:
894 </a></th><td><code>SSLVerifyDepth 1</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
895 </a></th><td>server config, virtual host, directory, .htaccess</td></tr><tr><th><a href="directive-dict.html#Override">Override:
896 </a></th><td>AuthConfig</td></tr><tr><th><a href="directive-dict.html#Status">Status:
897 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
898 </a></th><td>mod_ssl</td></tr></table>
900 This directive sets how deeply mod_ssl should verify before deciding that the
901 remote server does not have a valid certificate. Notice that this directive can be
902 used both in per-server and per-directory context. In per-server context it
903 applies to the client authentication process used in the standard SSL
904 handshake when a connection is established. In per-directory context it forces
905 a SSL renegotation with the reconfigured remote server verification depth after the
906 HTTP request was read but before the HTTP response is sent.</p>
908 The depth actually is the maximum number of intermediate certificate issuers,
909 i.e. the number of CA certificates which are max allowed to be followed while
910 verifying the remote server certificate. A depth of 0 means that self-signed
911 remote server certificates are accepted only, the default depth of 1 means
912 the remote server certificate can be self-signed or has to be signed by a CA
913 which is directly known to the server (i.e. the CA's certificate is under
914 <code class="directive"><a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></code>), etc.</p>
915 <div class="example"><h3>Example</h3><p><code>
916 SSLProxyVerifyDepth 10
918 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLRandomSeed" id="SSLRandomSeed">SSLRandomSeed</a> <a name="sslrandomseed" id="sslrandomseed">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
919 </a></th><td>Pseudo Random Number Generator (PRNG) seeding
920 source</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
921 </a></th><td><code>SSLRandomSeed <em>context</em> <em>source</em>
922 [<em>bytes</em>]</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
923 </a></th><td>server config</td></tr><tr><th><a href="directive-dict.html#Status">Status:
924 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
925 </a></th><td>mod_ssl</td></tr></table>
927 This configures one or more sources for seeding the Pseudo Random Number
928 Generator (PRNG) in OpenSSL at startup time (<em>context</em> is
929 <code>startup</code>) and/or just before a new SSL connection is established
930 (<em>context</em> is <code>connect</code>). This directive can only be used
931 in the global server context because the PRNG is a global facility.</p>
933 The following <em>source</em> variants are available:</p>
935 <li><code>builtin</code>
936 <p> This is the always available builtin seeding source. It's usage
937 consumes minimum CPU cycles under runtime and hence can be always used
938 without drawbacks. The source used for seeding the PRNG contains of the
939 current time, the current process id and (when applicable) a randomly
940 choosen 1KB extract of the inter-process scoreboard structure of Apache.
941 The drawback is that this is not really a strong source and at startup
942 time (where the scoreboard is still not available) this source just
943 produces a few bytes of entropy. So you should always, at least for the
944 startup, use an additional seeding source.</p></li>
945 <li><code>file:/path/to/source</code>
947 This variant uses an external file <code>/path/to/source</code> as the
948 source for seeding the PRNG. When <em>bytes</em> is specified, only the
949 first <em>bytes</em> number of bytes of the file form the entropy (and
950 <em>bytes</em> is given to <code>/path/to/source</code> as the first
951 argument). When <em>bytes</em> is not specified the whole file forms the
952 entropy (and <code>0</code> is given to <code>/path/to/source</code> as
953 the first argument). Use this especially at startup time, for instance
954 with an available <code>/dev/random</code> and/or
955 <code>/dev/urandom</code> devices (which usually exist on modern Unix
956 derivates like FreeBSD and Linux).</p>
958 <em>But be careful</em>: Usually <code>/dev/random</code> provides only as
959 much entropy data as it actually has, i.e. when you request 512 bytes of
960 entropy, but the device currently has only 100 bytes available two things
