<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
+<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
+<!--
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This file is generated from xml source: DO NOT EDIT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
<div id="page-header">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.5</p>
-<img alt="" src="../images/feather.gif" /></div>
+<img alt="" src="../images/feather.png" /></div>
<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.5</a> > <a href="./">Modules</a></div>
<h3>Summary</h3>
-<p>This module provides an implementation of Certificate Transparency, in
+<p>This module provides an implementation of Certificate Transparency, in
conjunction with <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> and command-line tools from the
<a href="https://code.google.com/p/certificate-transparency/">certificate-transparency</a>
open source project. The goal of Certificate Transparency is to expose the
servers and proxies:</p>
<ul>
- <li>Signed Certificate Timestamps (SCTs) can be obtained from logs
+ <li>Signed Certificate Timestamps (SCTs) can be obtained from logs
automatically and, in conjunction with any statically configured SCTs, sent
to aware clients in the ServerHello (during the handshake).</li>
<li>SCTs can be received by the proxy from origin servers in the ServerHello,
- in a certificate extension, and/or within stapled OCSP responses; any SCTs
+ in a certificate extension, and/or within stapled OCSP responses; any SCTs
received can be partially validated on-line and optionally queued for off-line
audit.</li>
<li>The proxy can be configured to disallow communication with an origin
testing.</p>
</div>
</div>
-<div id="quickview"><h3 class="directives">Directives</h3>
+<div id="quickview"><h3>Topics</h3>
+<ul id="topics">
+<li><img alt="" src="../images/down.gif" /> <a href="#server">Server processing overview</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#proxy">Proxy processing overview</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#logconf">Log configuration</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#static">Storing SCTs in a form consumable by mod_ssl_ct</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#logging">Logging CT status in the access log</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#audit">Off-line audit for proxy</a></li>
+</ul><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="../images/down.gif" /> <a href="#ctauditstorage">CTAuditStorage</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ctlogclient">CTLogClient</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ctstaticlogconfig">CTStaticLogConfig</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#ctstaticscts">CTStaticSCTs</a></li>
</ul>
-<h3>Topics</h3>
-<ul id="topics">
-<li><img alt="" src="../images/down.gif" /> <a href="#server">Server processing overview</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#proxy">Proxy processing overview</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#logconf">Log configuration</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#logging">Logging CT status in the access log</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#audit">Off-line audit for proxy</a></li>
-</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
+<h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&list_id=144532&product=Apache%20httpd-2&query_format=specific&order=changeddate%20DESC%2Cpriority%2Cbug_severity&component=mod_ssl_ct">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&component=mod_ssl_ct">Report a bug</a></li></ul><h3>See also</h3>
+<ul class="seealso">
+<li><a href="#comments_section">Comments</a></li></ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="server" id="server">Server processing overview</a></h2>
</ul>
<p>If verification fails for at least one SCT and verification was not
- successful for at least one SCT, the connection is aborted if
+ successful for at least one SCT, the connection is aborted if
<code class="directive"><a href="#ctproxyawareness">CTProxyAwareness</a></code> is set to
<em>require</em>.</p>
<dt>log URL</dt>
<dd>The URL of the log (for its API) is required by a server in order to
submit server certificates to the log. The server will submit
- each server certificate in order to obtain an SCT for each log with a
+ each server certificate in order to obtain an SCT for each log with a
configured URL, except when the log is also marked as distrusted or the
current time is not within any configured valid timestamp range.
