<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
+<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
+<!--
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This file is generated from xml source: DO NOT EDIT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-->
-<title>mod_ssl - Apache HTTP Server</title>
+<title>mod_ssl - Apache HTTP Server Version 2.5</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
-<script src="../style/scripts/prettify.js" type="text/javascript">
+<script src="../style/scripts/prettify.min.js" type="text/javascript">
</script>
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<p>Further details, discussion, and examples are provided in the
<a href="../ssl/">SSL documentation</a>.</p>
</div>
-<div id="quickview"><h3 class="directives">Directives</h3>
+<div id="quickview"><h3>Topics</h3>
+<ul id="topics">
+<li><img alt="" src="../images/down.gif" /> <a href="#envvars">Environment Variables</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#logformats">Custom Log Formats</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#notes">Request Notes</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#expressionparser">Expression Parser Extension</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#authzproviders">Authorization providers for use with Require</a></li>
+</ul><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="../images/down.gif" /> <a href="#sslcacertificatefile">SSLCACertificateFile</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslcacertificatepath">SSLCACertificatePath</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslocsprespondertimeout">SSLOCSPResponderTimeout</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslocspresponsemaxage">SSLOCSPResponseMaxAge</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslocspresponsetimeskew">SSLOCSPResponseTimeSkew</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#sslocspuserequestnonce">SSLOCSPUseRequestNonce</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#sslopensslconfcmd">SSLOpenSSLConfCmd</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ssloptions">SSLOptions</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslpassphrasedialog">SSLPassPhraseDialog</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslprotocol">SSLProtocol</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslsessioncache">SSLSessionCache</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslsessioncachetimeout">SSLSessionCacheTimeout</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslsessionticketkeyfile">SSLSessionTicketKeyFile</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#sslsessiontickets">SSLSessionTickets</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslsrpunknownuserseed">SSLSRPUnknownUserSeed</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslsrpverifierfile">SSLSRPVerifierFile</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslstaplingcache">SSLStaplingCache</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslverifyclient">SSLVerifyClient</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslverifydepth">SSLVerifyDepth</a></li>
</ul>
-<h3>Topics</h3>
-<ul id="topics">
-<li><img alt="" src="../images/down.gif" /> <a href="#envvars">Environment Variables</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#logformats">Custom Log Formats</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#notes">Request Notes</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#authzproviders">Authorization providers for use with Require</a></li>
-</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
+<ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="envvars" id="envvars">Environment Variables</a></h2>
<tr><td><code>SSL_CLIENT_M_SERIAL</code></td> <td>string</td> <td>The serial of the client certificate</td></tr>
<tr><td><code>SSL_CLIENT_S_DN</code></td> <td>string</td> <td>Subject DN in client's certificate</td></tr>
<tr><td><code>SSL_CLIENT_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of client's Subject DN</td></tr>
+<tr><td><code>SSL_CLIENT_SAN_Email_</code><em>n</em></td> <td>string</td> <td>Client certificate's subjectAltName extension entries of type rfc822Name</td></tr>
+<tr><td><code>SSL_CLIENT_SAN_DNS_</code><em>n</em></td> <td>string</td> <td>Client certificate's subjectAltName extension entries of type dNSName</td></tr>
+<tr><td><code>SSL_CLIENT_SAN_OTHER_msUPN_</code><em>n</em></td> <td>string</td> <td>Client certificate's subjectAltName extension entries of type otherName, Microsoft User Principal Name form (OID 1.3.6.1.4.1.311.20.2.3)</td></tr>
<tr><td><code>SSL_CLIENT_I_DN</code></td> <td>string</td> <td>Issuer DN of client's certificate</td></tr>
<tr><td><code>SSL_CLIENT_I_DN_</code><em>x509</em></td> <td>string</td> <td>Component of client's Issuer DN</td></tr>
<tr><td><code>SSL_CLIENT_V_START</code></td> <td>string</td> <td>Validity of client's certificate (start time)</td></tr>
<tr><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr>
<tr><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr>
<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr>
+<tr><td><code>SSL_CLIENT_CERT_RFC4523_CEA</code></td> <td>string</td> <td>Serial number and issuer of the certificate. The format matches that of the CertificateExactAssertion in RFC4523</td></tr>
<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr>
<tr><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr>
<tr><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr>
<tr><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr>
+<tr><td><code>SSL_SERVER_SAN_Email_</code><em>n</em></td> <td>string</td> <td>Server certificate's subjectAltName extension entries of type rfc822Name</td></tr>
+<tr><td><code>SSL_SERVER_SAN_DNS_</code><em>n</em></td> <td>string</td> <td>Server certificate's subjectAltName extension entries of type dNSName</td></tr>
+<tr><td><code>SSL_SERVER_SAN_OTHER_dnsSRV_</code><em>n</em></td> <td>string</td> <td>Server certificate's subjectAltName extension entries of type otherName, SRVName form (OID 1.3.6.1.5.5.7.8.7, RFC 4985)</td></tr>
<tr><td><code>SSL_SERVER_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Subject DN</td></tr>
<tr><td><code>SSL_SERVER_I_DN</code></td> <td>string</td> <td>Issuer DN of server's certificate</td></tr>
<tr><td><code>SSL_SERVER_I_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Issuer DN</td></tr>
For backward compatibility there is additionally a special
``<code>%{</code><em>name</em><code>}c</code>'' cryptography format function
provided. Information about this function is provided in the <a href="../ssl/ssl_compat.html">Compatibility</a> chapter.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">CustomLog "logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"</pre>
</div>
+<p>These formats even work without setting the <code>StdEnvVars</code>
+option of the <code class="directive"><a href="#ssloptions">SSLOptions</a></code>
+directive.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="notes" id="notes">Request Notes</a></h2>
for the current connection, the note is not set.</dd>
</dl>
+</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="expressionparser" id="expressionparser">Expression Parser Extension</a></h2>
+
+<p>When <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> is built into Apache or at least
+loaded (under DSO situation) any <a name="envvars">variables</a>
+provided by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> can be used in expressions
+for the <a href="../expr.html">ap_expr Expression Parser</a>.