961 can happen: On some platforms you receive only the 100 bytes while on
962 other platforms the read blocks until enough bytes are available (which
963 can take a long time). Here using an existing <code>/dev/urandom</code> is
964 better, because it never blocks and actually gives the amount of requested
965 data. The drawback is just that the quality of the received data may not
968 On some platforms like FreeBSD one can even control how the entropy is
969 actually generated, i.e. by which system interrupts. More details one can
970 find under <em>rndcontrol(8)</em> on those platforms. Alternatively, when
971 your system lacks such a random device, you can use tool
972 like <a href="http://www.lothar.com/tech/crypto/">EGD</a>
973 (Entropy Gathering Daemon) and run it's client program with the
974 <code>exec:/path/to/program/</code> variant (see below) or use
975 <code>egd:/path/to/egd-socket</code> (see below).</p></li>
977 <li><code>exec:/path/to/program</code>
979 This variant uses an external executable
980 <code>/path/to/program</code> as the source for seeding the
981 PRNG. When <em>bytes</em> is specified, only the first
982 <em>bytes</em> number of bytes of its <code>stdout</code> contents
983 form the entropy. When <em>bytes</em> is not specified, the
984 entirety of the data produced on <code>stdout</code> form the
985 entropy. Use this only at startup time when you need a very strong
986 seeding with the help of an external program (for instance as in
987 the example above with the <code>truerand</code> utility you can
988 find in the mod_ssl distribution which is based on the AT&T
989 <em>truerand</em> library). Using this in the connection context
990 slows down the server too dramatically, of course. So usually you
991 should avoid using external programs in that context.</p></li>
992 <li><code>egd:/path/to/egd-socket</code> (Unix only)
994 This variant uses the Unix domain socket of the
995 external Entropy Gathering Daemon (EGD) (see <a href="http://www.lothar.com/tech/crypto/">http://www.lothar.com/tech
996 /crypto/</a>) to seed the PRNG. Use this if no random device exists
997 on your platform.</p></li>
999 <div class="example"><h3>Example</h3><p><code>
1000 SSLRandomSeed startup builtin<br />
1001 SSLRandomSeed startup file:/dev/random<br />
1002 SSLRandomSeed startup file:/dev/urandom 1024<br />
1003 SSLRandomSeed startup exec:/usr/local/bin/truerand 16<br />
1004 SSLRandomSeed connect builtin<br />
1005 SSLRandomSeed connect file:/dev/random<br />
1006 SSLRandomSeed connect file:/dev/urandom 1024<br />
1008 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLRequire" id="SSLRequire">SSLRequire</a> <a name="sslrequire" id="sslrequire">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
1009 </a></th><td>Allow access only when an arbitrarily complex
1010 boolean expression is true</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
1011 </a></th><td><code>SSLRequire <em>expression</em></code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
1012 </a></th><td>directory, .htaccess</td></tr><tr><th><a href="directive-dict.html#Override">Override:
1013 </a></th><td>AuthConfig</td></tr><tr><th><a href="directive-dict.html#Status">Status:
1014 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
1015 </a></th><td>mod_ssl</td></tr></table>
1017 This directive specifies a general access requirement which has to be
1018 fulfilled in order to allow access. It's a very powerful directive because the
1019 requirement specification is an arbitrarily complex boolean expression
1020 containing any number of access checks.</p>
1022 The <em>expression</em> must match the following syntax (given as a BNF
1023 grammar notation):</p>
1026 expr ::= "<strong>true</strong>" | "<strong>false</strong>"
1027 | "<strong>!</strong>" expr
1028 | expr "<strong>&&</strong>" expr
1029 | expr "<strong>||</strong>" expr
1030 | "<strong>(</strong>" expr "<strong>)</strong>"
1033 comp ::= word "<strong>==</strong>" word | word "<strong>eq</strong>" word
1034 | word "<strong>!=</strong>" word | word "<strong>ne</strong>" word
1035 | word "<strong><</strong>" word | word "<strong>lt</strong>" word
1036 | word "<strong><=</strong>" word | word "<strong>le</strong>" word
1037 | word "<strong>></strong>" word | word "<strong>gt</strong>" word
1038 | word "<strong>>=</strong>" word | word "<strong>ge</strong>" word
1039 | word "<strong>in</strong>" "<strong>{</strong>" wordlist "<strong>}</strong>"
