<tr><td><code>SSL_CIPHER_EXPORT</code></td> <td>string</td> <td><code>true</code> if cipher is an export cipher</td></tr>
<tr><td><code>SSL_CIPHER_USEKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (actually used)</td></tr>
<tr><td><code>SSL_CIPHER_ALGKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (possible)</td></tr>
+<tr><td><code>SSL_COMPRESS_METHOD</code></td> <td>string</td> <td>SSL compression method negotiated</td></tr>
<tr><td><code>SSL_VERSION_INTERFACE</code></td> <td>string</td> <td>The mod_ssl program version</td></tr>
<tr><td><code>SSL_VERSION_LIBRARY</code></td> <td>string</td> <td>The OpenSSL program version</td></tr>
<tr><td><code>SSL_CLIENT_M_VERSION</code></td> <td>string</td> <td>The version of the client certificate</td></tr>
using certain browsers, particularly if client certificates are
enabled. This setting is not recommended.</p></li>
+<li><code>internal</code>
+
+ <p>This disables any global/inter-process Session Cache. However
+ it does allow OpenSSL to use its own internal session cache. This in
+ mainly useful in situations where a global cache cannot be used
+ but the client requires a non-null session ID.</p></li>
+
<li><code>dbm:/path/to/datafile</code>
<p>This makes use of a DBM hashfile on the local disk to
using certain browsers, particularly if client certificates are
enabled. This setting is not recommended.</p></li>
+<li><code>internal</code>
+
+ <p>This disables any global/inter-process Session Cache. However
+ it does allow OpenSSL to use its own internal session cache. This in
+ mainly useful in situations where a global cache cannot be used
+ but the client requires a non-null session ID.</p></li>
+
<li><code>dbm:/path/to/datafile</code>
<p>This makes use of a DBM hashfile on the local disk to
<li><a href="#vhosts">HTTPS and name-based vhosts</a></li>
<li><a href="#vhosts2">Why is it not possible to use Name-Based Virtual
Hosting to identify different SSL virtual hosts?</a></li>
+<li><a href="#comp">How do I get SSL compression working?</a></li>
<li><a href="#lockicon">The lock icon in Netscape locks very late</a></li>
<li><a href="#msie">Why do I get I/O errors with MSIE clients?</a></li>
<li><a href="#nn">Why do I get I/O errors with NS clients?</a></li>
Use different port numbers for different SSL hosts.</p>
+<h3><a name="comp" id="comp">How do I get SSL compression working?</a></h3>
+<p>Although SSL compression negotiation was already defined in the specification
+of SSLv2 and TLS, it took until May 2004 when RFC 3749 defined DEFLATE as
+a negotiable standard compression method.
+</p>
+<p>OpenSSL 0.9.8 started to support this by default when compiled with the
+<code>zlib</code> option. If both the client and the server support compression,
+it will be used. However, most clients still try to initially connect with an
+SSLv2 Hello. As SSLv2 did not include an array of prefered compression algorithms
+in its handshake, compression can not be negotiated with these clients.
+If the client disables support for SSLv2, based on the used SSL library
+a SSLv3 or TLS Hello might be sent and compression might be set up.
+You can verify if clients make use of SSL compression by logging the
+<code>%{SSL_COMPRESS_METHOD}x</code> variable.
+</p>
+
+
<h3><a name="lockicon" id="lockicon">When I use Basic Authentication over HTTPS the lock icon in Netscape browsers
still shows the unlocked state when the dialog pops up. Does this mean the
username/password is still transmitted unencrypted?</a></h3>
projects / apache / commitdiff