+The variables can be referenced using the syntax
+``<code>%{</code><em>varname</em><code>}</code>''. Starting
+with version 2.4.18 one can also use the
+<code class="module"><a href="../mod/mod_rewrite.html">mod_rewrite</a></code> style syntax
+``<code>%{SSL:</code><em>varname</em><code>}</code>'' or
+the function style syntax
+``<code>ssl(</code><em>varname</em><code>)</code>''.</p>
+<div class="example"><h3>Example (using <code class="module"><a href="../mod/mod_headers.html">mod_headers</a></code>)</h3><pre class="prettyprint lang-config">Header set X-SSL-PROTOCOL "expr=%{SSL_PROTOCOL}"
+Header set X-SSL-CIPHER "expr=%{SSL:SSL_CIPHER}"</pre>
+</div>
+<p>This feature even works without setting the <code>StdEnvVars</code>
+option of the <code class="directive"><a href="#ssloptions">SSLOptions</a></code>
+directive.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="authzproviders" id="authzproviders">Authorization providers for use with Require</a></h2>
encrypted with SSL. This is similar to the
<code class="directive">SSLRequireSSL</code> directive.</p>
- <pre class="prettyprint lang-config">
- Require ssl
- </pre>
+ <pre class="prettyprint lang-config">Require ssl</pre>
<p>The following example grants access if the user is authenticated
either with a client certificate or by username and password.</p>
- <pre class="prettyprint lang-config">
- Require ssl-verify-client<br />
- Require valid-user
- </pre>
+ <pre class="prettyprint lang-config"> Require ssl-verify-client<br />
+ Require valid-user</pre>
concatenation of the various PEM-encoded Certificate files, in order of
preference. This can be used alternatively and/or additionally to
<code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code>.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt</pre>
</div>
</div>
there: you also have to create symbolic links named
<em>hash-value</em><code>.N</code>. And you should always make sure this directory
contains the appropriate symbolic links.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/</pre>
</div>
</div>
specify an <em>all-in-one</em> file containing a concatenation of
PEM-encoded CA certificates.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt</pre>
</div>
</div>
Certificate files there: you also have to create symbolic links named
<em>hash-value</em><code>.N</code>. And you should always make sure
this directory contains the appropriate symbolic links.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLCADNRequestPath /usr/local/apache2/conf/ca-names.crt/
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCADNRequestPath /usr/local/apache2/conf/ca-names.crt/</pre>
</div>
</div>
<code>"unable to get certificate CRL"</code> error.
</p>
</div>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLCARevocationCheck chain
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCARevocationCheck chain</pre>
</div>
</div>
for Client Authentication. Such a file is simply the concatenation of
the various PEM-encoded CRL files, in order of preference. This can be
used alternatively and/or additionally to <code class="directive"><a href="#sslcarevocationpath">SSLCARevocationPath</a></code>.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-client.crl
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-client.crl</pre>
</div>
</div>
Additionally you have to create symbolic links named
<em>hash-value</em><code>.rN</code>. And you should always make sure this directory
contains the appropriate symbolic links.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLCARevocationPath /usr/local/apache2/conf/ssl.crl/
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCARevocationPath /usr/local/apache2/conf/ssl.crl/</pre>
</div>
</div>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
+<div class="note"><h3>SSLCertificateChainFile is deprecated</h3>
+<p><code>SSLCertificateChainFile</code> became obsolete with version 2.4.8,
+when <code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>
+was extended to also load intermediate CA certificates from the server
+certificate file.</p>
+</div>
+
<p>
This directive sets the optional <em>all-in-one</em> file where you can
assemble the certificates of Certification Authorities (CA) which form the
using a coupled RSA+DSA certificate pair, this will work only if actually both
certificates use the <em>same</em> certificate chain. Else the browsers will be
confused in this situation.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt</pre>
</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLCertificateFile" id="SSLCertificateFile">SSLCertificateFile</a> <a name="sslcertificatefile" id="sslcertificatefile">Directive</a></h2>
<table class="directive">
-<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded X.509 Certificate file</td></tr>
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded X.509 certificate data file</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateFile <em>file-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
-This directive points to the file with the PEM-encoded certificate,
-optionally also the corresponding private key, and - beginning with
-version 2.5.0-dev as of 2013-09-29 - DH parameters and/or an EC curve name
-for ephemeral keys (as generated by <code>openssl dhparam</code>
-and <code>openssl ecparam</code>, respectively). If the private key
-is encrypted, the pass phrase dialog is forced at startup time.
