<title>mod_ssl - Apache HTTP Server</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
-<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
+<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
+<script src="../style/scripts/prettify.js" type="text/javascript">
+</script>
+
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body>
<div id="page-header">
-<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/
directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/
quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.5</p>
<img alt="" src="../images/feather.gif" /></div>
<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
<tr><th><a href="module-dict.html#SourceFile">SourceĀ File:</a></th><td>mod_ssl.c</td></tr></table>
<h3>Summary</h3>
-<p>This module provides SSL v2/v3 and TLS v1 support for the Apache
-HTTP Server. It was contributed by Ralf S. Engelschall based on his
-mod_ssl project and originally derived from work by Ben Laurie.</p>
+<p>This module provides SSL v3 and TLS v1.x support for the Apache
+HTTP Server. SSL v2 is no longer supported.</p>
<p>This module relies on <a href="http://www.openssl.org/">OpenSSL</a>
to provide the cryptography engine.</p>
<li><img alt="" src="../images/down.gif" /> <a href="#sslcertificatefile">SSLCertificateFile</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslciphersuite">SSLCipherSuite</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#sslcompression">SSLCompression</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslcryptodevice">SSLCryptoDevice</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslengine">SSLEngine</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslfips">SSLFIPS</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslocsprespondertimeout">SSLOCSPResponderTimeout</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslocspresponsemaxage">SSLOCSPResponseMaxAge</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslocspresponsetimeskew">SSLOCSPResponseTimeSkew</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#sslopensslconfcmd">SSLOpenSSLConfCmd</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ssloptions">SSLOptions</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslpassphrasedialog">SSLPassPhraseDialog</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslprotocol">SSLProtocol</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslproxycarevocationpath">SSLProxyCARevocationPath</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslproxycheckpeercn">SSLProxyCheckPeerCN</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslproxycheckpeerexpire">SSLProxyCheckPeerExpire</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#sslproxycheckpeername">SSLProxyCheckPeerName</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslproxyciphersuite">SSLProxyCipherSuite</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslproxyengine">SSLProxyEngine</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslproxymachinecertificatechainfile">SSLProxyMachineCertificateChainFile</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslsessioncache">SSLSessionCache</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslsessioncachetimeout">SSLSessionCacheTimeout</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslsessionticketkeyfile">SSLSessionTicketKeyFile</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#sslsrpunknownuserseed">SSLSRPUnknownUserSeed</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#sslsrpverifierfile">SSLSRPVerifierFile</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslstaplingcache">SSLStaplingCache</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslstaplingerrorcachetimeout">SSLStaplingErrorCacheTimeout</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslstaplingfaketrylater">SSLStaplingFakeTryLater</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#logformats">Custom Log Formats</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#notes">Request Notes</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authzproviders">Authorization providers for use with Require</a></li>
-</ul></div>
+</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="envvars" id="envvars">Environment Variables</a></h2>
<tr><td><code>SSL_SERVER_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of server's certificate</td></tr>
<tr><td><code>SSL_SERVER_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of server's certificate</td></tr>
<tr><td><code>SSL_SERVER_CERT</code></td> <td>string</td> <td>PEM-encoded server certificate</td></tr>
+<tr><td><code>SSL_SRP_USER</code></td> <td>string</td> <td>SRP username</td></tr>
+<tr><td><code>SSL_SRP_USERINFO</code></td> <td>string</td> <td>SRP user info</td></tr>
+<tr><td><code>SSL_TLS_SNI</code></td> <td>string</td> <td>Contents of the SNI TLS extension (if supplied with ClientHello)</td></tr>
</table>
<p><em>x509</em> specifies a component of an X.509 DN; one of
For backward compatibility there is additionally a special
``<code>%{</code><em>name</em><code>}c</code>'' cryptography format function
provided. Information about this function is provided in the <a href="../ssl/ssl_compat.html">Compatibility</a> chapter.</p>
-<div class="example"><h3>Example</h3><p><code>
-CustomLog logs/ssl_request_log \
- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-</code></p></div>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
+CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+</pre>
+</div>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="notes" id="notes">Request Notes</a></h2>
encrypted with SSL. This is similar to the
<code class="directive">SSLRequireSSL</code> directive.</p>
- <div class="example"><p><code>
+ <pre class="prettyprint lang-config">
Require ssl
- </code></p></div>
+ </pre>
+
<p>The following example grants access if the user is authenticated
either with a client certificate or by username and password.</p>
- <div class="example"><p><code>
+ <pre class="prettyprint lang-config">
Require ssl-verify-client<br />
Require valid-user
- </code></p></div>
+ </pre>
+
concatenation of the various PEM-encoded Certificate files, in order of
preference. This can be used alternatively and/or additionally to
<code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code>.</p>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
hash filenames. So usually you can't just place the Certificate files
there: you also have to create symbolic links named
<em>hash-value</em><code>.N</code>. And you should always make sure this directory
-contains the appropriate symbolic links. Use the <code>Makefile</code> which
-comes with mod_ssl to accomplish this task.</p>
-<div class="example"><h3>Example</h3><p><code>
+contains the appropriate symbolic links.</p>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
specify an <em>all-in-one</em> file containing a concatenation of
PEM-encoded CA certificates.</p>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
through hash filenames. So usually you can't just place the
Certificate files there: you also have to create symbolic links named
<em>hash-value</em><code>.N</code>. And you should always make sure
-this directory contains the appropriate symbolic links. Use the
-<code>Makefile</code> which comes with mod_ssl to accomplish this
-task.</p>
-<div class="example"><h3>Example</h3><p><code>
+this directory contains the appropriate symbolic links.</p>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLCADNRequestPath /usr/local/apache2/conf/ca-names.crt/
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<code>"unable to get certificate CRL"</code> error.
</p>
</div>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLCARevocationCheck chain
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
for Client Authentication. Such a file is simply the concatenation of
the various PEM-encoded CRL files, in order of preference. This can be
used alternatively and/or additionally to <code class="directive"><a href="#sslcarevocationpath">SSLCARevocationPath</a></code>.</p>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-client.crl
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
hash filenames. So usually you have not only to place the CRL files there.
