From 2a463b3cd73c32ee9dcd508248d0194923f435f4 Mon Sep 17 00:00:00 2001
From: Stefan Fritsch
Date: Sat, 29 Mar 2014 21:56:19 +0100
Subject: Imported Upstream version 2.4.9
---
 docs/manual/ssl/ssl_howto.html.en | 59 +++++++++++++--------------------------
 1 file changed, 20 insertions(+), 39 deletions(-)
(limited to 'docs/manual/ssl/ssl_howto.html.en')
diff --git a/docs/manual/ssl/ssl_howto.html.en b/docs/manual/ssl/ssl_howto.html.en
index 4f1a6725..fb3e3897 100644
--- a/docs/manual/ssl/ssl_howto.html.en
+++ b/docs/manual/ssl/ssl_howto.html.en
@@ -9,7 +9,7 @@
-
@@ -44,8 +44,7 @@ before progressing to the advanced techniques.

Your SSL configuration will need to contain, at minimum, the following directives.

-
-LoadModule ssl_module modules/mod_ssl.so
+
LoadModule ssl_module modules/mod_ssl.so
 
 Listen 443
 <VirtualHost *:443>
@@ -53,8 +52,7 @@ Listen 443
     SSLEngine on
     SSLCertificateFile /path/to/www.example.com.cert
     SSLCertificateKeyFile /path/to/www.example.com.key
-</VirtualHost>
-
+</VirtualHost>
top
@@ -71,19 +69,15 @@ requires a strong cipher for access to a particular URL? only?

The following enables only the strongest ciphers:

-
-      SSLCipherSuite HIGH:!aNULL:!MD5
-    
+
SSLCipherSuite HIGH:!aNULL:!MD5

While with the following configuration you specify a preference for specific speed-optimized ciphers (which will be selected by mod_ssl, provided that they are supported by the client):

-
-SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
-SSLHonorCipherOrder on
-    
+
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
+SSLHonorCipherOrder on
@@ -97,16 +91,14 @@ URL? blocks, to give a per-directory solution, and can automatically force a renegotiation of the SSL parameters to meet the new configuration. This can be done as follows:

-
-# be liberal in general
+    
# be liberal in general
 SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
 
 <Location /strong/area>
 # but https://hostname/strong/area/ and below
 # requires strong ciphers
 SSLCipherSuite HIGH:!aNULL:!MD5
-</Location>
-    
+</Location>
top
@@ -132,13 +124,11 @@ Intranet website, for clients coming from the Internet? need to do is to create client certificates signed by your own CA certificate (ca.crt) and then verify the clients against this certificate.

-
-# require a client certificate which has to be directly
+    
# require a client certificate which has to be directly
 # signed by our CA certificate in ca.crt
 SSLVerifyClient require
 SSLVerifyDepth 1
-SSLCACertificateFile conf/ssl.crt/ca.crt
-    
+SSLCACertificateFile conf/ssl.crt/ca.crt
@@ -150,15 +140,13 @@ SSLCACertificateFile conf/ssl.crt/ca.crt you can use the per-directory reconfiguration features of mod_ssl:

-
-SSLVerifyClient none
+    
SSLVerifyClient none
 SSLCACertificateFile conf/ssl.crt/ca.crt
 
 <Location /secure/area>
 SSLVerifyClient require
 SSLVerifyDepth 1
-</Location>
-    
+</Location>
@@ -178,8 +166,7 @@ SSLVerifyDepth 1 you should establish a password database containing all clients allowed, as follows:

-
-SSLVerifyClient      none
+    
SSLVerifyClient      none
 SSLCACertificateFile conf/ssl.crt/ca.crt
 SSLCACertificatePath conf/ssl.crt
 
@@ -193,16 +180,14 @@ SSLCACertificatePath conf/ssl.crt
     AuthBasicProvider    file
     AuthUserFile         /usr/local/apache2/conf/httpd.passwd
     Require              valid-user
-</Directory>
-    
+</Directory>

The password used in this example is the DES encrypted string "password". See the SSLOptions docs for more information.

-

httpd.passwd

-/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
+    

httpd.passwd

/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
 /C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
 /C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA
@@ -210,8 +195,7 @@ SSLCACertificatePath conf/ssl.crt into the DN, you can match them more easily using SSLRequire, as follows:

-
-SSLVerifyClient      none
+    
SSLVerifyClient      none
 SSLCACertificateFile conf/ssl.crt/ca.crt
 SSLCACertificatePath conf/ssl.crt
 
@@ -222,8 +206,7 @@ SSLCACertificatePath conf/ssl.crt
   SSLRequireSSL
   SSLRequire       %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." \
                and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
-</Directory>
-    
+</Directory>
@@ -239,8 +222,7 @@ plain HTTP access for clients on the Intranet. This configuration should remain outside of your HTTPS virtual host, so that it applies to both HTTPS and HTTP.

-
-SSLCACertificateFile conf/ssl.crt/company-ca.crt
+    
SSLCACertificateFile conf/ssl.crt/company-ca.crt
 
 <Directory /usr/local/apache2/htdocs>
     #   Outside the subarea only Intranet access is granted
@@ -277,8 +259,7 @@ SSLCACertificateFile conf/ssl.crt/company-ca.crt
     AuthBasicProvider    file
     AuthUserFile         conf/protected.passwd
     Require              valid-user
-</Directory>
-    
+</Directory>
top
@@ -314,7 +295,7 @@ var comments_identifier = 'http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html'; } })(window, document); //-->