1040 | word "<strong>=~</strong>" regex
1041 | word "<strong>!~</strong>" regex
1044 | wordlist "<strong>,</strong>" word
1053 variable ::= "<strong>%{</strong>" varname "<strong>}</strong>"
1054 function ::= funcname "<strong>(</strong>" funcargs "<strong>)</strong>"
1057 <p>while for <code>varname</code> any variable from <a href="#table3">Table 3</a> can be used. Finally for
1058 <code>funcname</code> the following functions are available:</p>
1060 <li><code>file(</code><em>filename</em><code>)</code>
1062 This function takes one string argument and expands to the contents of the
1063 file. This is especially useful for matching this contents against a
1064 regular expression, etc.</p>
1067 <p>Notice that <em>expression</em> is first parsed into an internal machine
1068 representation and then evaluated in a second step. Actually, in Global and
1069 Per-Server Class context <em>expression</em> is parsed at startup time and
1070 at runtime only the machine representation is executed. For Per-Directory
1071 context this is different: here <em>expression</em> has to be parsed and
1072 immediately executed for every request.</p>
1073 <div class="example"><h3>Example</h3><p><code>
1074 SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \<br />
1075 and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \<br />
1076 and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \<br />
1077 and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \<br />
1078 and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \<br />
1079 or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
1081 <table class="bordered"><tr><td>
1082 <em>Standard CGI/1.0 and Apache variables:</em>
1084 HTTP_USER_AGENT PATH_INFO AUTH_TYPE
1085 HTTP_REFERER QUERY_STRING SERVER_SOFTWARE
1086 HTTP_COOKIE REMOTE_HOST API_VERSION
1087 HTTP_FORWARDED REMOTE_IDENT TIME_YEAR
1088 HTTP_HOST IS_SUBREQ TIME_MON
1089 HTTP_PROXY_CONNECTION DOCUMENT_ROOT TIME_DAY
1090 HTTP_ACCEPT SERVER_ADMIN TIME_HOUR
1091 HTTP:headername SERVER_NAME TIME_MIN
1092 THE_REQUEST SERVER_PORT TIME_SEC
1093 REQUEST_METHOD SERVER_PROTOCOL TIME_WDAY
1094 REQUEST_SCHEME REMOTE_ADDR TIME
1095 REQUEST_URI REMOTE_USER ENV:<strong>variablename</strong>
1098 <em>SSL-related variables:</em>
1100 HTTPS SSL_CLIENT_M_VERSION SSL_SERVER_M_VERSION
1101 SSL_CLIENT_M_SERIAL SSL_SERVER_M_SERIAL
1102 SSL_PROTOCOL SSL_CLIENT_V_START SSL_SERVER_V_START
1103 SSL_SESSION_ID SSL_CLIENT_V_END SSL_SERVER_V_END
1104 SSL_CIPHER SSL_CLIENT_S_DN SSL_SERVER_S_DN
1105 SSL_CIPHER_EXPORT SSL_CLIENT_S_DN_C SSL_SERVER_S_DN_C
1106 SSL_CIPHER_ALGKEYSIZE SSL_CLIENT_S_DN_ST SSL_SERVER_S_DN_ST
1107 SSL_CIPHER_USEKEYSIZE SSL_CLIENT_S_DN_L SSL_SERVER_S_DN_L
1108 SSL_VERSION_LIBRARY SSL_CLIENT_S_DN_O SSL_SERVER_S_DN_O
1109 SSL_VERSION_INTERFACE SSL_CLIENT_S_DN_OU SSL_SERVER_S_DN_OU
1110 SSL_CLIENT_S_DN_CN SSL_SERVER_S_DN_CN
1111 SSL_CLIENT_S_DN_T SSL_SERVER_S_DN_T
1112 SSL_CLIENT_S_DN_I SSL_SERVER_S_DN_I
1113 SSL_CLIENT_S_DN_G SSL_SERVER_S_DN_G
1114 SSL_CLIENT_S_DN_S SSL_SERVER_S_DN_S
1115 SSL_CLIENT_S_DN_D SSL_SERVER_S_DN_D
1116 SSL_CLIENT_S_DN_UID SSL_SERVER_S_DN_UID
1117 SSL_CLIENT_S_DN_Email SSL_SERVER_S_DN_Email
1118 SSL_CLIENT_I_DN SSL_SERVER_I_DN
1119 SSL_CLIENT_I_DN_C SSL_SERVER_I_DN_C
1120 SSL_CLIENT_I_DN_ST SSL_SERVER_I_DN_ST
1121 SSL_CLIENT_I_DN_L SSL_SERVER_I_DN_L
1122 SSL_CLIENT_I_DN_O SSL_SERVER_I_DN_O
1123 SSL_CLIENT_I_DN_OU SSL_SERVER_I_DN_OU
1124 SSL_CLIENT_I_DN_CN SSL_SERVER_I_DN_CN
1125 SSL_CLIENT_I_DN_T SSL_SERVER_I_DN_T
1126 SSL_CLIENT_I_DN_I SSL_SERVER_I_DN_I
1127 SSL_CLIENT_I_DN_G SSL_SERVER_I_DN_G
1128 SSL_CLIENT_I_DN_S SSL_SERVER_I_DN_S
1129 SSL_CLIENT_I_DN_D SSL_SERVER_I_DN_D
1130 SSL_CLIENT_I_DN_UID SSL_SERVER_I_DN_UID
1131 SSL_CLIENT_I_DN_Email SSL_SERVER_I_DN_Email
1132 SSL_CLIENT_A_SIG SSL_SERVER_A_SIG
1133 SSL_CLIENT_A_KEY SSL_SERVER_A_KEY
1134 SSL_CLIENT_CERT SSL_SERVER_CERT
1135 SSL_CLIENT_CERT_CHAIN<strong>n</strong>
1139 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLRequireSSL" id="SSLRequireSSL">SSLRequireSSL</a> <a name="sslrequiressl" id="sslrequiressl">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
1140 </a></th><td>Deny access when SSL is not used for the
1141 HTTP request</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
1142 </a></th><td><code>SSLRequireSSL</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
1143 </a></th><td>directory, .htaccess</td></tr><tr><th><a href="directive-dict.html#Override">Override:
