Upstream tarball 2.2.3upstream/2.2.3

1 files changed, 294 insertions, 0 deletions

diff --git a/docs/manual/ssl/ssl_howto.html.en b/docs/manual/ssl/ssl_howto.html.en
new file mode 100644
index 00000000..8c514409
--- /dev/null
+++ b/docs/manual/ssl/ssl_howto.html.en
@@ -0,0 +1,294 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
+        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+              This file is generated from xml source: DO NOT EDIT
+        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+      -->
+<title>SSL/TLS Strong Encryption: How-To - Apache HTTP Server</title>
+<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
+<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
+<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
+<link href="../images/favicon.ico" rel="shortcut icon" /></head>
+<body id="manual-page"><div id="page-header">
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
+<p class="apache">Apache HTTP Server Version 2.2</p>
+<img alt="" src="../images/feather.gif" /></div>
+<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
+<div id="path">
+<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.2</a> &gt; <a href="./">SSL/TLS</a></div><div id="page-content"><div id="preamble"><h1>SSL/TLS Strong Encryption: How-To</h1>
+<div class="toplang">
+<p><span>Available Languages: </span><a href="../en/ssl/ssl_howto.html" title="English">&nbsp;en&nbsp;</a></p>
+</div>
+
+<blockquote>
+<p>The solution to this problem is trivial
+and is left as an exercise for the reader.</p>
+
+<p class="cite">-- <cite>Standard textbook cookie</cite></p>
+</blockquote>
+
+<p>How to solve particular security problems for an SSL-aware
+webserver is not always obvious because of the interactions between SSL,
+HTTP and Apache's way of processing requests. This chapter gives
+instructions on how to solve some typical situations. Treat it as a first
+step to find out the final solution, but always try to understand the 
+stuff before you use it. Nothing is worse than using a security solution
+without knowing its restrictions and how it interacts with other systems.</p>
+</div>
+<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#ciphersuites">Cipher Suites and Enforcing Strong Security</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#accesscontrol">Client Authentication and Access Control</a></li>
+</ul></div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="ciphersuites" id="ciphersuites">Cipher Suites and Enforcing Strong Security</a></h2>
+
+<ul>
+<li><a href="#realssl">How can I create a real SSLv2-only server?</a></li>
+<li><a href="#onlystrong">How can I create an SSL server which accepts strong encryption only?</a></li>
+<li><a href="#upgradeenc">How can I create an SSL server which accepts strong encryption only, but allows
+export browsers to upgrade to stronger encryption?</a></li>
+<li><a href="#strongurl">How can I create an SSL server which accepts all types of ciphers in general, but 
+requires a strong cipher for access to a particular URL?</a></li>
+</ul>
+
+<h3><a name="realssl" id="realssl">How can I create a real SSLv2-only server?</a></h3>
+
+    <p>The following creates an SSL server which speaks only the SSLv2 protocol and
+    its ciphers.</p>
+
+    <div class="example"><h3>httpd.conf</h3><p><code>
+      SSLProtocol -all +SSLv2<br />
+      SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP<br />
+    </code></p></div>
+
+
+<h3><a name="onlystrong" id="onlystrong">How can I create an SSL server which accepts strong encryption
+only?</a></h3>
+
+    <p>The following enables only the seven strongest ciphers:</p>
+    <div class="example"><h3>httpd.conf</h3><p><code>
+      SSLProtocol all<br />
+      SSLCipherSuite HIGH:MEDIUM<br />
+    </code></p></div>
+
+
+<h3><a name="upgradeenc" id="upgradeenc">How can I create an SSL server which accepts strong encryption
+only, but allows export browsers to upgrade to stronger encryption?</a></h3>
+
+    <p>This facility is called Server Gated Cryptography (SGC) and requires 
+    a Global ID server certificate, signed by a special CA certificate 
+    from Verisign. This enables strong encryption in 'export' versions of 
+    browsers, which traditionally could not support it (because of US export 
+    restrictions).</p>
+    <p>When a browser connects with an export cipher, the server sends its Global
+    ID certificate. The browser verifies this, and can then upgrade its
+    cipher suite before any HTTP communication takes place. The problem 
+    lies in allowing browsers to upgrade in this fashion, but still requiring
+    strong encryption. In other words, we want browsers to either start a 
+    connection with strong encryption, or to start with export ciphers but 
+    upgrade to strong encryption before beginning HTTP communication.</p>
+    <p>This can be done as follows:</p>
+    <div class="example"><h3>httpd.conf</h3><p><code>
+      # allow all ciphers for the initial handshake,<br />
+      # so export browsers can upgrade via SGC facility<br />
+      SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br />
+      <br />
+      &lt;Directory /usr/local/apache2/htdocs&gt;<br />
+      # but finally deny all browsers which haven't upgraded<br />
+      SSLRequire %{SSL_CIPHER_USEKEYSIZE} &gt;= 128<br />
+      &lt;/Directory&gt;
+    </code></p></div>
+
+
+<h3><a name="strongurl" id="strongurl">How can I create an SSL server which accepts all types of ciphers
+in general, but requires a strong ciphers for access to a particular
+URL?</a></h3>
+
+    <p>Obviously, a server-wide <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code> which restricts 
+    ciphers to the strong variants, isn't the answer here. However, 
+    <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> can be reconfigured within <code>Location</code>
+    blocks, to give a per-directory solution, and can automatically force
+    a renegotiation of the SSL parameters to meet the new configuration.