<br />
</dl>
<p>Generally, only a small subset of this information is configured for a
- particular log. Refer to the documentation for the <code class="directive"><a href="#ctstaticlogconfig">CTStaticLogConfig</a></code> directive and the
+ particular log. Refer to the documentation for the <code class="directive"><a href="#ctstaticlogconfig">CTStaticLogConfig</a></code> directive and the
<code class="program"><a href="../programs/ctlogconfig.html">ctlogconfig</a></code> command for more specific information.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
+<h2><a name="static" id="static">Storing SCTs in a form consumable by mod_ssl_ct</a></h2>
+
+
+ <p><code class="module"><a href="../mod/mod_ssl_ct.html">mod_ssl_ct</a></code> allows you to configure SCTs statically
+ using the <code class="directive">CTStaticSCTs</code> directive. These must be
+ in binary form, ready to send to a client.</p>
+
+ <p>Sample code in the form of a Python script to build an SCT in the correct
+ format from data received from a log can be found in
+ <a href="https://github.com/tomrittervg/ct-tools">Tom Ritter's ct-tools
+ repository</a>. Refer to <code>write-sct.py</code></p>
+</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
<h2><a name="logging" id="logging">Logging CT status in the access log</a></h2>
- <p>Both proxy and server modes set the <code>SSL_CT_PEER_STATUS</code>
- variable to indicate if the peer is CT-aware.</p>
+ <p>Proxy and server modes set the <code>SSL_CT_PROXY_STATUS</code> and
+ <code>SSL_CT_CLIENT_STATUS</code> variables, respectively, to indicate
+ if the corresponding peer is CT-aware.</p>
- <p>Proxy mode sets the <code>SSL_PROXY_SCT_SOURCES</code> variable to
+ <p>Proxy mode sets the <code>SSL_CT_PROXY_SCT_SOURCES</code> variable to
indicate whether and where SCTs were obtained (ServerHello, certificate
extension, etc.).</p>
<p>The directory will contain files named <code><em>PID</em>.tmp</code> for
active child processes and files named <code><em>PID</em>.out</code> for exited
- child processes. These <code>.out</code> files are ready for off-line audit.
+ child processes. These <code>.out</code> files are ready for off-line audit.
The experimental command <code>ctauditscts</code> (in the httpd source tree, not
currently installed) interfaces with <em>certificate-transparency</em> tools to
perform the audit.</p>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl_ct</td></tr>
</table>
<p>The <code class="directive">CTSCTStorage</code> directive sets the name of a
- directory where SCTs and SCT lists will will be stored. If <em>directory</em>
+ directory where SCTs and SCT lists will be stored. If <em>directory</em>
is not absolute then it is assumed to be relative to <code class="directive"><a href="../mod/core.html#defaultruntimedir">
DefaultRuntimeDir</a></code>.</p>
to that certificate; the name of the subdirectory is the SHA-256 hash of the
certificate.</p>
- <p>The certificate-specific directory contains SCTs retrieved from configured
+ <p>The certificate-specific directory contains SCTs retrieved from configured
logs, SCT lists prepared from statically configured SCTs and retrieved SCTs,
and other information used for managing SCTs.</p>
</table>
<p>This directive is used to configure information about a particular log.
This directive is appropriate when configuration information changes rarely.
- If dynamic configuration updates must be supported, refer to the
+ If dynamic configuration updates must be supported, refer to the
<code class="directive"><a href="#ctlogconfigdb">CTLogConfigDB</a></code> directive.</p>
<p>Each of the six fields must be specified, but usually only a small
Timestamps. This must be provided as a decimal number.
<br />
Specify <strong><code>-</code></strong> for one of the timestamps if it is unknown.
- For example, when configuring the minimum valid timestamp for a log which remains
+ For example, when configuring the minimum valid timestamp for a log which remains
valid, specify <strong><code>-</code></strong> for <em>max-timestamp</em>.
<br />
SCTs received from this log by the proxy are invalid if the timestamp
<p><em>sct-directory</em> should contain one or more files with extension
<code>.sct</code>, representing one or more SCTs corresponding to the
- server certificate. If <em>sct-directory</em> is not absolute, then it is
+ server certificate. If <em>sct-directory</em> is not absolute, then it is
assumed to be relative to <code class="directive"><a href="../mod/core.html#serverroot">ServerRoot</a></code>.</p>
<p>If <em>sct-directory</em> is empty, no error will be raised.</p>
}
})(window, document);
//--><!]]></script></div><div id="footer">
-<p class="apache">Copyright 201
4 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="apache">Copyright 201
7 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><
projects / apache / blobdiff