by running the following command. This list shows you the
detailed configurations each policy is made of:</p>
-<div class="example"><h3>List all Defined Policies</h3><pre class="prettyprint lang-sh">> httpd -t -D DUMP_SSL_POLICIES</pre>
+<div class="example"><h3>List all Defined Policies</h3><pre class="prettyprint lang-sh">httpd -t -D DUMP_SSL_POLICIES</pre>
</div>
<p>The directive can only be used in the server config (global context), so
</table>
<p>This directive applies the set of SSL* directives defined
under 'name' (see <code class="directive"><SSLPolicy></code>) as the <em>base</em>
-settings in the current context. That means that any other SSL* directives
-you make in the same context remain effective. So, the effective
-<code class="directive">SSLProtocol</code> value in the following settings are:</p>
+settings in the current context. Apache comes with the following pre-defined policies from
+Mozilla, the makers of the Firefox browser
+(<a href="https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations">see here
+for a detailed description by them.</a>):
+</p>
+<ul>
+ <li><code>modern</code>: recommended when your server is accessible on the open Internet. Works with all modern browsers, but old devices might be unable to connect.</li>
+ <li><code>intermediate</code>: the fallback if you need to support old (but not very old) clients.</li>
+ <li><code>old</code>: when you need to give Windows XP/Internet Explorer 6 access. The last resort.</li>
+</ul>
-<div class="example"><h3>Policy Precedence</h3><pre class="prettyprint lang-config"> <VirtualHost...> # effective: 'all'
- SSLPolicy modern
- SSLProtocol all
- </VirtualHost>
+<p>You can check the detailed description of all defined policies via the command line:</p>
+<div class="example"><h3>List all Defined Policies</h3><pre class="prettyprint lang-sh">httpd -t -D DUMP_SSL_POLICIES</pre>
+</div>
- <VirtualHost...> # effective: 'all'
- SSLProtocol all
- SSLPolicy modern
- </VirtualHost>
+<p>A SSLPolicy defines the baseline for the context it is used in. That means that any
+other SSL* directives in the same context override it. As an example of this, see the effective
+<code class="directive">SSLProtocol</code> value in the following settings:</p>
+<div class="example"><h3>Policy Precedence</h3><pre class="prettyprint lang-config"><VirtualHost...> # effective: 'all'
SSLPolicy modern
- <VirtualHost...> # effective: 'all'
- SSLProtocol all
- </VirtualHost>
-
SSLProtocol all
- <VirtualHost...> # effective: '+TLSv1.2'
- SSLPolicy modern
- </VirtualHost></pre>
+</VirtualHost>
+
+<VirtualHost...> # effective: 'all'
+ SSLProtocol all
+ SSLPolicy modern
+</VirtualHost>
+
+SSLPolicy modern
+<VirtualHost...> # effective: 'all'
+ SSLProtocol all
+</VirtualHost>
+
+SSLProtocol all
+<VirtualHost...> # effective: '+TLSv1.2'
+ SSLPolicy modern
+</VirtualHost></pre>
</div>
<p>There can be more than one policy applied in a context. The
later ones overshadowing the earlier ones:</p>
-<div class="example"><h3>Policy Ordering</h3><pre class="prettyprint lang-config"> <VirtualHost...> # effective: 'intermediate > modern'
- SSLPolicy modern
- SSLPolicy intermediate
- </VirtualHost>
+<div class="example"><h3>Policy Ordering</h3><pre class="prettyprint lang-config"><VirtualHost...> # effective protocol: 'all -SSLv3'
+ SSLPolicy modern
+ SSLPolicy intermediate
+</VirtualHost>
- <VirtualHost...> # effective: 'modern > intermediate'
- SSLPolicy intermediate
- SSLPolicy modern
- </VirtualHost></pre>
+<VirtualHost...> # effective protocol: '+TLSv1.2'
+ SSLPolicy intermediate
+ SSLPolicy modern
+</VirtualHost></pre>
</div>
projects / apache / commitdiff