1144 </a></th><td>AuthConfig</td></tr><tr><th><a href="directive-dict.html#Status">Status:
1145 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
1146 </a></th><td>mod_ssl</td></tr></table>
1148 This directive forbids access unless HTTP over SSL (i.e. HTTPS) is enabled for
1149 the current connection. This is very handy inside the SSL-enabled virtual
1150 host or directories for defending against configuration errors that expose
1151 stuff that should be protected. When this directive is present all requests
1152 are denied which are not using SSL.</p>
1153 <div class="example"><h3>Example</h3><p><code>
1156 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLSessionCache" id="SSLSessionCache">SSLSessionCache</a> <a name="sslsessioncache" id="sslsessioncache">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
1157 </a></th><td>Type of the global/inter-process SSL Session
1158 Cache</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
1159 </a></th><td><code>SSLSessionCache <em>type</em></code></td></tr><tr><th><a href="directive-dict.html#Default">Default:
1160 </a></th><td><code>SSLSessionCache none</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
1161 </a></th><td>server config</td></tr><tr><th><a href="directive-dict.html#Status">Status:
1162 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
1163 </a></th><td>mod_ssl</td></tr></table>
1165 This configures the storage type of the global/inter-process SSL Session
1166 Cache. This cache is an optional facility which speeds up parallel request
1167 processing. For requests to the same server process (via HTTP keep-alive),
1168 OpenSSL already caches the SSL session information locally. But because modern
1169 clients request inlined images and other data via parallel requests (usually
1170 up to four parallel requests are common) those requests are served by
1171 <em>different</em> pre-forked server processes. Here an inter-process cache
1172 helps to avoid unneccessary session handshakes.</p>
1174 The following two storage <em>type</em>s are currently supported:</p>
1176 <li><code>none</code>
1178 This is the default and just disables the global/inter-process Session
1179 Cache. There is no drawback in functionality, but a noticeable speed
1180 penalty can be observed.</p></li>
1181 <li><code>dbm:/path/to/datafile</code>
1183 This makes use of a DBM hashfile on the local disk to synchronize the
1184 local OpenSSL memory caches of the server processes. The slight increase
1185 in I/O on the server results in a visible request speedup for your
1186 clients, so this type of storage is generally recommended.</p></li>
1187 <li><code>shm:/path/to/datafile</code>[<code>(</code><em>size</em><code>)</code>]
1189 This makes use of a high-performance hash table (approx. <em>size</em> bytes
1190 in size) inside a shared memory segment in RAM (established via
1191 <code>/path/to/datafile</code>) to synchronize the local OpenSSL memory
1192 caches of the server processes. This storage type is not available on all
1193 platforms. See the mod_ssl <code>INSTALL</code> document for details on
1194 how to build Apache+EAPI with shared memory support.</p></li>
1196 <div class="example"><h3>Examples</h3><p><code>
1197 SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data<br />
1198 SSLSessionCache shm:/usr/local/apache/logs/ssl_gcache_data(512000)
1200 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLSessionCacheTimeout" id="SSLSessionCacheTimeout">SSLSessionCacheTimeout</a> <a name="sslsessioncachetimeout" id="sslsessioncachetimeout">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
1201 </a></th><td>Number of seconds before an SSL session expires
1202 in the Session Cache</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
1203 </a></th><td><code>SSLSessionCacheTimeout <em>seconds</em></code></td></tr><tr><th><a href="directive-dict.html#Default">Default:
1204 </a></th><td><code>SSLSessionCacheTimeout 300</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
1205 </a></th><td>server config, virtual host</td></tr><tr><th><a href="directive-dict.html#Status">Status:
1206 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
1207 </a></th><td>mod_ssl</td></tr></table>
1209 This directive sets the timeout in seconds for the information stored in the
1210 global/inter-process SSL Session Cache and the OpenSSL internal memory cache.