+This directive points to a file with certificate data in PEM format.
+At a minimum, the file must include an end-entity (leaf) certificate.
+The directive can be used multiple times (referencing different filenames)
+to support multiple algorithms for server authentication - typically
+RSA, DSA, and ECC. The number of supported algorithms depends on the
+OpenSSL version being used for mod_ssl: with version 1.0.0 or later,
+<code>openssl list-public-key-algorithms</code> will output a list
+of supported algorithms.
</p>
+
+<p>
+The files may also include intermediate CA certificates, sorted from
+leaf to root. This is supported with version 2.4.8 and later,
+and obsoletes <code class="directive"><a href="#sslcertificatechainfile">SSLCertificateChainFile</a></code>.
+When running with OpenSSL 1.0.2 or later, this allows
+to configure the intermediate CA chain on a per-certificate basis.
+</p>
+
<p>
-This directive can be used up to three times (referencing different filenames)
-when both an RSA, a DSA, and an ECC based server certificate is used in
-parallel. Note that DH and ECDH parameters are only read from the first
-<code class="directive">SSLCertificateFile</code> directive.</p>
+Custom DH parameters and an EC curve name for ephemeral keys,
+can also be added to end of the first file configured using
+<code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>.
+This is supported in version 2.4.7 or later.
+Such parameters can be generated using the commands
+<code>openssl dhparam</code> and <code>openssl ecparam</code>.
+The parameters can be added as-is to the end of the first
+certificate file. Only the first file can be used for custom
+parameters, as they are applied independently of the authentication
+algorithm type.
+</p>
+
+<p>
+Finally the end-entity certificate's private key can also be
+added to the certificate file instead of using a separate
+<code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code>
+directive. This practice is highly discouraged. If it is used,
+the certificate files using such an embedded key must be configured
+after the certificates using a separate key file. If the private
+key is encrypted, the pass phrase dialog is forced at startup time.
+</p>
<div class="note">
<h3>DH parameter interoperability with primes > 1024 bit</h3>
<p>
-Beginning with version 2.5.0-dev as of 2013-09-29, mod_ssl makes use of
+Beginning with version 2.4.7, mod_ssl makes use of
standardized DH parameters with prime lengths of 2048, 3072 and 4096 bits
+and with additional prime lengths of 6144 and 8192 bits beginning with
+version 2.4.10
(from <a href="http://www.ietf.org/rfc/rfc3526.txt">RFC 3526</a>), and hands
them out to clients based on the length of the certificate's RSA/DSA key.
With Java-based clients in particular (Java 7 or earlier), this may lead
</p>
</div>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt</pre>
</div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLCertificateKeyFile" id="SSLCertificateKeyFile">SSLCertificateKeyFile</a> <a name="sslcertificatekeyfile" id="sslcertificatekeyfile">Directive</a></h2>
<table class="directive">
-<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded Private Key file</td></tr>
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded private key file</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateKeyFile <em>file-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
-This directive points to the PEM-encoded Private Key file for the
-server. If the Private Key is not combined with the Certificate in the
-<code class="directive">SSLCertificateFile</code>, use this additional directive to
-point to the file with the stand-alone Private Key. When
-<code class="directive">SSLCertificateFile</code> is used and the file
-contains both the Certificate and the Private Key this directive need
-not be used. But we strongly discourage this practice. Instead we
-recommend you to separate the Certificate and the Private Key. If the
-contained Private Key is encrypted, the Pass Phrase dialog is forced
-at startup time. This directive can be used up to three times
-(referencing different filenames) when both a RSA, a DSA, and an ECC based
-private key is used in parallel.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
-</pre>
+This directive points to the PEM-encoded private key file for the
+server. If the contained private key is encrypted, the pass phrase
+dialog is forced at startup time.</p>
+
+<p>
+The directive can be used multiple times (referencing different filenames)
+to support multiple algorithms for server authentication. For each
+<code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code>
+directive, there must be a matching <code class="directive">SSLCertificateFile</code>
+directive.</p>
+
+<p>
+The private key may also be combined with the certificate in the file given by
+<code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>, but this practice
+is highly discouraged. If it is used, the certificate files using such
+an embedded key must be configured after the certificates using a separate
+key file.</p>
+
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key</pre>
</div>
</div>
<div class="note">
<h3><code>aNULL</code>, <code>eNULL</code> and <code>EXP</code>
ciphers are always disabled</h3>
-<p>Beginning with version 2.5.0-dev as of 2013-09-25, null and export-grade
-ciphers are always disabled, as mod_ssl unconditionally prepends any supplied
-cipher suite string with <code>!aNULL:!eNULL:!EXP:</code> at initialization.</p>
+<p>Beginning with version 2.4.7, null and export-grade
+ciphers are always disabled, as mod_ssl unconditionally adds
+<code>!aNULL:!eNULL:!EXP</code> to any cipher string at initialization.</p>
</div>
<p>A simpler way to look at all of this is to use the ``<code>openssl ciphers
Finally, remove all ciphers which do not authenticate, i.e. for SSL the
Anonymous Diffie-Hellman ciphers, as well as all ciphers which use
<code>MD5</code> as hash algorithm, because it has been proven insufficient.</p>
-<div class="example"><pre>
-$ openssl ciphers -v 'RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5'
+<div class="example"><pre>$ openssl ciphers -v 'RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5'
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
... ... ... ... ...
SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1
-KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
-</pre></div>
+KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1</pre></div>
<p>The complete list of particular RSA & DH ciphers for SSL is given in <a href="#table2">Table 2</a>.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW</pre>
</div>
<table class="bordered">
<p>To discover which engine names are supported, run the command
"<code>openssl engine</code>".</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-# For a Broadcom accelerator:
-SSLCryptoDevice ubsec
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"># For a Broadcom accelerator:
+SSLCryptoDevice ubsec</pre>
</div>
</div>
is should be used inside a <code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code> section to enable SSL/TLS for a
that virtual host. By default the SSL/TLS Protocol Engine is
disabled for both the main server and all configured virtual hosts.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-<VirtualHost _default_:443>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><VirtualHost _default_:443>
SSLEngine on
#...
-</VirtualHost>
-</pre>
+</VirtualHost></pre>
</div>
<p>In Apache 2.1 and later, <code class="directive">SSLEngine</code> can be set to
<code>optional</code>. This enables support for
<div class="directive-section"><h2><a name="SSLHonorCipherOrder" id="SSLHonorCipherOrder">SSLHonorCipherOrder</a> <a name="sslhonorcipherorder" id="sslhonorcipherorder">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Option to prefer the server's cipher preference order</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLHonorCipherOrder <em>flag</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLHonorCipherOrder on|off</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLHonorCipherOrder off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available if using OpenSSL 0.9.7 or later</td></tr>
</table>
<p>When choosing a cipher during an SSLv3 or TLSv1 handshake, normally
the client's preference is used. If this directive is enabled, the
server's preference will be used instead.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLHonorCipherOrder on
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLHonorCipherOrder on</pre>
</div>
</div>
<div class="directive-section"><h2><a name="SSLInsecureRenegotiation" id="SSLInsecureRenegotiation">SSLInsecureRenegotiation</a> <a name="sslinsecurerenegotiation" id="sslinsecurerenegotiation">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Option to enable support for insecure renegotiation</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLInsecureRenegotiation <em>flag</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLInsecureRenegotiation on|off</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLInsecureRenegotiation off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555">CVE-2009-3555</a>.</p>
</div>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLInsecureRenegotiation on
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLInsecureRenegotiation on</pre>
</div>
<p>The <code>SSL_SECURE_RENEG</code> environment variable can be used
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</td></tr>
</table>
<p>This option sets the default OCSP responder to use. If <code class="directive"><a href="#sslocspoverrideresponder">SSLOCSPOverrideResponder</a></code> is not enabled,
the URI given will be used only if no responder URI is specified in
<div class="directive-section"><h2><a name="SSLOCSPEnable" id="SSLOCSPEnable">SSLOCSPEnable</a> <a name="sslocspenable" id="sslocspenable">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable OCSP validation of the client certificate chain</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPEnable <em>flag</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPEnable on|off</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLOCSPEnable off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</td></tr>
</table>
<p>This option enables OCSP validation of the client certificate
chain. If this option is enabled, certificates in the client's
<code class="directive"><a href="#sslocspoverrideresponder">SSLOCSPOverrideResponder</a></code>
directives.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLVerifyClient on
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLVerifyClient on
SSLOCSPEnable on
SSLOCSPDefaultResponder http://responder.example.com:8888/responder
-SSLOCSPOverrideResponder on
-</pre>
+SSLOCSPOverrideResponder on</pre>
</div>
</div>
<div class="directive-section"><h2><a name="SSLOCSPOverrideResponder" id="SSLOCSPOverrideResponder">SSLOCSPOverrideResponder</a> <a name="sslocspoverrideresponder" id="sslocspoverrideresponder">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Force use of the default responder URI for OCSP validation</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPOverrideResponder <em>flag</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPOverrideResponder on|off</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLOCSPOverrideResponder off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</td></tr>
</table>
<p>This option forces the configured default OCSP responder to be used
during OCSP certificate validation, regardless of whether the
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</td></tr>
</table>
<p>This option sets the timeout for queries to OCSP responders, when
<code class="directive"><a href="#sslocspenable">SSLOCSPEnable</a></code> is turned on.</p>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</td></tr>
</table>
<p>This option sets the maximum allowable age ("freshness") for OCSP responses.