+    This can be done as follows:</p>
+    <div class="example"><p><code>
+      # be liberal in general<br />
+      SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br />
+      <br />
+      &lt;Location /strong/area&gt;<br />
+      # but https://hostname/strong/area/ and below<br />
+      # requires strong ciphers<br />
+      SSLCipherSuite HIGH:MEDIUM<br />
+      &lt;/Location&gt;
+    </code></p></div>
+
+</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="accesscontrol" id="accesscontrol">Client Authentication and Access Control</a></h2>
+
+<ul>
+<li><a href="#allclients">How can I force clients to authenticate using certificates?</a></li>
+<li><a href="#arbitraryclients">How can I force clients to authenticate using certificates for a 
+        particular URL, but still allow arbitrary clients to access the rest of the server?</a></li>
+<li><a href="#certauthenticate">How can I allow only clients who have certificates to access a
+        particular URL, but allow all clients to access the rest of the server?</a></li>
+<li><a href="#intranet">How can I require HTTPS with strong ciphers, and either
+basic authentication or client certificates, for access to part of the
+Intranet website, for clients coming from the Internet?</a></li>
+</ul>
+
+<h3><a name="allclients" id="allclients">How can I force clients to authenticate using certificates?</a></h3>
+
+
+    <p>When you know all of your users (eg, as is often the case on a corporate
+    Intranet), you can require plain certificate authentication. All you
+    need to do is to create client certificates signed by your own CA
+    certificate (<code>ca.crt</code>) and then verify the clients against this
+    certificate.</p>
+    <div class="example"><h3>httpd.conf</h3><p><code>
+      # require a client certificate which has to be directly<br />
+      # signed by our CA certificate in ca.crt<br />
+      SSLVerifyClient require<br />
+      SSLVerifyDepth 1<br />
+      SSLCACertificateFile conf/ssl.crt/ca.crt
+    </code></p></div>
+
+
+<h3><a name="arbitraryclients" id="arbitraryclients">How can I force clients to authenticate using certificates for a
+	particular URL, but still allow arbitrary clients to access the rest of the server?</a></h3>
+
+
+<p>To force clients to authenticate using certificates for a particular URL,
+	you can use the per-directory reconfiguration features of <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>:</p>
+
+    <div class="example"><h3>httpd.conf</h3><p><code>
+    SSLVerifyClient none<br />
+    SSLCACertificateFile conf/ssl.crt/ca.crt<br />
+    <br />
+    &lt;Location /secure/area&gt;<br />
+    SSLVerifyClient require<br />
+    SSLVerifyDepth 1<br />
+    &lt;/Location&gt;<br />
+    </code></p></div>
+
+
+<h3><a name="certauthenticate" id="certauthenticate">How can I allow only clients who have certificates to access a
+	particular URL, but allow all clients to access the rest of the server?</a></h3>
+
+
+    <p>The key to doing this is checking that part of the client certificate
+    matches what you expect. Usually this means checking all or part of the
+    Distinguished Name (DN), to see if it contains some known string.
