author | Stefan Fritsch <sf@sfritsch.de> | 2011-12-27 19:42:59 +0100 |
---|---|---|
committer | Stefan Fritsch <sf@sfritsch.de> | 2011-12-27 19:42:59 +0100 |
commit | e8bb7adda7f73e53cdab823e9cab2a49ccbdf188 (patch) | |
tree | 87b13ae8f9f3b5c0059acca2796667726cddb838 /docs/manual/mod/mod_ssl.html.en | |
parent | db26b587c04799e75b6dd0fcd4b46aaa168f9161 (diff) | |
download | apache2-e8bb7adda7f73e53cdab823e9cab2a49ccbdf188.tar.gz | |
Upstream tarball 2.2.16 (tag: upstream/2.2.16)
Diffstat (limited to 'docs/manual/mod/mod_ssl.html.en')
-rw-r--r-- | docs/manual/mod/mod_ssl.html.en | 35 |
1 files changed, 32 insertions, 3 deletions
diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en index 4f3c3cdc..4743451d 100644 --- a/docs/manual/mod/mod_ssl.html.en +++ b/docs/manual/mod/mod_ssl.html.en @@ -54,6 +54,7 @@ to provide the cryptography engine.</p> <li><img alt="" src="../images/down.gif" /> <a href="#sslciphersuite">SSLCipherSuite</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslcryptodevice">SSLCryptoDevice</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslengine">SSLEngine</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#sslfips">SSLFIPS</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslhonorcipherorder">SSLHonorCipherOrder</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslinsecurerenegotiation">SSLInsecureRenegotiation</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslmutex">SSLMutex</a></li> 
@@ -637,10 +638,38 @@ Within HTTP/1.1. At this time no web browsers support RFC 2817.</p> </div> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="directive-section"><h2><a name="SSLFIPS" id="SSLFIPS">SSLFIPS</a> <a name="sslfips" id="sslfips">Directive</a></h2> +<table class="directive"> +<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>SSL FIPS mode Switch</td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLFIPS on|off</code></td></tr> +<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLFIPS off</code></td></tr> +<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> +<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> +<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +</table> +<p> +This directive toggles the usage of the SSL library FIPS_mode flag. +It must be set in the global server context and cannot be configured +with conflicting settings (SSLFIPS on followed by SSLFIPS off or +similar). The mode applies to all SSL library operations. +</p> +<p> +If httpd was compiled against an SSL library which did not support +the FIPS_mode flag, <code>SSLFIPS on</code> will fail. Refer to the +FIPS 140-2 Security Policy document of the SSL provider library for +specific requirements to use mod_ssl in a FIPS 140-2 approved mode +of operation; note that mod_ssl itself is not validated, but may be +described as using FIPS 140-2 validated cryptographic module, when +all components are assembled and operated under the guidelines imposed +by the applicable Security Policy. 
+</p> + +</div> +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="directive-section"><h2><a name="SSLHonorCipherOrder" id="SSLHonorCipherOrder">SSLHonorCipherOrder</a> <a name="sslhonorcipherorder" id="sslhonorcipherorder">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Option to prefer the server's cipher preference order</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLHonorCiperOrder <em>flag</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLHonorCipherOrder <em>flag</em></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> @@ -674,8 +703,8 @@ during a renegotiation. This vulnerability allowed an attacker to server. A protocol extension was developed which fixed this vulnerability if supported by both client and server.</p> -<p>If <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> is linked against OpenSSL version 1.0.0 -Beta 5 or later, by default renegotiation is only supported with +<p>If <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> is linked against OpenSSL version 0.9.8m +or later, by default renegotiation is only supported with clients supporting the new protocol extension. If this directive is enabled, renegotiation will be allowed with old (unpatched) clients, albeit insecurely.</p> |
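Review bot: in the new SSLFIPS section (second hunk), the sentence "If httpd was compiled against an SSL library which did not support the FIPS_mode flag, SSLFIPS on will fail" leaves open what "fail" means to an operator: whether httpd refuses to start or merely logs an error and runs without FIPS mode. Since an operator enabling this directive is relying on it for a compliance posture, the paragraph should say explicitly which of the two happens (and, if it is a startup failure, that the error is reported at configuration time). Two smaller wording points in the same hunk: the description cell "SSL FIPS mode Switch" does not match the sentence-style capitalisation used by the neighbouring directives (e.g. "Option to prefer the server's cipher preference order"), so "SSL FIPS mode switch" would be consistent; and "may be described as using FIPS 140-2 validated cryptographic module" is missing an article ("a FIPS 140-2 validated cryptographic module"). The SSLHonorCiperOrder to SSLHonorCipherOrder correction bundled into this hunk is a welcome fix, since the misspelled name would have been copied into configurations verbatim.

Review bot: the third hunk changes the OpenSSL version at which renegotiation is restricted to RFC 5746-capable clients from "1.0.0 Beta 5 or later" to "0.9.8m or later", which is a security-relevant factual claim that administrators will use to decide whether their build refuses unpatched clients by default. The commit message ("Upstream tarball 2.2.16") gives no rationale for the change, so the documentation paragraph would be stronger if it cited the OpenSSL release notes for the version that introduced the secure renegotiation extension, letting readers verify the threshold rather than trust a bare version number that has already been revised once.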