The default value (<code>-1</code>) does not enforce a maximum age,
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3 and later, if using OpenSSL 0.9.7 or later</td></tr>
</table>
<p>This option sets the maximum allowable time skew for OCSP responses
(when checking their <code>thisUpdate</code> and <code>nextUpdate</code> fields).</p>
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="SSLOCSPUseRequestNonce" id="SSLOCSPUseRequestNonce">SSLOCSPUseRequestNonce</a> <a name="sslocspuserequestnonce" id="sslocspuserequestnonce">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Use a nonce within OCSP queries</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPUseRequestNonce on|off</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLOCSPUseRequestNonce on</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.4.10 and later</td></tr>
+</table>
+<p>This option determines whether queries to OCSP responders should contain
+a nonce or not. By default, a query nonce is always used and checked against
+the response's one. When the responder does not use nonces (e.g. Microsoft OCSP
+Responder), this option should be turned <code>off</code>.</p>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="SSLOpenSSLConfCmd" id="SSLOpenSSLConfCmd">SSLOpenSSLConfCmd</a> <a name="sslopensslconfcmd" id="sslopensslconfcmd">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Configure OpenSSL parameters through its <em>SSL_CONF</em> API</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOpenSSLConfCmd <em>command-name</em> <em>command-value</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.4.8 and later, if using OpenSSL 1.0.2 or later</td></tr>
+</table>
+<p>This directive exposes OpenSSL's <em>SSL_CONF</em> API to mod_ssl,
+allowing a flexible configuration of OpenSSL parameters without the need
+of implementing additional <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> directives when new
+features are added to OpenSSL.</p>
+
+<p>The set of available <code class="directive">SSLOpenSSLConfCmd</code> commands
+depends on the OpenSSL version being used for <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>
+(at least version 1.0.2 is required). For a list of supported command
+names, see the section <em>Supported configuration file commands</em> in the
+<a href="http://www.openssl.org/docs/man1.0.2/ssl/SSL_CONF_cmd.html#SUPPORTED-CONFIGURATION-FILE-COMMANDS">SSL_CONF_cmd(3)</a> manual page for OpenSSL.</p>
+
+<p>Some of the <code class="directive">SSLOpenSSLConfCmd</code> commands can be used
+as an alternative to existing directives (such as
+<code class="directive"><a href="#sslciphersuite">SSLCipherSuite</a></code> or
+<code class="directive"><a href="#sslprotocol">SSLProtocol</a></code>),
+though it should be noted that the syntax / allowable values for the parameters
+may sometimes differ.</p>
+
+<div class="example"><h3>Examples</h3><pre class="prettyprint lang-config">SSLOpenSSLConfCmd Options -SessionTicket,ServerPreference
+SSLOpenSSLConfCmd ECDHParameters brainpoolP256r1
+SSLOpenSSLConfCmd ServerInfoFile /usr/local/apache2/conf/server-info.pem
+SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2"
+SSLOpenSSLConfCmd SignatureAlgorithms RSA+SHA384:ECDSA+SHA256</pre>
+</div>
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLOptions" id="SSLOptions">SSLOptions</a> <a name="ssloptions" id="ssloptions">Directive</a></h2>
SSL parameters causes a <em>full</em> SSL renegotiation handshake. When this
option is used mod_ssl tries to avoid unnecessary handshakes by doing more
granular (but still safe) parameter checks. Nevertheless these granular
- checks sometimes maybe not what the user expects, so enable this on a
+ checks sometimes may not be what the user expects, so enable this on a
per-directory basis only, please.</p>
</li>
<li><code>LegacyDNStringFormat</code>
</p>
</li>
</ul>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLOptions +FakeBasicAuth -StrictRequire
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLOptions +FakeBasicAuth -StrictRequire
<Files ~ "\.(cgi|shtml)$">
SSLOptions +StdEnvVars -ExportCertData
-<Files>
-</pre>
+<Files></pre>
</div>
</div>
<li><code>exec:/path/to/program</code>
<p>
Here an external program is configured which is called at startup for each
- encrypted Private Key file. It is called with two arguments (the first is
- of the form ``<code>servername:portnumber</code>'', the second is either
- ``<code>RSA</code>'', ``<code>DSA</code>'', or ``<code>ECC</code>''), which
- indicate for which server and algorithm it has to print the corresponding
+ encrypted Private Key file. It is called with one argument, a string of the
+ form ``<code>servername:portnumber:index</code>'' (with <code>index</code>
+ being a zero-based sequence number), which indicates for which server,
+ TCP port and certificate number it has to print the corresponding
Pass Phrase to <code>stdout</code>. The intent is that this external
program first runs security checks to make sure that the system is not
compromised by an attacker, and only when these checks were passed
The reuse-algorithm above is used here, too. In other words: The external
program is called only once per unique Pass Phrase.</p></li>
</ul>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter</pre>
</div>
</div>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Configure usable SSL/TLS protocol versions</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProtocol [+|-]<em>protocol</em> ...</code></td></tr>
-<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLProtocol all</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLProtocol all -SSLv3</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
<p>
This is the Secure Sockets Layer (SSL) protocol, version 3.0, from
the Netscape Corporation.