Additionally you have to create symbolic links named
<em>hash-value</em><code>.rN</code>. And you should always make sure this directory
-contains the appropriate symbolic links. Use the <code>Makefile</code> which
-comes with <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> to accomplish this task.</p>
-<div class="example"><h3>Example</h3><p><code>
+contains the appropriate symbolic links.</p>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLCARevocationPath /usr/local/apache2/conf/ssl.crl/
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
+<div class="note"><h3>SSLCertificateChainFile is deprecated</h3>
+<p><code>SSLCertificateChainFile</code> became obsolete with version
+2.5.0-dev as of 2013-12-28, when
+<code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>
+was extended to also load intermediate CA certificates from the server
+certificate file.</p>
+</div>
+
<p>
This directive sets the optional <em>all-in-one</em> file where you can
assemble the certificates of Certification Authorities (CA) which form the
using a coupled RSA+DSA certificate pair, this will work only if actually both
certificates use the <em>same</em> certificate chain. Else the browsers will be
confused in this situation.</p>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLCertificateFile" id="SSLCertificateFile">SSLCertificateFile</a> <a name="sslcertificatefile" id="sslcertificatefile">Directive</a></h2>
<table class="directive">
-<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded X.509 Certificate file</td></tr>
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded X.509 certificate data file</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateFile <em>file-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
-This directive points to the PEM-encoded Certificate file for the server and
-optionally also to the corresponding RSA or DSA Private Key file for it
-(contained in the same file). If the contained Private Key is encrypted the
-Pass Phrase dialog is forced at startup time. This directive can be used up to
-two times (referencing different filenames) when both a RSA and a DSA based
-server certificate is used in parallel.</p>
-<div class="example"><h3>Example</h3><p><code>
+This directive points to a file with certificate data in PEM format.
+At a minimum, the file must include an end-entity (leaf) certificate.
+Beginning with version 2.5.0-dev as of 2013-12-28, it may also
+include intermediate CA certificates, sorted from leaf to root,
+and obsoletes <code class="directive"><a href="#sslcertificatechainfile">SSLCertificateChainFile</a></code>.
+</p>
+
+<p>
+Additional optional elements are DH parameters and/or an EC curve name
+for ephemeral keys, as generated by <code>openssl dhparam</code> and
+<code>openssl ecparam</code>, respectively (supported in version 2.5.0-dev
+as of 2013-09-29), and finally, the end-entity certificate's private key.
+If the private key is encrypted, the pass phrase dialog is forced
+at startup time.</p>
+
+<p>
+This directive can be used multiple times (referencing different filenames)
+to support multiple algorithms for server authentication - typically
+RSA, DSA, and ECC. The number of supported algorithms depends on the
+OpenSSL version being used for mod_ssl: with version 1.0.0 or later,
+<code>openssl list-public-key-algorithms</code> will output a list
+of supported algorithms.</p>
+
+<p>
+When running with OpenSSL 1.0.2 or later, this directive allows
+to configure the intermediate CA chain on a per-certificate basis,
+which removes a limitation of the (now obsolete)
+<code class="directive"><a href="#sslcertificatechainfile">SSLCertificateChainFile</a></code> directive.
+DH and ECDH parameters, however, are only read from the first
+<code class="directive">SSLCertificateFile</code> directive, as they
+are applied independently of the authentication algorithm type.</p>
+
+<div class="note">
+<h3>DH parameter interoperability with primes > 1024 bit</h3>
+<p>
+Beginning with version 2.5.0-dev as of 2013-09-29, mod_ssl makes use of
+standardized DH parameters with prime lengths of 2048, 3072 and 4096 bits
+(from <a href="http://www.ietf.org/rfc/rfc3526.txt">RFC 3526</a>), and hands
+them out to clients based on the length of the certificate's RSA/DSA key.
+With Java-based clients in particular (Java 7 or earlier), this may lead
+to handshake failures - see this
+<a href="../ssl/ssl_faq.html#javadh">FAQ answer</a> for working around
+such issues.
+</p>
+</div>
+
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLCertificateKeyFile" id="SSLCertificateKeyFile">SSLCertificateKeyFile</a> <a name="sslcertificatekeyfile" id="sslcertificatekeyfile">Directive</a></h2>
<table class="directive">
-<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded Private Key file</td></tr>
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded private key file</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateKeyFile <em>file-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
-This directive points to the PEM-encoded Private Key file for the
-server. If the Private Key is not combined with the Certificate in the
-<code class="directive">SSLCertificateFile</code>, use this additional directive to
-point to the file with the stand-alone Private Key. When
-<code class="directive">SSLCertificateFile</code> is used and the file
-contains both the Certificate and the Private Key this directive need
-not be used. But we strongly discourage this practice. Instead we
-recommend you to separate the Certificate and the Private Key. If the
-contained Private Key is encrypted, the Pass Phrase dialog is forced
-at startup time. This directive can be used up to two times
-(referencing different filenames) when both a RSA and a DSA based
-private key is used in parallel.</p>
-<div class="example"><h3>Example</h3><p><code>
+This directive points to the PEM-encoded private key file for the
+server (the private key may also be combined with the certificate in the
+<code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>, but this practice
+is discouraged). If the contained private key is encrypted, the pass phrase
+dialog is forced at startup time.</p>
+
+<p>
+The directive can be used multiple times (referencing different filenames)
+to support multiple algorithms for server authentication. For each
+<code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code>
+directive, there must be a matching <code class="directive">SSLCertificateFile</code>
+directive.</p>
+
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
attributes plus a few extra minor ones:</p>
<ul>
<li><em>Key Exchange Algorithm</em>:<br />
- RSA or Diffie-Hellman variants.
+ RSA, Diffie-Hellman, Elliptic Curve Diffie-Hellman, Secure Remote Password
</li>
<li><em>Authentication Algorithm</em>:<br />
- RSA, Diffie-Hellman, DSS or none.
+ RSA, Diffie-Hellman, DSS, ECDSA, or none.
</li>
<li><em>Cipher/Encryption Algorithm</em>:<br />
- DES, Triple-DES, RC4, RC2, IDEA or none.
+ AES, DES, Triple-DES, RC4, RC2, IDEA, etc.
</li>
<li><em>MAC Digest Algorithm</em>:<br />
- MD5, SHA or SHA1.
+ MD5, SHA or SHA1, SHA256, SHA384.
