<li><img alt="" src="../images/down.gif" /> <a href="#ssloptions">SSLOptions</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslpassphrasedialog">SSLPassPhraseDialog</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslpolicy">SSLPolicy</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#sslpolicydefinesection"><SSLPolicyDefine></a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslprotocol">SSLProtocol</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslproxycacertificatefile">SSLProxyCACertificateFile</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslproxymachinecertificatechainfile">SSLProxyMachineCertificateChainFile</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslproxymachinecertificatefile">SSLProxyMachineCertificateFile</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslproxymachinecertificatepath">SSLProxyMachineCertificatePath</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#sslproxypolicy">SSLProxyPolicy</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslproxyprotocol">SSLProxyProtocol</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslproxyverify">SSLProxyVerify</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslproxyverifydepth">SSLProxyVerifyDepth</a></li>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Cipher Suite available for negotiation in SSL
handshake</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCipherSuite <em>cipher-spec</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCipherSuite [<em>protocol</em>] <em>cipher-spec</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLCipherSuite DEFAULT (depends on OpenSSL version)</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<p>
This complex directive uses a colon-separated <em>cipher-spec</em> string
consisting of OpenSSL cipher specifications to configure the Cipher Suite the
-client is permitted to negotiate in the SSL handshake phase. Notice that this
-directive can be used both in per-server and per-directory context. In
-per-server context it applies to the standard SSL handshake when a connection
+client is permitted to negotiate in the SSL handshake phase. The optional
+protocol specifier can configure the Cipher Suite for a specific SSL version.
+Possible values include "SSL" for all SSL Protocols up to and including TLSv1.2.
+</p>
+<p>
+Notice that this
+directive can be used both in per-server and per-directory context.
+In per-server context it applies to the standard SSL handshake when a connection
is established. In per-directory context it forces a SSL renegotiation with the
reconfigured Cipher Suite after the HTTP request was read but before the HTTP
-response is sent.</p>
+response is sent. (Since renegotiation is not</p>
+<p>
+If the SSL library supports TLSv1.3 (OpenSSL 1.1.1 and later), the protocol
+specifier "TLSv1.3" can be used to configure the cipher suites for that protocol.
+Since TLSv1.3 does not offer renegotiations, specifying ciphers for it in
+a directory context is not allowed.</p>
+<p>
+For a list of TLSv1.3 cipher names, see
+<a href="https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html">the OpenSSL
+documentation</a>.</p>
<p>
An SSL cipher specification in <em>cipher-spec</em> is composed of 4 major
attributes plus a few extra minor ones:</p>
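Review bot: L40 ends with an unfinished parenthetical, "(Since renegotiation is not</p>", which leaves a dangling sentence in the rendered page; either complete it or drop the parenthetical, since the TLSv1.3 renegotiation caveat is already stated in full in the new paragraph at L42-45 ("Since TLSv1.3 does not offer renegotiations, specifying ciphers for it in a directory context is not allowed"). Also, L31 says the "SSL" specifier covers protocols "up to and including TLSv1.2", but nothing states what a bare cipher-spec without a protocol argument applies to; one sentence saying whether it is equivalent to the "SSL" specifier, and therefore does not affect TLSv1.3, would remove the ambiguity for admins who expect a single string to constrain every protocol version.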
<div class="directive-section"><h2><a name="SSLEngine" id="SSLEngine">SSLEngine</a> <a name="sslengine" id="sslengine">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>SSL Engine Operation Switch</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLEngine on|off|optional|addr[:port] [addr[:port]] ...</code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLEngine on|off|optional</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLEngine off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The <code>addr:port</code> parameter is available in Apache 2.4.30 and later.</td></tr>
</table>
<p>
-This directive toggles the usage of the SSL/TLS Protocol Engine. Values 'on',
-'off' and 'optional' should be used inside a <code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code> section to enable SSL/TLS for a
+This directive toggles the usage of the SSL/TLS Protocol Engine. This
+is should be used inside a <code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code> section to enable SSL/TLS for a
that virtual host. By default the SSL/TLS Protocol Engine is
disabled for both the main server and all configured virtual hosts.</p>
<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><VirtualHost _default_:443>
#...
</VirtualHost></pre>
</div>
-<p>The <code>addr:port</code> values should be used in the
-global server to enable the SSL/TLS Protocol Engine for <em>all</em>
-<code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code>s
-that match one of the addresses in the list.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLEngine *:443
-<VirtualHost *:443>
-#...
-</VirtualHost></pre>
-</div>
<p><code class="directive">SSLEngine</code> can be set to <code>optional</code>:
this enables support for
<a href="http://www.ietf.org/rfc/rfc2817.txt">RFC 2817</a>.
<li><code>intermediate</code>: the fallback if you need to support old (but not very old) clients.</li>
<li><code>old</code>: when you need to give Windows XP/Internet Explorer 6 access. The last resort.</li>
</ul>
+<p>SSLPolicy applies configuration settings in place, meaning previous values are
+overwritten. Configuration directives following an SSLPolicy may overwrite it.
+</p>
<p>You can check the detailed description of all defined policies via the command line:</p>
<div class="example"><h3>List all Defined Policies</h3><pre class="prettyprint lang-sh">httpd -t -D DUMP_SSL_POLICIES</pre>
</div>
-<p>A SSLPolicy defines the baseline for the context it is used in. That means that any
-other SSL* directives in the same context override it. As an example of this, see the effective
-<code class="directive">SSLProtocol</code> value in the following settings:</p>
-
-<div class="example"><h3>Policy Precedence</h3><pre class="prettyprint lang-config"><VirtualHost...> # effective: 'all'
- SSLPolicy modern
- SSLProtocol all
-</VirtualHost>
-
-<VirtualHost...> # effective: 'all'
- SSLProtocol all
- SSLPolicy modern
-</VirtualHost>
-
-SSLPolicy modern
-<VirtualHost...> # effective: 'all'
- SSLProtocol all
-</VirtualHost>
-
-SSLProtocol all
-<VirtualHost...> # effective: '+TLSv1.2'
- SSLPolicy modern
-</VirtualHost></pre>
-</div>
-
-<p>There can be more than one policy applied in a context. The
-later ones overshadowing the earlier ones:</p>
-
-<div class="example"><h3>Policy Ordering</h3><pre class="prettyprint lang-config"><VirtualHost...> # effective protocol: 'all -SSLv3'
- SSLPolicy modern
- SSLPolicy intermediate
-</VirtualHost>
-
-<VirtualHost...> # effective protocol: '+TLSv1.2'
- SSLPolicy intermediate
- SSLPolicy modern
-</VirtualHost></pre>
-</div>
-
-
-</div>
-<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
-<div class="directive-section"><h2><a name="SSLPolicyDefinesection" id="SSLPolicyDefinesection"><SSLPolicyDefine></a> <a name="sslpolicydefinesection" id="sslpolicydefinesection">Directive</a></h2>
-<table class="directive">
-<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Define a named set of SSL configurations</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code><SSLPolicyDefine <em>name</em>></code></td></tr>
-<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
-<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
-<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.4.30 and later</td></tr>
-</table>
-<p>This directive defines a set of SSL* configurations under
-and gives it a name. This name can be used in the directives
-<code class="directive">SSLPolicy</code> and <code class="directive">SSLProxyPolicy</code>
-to apply this configuration set in the current context.</p>
-
-<div class="example"><h3>Define and Use of a Policy</h3><pre class="prettyprint lang-config"><SSLPolicyDefine safe-stapling>
- SSLUseStapling on
- SSLStaplingResponderTimeout 2
- SSLStaplingReturnResponderErrors off
- SSLStaplingFakeTryLater off
- SSLStaplingStandardCacheTimeout 86400
-</SSLPolicyDefine>
-
- ...
- <VirtualHost...>
- SSLPolicy safe-stapling
- ...</pre>
-</div>
-
-<p>On the one hand, this can make server configurations easier to
-<em>read</em> and <em>maintain</em>. On the other hand, it is
-intended to make SSL easier and safer to <em>use</em>. For the
-latter, Apache httpd ships with a set of pre-defined policies
-that reflect good open source practise. The policy "modern",
-for example, carries the settings to make your server work
-compatible and securely with current browsers.</p>
-
-<p>The list of predefined policies in your Apache can be obtained
-by running the following command. This list shows you the
-detailed configurations each policy is made of:</p>
-
-<div class="example"><h3>List all Defined Policies</h3><pre class="prettyprint lang-sh">httpd -t -D DUMP_SSL_POLICIES</pre>
-</div>
-
-<p>The directive can only be used in the server config (global context). It can take
-most SSL* directives, however a few can only be set once and are not allowed inside
-policy defintions. These are <code class="directive">SSLCryptoDevice</code>,
-<code class="directive">SSLRandomSeed</code>,
-<code class="directive">SSLSessionCache</code> and
-<code class="directive">SSLStaplingCache</code>.
-</p>
-<p>Two policies cannot have the same name. However, policies can
-be redefined:</p>
-
-<div class="example"><h3>Policy Overwrite</h3><pre class="prettyprint lang-config"><SSLPolicyDefine proxy-trust>
- SSLProxyVerify require
-</SSLPolicyDefine>
- ...
-<SSLPolicyDefine proxy-trust>
- SSLProxyVerify none
-</SSLPolicyDefine></pre>
-</div>
-
-<p>Policy definitions are <em>added</em> in the order they appear, but are
-<em>applied</em> when the whole configuration has been read. This means that any
-use of 'proxy-trust' will mean 'SSLProxyVerify none'. The first definition
-has no effect at all. That allows pre-installed policies to be replaced
-without the need to disable them.</p>
-
-<p>Additional to replacing policies, redefinitions may just alter
-an aspect of a policy:</p>
-
-<div class="example"><h3>Policy Redefine</h3><pre class="prettyprint lang-config"><SSLPolicyDefine proxy-trust>
- SSLProxyVerify require
-</SSLPolicyDefine>
- ...
-<SSLPolicyDefine proxy-trust>
- SSLPolicy proxy-trust
- SSLProxyVerifyDepth 10
-</SSLPolicyDefine></pre>
-</div>
-
-<p>This re-uses all settings from the previous 'proxy-trust' and adds
-one directive on top of it. All others still apply. This is very handy
-when pre-defined policies (from Apache itself or a distributor)
-that <em>almost</em> what you need. Previously, such definitions were
-(copied and) edited. This made updating them difficult. Now they can
-be setup like this:</p>
-
-<div class="example"><h3>Tweak a Pre-Defined Policy</h3><pre class="prettyprint lang-config">Include ssl-policies.conf
-
-<SSLPolicyDefine modern>
- SSLPolicy modern
- SSLProxyVerify none
-</SSLPolicyDefine></pre>
-</div>
-
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
A revision of the TLS 1.1 protocol, as defined in
<a href="http://www.ietf.org/rfc/rfc5246.txt">RFC 5246</a>.</p></li>
+<li><code>TLSv1.3</code> (when using OpenSSL 1.1.1 and later)
+ <p>
+ A new version of the TLS protocol, as defined in
+ <a href="https://github.com/tlswg/tls13-spec">RFC TBD</a>.</p></li>
+
<li><code>all</code>
<p>
This is a shortcut for ``<code>+SSLv3 +TLSv1</code>'' or
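Review bot: L240 links the TLSv1.3 entry to the draft repository with the visible text "RFC TBD"; that placeholder will ship in the rendered docs, so either track it for replacement with the published RFC number or word it as a draft reference. Also check the `all` shortcut description beginning at L244 ("+SSLv3 +TLSv1 ..."): since a `TLSv1.3` value is being added to the list just above it, the shortcut text should state whether `all` includes TLSv1.3 when OpenSSL 1.1.1 or later is in use, otherwise administrators relying on `SSLProtocol all -SSLv3` cannot tell from the page whether TLSv1.3 is enabled.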
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Cipher Suite available for negotiation in SSL
proxy handshake</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCipherSuite <em>cipher-spec</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCipherSuite [<em>protocol</em>] <em>cipher-spec</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyMachineCertificatePath "/usr/local/apache2/conf/proxy.crt/"</pre>
</div>
-</div>
-<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
-<div class="directive-section"><h2><a name="SSLProxyPolicy" id="SSLProxyPolicy">SSLProxyPolicy</a> <a name="sslproxypolicy" id="sslproxypolicy">Directive</a></h2>
-<table class="directive">
-<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Apply the SSLProxy* parts alone of a SSLPolicy</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyPolicy <em>name</em></code></td></tr>
-<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
-<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
-<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.4.30 and later</td></tr>
-</table>
-<p>This directive is similar to <code class="directive">SSLPolicy</code>, but
-applies only the SSLProxy* directives defined in the policy. This helps
-when you need different policies for front and backends:</p>
-
-<div class="example"><h3>Another Policies for Proxy Only</h3><pre class="prettyprint lang-config">SSLPolicy modern
-SSLProxyPolicy intermediate</pre>
-</div>
-
-<p>In this example, the 'modern' policy is first applied for front- and backend. The backend
-parts are then overwritten by the 'intermediate' policy settings.</p>
-
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLProxyProtocol" id="SSLProxyProtocol">SSLProxyProtocol</a> <a name="sslproxyprotocol" id="sslproxyprotocol">Directive</a></h2>