From: Stefan Fritsch Date: Sun, 11 Nov 2012 19:37:54 +0000 (+0000) Subject: Merge r1408093: X-Git-Tag: 2.4.4~449 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=00b91d6c5630ae0dd2bf8afb6df8da542c5b2849;p=apache Merge r1408093: Remove SSLv2 stuff that is no longer supported. Add a few newer algorithms and cipher aliases. This is incomplete, but the openssl 1.0.1c man pages don't have the complete list either :-( git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1408096 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index bc5fb6903f..00a09596b2 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -30,8 +30,8 @@ Layer (SSL) and Transport Layer Security (TLS) protocols ssl_module -

This module provides SSL v2/v3 and TLS v1 support for the Apache -HTTP Server.

+

This module provides SSL v3 and TLS v1.x support for the Apache +HTTP Server. SSL v2 is no longer supported.

This module relies on OpenSSL to provide the cryptography engine.

@@ -584,14 +584,14 @@ The available (case-insensitive) protocols are:

This is the Secure Sockets Layer (SSL) protocol, version 3.0, from the Netscape Corporation. - It is the successor to SSLv2 and the predecessor to TLSv1. It's supported by - almost all popular browsers.

+ It is the successor to SSLv2 and the predecessor to TLSv1.

  • TLSv1

    This is the Transport Layer Security (TLS) protocol, version 1.0. It is the successor to SSLv3 and is defined in - RFC 2246.

    • + RFC 2246. + It is supported by nearly every client.

  • TLSv1.1 (when using OpenSSL 1.0.1 and later)

    @@ -644,23 +644,24 @@ An SSL cipher specification in cipher-spec is composed of 4 major attributes plus a few extra minor ones:

    • Key Exchange Algorithm:
      - RSA or Diffie-Hellman variants. + RSA, Diffie-Hellman, Elliptic Curve Diffie-Hellman, Secure Remote Password
    • Authentication Algorithm:
      - RSA, Diffie-Hellman, DSS or none. + RSA, Diffie-Hellman, DSS, ECDSA, or none.
    • Cipher/Encryption Algorithm:
      - DES, Triple-DES, RC4, RC2, IDEA or none. + AES, DES, Triple-DES, RC4, RC2, IDEA, etc.
    • MAC Digest Algorithm:
      - MD5, SHA or SHA1. + MD5, SHA or SHA1, SHA256, SHA384.
    -

    An SSL cipher can also be an export cipher and is either an SSLv2 or SSLv3/TLSv1 -cipher (here TLSv1 is equivalent to SSLv3). To specify which ciphers to use, -one can either specify all the Ciphers, one at a time, or use aliases to -specify the preference and order for the ciphers (see Table -1).

    +

    An SSL cipher can also be an export cipher. SSLv2 ciphers are no longer +supported. To specify which ciphers to use, one can either specify all the +Ciphers, one at a time, or use aliases to specify the preference and order +for the ciphers (see Table +1). The actually available ciphers and aliases depends on the used +openssl version. Newer openssl versions may include additional ciphers.

    @@ -676,18 +677,21 @@ specify the preference and order for the ciphers (see Table - - - - - - + + + + + + + + - + + + - @@ -699,14 +703,17 @@ specify the preference and order for the ciphers (see Table + + - + +
    aDSS DSS authentication
    aDH Diffie-Hellman authentication
    Cipher Encoding Algorithm:
    eNULL No encoding
    DES DES encoding
    3DES Triple-DES encoding
    RC4 RC4 encoding
    RC2 RC2 encoding
    IDEA IDEA encoding
    eNULL No encryption
    NULL alias for eNULL
    AES AES encryption
    DES DES encryption
    3DES Triple-DES encryption
    RC4 RC4 encryption
    RC2 RC2 encryption
    IDEA IDEA encryption
    MAC Digest Algorithm:
    MD5 MD5 hash function
    SHA1 SHA1 hash function
    SHA SHA hash function
    SHA alias for SHA1
    SHA256 SHA256 hash function
    SHA384 SHA384 hash function
    Aliases:
    SSLv2 all SSL version 2.0 ciphers
    SSLv3 all SSL version 3.0 ciphers
    TLSv1 all TLS version 1.0 ciphers
    EXP all export ciphers
    RSA all ciphers using RSA key exchange
    DH all ciphers using Diffie-Hellman key exchange
    EDH all ciphers using Ephemeral Diffie-Hellman key exchange
    ECDH Elliptic Curve Diffie-Hellman key exchange
    ADH all ciphers using Anonymous Diffie-Hellman key exchange
    AECDH all ciphers using Anonymous Elliptic Curve Diffie-Hellman key exchange
    DSS all ciphers using DSS authentication
    NULL all ciphers using no encryption
    ECDSA all ciphers using ECDSA authentication
    aNULL all ciphers using no authentication

    Now where this becomes interesting is that these can be put together to specify the order and ciphers you wish to use. To speed this up -there are also aliases (SSLv2, SSLv3, TLSv1, EXP, LOW, MEDIUM, +there are also aliases (SSLv3, TLSv1, EXP, LOW, MEDIUM, HIGH) for certain groups of ciphers. These tags can be joined together with prefixes to form the cipher-spec. Available prefixes are:

    @@ -753,21 +760,13 @@ SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW     Cipher-Tag Protocol Key Ex. Auth. Enc. MAC Type RSA Ciphers: DES-CBC3-SHA SSLv3 RSA RSA 3DES(168) SHA1 -DES-CBC3-MD5 SSLv2 RSA RSA 3DES(168) MD5 IDEA-CBC-SHA SSLv3 RSA RSA IDEA(128) SHA1 RC4-SHA SSLv3 RSA RSA RC4(128) SHA1 RC4-MD5 SSLv3 RSA RSA RC4(128) MD5 -IDEA-CBC-MD5 SSLv2 RSA RSA IDEA(128) MD5 -RC2-CBC-MD5 SSLv2 RSA RSA RC2(128) MD5 -RC4-MD5 SSLv2 RSA RSA RC4(128) MD5 DES-CBC-SHA SSLv3 RSA RSA DES(56) SHA1 -RC4-64-MD5 SSLv2 RSA RSA RC4(64) MD5 -DES-CBC-MD5 SSLv2 RSA RSA DES(56) MD5 EXP-DES-CBC-SHA SSLv3 RSA(512) RSA DES(40) SHA1 export EXP-RC2-CBC-MD5 SSLv3 RSA(512) RSA RC2(40) MD5 export EXP-RC4-MD5 SSLv3 RSA(512) RSA RC4(40) MD5 export -EXP-RC2-CBC-MD5 SSLv2 RSA(512) RSA RC2(40) MD5 export -EXP-RC4-MD5 SSLv2 RSA(512) RSA RC4(40) MD5 export NULL-SHA SSLv3 RSA RSA None SHA1 NULL-MD5 SSLv3 RSA RSA None MD5 Diffie-Hellman Ciphers: @@ -1781,7 +1780,7 @@ for additional information. Cipher Suite available for negotiation in SSL proxy handshake SSLProxyCipherSuite cipher-spec -SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP +SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP server config virtual host directory