+    There are two ways to do this, using either <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code> or
+    <code class="directive"><a href="../mod/mod_ssl.html#sslrequire">SSLRequire</a></code>.</p> 
+    
+    <p>The <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code> method is generally required when
+    the certificates are completely arbitrary, or when their DNs have
+    no common fields (usually the organisation, etc.). In this case,
+    you should establish a password database containing <em>all</em>
+    clients allowed, as follows:</p>
+    
+    <div class="example"><h3>httpd.conf</h3><pre>
+SSLVerifyClient      none
+&lt;Directory /usr/local/apache2/htdocs/secure/area&gt;
+
+SSLVerifyClient      require
+SSLVerifyDepth       5
+SSLCACertificateFile conf/ssl.crt/ca.crt
+SSLCACertificatePath conf/ssl.crt
+SSLOptions           +FakeBasicAuth
+SSLRequireSSL
+AuthName             "Snake Oil Authentication"
+AuthType             Basic
+AuthBasicProvider    file
+AuthUserFile         /usr/local/apache2/conf/httpd.passwd
+require              valid-user
+&lt;/Directory&gt;</pre></div>
+
+    <div class="example"><h3>httpd.passwd</h3><pre>
+/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
+/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
+/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA</pre></div>
+
+    <p>When your clients are all part of a common hierarchy, which is encoded
+    into the DN, you can match them more easily using <code class="directive"><a href="../mod/mod_ssl.html#sslrequire">SSLRequire</a></code>, as follows:</p>
+
+
+    <div class="example"><h3>httpd.conf</h3><pre>
+SSLVerifyClient      none
+&lt;Directory /usr/local/apache2/htdocs/secure/area&gt;
+
+  SSLVerifyClient      require
+  SSLVerifyDepth       5
+  SSLCACertificateFile conf/ssl.crt/ca.crt
+  SSLCACertificatePath conf/ssl.crt
+  SSLOptions           +FakeBasicAuth
+  SSLRequireSSL
+  SSLRequire       %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." \
+               and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
+&lt;/Directory&gt;</pre></div>
+
+
+<h3><a name="intranet" id="intranet">How can I require HTTPS with strong ciphers, and either basic
+authentication or client certificates, for access to part of the
+Intranet website, for clients coming from the Internet? I still want to allow
+plain HTTP access for clients on the Intranet.</a></h3>
+
+   
+   <p>These examples presume that clients on the Intranet have IPs in the range 
+   192.160.1.0/24, and that the part of the Intranet website you want to allow
+   internet access to is <code>/usr/local/apache2/htdocs/subarea</code>. 
+   This configuration should remain outside of your HTTPS virtual host, so
+   that it applies to both HTTPS and HTTP.</p>
+
+    <div class="example"><h3>httpd.conf</h3><pre>
+SSLCACertificateFile conf/ssl.crt/company-ca.crt
+
+&lt;Directory /usr/local/apache2/htdocs&gt;
+#   Outside the subarea only Intranet access is granted
+Order                deny,allow
+Deny                 from all
+Allow                from 192.168.1.0/24
+&lt;/Directory&gt;
+
+&lt;Directory /usr/local/apache2/htdocs/subarea&gt;
+#   Inside the subarea any Intranet access is allowed
+#   but from the Internet only HTTPS + Strong-Cipher + Password
+#   or the alternative HTTPS + Strong-Cipher + Client-Certificate
+
+#   If HTTPS is used, make sure a strong cipher is used.
+#   Additionally allow client certs as alternative to basic auth.
+SSLVerifyClient      optional
+SSLVerifyDepth       1
+SSLOptions           +FakeBasicAuth +StrictRequire
+SSLRequire           %{SSL_CIPHER_USEKEYSIZE} &gt;= 128
+
+#   Force clients from the Internet to use HTTPS
+RewriteEngine        on
+RewriteCond          %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
+RewriteCond          %{HTTPS} !=on
+RewriteRule          .* - [F]
+
+#   Allow Network Access and/or Basic Auth
+Satisfy              any
+
+#   Network Access Control
+Order                deny,allow
+Deny                 from all
+Allow                192.168.1.0/24
+
+#   HTTP Basic Authentication
+AuthType             basic
+AuthName             "Protected Intranet Area"
+AuthBasicProvider    file
+AuthUserFile         conf/protected.passwd
+Require              valid-user
+&lt;/Directory&gt;</pre></div>
+
+</div></div>
+<div class="bottomlang">
+<p><span>Available Languages: </span><a href="../en/ssl/ssl_howto.html" title="English">&nbsp;en&nbsp;</a></p>
+</div><div id="footer">
+<p class="apache">Copyright 2006 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div>
+</body></html>
\ No newline at end of file