1211 It can be set as low as 15 for testing, but should be set to higher
1212 values like 300 in real life.</p>
1213 <div class="example"><h3>Example</h3><p><code>
1214 SSLSessionCacheTimeout 600
1216 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLVerifyClient" id="SSLVerifyClient">SSLVerifyClient</a> <a name="sslverifyclient" id="sslverifyclient">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
1217 </a></th><td>Type of Client Certificate verification</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
1218 </a></th><td><code>SSLVerifyClient <em>level</em></code></td></tr><tr><th><a href="directive-dict.html#Default">Default:
1219 </a></th><td><code>SSLVerifyClient none</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
1220 </a></th><td>server config, virtual host, directory, .htaccess</td></tr><tr><th><a href="directive-dict.html#Override">Override:
1221 </a></th><td>AuthConfig</td></tr><tr><th><a href="directive-dict.html#Status">Status:
1222 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
1223 </a></th><td>mod_ssl</td></tr></table>
1225 This directive sets the Certificate verification level for the Client
1226 Authentication. Notice that this directive can be used both in per-server and
1227 per-directory context. In per-server context it applies to the client
1228 authentication process used in the standard SSL handshake when a connection is
1229 established. In per-directory context it forces a SSL renegotation with the
1230 reconfigured client verification level after the HTTP request was read but
1231 before the HTTP response is sent.</p>
1233 The following levels are available for <em>level</em>:</p>
1235 <li><strong>none</strong>:
1236 no client Certificate is required at all</li>
1237 <li><strong>optional</strong>:
1238 the client <em>may</em> present a valid Certificate</li>
1239 <li><strong>require</strong>:
1240 the client <em>has to</em> present a valid Certificate</li>
1241 <li><strong>optional_no_ca</strong>:
1242 the client may present a valid Certificate<br />
1243 but it need not to be (successfully) verifiable.</li>
1245 <p>In practice only levels <strong>none</strong> and
1246 <strong>require</strong> are really interesting, because level
1247 <strong>optional</strong> doesn't work with all browsers and level
1248 <strong>optional_no_ca</strong> is actually against the idea of
1249 authentication (but can be used to establish SSL test pages, etc.)</p>
1250 <div class="example"><h3>Example</h3><p><code>
1251 SSLVerifyClient require
1253 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="directive-section"><h2><a name="SSLVerifyDepth" id="SSLVerifyDepth">SSLVerifyDepth</a> <a name="sslverifydepth" id="sslverifydepth">Directive</a></h2><table class="directive"><tr><th><a href="directive-dict.html#Description">Description:
1254 </a></th><td>Maximum depth of CA Certificates in Client
1255 Certificate verification</td></tr><tr><th><a href="directive-dict.html#Syntax">Syntax:
1256 </a></th><td><code>SSLVerifyDepth <em>number</em></code></td></tr><tr><th><a href="directive-dict.html#Default">Default:
1257 </a></th><td><code>SSLVerifyDepth 1</code></td></tr><tr><th><a href="directive-dict.html#Context">Context:
1258 </a></th><td>server config, virtual host, directory, .htaccess</td></tr><tr><th><a href="directive-dict.html#Override">Override:
1259 </a></th><td>AuthConfig</td></tr><tr><th><a href="directive-dict.html#Status">Status:
1260 </a></th><td>Extension</td></tr><tr><th><a href="directive-dict.html#Module">Module:
1261 </a></th><td>mod_ssl</td></tr></table>
1263 This directive sets how deeply mod_ssl should verify before deciding that the
1264 clients don't have a valid certificate. Notice that this directive can be
1265 used both in per-server and per-directory context. In per-server context it
1266 applies to the client authentication process used in the standard SSL
1267 handshake when a connection is established. In per-directory context it forces
1268 a SSL renegotation with the reconfigured client verification depth after the
1269 HTTP request was read but before the HTTP response is sent.</p>
1271 The depth actually is the maximum number of intermediate certificate issuers,
1272 i.e. the number of CA certificates which are max allowed to be followed while
1273 verifying the client certificate. A depth of 0 means that self-signed client
1274 certificates are accepted only, the default depth of 1 means the client
1275 certificate can be self-signed or has to be signed by a CA which is directly
1276 known to the server (i.e. the CA's certificate is under
1277 <code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code>), etc.</p>
1278 <div class="example"><h3>Example</h3><p><code>
1281 </div></div><div id="footer"><p class="apache">Maintained by the <a href="http://httpd.apache.org/docs-project/">Apache HTTP Server Documentation Project</a></p><p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div></body></html>