</li>
</ul>
-<p>An SSL cipher can also be an export cipher and is either an SSLv2 or SSLv3/TLSv1
-cipher (here TLSv1 is equivalent to SSLv3). To specify which ciphers to use,
-one can either specify all the Ciphers, one at a time, or use aliases to
-specify the preference and order for the ciphers (see <a href="#table1">Table
-1</a>).</p>
+<p>An SSL cipher can also be an export cipher. SSLv2 ciphers are no longer
+supported. To specify which ciphers to use, one can either specify all the
+Ciphers, one at a time, or use aliases to specify the preference and order
+for the ciphers (see <a href="#table1">Table
+1</a>). The actually available ciphers and aliases depends on the used
+openssl version. Newer openssl versions may include additional ciphers.</p>
<table class="bordered">
<tr><td><code>kDHr</code></td> <td>Diffie-Hellman key exchange with RSA key</td></tr>
<tr><td><code>kDHd</code></td> <td>Diffie-Hellman key exchange with DSA key</td></tr>
<tr><td><code>kEDH</code></td> <td>Ephemeral (temp.key) Diffie-Hellman key exchange (no cert)</td> </tr>
+<tr><td><code>kSRP</code></td> <td>Secure Remote Password (SRP) key exchange</td></tr>
<tr><td colspan="2"><em>Authentication Algorithm:</em></td></tr>
<tr><td><code>aNULL</code></td> <td>No authentication</td></tr>
<tr><td><code>aRSA</code></td> <td>RSA authentication</td></tr>
<tr><td><code>aDSS</code></td> <td>DSS authentication</td> </tr>
<tr><td><code>aDH</code></td> <td>Diffie-Hellman authentication</td></tr>
<tr><td colspan="2"><em>Cipher Encoding Algorithm:</em></td></tr>
-<tr><td><code>eNULL</code></td> <td>No encoding</td> </tr>
-<tr><td><code>DES</code></td> <td>DES encoding</td> </tr>
-<tr><td><code>3DES</code></td> <td>Triple-DES encoding</td> </tr>
-<tr><td><code>RC4</code></td> <td>RC4 encoding</td> </tr>
-<tr><td><code>RC2</code></td> <td>RC2 encoding</td> </tr>
-<tr><td><code>IDEA</code></td> <td>IDEA encoding</td> </tr>
+<tr><td><code>eNULL</code></td> <td>No encryption</td> </tr>
+<tr><td><code>NULL</code></td> <td>alias for eNULL</td> </tr>
+<tr><td><code>AES</code></td> <td>AES encryption</td> </tr>
+<tr><td><code>DES</code></td> <td>DES encryption</td> </tr>
+<tr><td><code>3DES</code></td> <td>Triple-DES encryption</td> </tr>
+<tr><td><code>RC4</code></td> <td>RC4 encryption</td> </tr>
+<tr><td><code>RC2</code></td> <td>RC2 encryption</td> </tr>
+<tr><td><code>IDEA</code></td> <td>IDEA encryption</td> </tr>
<tr><td colspan="2"><em>MAC Digest Algorithm</em>:</td></tr>
<tr><td><code>MD5</code></td> <td>MD5 hash function</td></tr>
<tr><td><code>SHA1</code></td> <td>SHA1 hash function</td></tr>
-<tr><td><code>SHA</code></td> <td>SHA hash function</td> </tr>
+<tr><td><code>SHA</code></td> <td>alias for SHA1</td> </tr>
+<tr><td><code>SHA256</code></td> <td>SHA256 hash function</td> </tr>
+<tr><td><code>SHA384</code></td> <td>SHA384 hash function</td> </tr>
<tr><td colspan="2"><em>Aliases:</em></td></tr>
-<tr><td><code>SSLv2</code></td> <td>all SSL version 2.0 ciphers</td></tr>
<tr><td><code>SSLv3</code></td> <td>all SSL version 3.0 ciphers</td> </tr>
<tr><td><code>TLSv1</code></td> <td>all TLS version 1.0 ciphers</td> </tr>
<tr><td><code>EXP</code></td> <td>all export ciphers</td> </tr>
<tr><td><code>RSA</code></td> <td>all ciphers using RSA key exchange</td> </tr>
<tr><td><code>DH</code></td> <td>all ciphers using Diffie-Hellman key exchange</td> </tr>
<tr><td><code>EDH</code></td> <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr>
+<tr><td><code>ECDH</code></td> <td>Elliptic Curve Diffie-Hellman key exchange</td> </tr>
<tr><td><code>ADH</code></td> <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr>
+<tr><td><code>AECDH</code></td> <td>all ciphers using Anonymous Elliptic Curve Diffie-Hellman key exchange</td> </tr>
+<tr><td><code>SRP</code></td> <td>all ciphers using Secure Remote Password (SRP) key exchange</td> </tr>
<tr><td><code>DSS</code></td> <td>all ciphers using DSS authentication</td> </tr>
-<tr><td><code>NULL</code></td> <td>all ciphers using no encryption</td> </tr>
+<tr><td><code>ECDSA</code></td> <td>all ciphers using ECDSA authentication</td> </tr>
+<tr><td><code>aNULL</code></td> <td>all ciphers using no authentication</td> </tr>
</table>
<p>
Now where this becomes interesting is that these can be put together
to specify the order and ciphers you wish to use. To speed this up
-there are also aliases (<code>SSLv2, SSLv3, TLSv1, EXP, LOW, MEDIUM,
+there are also aliases (<code>SSLv3, TLSv1, EXP, LOW, MEDIUM,
HIGH</code>) for certain groups of ciphers. These tags can be joined
together with prefixes to form the <em>cipher-spec</em>. Available
prefixes are:</p>
<ul>
<li>none: add cipher to list</li>
-<li><code>+</code>: add ciphers to list and pull them to current location in list</li>
+<li><code>+</code>: move matching ciphers to the current location in list</li>
<li><code>-</code>: remove cipher from list (can be added later again)</li>
<li><code>!</code>: kill cipher from list completely (can <strong>not</strong> be added later again)</li>
</ul>
+
+<div class="note">
+<h3><code>aNULL</code>, <code>eNULL</code> and <code>EXP</code>
+ciphers are always disabled</h3>
+<p>Beginning with version 2.5.0-dev as of 2013-09-25, null and export-grade
+ciphers are always disabled, as mod_ssl unconditionally prepends any supplied
+cipher suite string with <code>!aNULL:!eNULL:!EXP:</code> at initialization.</p>
+</div>
+
<p>A simpler way to look at all of this is to use the ``<code>openssl ciphers
-v</code>'' command which provides a nice way to successively create the
correct <em>cipher-spec</em> string. The default <em>cipher-spec</em> string
depends on the version of the OpenSSL libraries used. Let's suppose it is
-``<code>ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>'' which
-means the following: first, remove from consideration any ciphers that do not
-authenticate, i.e. for SSL the Anonymous Diffie-Hellman ciphers. Next,
-use ciphers using RC4 and RSA. Next include the high, medium and then the low
-security ciphers. Finally <em>pull</em> all SSLv2 and export ciphers to the
-end of the list.</p>
+``<code>RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5</code>'' which
+means the following: Put <code>RC4-SHA</code> and <code>AES128-SHA</code> at
+the beginning. We do this, because these ciphers offer a good compromise
+between speed and security. Next, include high and medium security ciphers.
