``<code>%{</code><em>name</em><code>}c</code>'' cryptography format function
provided. Information about this function is provided in the <a href="../ssl/ssl_compat.html">Compatibility</a> chapter.</p>
<div class="example"><h3>Example</h3><p><code>
-CustomLog logs/ssl_request_log \
- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+<pre class="prettyprint lang-config">
+CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+</pre>
+
</code></p></div>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
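Review bot: the new `<pre>` ends up nested inside `<p><code>` here, because the unchanged `<div class="example"><h3>Example</h3><p><code>` and `</code></p></div>` lines are left in place around the added `<pre class="prettyprint lang-config">` ... `</pre>`. A `<pre>` is not permitted inside `<p>` (the HTML parser closes the paragraph implicitly and leaves a stray `</p>`), and `<code>` wrapped around a `<pre>` is redundant. Drop the `<p><code>` and `</code></p>` wrappers in this hunk, as the `Require ssl` hunk further down already does, so the `<pre>` sits directly inside the example `<div>`; the same applies to every later hunk in this patch that keeps those wrapper lines. The added empty line after each `</pre>` can go as well.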
encrypted with SSL. This is similar to the
<code class="directive">SSLRequireSSL</code> directive.</p>
- <div class="example"><p><code>
+ <pre class="prettyprint lang-config">
Require ssl
- </code></p></div>
+ </pre>
+
<p>The following example grants access if the user is authenticated
either with a client certificate or by username and password.</p>
- <div class="example"><p><code>
+ <pre class="prettyprint lang-config">
Require ssl-verify-client<br />
Require valid-user
- </code></p></div>
+ </pre>
+
preference. This can be used alternatively and/or additionally to
<code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code>.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt
+</pre>
+
</code></p></div>
</div>
<em>hash-value</em><code>.N</code>. And you should always make sure this directory
contains the appropriate symbolic links.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/
+</pre>
+
</code></p></div>
</div>
PEM-encoded CA certificates.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt
+</pre>
+
</code></p></div>
</div>
<em>hash-value</em><code>.N</code>. And you should always make sure
this directory contains the appropriate symbolic links.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLCADNRequestPath /usr/local/apache2/conf/ca-names.crt/
+</pre>
+
</code></p></div>
</div>
</p>
</div>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLCARevocationCheck chain
+</pre>
+
</code></p></div>
</div>
the various PEM-encoded CRL files, in order of preference. This can be
used alternatively and/or additionally to <code class="directive"><a href="#sslcarevocationpath">SSLCARevocationPath</a></code>.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-client.crl
+</pre>
+
</code></p></div>
</div>
<em>hash-value</em><code>.rN</code>. And you should always make sure this directory
contains the appropriate symbolic links.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLCARevocationPath /usr/local/apache2/conf/ssl.crl/
+</pre>
+
</code></p></div>
</div>
certificates use the <em>same</em> certificate chain. Else the browsers will be
confused in this situation.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt
+</pre>
+
</code></p></div>
</div>
two times (referencing different filenames) when both a RSA and a DSA based
server certificate is used in parallel.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
+</pre>
+
</code></p></div>
</div>
(referencing different filenames) when both a RSA and a DSA based
private key is used in parallel.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
+</pre>
+
</code></p></div>
</div>
</pre></div>
<p>The complete list of particular RSA & DH ciphers for SSL is given in <a href="#table2">Table 2</a>.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
+</pre>
+
</code></p></div>
<table class="bordered">
"<code>openssl engine</code>".</p>
<div class="example"><h3>Example</h3><p><code>
-# For a Broadcom accelerator:<br />
+<pre class="prettyprint lang-config">
+# For a Broadcom accelerator:
SSLCryptoDevice ubsec
+</pre>
+
</code></p></div>
</div>
that virtual host. By default the SSL/TLS Protocol Engine is
disabled for both the main server and all configured virtual hosts.</p>
<div class="example"><h3>Example</h3><p><code>
-<VirtualHost _default_:443><br />
-SSLEngine on<br />
-...<br />
+<pre class="prettyprint lang-config">
+<VirtualHost _default_:443>
+SSLEngine on
+#...
</VirtualHost>
+</pre>
+
</code></p></div>
<p>In Apache 2.1 and later, <code class="directive">SSLEngine</code> can be set to
<code>optional</code>. This enables support for
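Review bot: the `<VirtualHost _default_:443>` and `</VirtualHost>` lines appear unescaped inside the new `<pre>`; in rendered HTML a browser parses them as tags unless they are written as `&lt;VirtualHost _default_:443&gt;` and `&lt;/VirtualHost&gt;`, so please confirm the entities are present in the committed file. The same check applies to the `<Files ...>` lines in the SSLOptions hunk and to the `<VirtualHost>` lines in the SSLProxyEngine hunk below.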
the client's preference is used. If this directive is enabled, the
server's preference will be used instead.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLHonorCipherOrder on
+</pre>
+
</code></p></div>
</div>
</div>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLInsecureRenegotiation on
+</pre>
+
</code></p></div>
<p>The <code>SSL_SECURE_RENEG</code> environment variable can be used
directives.</p>
<div class="example"><h3>Example</h3><p><code>
-SSLVerifyClient on<br />
-SSLOCSPEnable on<br />
-SSLOCSPDefaultResponder http://responder.example.com:8888/responder<br />
+<pre class="prettyprint lang-config">
+SSLVerifyClient on
+SSLOCSPEnable on
+SSLOCSPDefaultResponder http://responder.example.com:8888/responder
SSLOCSPOverrideResponder on
+</pre>
+
</code></p></div>
</div>
</li>
</ul>
<div class="example"><h3>Example</h3><p><code>
-SSLOptions +FakeBasicAuth -StrictRequire<br />
-<Files ~ "\.(cgi|shtml)$"><br />
- SSLOptions +StdEnvVars -ExportCertData<br />
+<pre class="prettyprint lang-config">
+SSLOptions +FakeBasicAuth -StrictRequire
+<Files ~ "\.(cgi|shtml)$">
+ SSLOptions +StdEnvVars -ExportCertData
<Files>
+</pre>
+
</code></p></div>
</div>
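Review bot: the unchanged closing line `<Files>` at the end of this example should read `</Files>`; as written the container is never closed and the snippet will not load. This is a pre-existing typo, but since the hunk already rewrites the surrounding lines it is worth fixing here. Also, `+ SSLOptions +StdEnvVars -ExportCertData` carries a one-space indent while the other directives in the patch's `SSLEngine` example carry none; pick one indentation style for directives nested inside a container and apply it consistently.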
program is called only once per unique Pass Phrase.</p></li>
</ul>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter
+</pre>
+
</code></p></div>
</div>
``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>, respectively.</p></li>
</ul>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLProtocol TLSv1
+</pre>
+
</code></p></div>
</div>
preference. This can be used alternatively and/or additionally to
<code class="directive"><a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></code>.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLProxyCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-remote-server.crt
+</pre>
+
</code></p></div>
</div>
<em>hash-value</em><code>.N</code>. And you should always make sure this directory
contains the appropriate symbolic links.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLProxyCACertificatePath /usr/local/apache2/conf/ssl.crt/
+</pre>
+
</code></p></div>
</div>
</p>
</div>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLProxyCARevocationCheck chain
+</pre>
+
</code></p></div>
</div>
the various PEM-encoded CRL files, in order of preference. This can be
used alternatively and/or additionally to <code class="directive"><a href="#sslproxycarevocationpath">SSLProxyCARevocationPath</a></code>.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLProxyCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-remote-server.crl
+</pre>
+
</code></p></div>
</div>
<em>hash-value</em><code>.rN</code>. And you should always make sure this directory
contains the appropriate symbolic links.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLProxyCARevocationPath /usr/local/apache2/conf/ssl.crl/
+</pre>
+
</code></p></div>
</div>
a 502 status code (Bad Gateway) is sent.
</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLProxyCheckPeerCN on
+</pre>
+
</code></p></div>
</div>
sent.
</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLProxyCheckPeerExpire on
+</pre>
+
</code></p></div>
</div>
usage in a particular virtual host. By default the SSL/TLS Protocol Engine is
disabled for proxy image both for the main server and all configured virtual hosts.</p>
<div class="example"><h3>Example</h3><p><code>
-<VirtualHost _default_:443><br />
-SSLProxyEngine on<br />
-...<br />
+<pre class="prettyprint lang-config">
+<VirtualHost _default_:443>
+ SSLProxyEngine on
+ #...
</VirtualHost>
+</pre>
+
</code></p></div>
</div>
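Review bot: indentation is inconsistent with the SSLEngine hunk earlier in the patch: here the nested lines are `+ SSLProxyEngine on` and `+ #...` with a leading space, while the SSLEngine example uses `+SSLEngine on` and `+#...` with none. Both examples show the same `<VirtualHost _default_:443>` pattern, so they should use the same indent.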
SSLProxyCACertificateFile</a></code>.</p>
</div>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLProxyMachineCertificateChainFile /usr/local/apache2/conf/ssl.crt/proxyCA.pem
+</pre>
+
</code></p></div>
</div>
<p>Currently there is no support for encrypted private keys</p>
</div>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLProxyMachineCertificateFile /usr/local/apache2/conf/ssl.crt/proxy.pem
+</pre>
+
</code></p></div>
</div>
<p>Currently there is no support for encrypted private keys</p>
</div>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLProxyMachineCertificatePath /usr/local/apache2/conf/proxy.crt/
+</pre>
+
</code></p></div>
</div>
<strong>optional_no_ca</strong> is actually against the idea of
authentication (but can be used to establish SSL test pages, etc.)</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLProxyVerify require
+</pre>
+
</code></p></div>
</div>
which is directly known to the server (i.e. the CA's certificate is under
<code class="directive"><a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></code>), etc.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLProxyVerifyDepth 10
+</pre>
+
</code></p></div>
</div>
on your platform.</p></li>
</ul>
<div class="example"><h3>Example</h3><p><code>
-SSLRandomSeed startup builtin<br />
-SSLRandomSeed startup file:/dev/random<br />
-SSLRandomSeed startup file:/dev/urandom 1024<br />
-SSLRandomSeed startup exec:/usr/local/bin/truerand 16<br />
-SSLRandomSeed connect builtin<br />
-SSLRandomSeed connect file:/dev/random<br />
-SSLRandomSeed connect file:/dev/urandom 1024<br />
+<pre class="prettyprint lang-config">
+SSLRandomSeed startup builtin
+SSLRandomSeed startup file:/dev/random
+SSLRandomSeed startup file:/dev/urandom 1024
+SSLRandomSeed startup exec:/usr/local/bin/truerand 16
+SSLRandomSeed connect builtin
+SSLRandomSeed connect file:/dev/random
+SSLRandomSeed connect file:/dev/urandom 1024
+</pre>
+
</code></p></div>
</div>
</p></div>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLRenegBufferSize 262144
+</pre>
+
</code></p></div>
</div>
both parsed and executed each time the .htaccess file is encountered during
request processing.</p>
-<div class="example"><h3>Example</h3><pre>SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
+<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
+SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
- or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/</pre></div>
+ or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+</pre>
+
+</code></p></div>
<p>The <code>PeerExtList(<em>object-ID</em>)</code> function expects
to find zero or more instances of the X.509 certificate extension
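Review bot: this hunk goes in the opposite direction from the rest of the patch: the existing example was already a plain `<pre>` directly inside `<div class="example">`, and the change wraps it in the added `<p><code>` and `</code></p>` lines, introducing the invalid `<pre>`-inside-`<p>` nesting the other hunks should be removing. Keep the original structure and only swap `<pre>` for `<pre class="prettyprint lang-config">`, placing it on its own line after the `<h3>Example</h3>` if that matches the other examples; the `+<p><code>` and `+</code></p></div>` lines should then become `</div>` alone.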
extension must match).</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6")
+</pre>
+
</code></p></div>
<div class="note"><h3>Notes on the PeerExtList function</h3>
stuff that should be protected. When this directive is present all requests
are denied which are not using SSL.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLRequireSSL
+</pre>
+
</code></p></div>
</div>
</ul>
<div class="example"><h3>Examples</h3><p><code>
-SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data<br />
+<pre class="prettyprint lang-config">
+SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data
SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)
+</pre>
+
</code></p></div>
<p>The <code>ssl-cache</code> mutex is used to serialize access to
It can be set as low as 15 for testing, but should be set to higher
values like 300 in real life.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLSessionCacheTimeout 600
+</pre>
+
</code></p></div>
</div>
</p></div>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLStrictSNIVHostCheck on
+</pre>
+
</code></p></div>
</div>
<code>FakeBasicAuth</code> option is used (see <a href="#ssloptions">SSLOptions</a>).</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLUserName SSL_CLIENT_S_DN_CN
+</pre>
+
</code></p></div>
</div>
<strong>optional_no_ca</strong> is actually against the idea of
authentication (but can be used to establish SSL test pages, etc.)</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLVerifyClient require
+</pre>
+
</code></p></div>
</div>
known to the server (i.e. the CA's certificate is under
<code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code>), etc.</p>
<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
SSLVerifyDepth 10
+</pre>
+
</code></p></div>
</div>