| | | |
|---|---|---|
| author | Stefan Fritsch <sf@sfritsch.de> | 2014-03-29 21:56:19 +0100 |
| committer | Stefan Fritsch <sf@sfritsch.de> | 2014-03-29 21:56:45 +0100 |
| commit | 2a463b3cd73c32ee9dcd508248d0194923f435f4 (patch) | |
| tree | 2ff478255a77a55031056790918b6f983bb7b20a /docs/manual/mod/mod_ssl.html.en | |
| parent | 86d5cc79d9d6750da8771fdb0c9ab22c19b8ad45 (diff) | |
| download | apache2-upstream/2.4.9.tar.gz | |
Imported Upstream version 2.4.9 (tag: upstream/2.4.9)
Diffstat (limited to 'docs/manual/mod/mod_ssl.html.en')
-rw-r--r-- | docs/manual/mod/mod_ssl.html.en | 343 |
1 files changed, 157 insertions, 186 deletions
diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en index 071207e9..a6225492 100644 --- a/docs/manual/mod/mod_ssl.html.en +++ b/docs/manual/mod/mod_ssl.html.en @@ -9,7 +9,7 @@ <link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> <link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> <link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" /> -<script src="../style/scripts/prettify.js" type="text/javascript"> +<script src="../style/scripts/prettify.min.js" type="text/javascript"> </script> <link href="../images/favicon.ico" rel="shortcut icon" /></head> @@ -68,6 +68,7 @@ to provide the cryptography engine.</p> <li><img alt="" src="../images/down.gif" /> <a href="#sslocsprespondertimeout">SSLOCSPResponderTimeout</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslocspresponsemaxage">SSLOCSPResponseMaxAge</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslocspresponsetimeskew">SSLOCSPResponseTimeSkew</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#sslopensslconfcmd">SSLOpenSSLConfCmd</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#ssloptions">SSLOptions</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslpassphrasedialog">SSLPassPhraseDialog</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslprotocol">SSLProtocol</a></li> 
@@ -247,9 +248,7 @@ you find in the above table.</p> For backward compatibility there is additionally a special ``<code>%{</code><em>name</em><code>}c</code>'' cryptography format function provided. Information about this function is provided in the <a href="../ssl/ssl_compat.html">Compatibility</a> chapter.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"</pre> </div> </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="section"> @@ -293,9 +292,7 @@ string in <code class="module"><a href="../mod/mod_log_config.html">mod_log_conf encrypted with SSL. This is similar to the <code class="directive">SSLRequireSSL</code> directive.</p> - <pre class="prettyprint lang-config"> - Require ssl - </pre> + <pre class="prettyprint lang-config">Require ssl</pre> @@ -309,10 +306,8 @@ string in <code class="module"><a href="../mod/mod_log_config.html">mod_log_conf <p>The following example grants access if the user is authenticated either with a client certificate or by username and password.</p> - <pre class="prettyprint lang-config"> - Require ssl-verify-client<br /> - Require valid-user - </pre> + <pre class="prettyprint lang-config"> Require ssl-verify-client<br /> + Require valid-user</pre> 
@@ -335,9 +330,7 @@ with. These are used for Client Authentication. Such a file is simply the concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to <code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code>.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt</pre> </div> </div> @@ -361,9 +354,7 @@ hash filenames. So usually you can't just place the Certificate files there: you also have to create symbolic links named <em>hash-value</em><code>.N</code>. And you should always make sure this directory contains the appropriate symbolic links.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/ -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/</pre> </div> </div> @@ -401,9 +392,7 @@ directives.</p> specify an <em>all-in-one</em> file containing a concatenation of PEM-encoded CA certificates.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt</pre> </div> </div> 
@@ -428,9 +417,7 @@ through hash filenames. So usually you can't just place the Certificate files there: you also have to create symbolic links named <em>hash-value</em><code>.N</code>. And you should always make sure this directory contains the appropriate symbolic links.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLCADNRequestPath /usr/local/apache2/conf/ca-names.crt/ -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCADNRequestPath /usr/local/apache2/conf/ca-names.crt/</pre> </div> </div> @@ -466,9 +453,7 @@ to succeed - otherwise it will fail with an <code>"unable to get certificate CRL"</code> error. </p> </div> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLCARevocationCheck chain -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCARevocationCheck chain</pre> </div> </div> @@ -489,9 +474,7 @@ Authorities (CA) whose <em>clients</em> you deal with. These are used for Client Authentication. Such a file is simply the concatenation of the various PEM-encoded CRL files, in order of preference. This can be used alternatively and/or additionally to <code class="directive"><a href="#sslcarevocationpath">SSLCARevocationPath</a></code>.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-client.crl -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-client.crl</pre> </div> </div> 
@@ -515,9 +498,7 @@ hash filenames. So usually you have not only to place the CRL files there. Additionally you have to create symbolic links named <em>hash-value</em><code>.rN</code>. And you should always make sure this directory contains the appropriate symbolic links.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLCARevocationPath /usr/local/apache2/conf/ssl.crl/ -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCARevocationPath /usr/local/apache2/conf/ssl.crl/</pre> </div> </div> @@ -530,6 +511,13 @@ SSLCARevocationPath /usr/local/apache2/conf/ssl.crl/ <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> </table> +<div class="note"><h3>SSLCertificateChainFile is deprecated</h3> +<p><code>SSLCertificateChainFile</code> became obsolete with version 2.4.8, +when <code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code> +was extended to also load intermediate CA certificates from the server +certificate file.</p> +</div> + <p> This directive sets the optional <em>all-in-one</em> file where you can assemble the certificates of Certification Authorities (CA) which form the 
@@ -553,34 +541,51 @@ But be careful: Providing the certificate chain works only if you are using a using a coupled RSA+DSA certificate pair, this will work only if actually both certificates use the <em>same</em> certificate chain. Else the browsers will be confused in this situation.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt</pre> </div> </div> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="directive-section"><h2><a name="SSLCertificateFile" id="SSLCertificateFile">SSLCertificateFile</a> <a name="sslcertificatefile" id="sslcertificatefile">Directive</a></h2> <table class="directive"> -<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded X.509 Certificate file</td></tr> +<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded X.509 certificate data file</td></tr> <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateFile <em>file-path</em></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> </table> <p> -This directive points to the file with the PEM-encoded certificate, -optionally also the corresponding private key, and - beginning with -version 2.4.7 - DH parameters and/or an EC curve name -for ephemeral keys (as generated by <code>openssl dhparam</code> -and <code>openssl ecparam</code>, respectively). If the private key -is encrypted, the pass phrase dialog is forced at startup time. 
+This directive points to a file with certificate data in PEM format. +At a minimum, the file must include an end-entity (leaf) certificate. +Beginning with version 2.4.8, it may also include intermediate CA +certificates, sorted from leaf to root, and obsoletes +<code class="directive"><a href="#sslcertificatechainfile">SSLCertificateChainFile</a></code>. </p> + <p> -This directive can be used up to three times (referencing different filenames) -when both an RSA, a DSA, and an ECC based server certificate is used in -parallel. Note that DH and ECDH parameters are only read from the first -<code class="directive">SSLCertificateFile</code> directive.</p> +Additional optional elements are DH parameters and/or an EC curve name +for ephemeral keys, as generated by <code>openssl dhparam</code> and +<code>openssl ecparam</code>, respectively (supported in version 2.4.7 +or later) and finally, the end-entity certificate's private key. +If the private key is encrypted, the pass phrase dialog is forced +at startup time.</p> + +<p> +This directive can be used multiple times (referencing different filenames) +to support multiple algorithms for server authentication - typically +RSA, DSA, and ECC. The number of supported algorithms depends on the +OpenSSL version being used for mod_ssl: with version 1.0.0 or later, +<code>openssl list-public-key-algorithms</code> will output a list +of supported algorithms.</p> + +<p> +When running with OpenSSL 1.0.2 or later, this directive allows +to configure the intermediate CA chain on a per-certificate basis, +which removes a limitation of the (now obsolete) +<code class="directive"><a href="#sslcertificatechainfile">SSLCertificateChainFile</a></code> directive. 
+DH and ECDH parameters, however, are only read from the first +<code class="directive">SSLCertificateFile</code> directive, as they +are applied independently of the authentication algorithm type.</p> <div class="note"> <h3>DH parameter interoperability with primes > 1024 bit</h3> 
@@ -596,37 +601,34 @@ such issues. </p> </div> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt</pre> </div> </div> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="directive-section"><h2><a name="SSLCertificateKeyFile" id="SSLCertificateKeyFile">SSLCertificateKeyFile</a> <a name="sslcertificatekeyfile" id="sslcertificatekeyfile">Directive</a></h2> <table class="directive"> -<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded Private Key file</td></tr> +<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded private key file</td></tr> <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateKeyFile <em>file-path</em></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> </table> <p> -This directive points to the PEM-encoded Private Key file for the -server. If the Private Key is not combined with the Certificate in the -<code class="directive">SSLCertificateFile</code>, use this additional directive to -point to the file with the stand-alone Private Key. When -<code class="directive">SSLCertificateFile</code> is used and the file -contains both the Certificate and the Private Key this directive need -not be used. But we strongly discourage this practice. Instead we -recommend you to separate the Certificate and the Private Key. If the -contained Private Key is encrypted, the Pass Phrase dialog is forced -at startup time. 
This directive can be used up to three times -(referencing different filenames) when both a RSA, a DSA, and an ECC based -private key is used in parallel.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key -</pre> +This directive points to the PEM-encoded private key file for the +server (the private key may also be combined with the certificate in the +<code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>, but this practice +is discouraged). If the contained private key is encrypted, the pass phrase +dialog is forced at startup time.</p> + +<p> +The directive can be used multiple times (referencing different filenames) +to support multiple algorithms for server authentication. For each +<code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code> +directive, there must be a matching <code class="directive">SSLCertificateFile</code> +directive.</p> + +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key</pre> </div> </div> 
@@ -757,20 +759,16 @@ between speed and security. Next, include high and medium security ciphers. Finally, remove all ciphers which do not authenticate, i.e. for SSL the Anonymous Diffie-Hellman ciphers, as well as all ciphers which use <code>MD5</code> as hash algorithm, because it has been proven insufficient.</p> -<div class="example"><pre> -$ openssl ciphers -v 'RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5' +<div class="example"><pre>$ openssl ciphers -v 'RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5' RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 ... ... ... ... ... SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1 PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1 -KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1 -</pre></div> +KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1</pre></div> <p>The complete list of particular RSA & DH ciphers for SSL is given in <a href="#table2">Table 2</a>.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW</pre> </div> <table class="bordered"> @@ -841,10 +839,8 @@ separate "-engine" releases of OpenSSL 0.9.6 must be used.</p> <p>To discover which engine names are supported, run the command "<code>openssl engine</code>".</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -# For a Broadcom accelerator: -SSLCryptoDevice ubsec -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"># For a Broadcom accelerator: +SSLCryptoDevice ubsec</pre> </div> </div> 
@@ -863,12 +859,10 @@ This directive toggles the usage of the SSL/TLS Protocol Engine. This is should be used inside a <code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code> section to enable SSL/TLS for a that virtual host. By default the SSL/TLS Protocol Engine is disabled for both the main server and all configured virtual hosts.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -<VirtualHost _default_:443> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><VirtualHost _default_:443> SSLEngine on #... -</VirtualHost> -</pre> +</VirtualHost></pre> </div> <p>In Apache 2.1 and later, <code class="directive">SSLEngine</code> can be set to <code>optional</code>. This enables support for @@ -908,7 +902,8 @@ by the applicable Security Policy. <div class="directive-section"><h2><a name="SSLHonorCipherOrder" id="SSLHonorCipherOrder">SSLHonorCipherOrder</a> <a name="sslhonorcipherorder" id="sslhonorcipherorder">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Option to prefer the server's cipher preference order</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLHonorCipherOrder <em>flag</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLHonorCipherOrder on|off</code></td></tr> +<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLHonorCipherOrder off</code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> 
@@ -917,9 +912,7 @@ by the applicable Security Policy. <p>When choosing a cipher during an SSLv3 or TLSv1 handshake, normally the client's preference is used. If this directive is enabled, the server's preference will be used instead.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLHonorCipherOrder on -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLHonorCipherOrder on</pre> </div> </div> @@ -927,7 +920,7 @@ SSLHonorCipherOrder on <div class="directive-section"><h2><a name="SSLInsecureRenegotiation" id="SSLInsecureRenegotiation">SSLInsecureRenegotiation</a> <a name="sslinsecurerenegotiation" id="sslinsecurerenegotiation">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Option to enable support for insecure renegotiation</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLInsecureRenegotiation <em>flag</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLInsecureRenegotiation on|off</code></td></tr> <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLInsecureRenegotiation off</code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> @@ -955,9 +948,7 @@ the Man-in-the-Middle prefix attack as described in <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555">CVE-2009-3555</a>.</p> </div> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLInsecureRenegotiation on -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLInsecureRenegotiation on</pre> </div> <p>The <code>SSL_SECURE_RENEG</code> environment variable can be used 
@@ -985,7 +976,8 @@ the certificate being verified.</p> <div class="directive-section"><h2><a name="SSLOCSPEnable" id="SSLOCSPEnable">SSLOCSPEnable</a> <a name="sslocspenable" id="sslocspenable">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable OCSP validation of the client certificate chain</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPEnable <em>flag</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPEnable on|off</code></td></tr> +<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLOCSPEnable off</code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> @@ -1002,12 +994,10 @@ itself, or derived by configuration; see the <code class="directive"><a href="#sslocspoverrideresponder">SSLOCSPOverrideResponder</a></code> directives.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLVerifyClient on +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLVerifyClient on SSLOCSPEnable on SSLOCSPDefaultResponder http://responder.example.com:8888/responder -SSLOCSPOverrideResponder on -</pre> +SSLOCSPOverrideResponder on</pre> </div> </div> 
@@ -1015,7 +1005,8 @@ SSLOCSPOverrideResponder on <div class="directive-section"><h2><a name="SSLOCSPOverrideResponder" id="SSLOCSPOverrideResponder">SSLOCSPOverrideResponder</a> <a name="sslocspoverrideresponder" id="sslocspoverrideresponder">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Force use of the default responder URI for OCSP validation</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPOverrideResponder <em>flag</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPOverrideResponder on|off</code></td></tr> +<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLOCSPOverrideResponder off</code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> 
@@ -1074,6 +1065,42 @@ which means that OCSP responses are considered valid as long as their </div> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="directive-section"><h2><a name="SSLOpenSSLConfCmd" id="SSLOpenSSLConfCmd">SSLOpenSSLConfCmd</a> <a name="sslopensslconfcmd" id="sslopensslconfcmd">Directive</a></h2> +<table class="directive"> +<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Configure OpenSSL parameters through its <em>SSL_CONF</em> API</td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOpenSSLConfCmd <em>command-name</em> <em>command-value</em></code></td></tr> +<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> +<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> +<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.4.8 and later, if using OpenSSL 1.0.2 or later</td></tr> +</table> +<p>This directive exposes OpenSSL's <em>SSL_CONF</em> API to mod_ssl, +allowing a flexible configuration of OpenSSL parameters without the need +of implementing additional <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> directives when new +features are added to OpenSSL.</p> + +<p>The set of available <code class="directive">SSLOpenSSLConfCmd</code> commands +depends on the OpenSSL version being used for <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> +(at least version 1.0.2 is required). 
For a list of supported command +names, see the section <em>Supported configuration file commands</em> in the +<a href="http://www.openssl.org/docs/ssl/SSL_CONF_cmd.html#SUPPORTED_CONFIGURATION_FILE_COM">SSL_CONF_cmd(3)</a> manual page for OpenSSL.</p> + +<p>Some of the <code class="directive">SSLOpenSSLConfCmd</code> commands can be used +as an alternative to existing directives (such as +<code class="directive"><a href="#sslciphersuite">SSLCipherSuite</a></code> or +<code class="directive"><a href="#sslprotocol">SSLProtocol</a></code>), +though it should be noted that the syntax / allowable values for the parameters +may sometimes differ.</p> + +<div class="example"><h3>Examples</h3><pre class="prettyprint lang-config">SSLOpenSSLConfCmd Options -SessionTicket,ServerPreference +SSLOpenSSLConfCmd ECDHParameters brainpoolP256r1 +SSLOpenSSLConfCmd ServerInfoFile /usr/local/apache2/conf/server-info.pem +SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2" +SSLOpenSSLConfCmd SignatureAlgorithms RSA+SHA384:ECDSA+SHA256</pre> +</div> + +</div> +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="directive-section"><h2><a name="SSLOptions" id="SSLOptions">SSLOptions</a> <a name="ssloptions" id="ssloptions">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Configure various SSL engine run-time options</td></tr> @@ -1177,12 +1204,10 @@ The available <em>option</em>s are:</p> </p> </li> </ul> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLOptions +FakeBasicAuth -StrictRequire +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLOptions +FakeBasicAuth -StrictRequire <Files ~ "\.(cgi|shtml)$"> SSLOptions +StdEnvVars -ExportCertData -<Files> -</pre> +<Files></pre> </div> </div> 
@@ -1259,9 +1284,7 @@ query can be done in two ways which can be configured by The reuse-algorithm above is used here, too. In other words: The external program is called only once per unique Pass Phrase.</p></li> </ul> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter</pre> </div> </div> @@ -1310,9 +1333,7 @@ The available (case-insensitive) <em>protocol</em>s are:</p> - when using OpenSSL 1.0.1 and later - ``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>, respectively.</p></li> </ul> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLProtocol TLSv1 -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProtocol TLSv1</pre> </div> </div> @@ -1333,9 +1354,7 @@ with. These are used for Remote Server Authentication. Such a file is simply the concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to <code class="directive"><a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></code>.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLProxyCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-remote-server.crt -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-remote-server.crt</pre> </div> </div> 
@@ -1359,9 +1378,7 @@ hash filenames. So usually you can't just place the Certificate files there: you also have to create symbolic links named <em>hash-value</em><code>.N</code>. And you should always make sure this directory contains the appropriate symbolic links.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLProxyCACertificatePath /usr/local/apache2/conf/ssl.crt/ -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyCACertificatePath /usr/local/apache2/conf/ssl.crt/</pre> </div> </div> @@ -1398,9 +1415,7 @@ to succeed - otherwise it will fail with an <code>"unable to get certificate CRL"</code> error. </p> </div> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLProxyCARevocationCheck chain -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyCARevocationCheck chain</pre> </div> </div> @@ -1421,9 +1436,7 @@ Authorities (CA) whose <em>remote servers</em> you deal with. These are used for Remote Server Authentication. Such a file is simply the concatenation of the various PEM-encoded CRL files, in order of preference. This can be used alternatively and/or additionally to <code class="directive"><a href="#sslproxycarevocationpath">SSLProxyCARevocationPath</a></code>.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLProxyCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-remote-server.crl -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-remote-server.crl</pre> </div> </div> 
@@ -1447,9 +1460,7 @@ hash filenames. So usually you have not only to place the CRL files there. Additionally you have to create symbolic links named <em>hash-value</em><code>.rN</code>. And you should always make sure this directory contains the appropriate symbolic links.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLProxyCARevocationPath /usr/local/apache2/conf/ssl.crl/ -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyCARevocationPath /usr/local/apache2/conf/ssl.crl/</pre> </div> </div> @@ -1475,9 +1486,7 @@ In 2.4.5 and later, SSLProxyCheckPeerCN has been superseded by setting is only taken into account when <code>SSLProxyCheckPeerName off</code> is specified at the same time. </p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLProxyCheckPeerCN on -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyCheckPeerCN on</pre> </div> </div> @@ -1497,9 +1506,7 @@ This directive sets whether it is checked if the remote server certificate is expired or not. If the check fails a 502 status code (Bad Gateway) is sent. </p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLProxyCheckPeerExpire on -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyCheckPeerExpire on</pre> </div> </div> @@ -1573,12 +1580,10 @@ forward proxy (using <Proxy> or <ProxyRequest> directives. SSLProxyEngine is not required to enable a forward proxy server to proxy SSL/TLS requests.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -<VirtualHost _default_:443> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><VirtualHost _default_:443> SSLProxyEngine on #... -</VirtualHost> -</pre> +</VirtualHost></pre> </div> </div> 
@@ -1605,12 +1610,10 @@ be examined and a chain of trust will be constructed. </p> <div class="warning"><h3>Security warning</h3> <p>If this directive is enabled, all of the certificates in the file will be -trusted as if they were also in <code class="directive"><a href="# sslproxycacertificatefile"> +trusted as if they were also in <code class="directive"><a href="#sslproxycacertificatefile"> SSLProxyCACertificateFile</a></code>.</p> </div> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLProxyMachineCertificateChainFile /usr/local/apache2/conf/ssl.crt/proxyCA.pem -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyMachineCertificateChainFile /usr/local/apache2/conf/ssl.crt/proxyCA.pem</pre> </div> </div> @@ -1636,9 +1639,7 @@ or additionally to <code>SSLProxyMachineCertificatePath</code>. <div class="warning"> <p>Currently there is no support for encrypted private keys</p> </div> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLProxyMachineCertificateFile /usr/local/apache2/conf/ssl.crt/proxy.pem -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyMachineCertificateFile /usr/local/apache2/conf/ssl.crt/proxy.pem</pre> </div> </div> @@ -1663,9 +1664,7 @@ directory contains the appropriate symbolic links.</p> <div class="warning"> <p>Currently there is no support for encrypted private keys</p> </div> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLProxyMachineCertificatePath /usr/local/apache2/conf/proxy.crt/ -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyMachineCertificatePath /usr/local/apache2/conf/proxy.crt/</pre> </div> </div> 
@@ -1722,9 +1721,7 @@ The following levels are available for <em>level</em>:</p> <strong>optional</strong> doesn't work with all servers and level <strong>optional_no_ca</strong> is actually against the idea of authentication (but can be used to establish SSL test pages, etc.)</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLProxyVerify require -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyVerify require</pre> </div> </div> @@ -1750,9 +1747,7 @@ remote server certificates are accepted only, the default depth of 1 means the remote server certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under <code class="directive"><a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></code>), etc.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLProxyVerifyDepth 10 -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyVerifyDepth 10</pre> </div> </div> @@ -1831,15 +1826,13 @@ The following <em>source</em> variants are available:</p> /crypto/</a>) to seed the PRNG. Use this if no random device exists on your platform.</p></li> </ul> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLRandomSeed startup builtin +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLRandomSeed startup builtin SSLRandomSeed startup file:/dev/random SSLRandomSeed startup file:/dev/urandom 1024 SSLRandomSeed startup exec:/usr/local/bin/truerand 16 SSLRandomSeed connect builtin SSLRandomSeed connect file:/dev/random -SSLRandomSeed connect file:/dev/urandom 1024 -</pre> +SSLRandomSeed connect file:/dev/urandom 1024</pre> </div> </div> 
@@ -1868,9 +1861,7 @@ will be untrusted so a denial of service attack by consumption of memory must be considered when changing this configuration setting. </p></div> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLRenegBufferSize 262144 -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLRenegBufferSize 262144</pre> </div> </div> @@ -1916,8 +1907,7 @@ containing any number of access checks.</p> The <em>expression</em> must match the following syntax (given as a BNF grammar notation):</p> <blockquote> -<pre> -expr ::= "<strong>true</strong>" | "<strong>false</strong>" +<pre>expr ::= "<strong>true</strong>" | "<strong>false</strong>" | "<strong>!</strong>" expr | expr "<strong>&&</strong>" expr | expr "<strong>||</strong>" expr @@ -1946,8 +1936,7 @@ word ::= digit digit ::= [0-9]+ cstring ::= "..." variable ::= "<strong>%{</strong>" varname "<strong>}</strong>" -function ::= funcname "<strong>(</strong>" funcargs "<strong>)</strong>" -</pre> +function ::= funcname "<strong>(</strong>" funcargs "<strong>)</strong>"</pre> </blockquote> <p>For <code>varname</code> any of the variables described in <a href="#envvars">Environment Variables</a> can be used. For <code>funcname</code> the available functions are listed in 
@@ -1959,14 +1948,12 @@ during request processing. In .htaccess context, the <em>expression</em> is both parsed and executed each time the .htaccess file is encountered during request processing.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \ +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \ and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ and %{TIME_WDAY} -ge 1 and %{TIME_WDAY} -le 5 \ and %{TIME_HOUR} -ge 8 and %{TIME_HOUR} -le 20 ) \ - or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ -</pre> + or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/</pre> </div> <p>The <code>PeerExtList(<em>object-ID</em>)</code> function expects @@ -1977,9 +1964,7 @@ exactly against the value of an extension identified with this OID. (If multiple extensions with the same OID are present, at least one extension must match).</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6") -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6")</pre> </div> <div class="note"><h3>Notes on the PeerExtList function</h3> @@ -2029,9 +2014,7 @@ the current connection. This is very handy inside the SSL-enabled virtual host or directories for defending against configuration errors that expose stuff that should be protected. When this directive is present all requests are denied which are not using SSL.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLRequireSSL -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLRequireSSL</pre> </div> </div> 
@@ -2101,10 +2084,8 @@ The following five storage <em>type</em>s are currently supported:</p> </ul> -<div class="example"><h3>Examples</h3><pre class="prettyprint lang-config"> -SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data -SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data(512000) -</pre> +<div class="example"><h3>Examples</h3><pre class="prettyprint lang-config">SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data +SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)</pre> </div> <p>The <code>ssl-cache</code> mutex is used to serialize access to @@ -2128,9 +2109,7 @@ This directive sets the timeout in seconds for the information stored in the global/inter-process SSL Session Cache and the OpenSSL internal memory cache. It can be set as low as 15 for testing, but should be set to higher values like 300 in real life.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLSessionCacheTimeout 600 -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLSessionCacheTimeout 600</pre> </div> </div> @@ -2403,9 +2382,7 @@ This option is only available if httpd was compiled against an SNI capable version of OpenSSL. </p></div> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLStrictSNIVHostCheck on -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLStrictSNIVHostCheck on</pre> </div> </div> @@ -2429,9 +2406,7 @@ any of the <a href="#envvars">SSL environment variables</a>.</p> <p>Note that this directive has no effect if the <code>FakeBasicAuth</code> option is used (see <a href="#ssloptions">SSLOptions</a>).</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLUserName SSL_CLIENT_S_DN_CN -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLUserName SSL_CLIENT_S_DN_CN</pre> </div> </div> 
@@ -2502,9 +2477,7 @@ The following levels are available for <em>level</em>:</p> <strong>optional</strong> doesn't work with all browsers and level <strong>optional_no_ca</strong> is actually against the idea of authentication (but can be used to establish SSL test pages, etc.)</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLVerifyClient require -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLVerifyClient require</pre> </div> </div> @@ -2536,9 +2509,7 @@ certificates are accepted only, the default depth of 1 means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under <code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code>), etc.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"> -SSLVerifyDepth 10 -</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLVerifyDepth 10</pre> </div> </div> @@ -2564,7 +2535,7 @@ var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_ssl.html'; } })(window, document); //--><!]]></script></div><div id="footer"> -<p class="apache">Copyright 2013 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> +<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!-- if (typeof(prettyPrint) !== 'undefined') { prettyPrint(); |
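Review bot: the `<pre>` whitespace trimming that runs from hunk @@ -1359,9 +1378,7 @@ through @@ -2536,9 +2509,7 @@ is presentation only; every directive line (`SSLProxyCACertificatePath /usr/local/apache2/conf/ssl.crt/`, the seven `SSLRandomSeed` lines, the multi-line `SSLRequire` expression, both `SSLSessionCache` examples) is carried over unchanged, so no documented configuration semantics move with this import. The one hunk worth eyeballing in the rendered page is @@ -1573,12 +1580,10 @@, where `<VirtualHost _default_:443>` now sits on the same line as the opening `<pre>`; that is correct because the inner line breaks before `SSLProxyEngine on` and before `</VirtualHost>` are kept, so the example still renders as three lines rather than one.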
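Review bot: the anchor fix in hunk @@ -1605,12 +1610,10 @@ (`href="# sslproxycacertificatefile"` to `href="#sslproxycacertificatefile"`) is the only functional change in this file and deserves more visibility than a whitespace import gives it. The stray space made the fragment a dead link, and it sits inside the "Security warning" that tells operators every certificate in `SSLProxyMachineCertificateChainFile` is trusted as if it were listed in `SSLProxyCACertificateFile`, i.e. that the chain file widens the proxy's set of trust anchors. With the link repaired, an administrator reading that warning can reach the directive it depends on.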
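Review bot: the footer hunk @@ -2564,7 +2535,7 @@ only bumps the copyright year from 2013 to 2014 in the generated `<p class="apache">` line; nothing else in the footer or the trailing prettyPrint script changes, so this hunk needs no further review.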