+Finally, remove all ciphers which do not authenticate, i.e. for SSL the
+Anonymous Diffie-Hellman ciphers, as well as all ciphers which use
+<code>MD5</code> as hash algorithm, because it has been proven insufficient.</p>
<div class="example"><pre>
-$ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
-NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
-NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
-EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
+$ openssl ciphers -v 'RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5'
+RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
+AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
+DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
... ... ... ... ...
-EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
-EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
-EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
+SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
+PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1
+KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
</pre></div>
<p>The complete list of particular RSA & DH ciphers for SSL is given in <a href="#table2">Table 2</a>.</p>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
-</code></p></div>
+</pre>
+</div>
<table class="bordered">
<tr><th><a name="table2">Cipher-Tag</a></th> <th>Protocol</th> <th>Key Ex.</th> <th>Auth.</th> <th>Enc.</th> <th>MAC</th> <th>Type</th> </tr>
<tr><td colspan="7"><em>RSA Ciphers:</em></td></tr>
<tr><td><code>DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>3DES(168)</td> <td>SHA1</td> <td /> </tr>
-<tr><td><code>DES-CBC3-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>3DES(168)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>IDEA-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>IDEA(128)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>RC4-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>RC4-MD5</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>MD5</td> <td /> </tr>
-<tr><td><code>IDEA-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>IDEA(128)</td> <td>MD5</td> <td /> </tr>
-<tr><td><code>RC2-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC2(128)</td> <td>MD5</td> <td /> </tr>
-<tr><td><code>RC4-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>DES-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>DES(56)</td> <td>SHA1</td> <td /> </tr>
-<tr><td><code>RC4-64-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC4(64)</td> <td>MD5</td> <td /> </tr>
-<tr><td><code>DES-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>DES(56)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>EXP-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
<tr><td><code>EXP-RC2-CBC-MD5</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>RC2(40)</td> <td>MD5</td> <td> export</td> </tr>
<tr><td><code>EXP-RC4-MD5</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>RC4(40)</td> <td>MD5</td> <td> export</td> </tr>
-<tr><td><code>EXP-RC2-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA(512)</td> <td>RSA</td> <td>RC2(40)</td> <td>MD5</td> <td> export</td> </tr>
-<tr><td><code>EXP-RC4-MD5</code></td> <td>SSLv2</td> <td>RSA(512)</td> <td>RSA</td> <td>RC4(40)</td> <td>MD5</td> <td> export</td> </tr>
<tr><td><code>NULL-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>None</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>NULL-MD5</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>None</td> <td>MD5</td> <td /> </tr>
<tr><td colspan="7"><em>Diffie-Hellman Ciphers:</em></td></tr>
<tr><td><code>EXP-ADH-RC4-MD5</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>None</td> <td>RC4(40)</td> <td>MD5</td> <td> export</td> </tr>
</table>
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="SSLCompression" id="SSLCompression">SSLCompression</a> <a name="sslcompression" id="sslcompression">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable compression on the SSL level</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCompression on|off</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLCompression off</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.4.3 and later, if using OpenSSL 0.9.8 or later;
+virtual host scope available if using OpenSSL 1.0.0 or later.
+The default used to be <code>on</code> in version 2.4.3.</td></tr>
+</table>
+<p>This directive allows to enable compression on the SSL level.</p>
+<div class="warning">
+<p>Enabling compression causes security issues in most setups (the so called
+CRIME attack).</p>
+</div>
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLCryptoDevice" id="SSLCryptoDevice">SSLCryptoDevice</a> <a name="sslcryptodevice" id="sslcryptodevice">Directive</a></h2>
<p>To discover which engine names are supported, run the command
"<code>openssl engine</code>".</p>
-<div class="example"><h3>Example</h3><p><code>
-# For a Broadcom accelerator:<br />
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
+# For a Broadcom accelerator:
SSLCryptoDevice ubsec
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
is should be used inside a <code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code> section to enable SSL/TLS for a
that virtual host. By default the SSL/TLS Protocol Engine is
disabled for both the main server and all configured virtual hosts.</p>
-<div class="example"><h3>Example</h3><p><code>
-<VirtualHost _default_:443><br />
-SSLEngine on<br />
-...<br />
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
+<VirtualHost _default_:443>
+SSLEngine on
+#...
</VirtualHost>
-</code></p></div>
+</pre>
+</div>
<p>In Apache 2.1 and later, <code class="directive">SSLEngine</code> can be set to
<code>optional</code>. This enables support for
<a href="http://www.ietf.org/rfc/rfc2817.txt">RFC 2817</a>, Upgrading to TLS
<div class="directive-section"><h2><a name="SSLHonorCipherOrder" id="SSLHonorCipherOrder">SSLHonorCipherOrder</a> <a name="sslhonorcipherorder" id="sslhonorcipherorder">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Option to prefer the server's cipher preference order</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLHonorCipherOrder <em>flag</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLHonorCipherOrder on|off</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLHonorCipherOrder off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.1 and later, if using OpenSSL 0.9.7 or later</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available if using OpenSSL 0.9.7 or later</td></tr>
</table>
<p>When choosing a cipher during an SSLv3 or TLSv1 handshake, normally
the client's preference is used. If this directive is enabled, the
server's preference will be used instead.</p>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLHonorCipherOrder on
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLInsecureRenegotiation" id="SSLInsecureRenegotiation">SSLInsecureRenegotiation</a> <a name="sslinsecurerenegotiation" id="sslinsecurerenegotiation">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Option to enable support for insecure renegotiation</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLInsecureRenegotiation <em>flag</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLInsecureRenegotiation on|off</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLInsecureRenegotiation off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.2.15 and later, if using OpenSSL 0.9.8m or later</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available if using OpenSSL 0.9.8m or later</td></tr>
</table>
<p>As originally specified, all versions of the SSL and TLS protocols
(up to and including TLS/1.2) were vulnerable to a Man-in-the-Middle
in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555">CVE-2009-3555</a>.</p>
</div>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLInsecureRenegotiation on
-</code></p></div>
+</pre>
+</div>
<p>The <code>SSL_SECURE_RENEG</code> environment variable can be used
from an SSI or CGI script to determine whether secure renegotiation is
