X-Git-Url: https://granicus.if.org/sourcecode?a=blobdiff_plain;f=docs%2Fmanual%2Fmod%2Fmod_session_crypto.html.en;h=5925ebb791addf39428c9c2477b1c98d5d8e1eb5;hb=0ae5b1af6b6bf3048d2a124e84905f63d6507dea;hp=2d4cdd0ea0ace372dab0a14a50b427ac70e6dbd5;hpb=a83284e10365f9baf39331e545dde65ecdc99ef1;p=apache diff --git a/docs/manual/mod/mod_session_crypto.html.en b/docs/manual/mod/mod_session_crypto.html.en index 2d4cdd0ea0..5925ebb791 100644 --- a/docs/manual/mod/mod_session_crypto.html.en +++ b/docs/manual/mod/mod_session_crypto.html.en @@ -1,23 +1,28 @@ - -mod_session_crypto - Apache HTTP Server +mod_session_crypto - Apache HTTP Server Version 2.5 - + + +
-

Modules | Directives | FAQ | Glossary | Sitemap

-

Apache HTTP Server Version 2.3

-
+

Modules | Directives | FAQ | Glossary | Sitemap

+

Apache HTTP Server Version 2.5

+
<-
-Apache > HTTP Server > Documentation > Version 2.3 > Modules
+Apache > HTTP Server > Documentation > Version 2.5 > Modules

Apache Module mod_session_crypto

@@ -50,20 +55,22 @@ the mod_session module.

-
top

Basic Usage

@@ -71,11 +78,10 @@

To create a simple encrypted session and store it in a cookie called session, configure the session as follows:

-

Browser based encrypted session

- Session On
- SessionCookieName session path=/
- SessionCryptoPassphrase secret -

+

Browser based encrypted session

Session On
+SessionCookieName session path=/
+SessionCryptoPassphrase secret
+

The session will be encrypted with the given key. Different servers can be configured to share sessions by ensuring the same encryption key is used @@ -89,6 +95,27 @@

top
+

SessionCryptoCipher Directive

+ + + + + + + + +
Description:The crypto cipher to be used to encrypt the session
Syntax:SessionCryptoCipher name
Default:aes256
Context:server config, virtual host, directory, .htaccess
Status:Experimental
Module:mod_session_crypto
Compatibility:Available in Apache 2.3.0 and later
+

The SessionCryptoCipher directive allows the cipher to + be used during encryption. If not specified, the cipher defaults to + aes256.

+ +

Possible values depend on the crypto driver in use, and could be one of:

+ +
  • 3des192
  • aes128
  • aes192
  • aes256
+ + +
+
top

SessionCryptoDriver Directive

@@ -106,45 +133,51 @@

The NSS crypto driver requires some parameters for configuration, which are specified as parameters with optional values after the driver name.

-

NSS without a certificate database

- SessionCryptoDriver nss -

+

NSS without a certificate database

SessionCryptoDriver nss
+
-

NSS with certificate database

- SessionCryptoDriver nss dir=certs -

+

NSS with certificate database

SessionCryptoDriver nss dir=certs
+
-

NSS with certificate database and parameters

- SessionCryptoDriver nss dir=certs key3=key3.db cert7=cert7.db secmod=secmod -

+

NSS with certificate database and parameters

SessionCryptoDriver nss dir=certs key3=key3.db cert7=cert7.db secmod=secmod
+
-

The NSS crypto driver might have already been configured by another - part of the server, for example from mod_nss or - mod_ldap. If found to have already been configured, - a warning will be logged, and the existing configuration will have taken affect. - To avoid this warning, use the noinit parameter as follows.

+

NSS with paths containing spaces

SessionCryptoDriver nss "dir=My Certs" key3=key3.db cert7=cert7.db secmod=secmod
+
-

NSS with certificate database

- SessionCryptoDriver nss noinit -

+

The NSS crypto driver might have already been + configured by another part of the server, for example from + mod_nss or mod_ldap. If found to + have already been configured, a warning will be logged, and the + existing configuration will have taken affect. To avoid this + warning, use the noinit parameter as follows.

+ +

NSS with certificate database

SessionCryptoDriver nss noinit
+

To prevent confusion, ensure that all modules requiring NSS are configured with identical parameters.

+

The openssl crypto driver supports an optional parameter to specify + the engine to be used for encryption.

+ +

OpenSSL with engine support

SessionCryptoDriver openssl engine=name
+
+
top

SessionCryptoPassphrase Directive

Description:The crypto driver to be used to encrypt the session
- +
Description:The key used to encrypt the session
Syntax:SessionCryptoPassphrase secret
Syntax:SessionCryptoPassphrase secret [ secret ... ]
Default:none
Context:server config, virtual host, directory, .htaccess
Status:Experimental
Module:mod_session_crypto
Compatibility:Available in Apache 2.3.0 and later
-

The SessionCryptoPassphrase directive specifies the key +

The SessionCryptoPassphrase directive specifies the keys to be used to enable symmetrical encryption on the contents of the session before writing the session, or decrypting the contents of the session after reading the session.

@@ -152,27 +185,79 @@

Keys are more secure when they are long, and consist of truly random characters. Changing the key on a server has the effect of invalidating all existing sessions.

-

The cipher can be set to 3des192 or aes256 using the - cipher parameter as per the example below. If not set, the cipher defaults - to aes256.

+

Multiple keys can be specified in order to support key rotation. The first key + listed will be used for encryption, while all keys listed will be attempted for + decryption. To rotate keys across multiple servers over a period of time, add a new + secret to the end of the list, and once rolled out completely to all servers, remove + the first key from the start of the list.

-

Cipher

- SessionCryptoPassphrase secret cipher=aes256 -

+

As of version 2.4.7 if the value begins with exec: the resulting command + will be executed and the first line returned to standard output by the program will be + used as the key.

+
#key used as-is
+SessionCryptoPassphrase secret
 
-    
The openssl crypto driver supports an optional parameter to specify
-    the engine to be used for encryption.

+#Run /path/to/program to get key
+SessionCryptoPassphrase exec:/path/to/program
+
+#Run /path/to/otherProgram and provide arguments
+SessionCryptoPassphrase "exec:/path/to/otherProgram argument1"
+ + +
+
top
+

SessionCryptoPassphraseFile Directive

+ + + + + + + + +
Description:File containing keys used to encrypt the session
Syntax:SessionCryptoPassphraseFile filename
Default:none
Context:server config, virtual host, directory
Status:Experimental
Module:mod_session_crypto
Compatibility:Available in Apache 2.3.0 and later
+

The SessionCryptoPassphraseFile directive specifies the + name of a configuration file containing the keys to use for encrypting or decrypting + the session, specified one per line. The file is read on server start, and a graceful + restart will be necessary for httpd to pick up changes to the keys.

+ +

Unlike the SessionCryptoPassphrase directive, the keys are + not exposed within the httpd configuration and can be hidden by protecting the file + appropriately.

-

OpenSSL with engine support

- SessionCryptoPassphrase secret engine=name -

+

Multiple keys can be specified in order to support key rotation. The first key + listed will be used for encryption, while all keys listed will be attempted for + decryption. To rotate keys across multiple servers over a period of time, add a new + secret to the end of the list, and once rolled out completely to all servers, remove + the first key from the start of the list.

Available Languages:  en 

-
+
top

Comments

Notice:
This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our mailing lists.
+
\ No newline at end of file