From ef6f8cb1d3d713b524d4ad51d10b5ed00a7215f7 Mon Sep 17 00:00:00 2001 From: Stefan Eissing Date: Wed, 16 Aug 2017 14:27:53 +0000 Subject: [PATCH] On the trunk: mod_ssl.xml: adding description of predefined policies, some work tweakings. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1805203 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_ssl.xml | 76 +++++++++++++++++++++++-------------- 1 file changed, 47 insertions(+), 29 deletions(-) diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index 1e62f9859e..8ee8d1fa71 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -2857,7 +2857,7 @@ detailed configurations each policy is made of:

List all Defined Policies -> httpd -t -D DUMP_SSL_POLICIES +httpd -t -D DUMP_SSL_POLICIES @@ -2931,31 +2931,49 @@ Include ssl-policies.conf

This directive applies the set of SSL* directives defined under 'name' (see SSLPolicy) as the base -settings in the current context. That means that any other SSL* directives -you make in the same context remain effective. So, the effective -SSLProtocol value in the following settings are:

+settings in the current context. Apache comes with the following pre-defined polcies from +Mozilla, the makers of the Firefox browser +(see here +for a detailed description by them.): +

+ + +

You can check the detailed description of all defined policies via the command line:

+List all Defined Policies + +httpd -t -D DUMP_SSL_POLICIES + + + +

A SSLPolicy defines the baseline for the context it is used in. That means that any +other SSL* directives in the same context override it. As an example of this, see the effective +SSLProtocol value in the following settings:

Policy Precedence - <VirtualHost...> # effective: 'all' - SSLPolicy modern - SSLProtocol all - </VirtualHost> - - <VirtualHost...> # effective: 'all' - SSLProtocol all - SSLPolicy modern - </VirtualHost> +<VirtualHost...> # effective: 'all' + SSLPolicy modern + SSLProtocol all +</VirtualHost> +<VirtualHost...> # effective: 'all' + SSLProtocol all SSLPolicy modern - <VirtualHost...> # effective: 'all' - SSLProtocol all - </VirtualHost> - +</VirtualHost> + +SSLPolicy modern +<VirtualHost...> # effective: 'all' SSLProtocol all - <VirtualHost...> # effective: '+TLSv1.2' - SSLPolicy modern - </VirtualHost> +</VirtualHost> + +SSLProtocol all +<VirtualHost...> # effective: '+TLSv1.2' + SSLPolicy modern +</VirtualHost> @@ -2964,15 +2982,15 @@ later ones overshadowing the earlier ones:

Policy Ordering - <VirtualHost...> # effective: 'intermediate > modern' - SSLPolicy modern - SSLPolicy intermediate - </VirtualHost> - - <VirtualHost...> # effective: 'modern > intermediate' - SSLPolicy intermediate - SSLPolicy modern - </VirtualHost> +<VirtualHost...> # effective protocol: 'all -SSLv3' + SSLPolicy modern + SSLPolicy intermediate +</VirtualHost> + +<VirtualHost...> # effective protocol: '+TLSv1.2' + SSLPolicy intermediate + SSLPolicy modern +</VirtualHost> -- 2.50.1
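Review bot: the prose added in the `@@ -2931,31 +2931,49 @@` hunk has a spelling error, "pre-defined polcies" should read "pre-defined policies", and "A SSLPolicy defines" should be "An SSLPolicy defines". The parenthetical "(see here for a detailed description by them.):" puts a period inside the parenthesis directly before a colon; drop the period, and prefer link text that names the target over "here". The added "List all Defined Policies" example with `httpd -t -D DUMP_SSL_POLICIES` repeats the example already touched in the `@@ -2857,7 +2857,7 @@` hunk, so a cross-reference to that section would avoid keeping two copies in sync. In the Policy Precedence example, the first two VirtualHost blocks show `SSLProtocol all` winning whether it comes before or after `SSLPolicy modern`, but the new sentence only says other directives "in the same context override it"; stating outright that order within a context does not matter would stop readers from assuming a later SSLPolicy tightens an earlier SSLProtocol.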
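Review bot: in the Policy Ordering example (`@@ -2964,15 +2982,15 @@`), the new comments "effective protocol: 'all -SSLv3'" and "effective protocol: '+TLSv1.2'" hard-code values taken from the intermediate and modern policy definitions, so the example goes stale whenever those definitions change. They also report only SSLProtocol, while the surrounding sentence describes later policies overshadowing earlier ones in general. Suggest saying in the text that the protocol is shown as one representative directive, and pointing readers to `httpd -t -D DUMP_SSL_POLICIES` for the values actually in effect on their build.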