<div class="directive-section"><h2><a name="SSLOCSPEnable" id="SSLOCSPEnable">SSLOCSPEnable</a> <a name="sslocspenable" id="sslocspenable">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable OCSP validation of the client certificate chain</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPEnable <em>flag</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPEnable on|off</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLOCSPEnable off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
<code class="directive"><a href="#sslocspoverrideresponder">SSLOCSPOverrideResponder</a></code>
directives.</p>
-<div class="example"><h3>Example</h3><p><code>
-SSLVerifyClient on<br />
-SSLOCSPEnable on<br />
-SSLOCSPDefaultResponder http://responder.example.com:8888/responder<br />
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
+SSLVerifyClient on
+SSLOCSPEnable on
+SSLOCSPDefaultResponder http://responder.example.com:8888/responder
SSLOCSPOverrideResponder on
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLOCSPOverrideResponder" id="SSLOCSPOverrideResponder">SSLOCSPOverrideResponder</a> <a name="sslocspoverrideresponder" id="sslocspoverrideresponder">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Force use of the default responder URI for OCSP validation</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPOverrideResponder <em>flag</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPOverrideResponder on|off</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLOCSPOverrideResponder off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
<p>This option sets the maximum allowable time skew for OCSP responses
(when checking their <code>thisUpdate</code> and <code>nextUpdate</code> fields).</p>
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="SSLOpenSSLConfCmd" id="SSLOpenSSLConfCmd">SSLOpenSSLConfCmd</a> <a name="sslopensslconfcmd" id="sslopensslconfcmd">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Configure OpenSSL parameters through its <em>SSL_CONF</em> API</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOpenSSLConfCmd <em>command-name</em> <em>command-value</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.5.0-dev and later, if using OpenSSL 1.0.2 or later</td></tr>
+</table>
+<p>This directive exposes OpenSSL's <em>SSL_CONF</em> API to mod_ssl,
+allowing a flexible configuration of OpenSSL parameters without the need
+of implementing additional <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> directives when new
+features are added to OpenSSL.</p>
+
+<p>The set of available <code class="directive">SSLOpenSSLConfCmd</code> commands
+depends on the OpenSSL version being used for <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>
+(at least version 1.0.2 is required). For a list of supported command
+names, see the section <em>Supported configuration file commands</em> in the
+<a href="http://www.openssl.org/docs/ssl/SSL_CONF_cmd.html#SUPPORTED_CONFIGURATION_FILE_COM">SSL_CONF_cmd(3)</a> manual page for OpenSSL.</p>
+
+<p>Some of the <code class="directive">SSLOpenSSLConfCmd</code> commands can be used
+as an alternative to existing directives (such as
+<code class="directive"><a href="#sslciphersuite">SSLCipherSuite</a></code> or
+<code class="directive"><a href="#sslprotocol">SSLProtocol</a></code>),
+though it should be noted that the syntax / allowable values for the parameters
+may sometimes differ.</p>
+
+<div class="example"><h3>Examples</h3><pre class="prettyprint lang-config">
+SSLOpenSSLConfCmd Options -SessionTicket,ServerPreference
+SSLOpenSSLConfCmd ECDHParameters brainpoolP256r1
+SSLOpenSSLConfCmd ServerInfoFile /usr/local/apache2/conf/server-info.pem
+SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2"
+SSLOpenSSLConfCmd SignatureAlgorithms RSA+SHA384:ECDSA+SHA256
+</pre>
+</div>
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLOptions" id="SSLOptions">SSLOptions</a> <a name="ssloptions" id="ssloptions">Directive</a></h2>
be used for access control. The user name is just the Subject of the
Client's X509 Certificate (can be determined by running OpenSSL's
<code>openssl x509</code> command: <code>openssl x509 -noout -subject -in
- </code><em>certificate</em><code>.crt</code>). Note that no password is
- obtained from the user. Every entry in the user file needs this password:
- ``<code>xxj31ZMTZzkVA</code>'', which is the DES-encrypted version of the
- word `<code>password</code>''. Those who live under MD5-based encryption
- (for instance under FreeBSD or BSD/OS, etc.) should use the following MD5
- hash of the same word: ``<code>$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/</code>''.</p>
+ </code><em>certificate</em><code>.crt</code>). The optional <code class="directive"><a href="#sslusername">SSLUserName</a></code> directive can be used to
+ specify which part of the certificate Subject is embedded in the username.
+ Note that no password is obtained from the user. Every entry in the user
+ file needs this password: ``<code>xxj31ZMTZzkVA</code>'', which is the
+ DES-encrypted version of the word `<code>password</code>''. Those who
+ live under MD5-based encryption (for instance under FreeBSD or BSD/OS,
+ etc.) should use the following MD5 hash of the same word:
+ ``<code>$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/</code>''.</p>
+
+ <p>Note that the <code class="directive"><a href="../mod/mod_auth_basic.html#authbasicfake">AuthBasicFake</a></code>
+ directive within <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code> can be used as a more
+ general mechanism for faking basic authentication, giving control over the
+ structure of both the username and password.</p>
</li>
<li><code>StrictRequire</code>
<p>
SSL parameters causes a <em>full</em> SSL renegotiation handshake. When this
option is used mod_ssl tries to avoid unnecessary handshakes by doing more
granular (but still safe) parameter checks. Nevertheless these granular
- checks sometimes maybe not what the user expects, so enable this on a
+ checks sometimes may not be what the user expects, so enable this on a
per-directory basis only, please.</p>
</li>
<li><code>LegacyDNStringFormat</code>
</p>
</li>
</ul>
-<div class="example"><h3>Example</h3><p><code>
-SSLOptions +FakeBasicAuth -StrictRequire<br />
-<Files ~ "\.(cgi|shtml)$"><br />
- SSLOptions +StdEnvVars -ExportCertData<br />
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
+SSLOptions +FakeBasicAuth -StrictRequire
+<Files ~ "\.(cgi|shtml)$">
+ SSLOptions +StdEnvVars -ExportCertData
<Files>
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
Here an external program is configured which is called at startup for each
encrypted Private Key file. It is called with two arguments (the first is
of the form ``<code>servername:portnumber</code>'', the second is either
- ``<code>RSA</code>'' or ``<code>DSA</code>''), which indicate for which
- server and algorithm it has to print the corresponding Pass Phrase to
- <code>stdout</code>. The intent is that this external program first runs
- security checks to make sure that the system is not compromised by an
- attacker, and only when these checks were passed successfully it provides
- the Pass Phrase.</p>
+ ``<code>RSA</code>'', ``<code>DSA</code>'', or ``<code>ECC</code>''), which
+ indicate for which server and algorithm it has to print the corresponding
+ Pass Phrase to <code>stdout</code>. The intent is that this external
+ program first runs security checks to make sure that the system is not
+ compromised by an attacker, and only when these checks were passed
+ successfully it provides the Pass Phrase.</p>
<p>
Both these security checks, and the way the Pass Phrase is determined, can
be as complex as you like. Mod_ssl just defines the interface: an
The reuse-algorithm above is used here, too. In other words: The external
program is called only once per unique Pass Phrase.</p></li>
</ul>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<p>
This is the Secure Sockets Layer (SSL) protocol, version 3.0, from
the Netscape Corporation.