- It is the successor to SSLv2 and the predecessor to TLSv1.</p></li>
+ It is the successor to SSLv2 and the predecessor to TLSv1, but is
+ deprecated in <a href="http://www.ietf.org/rfc/rfc7568.txt">RFC 7568</a>.</p></li>
<li><code>TLSv1</code>
<p>
<p>
This is a shortcut for ``<code>+SSLv3 +TLSv1</code>'' or
- when using OpenSSL 1.0.1 and later -
- ``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>, respectively.</p></li>
+ ``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>'', respectively
+ (except for OpenSSL versions compiled with the ``no-ssl3'' configuration
+ option, where <code>all</code> does not include <code>+SSLv3</code>).</p></li>
</ul>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLProtocol TLSv1
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProtocol TLSv1</pre>
</div>
</div>
concatenation of the various PEM-encoded Certificate files, in order of
preference. This can be used alternatively and/or additionally to
<code class="directive"><a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></code>.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLProxyCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-remote-server.crt
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-remote-server.crt</pre>
</div>
</div>
there: you also have to create symbolic links named
<em>hash-value</em><code>.N</code>. And you should always make sure this directory
contains the appropriate symbolic links.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLProxyCACertificatePath /usr/local/apache2/conf/ssl.crt/
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyCACertificatePath /usr/local/apache2/conf/ssl.crt/</pre>
</div>
</div>
<code>"unable to get certificate CRL"</code> error.
</p>
</div>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLProxyCARevocationCheck chain
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyCARevocationCheck chain</pre>
</div>
</div>
for Remote Server Authentication. Such a file is simply the concatenation of
the various PEM-encoded CRL files, in order of preference. This can be
used alternatively and/or additionally to <code class="directive"><a href="#sslproxycarevocationpath">SSLProxyCARevocationPath</a></code>.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLProxyCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-remote-server.crl
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-remote-server.crl</pre>
</div>
</div>
Additionally you have to create symbolic links named
<em>hash-value</em><code>.rN</code>. And you should always make sure this directory
contains the appropriate symbolic links.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLProxyCARevocationPath /usr/local/apache2/conf/ssl.crl/
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyCARevocationPath /usr/local/apache2/conf/ssl.crl/</pre>
</div>
</div>
a 502 status code (Bad Gateway) is sent.
</p>
<p>
-SSLProxyCheckPeerCN has been superseded by
+In 2.4.5 and later, SSLProxyCheckPeerCN has been superseded by
<code class="directive"><a href="#sslproxycheckpeername">SSLProxyCheckPeerName</a></code>, and its
setting is only taken into account when
<code>SSLProxyCheckPeerName off</code> is specified at the same time.
</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLProxyCheckPeerCN on
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyCheckPeerCN on</pre>
</div>
</div>
is expired or not. If the check fails a 502 status code (Bad Gateway) is
sent.
</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLProxyCheckPeerExpire on
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyCheckPeerExpire on</pre>
</div>
</div>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Apache HTTP Server 2.4.5 and later</td></tr>
</table>
<p>
This directive configures host name checking for server certificates
SSLProxyEngine is not required to enable a forward proxy server to
proxy SSL/TLS requests.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-<VirtualHost _default_:443>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><VirtualHost _default_:443>
SSLProxyEngine on
#...
