provided. Information about this function is provided in the <a
href="../ssl/ssl_compat.html">Compatibility</a> chapter.</p>
<example><title>Example</title>
-CustomLog logs/ssl_request_log \
- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+<highlight language="config">
+CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+</highlight>
</example>
</section>
encrypted with SSL. This is similar to the
<directive>SSLRequireSSL</directive> directive.</p>
- <example>
+ <highlight language="config">
Require ssl
- </example>
+ </highlight>
</section>
<p>The following example grants access if the user is authenticated
either with a client certificate or by username and password.</p>
- <example>
+ <highlight language="config">
Require ssl-verify-client<br/>
Require valid-user
- </example>
+ </highlight>
</section>
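Review bot: The context line `Require ssl-verify-client<br/>` still carries a `<br/>` inside the new `<highlight language="config">` block, where it will either render literally or break the highlighted output; the other hunks in this patch (for example the SSLRandomSeed and SSLOptions examples) drop their `<br />` tags when converting, so this one should become a plain `Require ssl-verify-client` line as well.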
program is called only once per unique Pass Phrase.</p></li>
</ul>
<example><title>Example</title>
+<highlight language="config">
SSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter
+</highlight>
</example>
</usage>
</directivesynopsis>
on your platform.</p></li>
</ul>
<example><title>Example</title>
-SSLRandomSeed startup builtin<br />
-SSLRandomSeed startup file:/dev/random<br />
-SSLRandomSeed startup file:/dev/urandom 1024<br />
-SSLRandomSeed startup exec:/usr/local/bin/truerand 16<br />
-SSLRandomSeed connect builtin<br />
-SSLRandomSeed connect file:/dev/random<br />
-SSLRandomSeed connect file:/dev/urandom 1024<br />
+<highlight language="config">
+SSLRandomSeed startup builtin
+SSLRandomSeed startup file:/dev/random
+SSLRandomSeed startup file:/dev/urandom 1024
+SSLRandomSeed startup exec:/usr/local/bin/truerand 16
+SSLRandomSeed connect builtin
+SSLRandomSeed connect file:/dev/random
+SSLRandomSeed connect file:/dev/urandom 1024
+</highlight>
</example>
</usage>
</directivesynopsis>
</ul>
<example><title>Examples</title>
-SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data<br />
+<highlight language="config">
+SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data
SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)
+</highlight>
</example>
<p>The <code>ssl-cache</code> mutex is used to serialize access to
It can be set as low as 15 for testing, but should be set to higher
values like 300 in real life.</p>
<example><title>Example</title>
+<highlight language="config">
SSLSessionCacheTimeout 600
+</highlight>
</example>
</usage>
</directivesynopsis>
that virtual host. By default the SSL/TLS Protocol Engine is
disabled for both the main server and all configured virtual hosts.</p>
<example><title>Example</title>
-<VirtualHost _default_:443><br />
-SSLEngine on<br />
-...<br />
+<highlight language="config">
+<VirtualHost _default_:443>
+SSLEngine on
+#...
</VirtualHost>
+</highlight>
</example>
<p>In Apache 2.1 and later, <directive>SSLEngine</directive> can be set to
<code>optional</code>. This enables support for
``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>, respectively.</p></li>
</ul>
<example><title>Example</title>
+<highlight language="config">
SSLProtocol TLSv1
+</highlight>
</example>
</usage>
</directivesynopsis>
<p>The complete list of particular RSA & DH ciphers for SSL is given in <a
href="#table2">Table 2</a>.</p>
<example><title>Example</title>
+<highlight language="config">
SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
+</highlight>
</example>
<table border="1">
<columnspec><column width=".3"/><column width=".1"/><column width=".13"/>
two times (referencing different filenames) when both a RSA and a DSA based
server certificate is used in parallel.</p>
<example><title>Example</title>
+<highlight language="config">
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
+</highlight>
</example>
</usage>
</directivesynopsis>
(referencing different filenames) when both a RSA and a DSA based
private key is used in parallel.</p>
<example><title>Example</title>
+<highlight language="config">
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
+</highlight>
</example>
</usage>
</directivesynopsis>
certificates use the <em>same</em> certificate chain. Else the browsers will be
confused in this situation.</p>
<example><title>Example</title>
+<highlight language="config">
SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt
+</highlight>
</example>
</usage>
</directivesynopsis>
<em>hash-value</em><code>.N</code>. And you should always make sure this directory
contains the appropriate symbolic links.</p>
<example><title>Example</title>
+<highlight language="config">
SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/
+</highlight>
</example>
</usage>
</directivesynopsis>
preference. This can be used alternatively and/or additionally to
<directive module="mod_ssl">SSLCACertificatePath</directive>.</p>
<example><title>Example</title>
+<highlight language="config">
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt
+</highlight>
</example>
</usage>
</directivesynopsis>
PEM-encoded CA certificates.</p>
<example><title>Example</title>
+<highlight language="config">
SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt
+</highlight>
</example>
</usage>
</directivesynopsis>
<em>hash-value</em><code>.N</code>. And you should always make sure
this directory contains the appropriate symbolic links.</p>
<example><title>Example</title>
+<highlight language="config">
SSLCADNRequestPath /usr/local/apache2/conf/ca-names.crt/
+</highlight>
</example>
</usage>
</directivesynopsis>
<em>hash-value</em><code>.rN</code>. And you should always make sure this directory
contains the appropriate symbolic links.</p>
<example><title>Example</title>
+<highlight language="config">
SSLCARevocationPath /usr/local/apache2/conf/ssl.crl/
+</highlight>
</example>
</usage>
</directivesynopsis>
used alternatively and/or additionally to <directive
module="mod_ssl">SSLCARevocationPath</directive>.</p>
<example><title>Example</title>
+<highlight language="config">
SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-client.crl
+</highlight>
</example>
</usage>
</directivesynopsis>
</p>
</note>
<example><title>Example</title>
+<highlight language="config">
SSLCARevocationCheck chain
+</highlight>
</example>
</usage>
</directivesynopsis>
<strong>optional_no_ca</strong> is actually against the idea of
authentication (but can be used to establish SSL test pages, etc.)</p>
<example><title>Example</title>
+<highlight language="config">
SSLVerifyClient require
+</highlight>
</example>
</usage>
</directivesynopsis>
known to the server (i.e. the CA's certificate is under
<directive module="mod_ssl">SSLCACertificatePath</directive>), etc.</p>
<example><title>Example</title>
+<highlight language="config">
SSLVerifyDepth 10
+</highlight>
</example>
</usage>
</directivesynopsis>
</li>
</ul>
<example><title>Example</title>
-SSLOptions +FakeBasicAuth -StrictRequire<br />
-<Files ~ "\.(cgi|shtml)$"><br />
- SSLOptions +StdEnvVars -ExportCertData<br />
+<highlight language="config">
+SSLOptions +FakeBasicAuth -StrictRequire
+<Files ~ "\.(cgi|shtml)$">
+ SSLOptions +StdEnvVars -ExportCertData
<Files>
+</highlight>
</example>
</usage>
</directivesynopsis>
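Review bot: The unchanged context line `<Files>` at the end of this block is an opening tag where the example clearly needs the closing `</Files>` to match the `<Files ~ "\.(cgi|shtml)$">` two lines above; since this hunk already rewrites the surrounding lines into a config highlight, it is the right place to fix the closing tag so the example is a valid configuration fragment.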
stuff that should be protected. When this directive is present all requests
are denied which are not using SSL.</p>
<example><title>Example</title>
+<highlight language="config">
SSLRequireSSL
+</highlight>
</example>
</usage>
</directivesynopsis>
request processing.</p>
<example><title>Example</title>
-<pre>SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
+<highlight language="config">
+SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
- or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/</pre>
+ or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+</highlight>
</example>
<p>The <code>PeerExtList(<em>object-ID</em>)</code> function expects
extension must match).</p>
<example><title>Example</title>
+<highlight language="config">
SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6")
+</highlight>
</example>
<note><title>Notes on the PeerExtList function</title>
</p></note>
<example><title>Example</title>
+<highlight language="config">
SSLRenegBufferSize 262144
+</highlight>
</example>
</usage>
</directivesynopsis>
</p></note>
<example><title>Example</title>
+<highlight language="config">
SSLStrictSNIVHostCheck on
+</highlight>
</example>
</usage>
</directivesynopsis>
<p>Currently there is no support for encrypted private keys</p>
</note>
<example><title>Example</title>
+<highlight language="config">
SSLProxyMachineCertificatePath /usr/local/apache2/conf/proxy.crt/
+</highlight>
</example>
</usage>
</directivesynopsis>
<p>Currently there is no support for encrypted private keys</p>
</note>
<example><title>Example</title>
+<highlight language="config">
SSLProxyMachineCertificateFile /usr/local/apache2/conf/ssl.crt/proxy.pem
+</highlight>
</example>
</usage>
</directivesynopsis>
SSLProxyCACertificateFile</directive>.</p>
</note>
<example><title>Example</title>
+<highlight language="config">
SSLProxyMachineCertificateChainFile /usr/local/apache2/conf/ssl.crt/proxyCA.pem
+</highlight>
</example>
</usage>
</directivesynopsis>
<strong>optional_no_ca</strong> is actually against the idea of
authentication (but can be used to establish SSL test pages, etc.)</p>
<example><title>Example</title>
+<highlight language="config">
SSLProxyVerify require
+</highlight>
</example>
</usage>
</directivesynopsis>
which is directly known to the server (i.e. the CA's certificate is under
<directive module="mod_ssl">SSLProxyCACertificatePath</directive>), etc.</p>
<example><title>Example</title>
+<highlight language="config">
SSLProxyVerifyDepth 10
+</highlight>
</example>
</usage>
</directivesynopsis>
sent.
</p>
<example><title>Example</title>
+<highlight language="config">
SSLProxyCheckPeerExpire on
+</highlight>
</example>
</usage>
</directivesynopsis>
a 502 status code (Bad Gateway) is sent.
</p>
<example><title>Example</title>
+<highlight language="config">
SSLProxyCheckPeerCN on
+</highlight>
</example>
</usage>
</directivesynopsis>
usage in a particular virtual host. By default the SSL/TLS Protocol Engine is
disabled for proxy image both for the main server and all configured virtual hosts.</p>
<example><title>Example</title>
-<VirtualHost _default_:443><br />
-SSLProxyEngine on<br />
-...<br />
+<highlight language="config">
+<VirtualHost _default_:443>
+ SSLProxyEngine on
+ #...
</VirtualHost>
+</highlight>
</example>
</usage>
</directivesynopsis>
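Review bot: The indentation here (` SSLProxyEngine on` and ` #...` indented one space inside the `<VirtualHost _default_:443>` container) differs from the otherwise identical SSLEngine example earlier in this patch, where `SSLEngine on` and `#...` are flush left; pick one style for both blocks so the two highlighted examples read consistently.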
<em>hash-value</em><code>.N</code>. And you should always make sure this directory
contains the appropriate symbolic links.</p>
<example><title>Example</title>
+<highlight language="config">
SSLProxyCACertificatePath /usr/local/apache2/conf/ssl.crt/
+</highlight>
</example>
</usage>
</directivesynopsis>
preference. This can be used alternatively and/or additionally to
<directive module="mod_ssl">SSLProxyCACertificatePath</directive>.</p>
<example><title>Example</title>
+<highlight language="config">
SSLProxyCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-remote-server.crt
+</highlight>
</example>
</usage>
</directivesynopsis>
<em>hash-value</em><code>.rN</code>. And you should always make sure this directory
contains the appropriate symbolic links.</p>
<example><title>Example</title>
+<highlight language="config">
SSLProxyCARevocationPath /usr/local/apache2/conf/ssl.crl/
+</highlight>
</example>
</usage>
</directivesynopsis>
used alternatively and/or additionally to <directive
module="mod_ssl">SSLProxyCARevocationPath</directive>.</p>
<example><title>Example</title>
+<highlight language="config">
SSLProxyCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-remote-server.crl
+</highlight>
</example>
</usage>
</directivesynopsis>
</p>
</note>
<example><title>Example</title>
+<highlight language="config">
SSLProxyCARevocationCheck chain
+</highlight>
</example>
</usage>
</directivesynopsis>
href="#ssloptions">SSLOptions</a>).</p>
<example><title>Example</title>
+<highlight language="config">
SSLUserName SSL_CLIENT_S_DN_CN
+</highlight>
</example>
</usage>
</directivesynopsis>
the client's preference is used. If this directive is enabled, the
server's preference will be used instead.</p>
<example><title>Example</title>
+<highlight language="config">
SSLHonorCipherOrder on
+</highlight>
</example>
</usage>
</directivesynopsis>
"<code>openssl engine</code>".</p>
<example><title>Example</title>
-# For a Broadcom accelerator:<br />
+<highlight language="config">
+# For a Broadcom accelerator:
SSLCryptoDevice ubsec
+</highlight>
</example>
</usage>
</directivesynopsis>
directives.</p>
<example><title>Example</title>
-SSLVerifyClient on<br/>
-SSLOCSPEnable on<br/>
-SSLOCSPDefaultResponder http://responder.example.com:8888/responder<br/>
+<highlight language="config">
+SSLVerifyClient on
+SSLOCSPEnable on
+SSLOCSPDefaultResponder http://responder.example.com:8888/responder
SSLOCSPOverrideResponder on
+</highlight>
</example>
</usage>
</directivesynopsis>
</note>
<example><title>Example</title>
+<highlight language="config">
SSLInsecureRenegotiation on
+</highlight>
</example>
<p>The <code>SSL_SECURE_RENEG</code> environment variable can be used