- It is the successor to SSLv2 and the predecessor to TLSv1. It's supported by
- almost all popular browsers.</p></li>
+ It is the successor to SSLv2 and the predecessor to TLSv1.</p></li>
<li><code>TLSv1</code>
<p>
This is the Transport Layer Security (TLS) protocol, version 1.0.
It is the successor to SSLv3 and is defined in
- <a href="http://www.ietf.org/rfc/rfc2246.txt">RFC 2246</a>.</p></li>
+ <a href="http://www.ietf.org/rfc/rfc2246.txt">RFC 2246</a>.
+ It is supported by nearly every client.</p></li>
<li><code>TLSv1.1</code> (when using OpenSSL 1.0.1 and later)
<p>
- when using OpenSSL 1.0.1 and later -
``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>, respectively.</p></li>
</ul>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLProtocol TLSv1
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
concatenation of the various PEM-encoded Certificate files, in order of
preference. This can be used alternatively and/or additionally to
<code class="directive"><a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></code>.</p>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLProxyCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-remote-server.crt
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
hash filenames. So usually you can't just place the Certificate files
there: you also have to create symbolic links named
<em>hash-value</em><code>.N</code>. And you should always make sure this directory
-contains the appropriate symbolic links. Use the <code>Makefile</code> which
-comes with mod_ssl to accomplish this task.</p>
-<div class="example"><h3>Example</h3><p><code>
+contains the appropriate symbolic links.</p>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLProxyCACertificatePath /usr/local/apache2/conf/ssl.crt/
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<code>"unable to get certificate CRL"</code> error.
</p>
</div>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLProxyCARevocationCheck chain
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
for Remote Server Authentication. Such a file is simply the concatenation of
the various PEM-encoded CRL files, in order of preference. This can be
used alternatively and/or additionally to <code class="directive"><a href="#sslproxycarevocationpath">SSLProxyCARevocationPath</a></code>.</p>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLProxyCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-remote-server.crl
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
hash filenames. So usually you have not only to place the CRL files there.
Additionally you have to create symbolic links named
<em>hash-value</em><code>.rN</code>. And you should always make sure this directory
-contains the appropriate symbolic links. Use the <code>Makefile</code> which
-comes with <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> to accomplish this task.</p>
-<div class="example"><h3>Example</h3><p><code>
+contains the appropriate symbolic links.</p>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLProxyCARevocationPath /usr/local/apache2/conf/ssl.crl/
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProxyCheckPeerCN" id="SSLProxyCheckPeerCN">SSLProxyCheckPeerCN</a> <a name="sslproxycheckpeercn" id="sslproxycheckpeercn">Directive</a></h2>
<table class="directive">
-<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Whether to check the remote server certificates CN field
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Whether to check the remote server certificate's CN field
</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCheckPeerCN on|off</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLProxyCheckPeerCN on</code></td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
-This directive sets whether the remote server certificates CN field is
+This directive sets whether the remote server certificate's CN field is
compared against the hostname of the request URL. If both are not equal
a 502 status code (Bad Gateway) is sent.
</p>
-<div class="example"><h3>Example</h3><p><code>
+<p>
+SSLProxyCheckPeerCN has been superseded by
+<code class="directive"><a href="#sslproxycheckpeername">SSLProxyCheckPeerName</a></code>, and its
+setting is only taken into account when
+<code>SSLProxyCheckPeerName off</code> is specified at the same time.
+</p>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLProxyCheckPeerCN on
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
is expired or not. If the check fails a 502 status code (Bad Gateway) is
sent.
</p>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLProxyCheckPeerExpire on
-</code></p></div>
+</pre>
+</div>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="SSLProxyCheckPeerName" id="SSLProxyCheckPeerName">SSLProxyCheckPeerName</a> <a name="sslproxycheckpeername" id="sslproxycheckpeername">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Configure host name checking for remote server certificates
+</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCheckPeerName on|off</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLProxyCheckPeerName on</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+</table>
+<p>
+This directive configures host name checking for server certificates
+when mod_ssl is acting as an SSL client. The check will
+succeed if the host name from the request URI is found in
+either the subjectAltName extension or (one of) the CN attribute(s)
+in the certificate's subject. If the check fails, the SSL request
+is aborted and a 502 status code (Bad Gateway) is returned.
+The directive supersedes <code class="directive"><a href="#sslproxycheckpeercn">SSLProxyCheckPeerCN</a></code>,
+which only checks for the expected host name in the first CN attribute.
+</p>
+<p>
+Wildcard matching is supported in one specific flavor: subjectAltName entries
+of type dNSName or CN attributes starting with <code>*.</code> will match
+for any DNS name with the same number of labels and the same suffix
+(i.e., <code>*.example.org</code> matches for <code>foo.example.org</code>,
+but not for <code>foo.bar.example.org</code>).
+</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Cipher Suite available for negotiation in SSL
proxy handshake</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCipherSuite <em>cipher-spec</em></code></td></tr>
-<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
This directive toggles the usage of the SSL/TLS Protocol Engine for proxy. This
is usually used inside a <code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code> section to enable SSL/TLS for proxy
usage in a particular virtual host. By default the SSL/TLS Protocol Engine is
-disabled for proxy image both for the main server and all configured virtual hosts.</p>
-<div class="example"><h3>Example</h3><p><code>
-<VirtualHost _default_:443><br />
-SSLProxyEngine on<br />
-...<br />
+disabled for proxy both for the main server and all configured virtual hosts.</p>
+
+<p>Note that the SSLProxyEngine directive should not, in
+general, be included in a virtual host that will be acting as a
+forward proxy (using <Proxy> or <ProxyRequest> directives.
+SSLProxyEngine is not required to enable a forward proxy server to
+proxy SSL/TLS requests.</p>
+
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
+<VirtualHost _default_:443>
+ SSLProxyEngine on
+ #...