-</VirtualHost>
-</pre>
+</VirtualHost></pre>
</div>
</div>
</p>
<div class="warning"><h3>Security warning</h3>
<p>If this directive is enabled, all of the certificates in the file will be
-trusted as if they were also in <code class="directive"><a href="# sslproxycacertificatefile">
+trusted as if they were also in <code class="directive"><a href="#sslproxycacertificatefile">
SSLProxyCACertificateFile</a></code>.</p>
</div>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLProxyMachineCertificateChainFile /usr/local/apache2/conf/ssl.crt/proxyCA.pem
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyMachineCertificateChainFile /usr/local/apache2/conf/ssl.crt/proxyCA.pem</pre>
</div>
</div>
<div class="warning">
<p>Currently there is no support for encrypted private keys</p>
</div>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLProxyMachineCertificateFile /usr/local/apache2/conf/ssl.crt/proxy.pem
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyMachineCertificateFile /usr/local/apache2/conf/ssl.crt/proxy.pem</pre>
</div>
</div>
<div class="warning">
<p>Currently there is no support for encrypted private keys</p>
</div>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLProxyMachineCertificatePath /usr/local/apache2/conf/proxy.crt/
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyMachineCertificatePath /usr/local/apache2/conf/proxy.crt/</pre>
</div>
</div>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Configure usable SSL protocol flavors for proxy usage</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyProtocol [+|-]<em>protocol</em> ...</code></td></tr>
-<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLProxyProtocol all</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLProxyProtocol all -SSLv3</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>Options</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<strong>optional</strong> doesn't work with all servers and level
<strong>optional_no_ca</strong> is actually against the idea of
authentication (but can be used to establish SSL test pages, etc.)</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLProxyVerify require
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyVerify require</pre>
</div>
</div>
the remote server certificate can be self-signed or has to be signed by a CA
which is directly known to the server (i.e. the CA's certificate is under
<code class="directive"><a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></code>), etc.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLProxyVerifyDepth 10
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyVerifyDepth 10</pre>
</div>
</div>
/crypto/</a>) to seed the PRNG. Use this if no random device exists
on your platform.</p></li>
</ul>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLRandomSeed startup builtin
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/random
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed startup exec:/usr/local/bin/truerand 16
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/random
-SSLRandomSeed connect file:/dev/urandom 1024
-</pre>
+SSLRandomSeed connect file:/dev/urandom 1024</pre>
</div>
</div>
memory must be considered when changing this configuration setting.
</p></div>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLRenegBufferSize 262144
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLRenegBufferSize 262144</pre>
</div>
</div>
The <em>expression</em> must match the following syntax (given as a BNF
grammar notation):</p>
<blockquote>
-<pre>
-expr ::= "<strong>true</strong>" | "<strong>false</strong>"
+<pre>expr ::= "<strong>true</strong>" | "<strong>false</strong>"
| "<strong>!</strong>" expr
| expr "<strong>&&</strong>" expr
| expr "<strong>||</strong>" expr
digit ::= [0-9]+
cstring ::= "..."
variable ::= "<strong>%{</strong>" varname "<strong>}</strong>"
-function ::= funcname "<strong>(</strong>" funcargs "<strong>)</strong>"
-</pre>
+function ::= funcname "<strong>(</strong>" funcargs "<strong>)</strong>"</pre>
</blockquote>
<p>For <code>varname</code> any of the variables described in <a href="#envvars">Environment Variables</a> can be used. For
<code>funcname</code> the available functions are listed in
the <a href="../expr.html#functions">ap_expr documentation</a>.</p>
<p>The <em>expression</em> is parsed into an internal machine
-representation when the configuration is loaded, and then evaluated
-during request processing. In .htaccess context, the <em>expression</em> is
-both parsed and executed each time the .htaccess file is encountered during
+representation when the configuration is loaded, and then evaluated
+during request processing. In .htaccess context, the <em>expression</em> is
+both parsed and executed each time the .htaccess file is encountered during
request processing.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
and %{TIME_WDAY} -ge 1 and %{TIME_WDAY} -le 5 \
and %{TIME_HOUR} -ge 8 and %{TIME_HOUR} -le 20 ) \
- or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
-</pre>
+ or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/</pre>
</div>
<p>The <code>PeerExtList(<em>object-ID</em>)</code> function expects
(If multiple extensions with the same OID are present, at least one
extension must match).</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6")
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6")</pre>
</div>
<div class="note"><h3>Notes on the PeerExtList function</h3>
host or directories for defending against configuration errors that expose
stuff that should be protected. When this directive is present all requests
are denied which are not using SSL.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLRequireSSL
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLRequireSSL</pre>
</div>
</div>
</ul>
-<div class="example"><h3>Examples</h3><pre class="prettyprint lang-config">
-SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data
-SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)
-</pre>
+<div class="example"><h3>Examples</h3><pre class="prettyprint lang-config">SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data
+SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)</pre>
</div>
<p>The <code>ssl-cache</code> mutex is used to serialize access to
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Applies also to RFC 5077 TLS session resumption in Apache 2.4.10 and later</td></tr>
</table>
<p>
This directive sets the timeout in seconds for the information stored in the
-global/inter-process SSL Session Cache and the OpenSSL internal memory cache.
+global/inter-process SSL Session Cache, the OpenSSL internal memory cache and
+for sessions resumed by TLS session resumption (RFC 5077).
It can be set as low as 15 for testing, but should be set to higher
values like 300 in real life.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLSessionCacheTimeout 600
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLSessionCacheTimeout 600</pre>
</div>
</div>
<p>Ticket keys should be rotated (replaced) on a frequent basis,
as this is the only way to invalidate an existing session ticket -
-OpenSSL currently doesn't allow to specify a limit for ticket lifetimes.</p>
+OpenSSL currently doesn't allow to specify a limit for ticket lifetimes.