</VirtualHost>
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
</p>
<div class="warning"><h3>Security warning</h3>
<p>If this directive is enabled, all of the certificates in the file will be
-trusted as if they were also in <code class="directive"><a href="# sslproxycacertificatefile">
+trusted as if they were also in <code class="directive"><a href="#sslproxycacertificatefile">
SSLProxyCACertificateFile</a></code>.</p>
</div>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLProxyMachineCertificateChainFile /usr/local/apache2/conf/ssl.crt/proxyCA.pem
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="warning">
<p>Currently there is no support for encrypted private keys</p>
</div>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLProxyMachineCertificateFile /usr/local/apache2/conf/ssl.crt/proxy.pem
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<p>The files in this directory must be PEM-encoded and are accessed through
hash filenames. Additionally, you must create symbolic links named
<code><em>hash-value</em>.N</code>. And you should always make sure this
-directory contains the appropriate symbolic links. Use the Makefile which
-comes with mod_ssl to accomplish this task.
-</p>
+directory contains the appropriate symbolic links.</p>
<div class="warning">
<p>Currently there is no support for encrypted private keys</p>
</div>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLProxyMachineCertificatePath /usr/local/apache2/conf/proxy.crt/
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<strong>optional</strong> doesn't work with all servers and level
<strong>optional_no_ca</strong> is actually against the idea of
authentication (but can be used to establish SSL test pages, etc.)</p>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLProxyVerify require
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
the remote server certificate can be self-signed or has to be signed by a CA
which is directly known to the server (i.e. the CA's certificate is under
<code class="directive"><a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></code>), etc.</p>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLProxyVerifyDepth 10
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
The following <em>source</em> variants are available:</p>
<ul>
<li><code>builtin</code>
- <p> This is the always available builtin seeding source. It's usage
+ <p> This is the always available builtin seeding source. Its usage
consumes minimum CPU cycles under runtime and hence can be always used
without drawbacks. The source used for seeding the PRNG contains of the
current time, the current process id and (when applicable) a randomly
can take a long time). Here using an existing <code>/dev/urandom</code> is
better, because it never blocks and actually gives the amount of requested
data. The drawback is just that the quality of the received data may not
- be the best.</p>
- <p>
- On some platforms like FreeBSD one can even control how the entropy is
- actually generated, i.e. by which system interrupts. More details one can
- find under <em>rndcontrol(8)</em> on those platforms. Alternatively, when
- your system lacks such a random device, you can use tool
- like <a href="http://www.lothar.com/tech/crypto/">EGD</a>
- (Entropy Gathering Daemon) and run it's client program with the
- <code>exec:/path/to/program/</code> variant (see below) or use
- <code>egd:/path/to/egd-socket</code> (see below).</p></li>
+ be the best.</p></li>
<li><code>exec:/path/to/program</code>
<p>
/crypto/</a>) to seed the PRNG. Use this if no random device exists
on your platform.</p></li>
</ul>
-<div class="example"><h3>Example</h3><p><code>
-SSLRandomSeed startup builtin<br />
-SSLRandomSeed startup file:/dev/random<br />
-SSLRandomSeed startup file:/dev/urandom 1024<br />
-SSLRandomSeed startup exec:/usr/local/bin/truerand 16<br />
-SSLRandomSeed connect builtin<br />
-SSLRandomSeed connect file:/dev/random<br />
-SSLRandomSeed connect file:/dev/urandom 1024<br />
-</code></p></div>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
+SSLRandomSeed startup builtin
+SSLRandomSeed startup file:/dev/random
+SSLRandomSeed startup file:/dev/urandom 1024
+SSLRandomSeed startup exec:/usr/local/bin/truerand 16
+SSLRandomSeed connect builtin
+SSLRandomSeed connect file:/dev/random
+SSLRandomSeed connect file:/dev/urandom 1024
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
memory must be considered when changing this configuration setting.
</p></div>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLRenegBufferSize 262144
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
+
+<div class="note"><h3>SSLRequire is deprecated</h3>
+<p><code>SSLRequire</code> is deprecated and should in general be replaced
+by <a href="mod_authz_core.html#reqexpr">Require expr</a>. The so called
+<a href="../expr.html">ap_expr</a> syntax of <code>Require expr</code> is
+a superset of the syntax of <code>SSLRequire</code>, with the following
+exception:</p>
+
+<p>In <code>SSLRequire</code>, the comparison operators <code><</code>,
+<code><=</code>, ... are completely equivalent to the operators
+<code>lt</code>, <code>le</code>, ... and work in a somewhat peculiar way that
+first compares the length of two strings and then the lexical order.
+On the other hand, <a href="../expr.html">ap_expr</a> has two sets of
+comparison operators: The operators <code><</code>,
+<code><=</code>, ... do lexical string comparison, while the operators
+<code>-lt</code>, <code>-le</code>, ... do integer comparison.
+For the latter, there are also aliases without the leading dashes:
+<code>lt</code>, <code>le</code>, ...
+</p>
+
+</div>
+
<p>
This directive specifies a general access requirement which has to be
fulfilled in order to allow access. It is a very powerful directive because the
<code>funcname</code> the available functions are listed in
the <a href="../expr.html#functions">ap_expr documentation</a>.</p>
-<p>Notice that <em>expression</em> is first parsed into an internal machine
-representation and then evaluated in a second step. Actually, in Global and
-Per-Server Class context <em>expression</em> is parsed at startup time and
-at runtime only the machine representation is executed. For Per-Directory
-context this is different: here <em>expression</em> has to be parsed and
-immediately executed for every request.</p>
-<div class="example"><h3>Example</h3><pre>SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
- and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
- and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
- and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
- and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
- or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/</pre></div>
+<p>The <em>expression</em> is parsed into an internal machine
+representation when the configuration is loaded, and then evaluated
+during request processing. In .htaccess context, the <em>expression</em> is
+both parsed and executed each time the .htaccess file is encountered during
+request processing.</p>
+
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
+SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
+ and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+ and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+ and %{TIME_WDAY} -ge 1 and %{TIME_WDAY} -le 5 \
+ and %{TIME_HOUR} -ge 8 and %{TIME_HOUR} -le 20 ) \
+ or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+</pre>
+</div>
<p>The <code>PeerExtList(<em>object-ID</em>)</code> function expects
to find zero or more instances of the X.509 certificate extension
(If multiple extensions with the same OID are present, at least one
extension must match).</p>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6")
-</code></p></div>
+</pre>
+</div>
<div class="note"><h3>Notes on the PeerExtList function</h3>
</ul>
</div>
-<div class="note"><h3>SSLRequire is deprecated</h3>
-<p><code>SSLRequire</code> is deprecated and should in general be replaced
-by <a href="mod_authz_core.html#reqexpr">Require expr</a>. The so called
-<a href="../expr.html">ap_expr</a> syntax of <code>Require expr</code> is
-a superset of the syntax of <code>SSLRequire</code>, with the following
-exception:</p>
-
-<p>In <code>SSLRequire</code>, the comparison operators <code><</code>,
-<code><=</code>, ... are completely equivalent to the operators
-<code>lt</code>, <code>le</code>, ... and work in a somewhat pecular way that
-first compares the length of two strings and then the lexical order.