+A new ticket key only gets used after restarting the web server.
+All existing session tickets become invalid after a restart.</p>
<div class="warning">
<p>The ticket key file contains sensitive keying material and should
<code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code>.</p>
</div>
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="SSLSessionTickets" id="SSLSessionTickets">SSLSessionTickets</a> <a name="sslsessiontickets" id="sslsessiontickets">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable or disable use of TLS session tickets</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLSessionTickets on|off</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLSessionTickets on</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.4.11 and later, if using OpenSSL 0.9.8f
+or later.</td></tr>
+</table>
+<p>This directive allows to enable or disable the use of TLS session tickets
+(RFC 5077).</p>
+<div class="warning">
+<p>TLS session tickets are enabled by default. Using them without restarting
+the web server with an appropriate frequency (e.g. daily) compromises perfect
+forward secrecy.</p>
+</div>
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLSRPUnknownUserSeed" id="SSLSRPUnknownUserSeed">SSLSRPUnknownUserSeed</a> <a name="sslsrpunknownuserseed" id="sslsrpunknownuserseed">Directive</a></h2>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.4.4 and later, if using OpenSSL 1.0.1 or
+later</td></tr>
</table>
<p>
This directive sets the seed used to fake SRP user parameters for unknown
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.4.4 and later, if using OpenSSL 1.0.1 or
+later</td></tr>
</table>
<p>
This directive enables TLS-SRP and sets the path to the OpenSSL SRP (Secure
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>Configures the cache used to store OCSP responses which get included
in the TLS handshake if <code class="directive"><a href="#sslusestapling">SSLUseStapling</a></code>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>Sets the timeout in seconds before <em>invalid</em> responses
in the OCSP stapling cache (configured through <code class="directive"><a href="#sslstaplingcache">SSLStaplingCache</a></code>) will expire.
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>When enabled and a query to an OCSP responder for stapling
purposes fails, mod_ssl will synthesize a "tryLater" response for the
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>This directive overrides the URI of an OCSP responder as obtained from
the authorityInfoAccess (AIA) extension of the certificate.
-Of potential use when going through a proxy for retrieving OCSP queries.</p>
+One potential use is when a proxy is used for retrieving OCSP queries.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>This option sets the timeout for queries to OCSP responders when
<code class="directive"><a href="#sslusestapling">SSLUseStapling</a></code> is enabled
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>This option sets the maximum allowable age ("freshness") when
considering OCSP responses for stapling purposes, i.e. when
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>This option sets the maximum allowable time skew when mod_ssl checks the
<code>thisUpdate</code> and <code>nextUpdate</code> fields of OCSP responses
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>When enabled, mod_ssl will pass responses from unsuccessful
stapling related OCSP queries (such as status errors, expired responses etc.)
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>Sets the timeout in seconds before responses in the OCSP stapling cache
(configured through <code class="directive"><a href="#sslstaplingcache">SSLStaplingCache</a></code>)
version of OpenSSL.
</p></div>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLStrictSNIVHostCheck on
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLStrictSNIVHostCheck on</pre>
</div>
</div>
instead controls the value of the username embedded within the basic
authentication header (see <a href="#ssloptions">SSLOptions</a>).</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLUserName SSL_CLIENT_S_DN_CN
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLUserName SSL_CLIENT_S_DN_CN</pre>
</div>
</div>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.3.3 and later, if using OpenSSL 0.9.8h or later</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available if using OpenSSL 0.9.8h or later</td></tr>
</table>
<p>This option enables OCSP stapling, as defined by the "Certificate
Status Request" TLS extension specified in RFC 6066. If enabled (and
(TLS Multiple Certificate Status Extension).
</p>
+<p>When OCSP stapling is enabled, the <code>ssl-stapling</code> mutex is used
+to control access to the OCSP stapling cache in order to prevent corruption,
+and the <code>sss-stapling-refresh</code> mutex is used to control refreshes
+of OCSP responses. These mutexes can be configured using the
+<code class="directive"><a href="../mod/core.html#mutex">Mutex</a></code> directive.
+</p>
+
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLVerifyClient" id="SSLVerifyClient">SSLVerifyClient</a> <a name="sslverifyclient" id="sslverifyclient">Directive</a></h2>
<strong>optional</strong> doesn't work with all browsers and level
<strong>optional_no_ca</strong> is actually against the idea of
authentication (but can be used to establish SSL test pages, etc.)</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLVerifyClient require
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLVerifyClient require</pre>
</div>
</div>
certificate can be self-signed or has to be signed by a CA which is directly
known to the server (i.e. the CA's certificate is under
<code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code>), etc.</p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">
-SSLVerifyDepth 10
-</pre>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLVerifyDepth 10</pre>
</div>
</div>
}
})(window, document);
//--><!]]></script></div><div id="footer">
-<p class="apache">Copyright 201
3 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="apache">Copyright 201
5 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><
projects / apache / blobdiff