-On the other hand, <a href="../expr.html">ap_expr</a> has two sets of
-comparison operators: The operators <code><</code>,
-<code><=</code>, ... do lexical string comparison, while the operators
-<code>-lt</code>, <code>-le</code>, ... do integer comparison.
-For the latter, there are also aliases without the leading dashes:
-<code>lt</code>, <code>le</code>, ...
-</p>
-
-</div>
-
<h3>See also</h3>
<ul>
host or directories for defending against configuration errors that expose
stuff that should be protected. When this directive is present all requests
are denied which are not using SSL.</p>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLRequireSSL
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
</ul>
-<div class="example"><h3>Examples</h3><p><code>
-SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data<br />
+<div class="example"><h3>Examples</h3><pre class="prettyprint lang-config">
+SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data
SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)
-</code></p></div>
+</pre>
+</div>
<p>The <code>ssl-cache</code> mutex is used to serialize access to
the session cache to prevent corruption. This mutex can be configured
global/inter-process SSL Session Cache and the OpenSSL internal memory cache.
It can be set as low as 15 for testing, but should be set to higher
values like 300 in real life.</p>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLSessionCacheTimeout 600
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code>.</p>
</div>
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="SSLSRPUnknownUserSeed" id="SSLSRPUnknownUserSeed">SSLSRPUnknownUserSeed</a> <a name="sslsrpunknownuserseed" id="sslsrpunknownuserseed">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>SRP unknown user seed</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLSRPUnknownUserSeed <em>secret-string</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+</table>
+<p>
+This directive sets the seed used to fake SRP user parameters for unknown
+users, to avoid leaking whether a given user exists. Specify a secret
+string. If this directive is not used, then Apache will return the
+UNKNOWN_PSK_IDENTITY alert to clients who specify an unknown username.
+</p>
+<div class="example"><h3>Example</h3><p><code>
+SSLSRPUnknownUserSeed "secret"
+</code></p></div>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="SSLSRPVerifierFile" id="SSLSRPVerifierFile">SSLSRPVerifierFile</a> <a name="sslsrpverifierfile" id="sslsrpverifierfile">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Path to SRP verifier file</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLSRPVerifierFile <em>file-path</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+</table>
+<p>
+This directive enables TLS-SRP and sets the path to the OpenSSL SRP (Secure
+Remote Password) verifier file containing TLS-SRP usernames, verifiers, salts,
+and group parameters.</p>
+<div class="example"><h3>Example</h3><p><code>
+SSLSRPVerifierFile "/path/to/file.srpv"
+</code></p></div>
+<p>
+The verifier file can be created with the <code>openssl</code> command line
+utility:</p>
+<div class="example"><h3>Creating the SRP verifier file</h3><p><code>
+openssl srp -srpvfile passwd.srpv -userinfo "some info" -add username
+</code></p></div>
+<p> The value given with the optional <code>-userinfo</code> parameter is
+avalable in the <code>SSL_SRP_USERINFO</code> request environment variable.</p>
+
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLStaplingCache" id="SSLStaplingCache">SSLStaplingCache</a> <a name="sslstaplingcache" id="sslstaplingcache">Directive</a></h2>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.2.12 and later</td></tr>
</table>
<p>
This directive sets whether a non-SNI client is allowed to access a name-based
version of OpenSSL.
</p></div>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLStrictSNIVHostCheck on
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.0.51 and later</td></tr>
</table>
<p>
This directive sets the "user" field in the Apache request object.
<code>REMOTE_USER</code> to be set. The <em>varname</em> can be
any of the <a href="#envvars">SSL environment variables</a>.</p>
-<p>Note that this directive has no effect if the
-<code>FakeBasicAuth</code> option is used (see <a href="#ssloptions">SSLOptions</a>).</p>
+<p>When the <code>FakeBasicAuth</code> option is enabled, this directive
+instead controls the value of the username embedded within the basic
+authentication header (see <a href="#ssloptions">SSLOptions</a>).</p>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLUserName SSL_CLIENT_S_DN_CN
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
prerequisite for enabling OCSP stapling.</p>
<p>OCSP stapling relieves the client of querying the OCSP responder
-on its own, but it should be noted that in its current specification,
+on its own, but it should be noted that with the RFC 6066 specification,
the server's <code>CertificateStatus</code> reply may only include an
OCSP response for a single cert. For server certificates with intermediate
CA certificates in their chain (the typical case nowadays),
-stapling in its current form therefore only partially achieves the
-stated goal of "saving roundtrips and resources" - see also the <a href="https://datatracker.ietf.org/doc/draft-pettersen-tls-ext-multiple-ocsp/">
-"Adding Multiple TLS Certificate Status Extension requests"</a> Internet draft.
+stapling in its current implementation therefore only partially achieves the
+stated goal of "saving roundtrips and resources" - see also
+<a href="http://www.ietf.org/rfc/rfc6961.txt">RFC 6961</a>
+(TLS Multiple Certificate Status Extension).
</p>
</div>
<strong>optional</strong> doesn't work with all browsers and level
<strong>optional_no_ca</strong> is actually against the idea of
authentication (but can be used to establish SSL test pages, etc.)</p>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLVerifyClient require
-</code></p></div>
+</pre>
+</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
certificate can be self-signed or has to be signed by a CA which is directly
known to the server (i.e. the CA's certificate is under
<code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code>), etc.</p>
-<div class="example"><h3>Example</h3><p><code>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
SSLVerifyDepth 10
-</code></p></div>
+</pre>
+</div>
</div>
</div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="../en/mod/mod_ssl.html" title="English"> en </a></p>
-</div><div id="footer">
-<p class="apache">Copyright 2011 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
-<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div>
+</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
+<script type="text/javascript"><!--//--><![CDATA[//><!--
+var comments_shortname = 'httpd';
+var comments_identifier = 'http://httpd.apache.org/docs/trunk/mod/mod_ssl.html';
+(function(w, d) {
+ if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
+ d.write('<div id="comments_thread"><\/div>');
+ var s = d.createElement('script');
+ s.type = 'text/javascript';
+ s.async = true;
+ s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
+ (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
+ }
+ else {
+ d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
+ }
+})(window, document);
+//--><!]]></script></div><div id="footer">
+<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
+if (typeof(prettyPrint) !== 'undefined') {
+ prettyPrint();
+}
+//--><!]]></script>
</body></html>
\ No newline at end of file
projects / apache / blobdiff