sslrequiressl mod/mod_ssl.html#sslrequiressl
sslsessioncache mod/mod_ssl.html#sslsessioncache
sslsessioncachetimeout mod/mod_ssl.html#sslsessioncachetimeout
+sslsessionticketkeyfile mod/mod_ssl.html#sslsessionticketkeyfile
+sslsessiontickets mod/mod_ssl.html#sslsessiontickets
sslstrictsnivhostcheck mod/mod_ssl.html#sslstrictsnivhostcheck
sslusername mod/mod_ssl.html#sslusername
sslverifyclient mod/mod_ssl.html#sslverifyclient
<li><a href="mod_ssl.html#sslrequiressl">SSLRequireSSL</a></li>
<li><a href="mod_ssl.html#sslsessioncache">SSLSessionCache</a></li>
<li><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout</a></li>
+<li><a href="mod_ssl.html#sslsessionticketkeyfile">SSLSessionTicketKeyFile</a></li>
+<li><a href="mod_ssl.html#sslsessiontickets">SSLSessionTickets</a></li>
<li><a href="mod_ssl.html#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck</a></li>
<li><a href="mod_ssl.html#sslusername">SSLUserName</a></li>
<li><a href="mod_ssl.html#sslverifyclient">SSLVerifyClient</a></li>
<li><a href="mod_ssl.html#sslrequiressl">SSLRequireSSL</a></li>
<li><a href="mod_ssl.html#sslsessioncache">SSLSessionCache</a></li>
<li><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout</a></li>
+<li><a href="mod_ssl.html#sslsessionticketkeyfile">SSLSessionTicketKeyFile</a></li>
+<li><a href="mod_ssl.html#sslsessiontickets">SSLSessionTickets</a></li>
<li><a href="mod_ssl.html#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck</a></li>
<li><a href="mod_ssl.html#sslusername">SSLUserName</a></li>
<li><a href="mod_ssl.html#sslverifyclient">SSLVerifyClient</a></li>
<li><a href="mod_ssl.html#sslrequiressl">SSLRequireSSL</a></li>
<li><a href="mod_ssl.html#sslsessioncache">SSLSessionCache</a></li>
<li><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout</a></li>
+<li><a href="mod_ssl.html#sslsessionticketkeyfile">SSLSessionTicketKeyFile</a></li>
+<li><a href="mod_ssl.html#sslsessiontickets">SSLSessionTickets</a></li>
<li><a href="mod_ssl.html#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck</a></li>
<li><a href="mod_ssl.html#sslusername">SSLUserName</a></li>
<li><a href="mod_ssl.html#sslverifyclient">SSLVerifyClient</a></li>
<li><a href="mod_ssl.html#sslrequiressl">SSLRequireSSL</a></li>
<li><a href="mod_ssl.html#sslsessioncache">SSLSessionCache</a></li>
<li><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout</a></li>
+<li><a href="mod_ssl.html#sslsessionticketkeyfile">SSLSessionTicketKeyFile</a></li>
+<li><a href="mod_ssl.html#sslsessiontickets">SSLSessionTickets</a></li>
<li><a href="mod_ssl.html#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck</a></li>
<li><a href="mod_ssl.html#sslusername">SSLUserName</a></li>
<li><a href="mod_ssl.html#sslverifyclient">SSLVerifyClient</a></li>
<li><a href="mod_ssl.html#sslrequiressl">SSLRequireSSL</a></li>
<li><a href="mod_ssl.html#sslsessioncache">SSLSessionCache</a></li>
<li><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout</a></li>
+<li><a href="mod_ssl.html#sslsessionticketkeyfile">SSLSessionTicketKeyFile</a></li>
+<li><a href="mod_ssl.html#sslsessiontickets">SSLSessionTickets</a></li>
<li><a href="mod_ssl.html#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck</a></li>
<li><a href="mod_ssl.html#sslusername">SSLUserName</a></li>
<li><a href="mod_ssl.html#sslverifyclient">SSLVerifyClient</a></li>
<li><a href="mod_ssl.html#sslrequiressl">SSLRequireSSL</a></li>
<li><a href="mod_ssl.html#sslsessioncache">SSLSessionCache</a></li>
<li><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout</a></li>
+<li><a href="mod_ssl.html#sslsessionticketkeyfile">SSLSessionTicketKeyFile</a></li>
+<li><a href="mod_ssl.html#sslsessiontickets">SSLSessionTickets</a></li>
<li><a href="mod_ssl.html#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck</a></li>
<li><a href="mod_ssl.html#sslusername">SSLUserName</a></li>
<li><a href="mod_ssl.html#sslverifyclient">SSLVerifyClient</a></li>
<li><a href="mod_ssl.html#sslrequiressl">SSLRequireSSL</a></li>
<li><a href="mod_ssl.html#sslsessioncache">SSLSessionCache</a></li>
<li><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout</a></li>
+<li><a href="mod_ssl.html#sslsessionticketkeyfile">SSLSessionTicketKeyFile</a></li>
+<li><a href="mod_ssl.html#sslsessiontickets">SSLSessionTickets</a></li>
<li><a href="mod_ssl.html#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck</a></li>
<li><a href="mod_ssl.html#sslusername">SSLUserName</a></li>
<li><a href="mod_ssl.html#sslverifyclient">SSLVerifyClient</a></li>
<li><a href="mod_ssl.html#sslrequiressl">SSLRequireSSL</a></li>
<li><a href="mod_ssl.html#sslsessioncache">SSLSessionCache</a></li>
<li><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout</a></li>
+<li><a href="mod_ssl.html#sslsessionticketkeyfile">SSLSessionTicketKeyFile</a></li>
+<li><a href="mod_ssl.html#sslsessiontickets">SSLSessionTickets</a></li>
<li><a href="mod_ssl.html#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck</a></li>
<li><a href="mod_ssl.html#sslusername">SSLUserName</a></li>
<li><a href="mod_ssl.html#sslverifyclient">SSLVerifyClient</a></li>
format)</td></tr>
<tr><td><code>%{<var>format</var>}t</code></td>
<td>The time, in the form given by format, which should be in
- <code>strftime(3)</code> format. (potentially localized)</td></tr>
+ an extended <code>strftime(3)</code> format (potentially localized).
+ If the format starts with <code>begin:</code> (default) the time is taken
+ at the beginning of the request processing. If it starts with
+ <code>end:</code> it is the time when the log entry gets written,
+ close to the end of the request processing. In addition to the formats
+ supported by <code>strftime(3)</code>, the following format tokens are
+ supported:
+ <table>
+ <tr><td><code>sec</code></td><td>number of seconds since the Epoch</td></tr>
+ <tr><td><code>msec</code></td><td>number of milliseconds since the Epoch</td></tr>
+ <tr><td><code>usec</code></td><td>number of microseconds since the Epoch</td></tr>
+ <tr><td><code>msec_frac</code></td><td>millisecond fraction</td></tr>
+ <tr><td><code>usec_frac</code></td><td>microsecond fraction</td></tr>
+ </table>
+ These tokens can not be combined with each other or <code>strftime(3)</code>
+ formatting in the same format string. You can use multiple
+ <code>%{<var>format</var>}t</code> tokens instead. The extended
+ <code>strftime(3)</code> tokens are available in 2.2.30 and later.
+ </td></tr>
<tr class="odd"><td><code>%T</code></td>
<td>The time taken to serve the request, in seconds.</td></tr>
-<tr><td><code>%u</code></td>
+<tr><td><code>%{<var>UNIT</var>}T</code></td>
+ <td>The time taken to serve the request, in a time unit given by
+ <code>UNIT</code>. Valid units are <code>ms</code> for milliseconds,
+ <code>us</code> for microseconds, and <code>s</code> for seconds.
+ Using <code>s</code> gives the same result as <code>%T</code>
+ without any format; using <code>us</code> gives the same result
+ as <code>%D</code>. Combining <code>%T</code> with a unit is
+ available in 2.2.30 and later.</td></tr>
+<tr class="odd"><td><code>%u</code></td>
<td>Remote user (from auth; may be bogus if return status
(<code>%s</code>) is 401)</td></tr>
-<tr class="odd"><td><code>%U</code></td>
+<tr><td><code>%U</code></td>
<td>The URL path requested, not including any query string.</td></tr>
-<tr><td><code>%v</code></td>
+<tr class="odd"><td><code>%v</code></td>
<td>The canonical <code class="directive"><a href="../mod/core.html#servername">ServerName</a></code>
of the server serving the request.</td></tr>
-<tr class="odd"><td><code>%V</code></td>
+<tr><td><code>%V</code></td>
<td>The server name according to the <code class="directive"><a href="../mod/core.html#usecanonicalname">UseCanonicalName</a></code> setting.</td></tr>
-<tr><td><code>%X</code></td>
+<tr class="odd"><td><code>%X</code></td>
<td>Connection status when response is completed:
<table>
<p>(This directive was <code>%c</code> in late versions of Apache
1.3, but this conflicted with the historical ssl
<code>%{<var>var</var>}c</code> syntax.)</p></td></tr>
-<tr class="odd"><td><code>%I</code></td>
+<tr><td><code>%I</code></td>
<td>Bytes received, including request and headers, cannot be zero.
You need to enable <code class="module"><a href="../mod/mod_logio.html">mod_logio</a></code> to use this.</td></tr>
-<tr><td><code>%O</code></td>
+<tr class="odd"><td><code>%O</code></td>
<td>Bytes sent, including headers, cannot be zero. You need to
enable <code class="module"><a href="../mod/mod_logio.html">mod_logio</a></code> to use this.</td></tr>
-<tr class="odd"><td><code>%{<var>VARNAME</var>}^ti</code></td>
+<tr><td><code>%{<var>VARNAME</var>}^ti</code></td>
<td>The contents of <code><var>VARNAME</var>:</code> trailer line(s)
in the request sent to the server. </td></tr>
-<tr><td><code>%{<var>VARNAME</var>}^to</code></td>
+<tr class="odd"><td><code>%{<var>VARNAME</var>}^to</code></td>
<td>The contents of <code><var>VARNAME</var>:</code> trailer line(s)
in the response sent from the server. </td></tr>
</table>
<dt>Agent (Browser) log format</dt>
<dd><code>"%{User-agent}i"</code></dd>
</dl>
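Review bot: "can not" in "These tokens can not be combined with each other or strftime(3) formatting" should be "cannot", and the sentence should say what actually happens when a reader does combine them (rejected at configuration time, or a silently malformed timestamp), since that is the question this restriction will raise. In the new `%{UNIT}T` row the placeholder is marked up as `<var>UNIT</var>` in the syntax cell but as plain `<code>UNIT</code>` in the description; use `<var>` in both for consistency with the `%{<var>format</var>}t` row above.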
+
+ <p>You can use the <code>%{format}t</code> directive multiple
+ times to build up a time format using the extended format tokens
+ like <code>msec_frac</code>:</p>
+ <dl>
+<dt>Timestamp including milliseconds</dt>
+<dd><code>"%{%d/%b/%Y %T}t.%{msec_frac}t %{%z}t"</code></dd>
+
+ </dl>
+
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
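Review bot: `%{format}t` is a LogFormat token, not a directive, so "You can use the %{format}t directive multiple times" should read "token". The example `"%{%d/%b/%Y %T}t.%{msec_frac}t %{%z}t"` also uses `%T` inside the braces in its strftime(3) sense (time of day), while the table above documents a top-level `%T` as the time taken to serve the request; one sentence stating that strftime(3) tokens inside the braces are independent of the LogFormat tokens outside them would prevent that misreading.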
<a href="../ko/mod/mod_log_config.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> |
<a href="../tr/mod/mod_log_config.html" title="Türkçe"> tr </a></p>
</div>
+<div class="outofdate">Bu çeviri güncel olmayabilir. Son değişiklikler için İngilizce sürüm geçerlidir.</div>
<table class="module"><tr><th><a href="module-dict.html#Description">Açıklama:</a></th><td>Sunucuya yapılan isteklerin günlük kayıtlarının tutulması
</td></tr>
<tr><th><a href="module-dict.html#Status">Durum:</a></th><td>Temel</td></tr>
<li><img alt="" src="../images/down.gif" /> <a href="#sslrequiressl">SSLRequireSSL</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslsessioncache">SSLSessionCache</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslsessioncachetimeout">SSLSessionCacheTimeout</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#sslsessionticketkeyfile">SSLSessionTicketKeyFile</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#sslsessiontickets">SSLSessionTickets</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslusername">SSLUserName</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslverifyclient">SSLVerifyClient</a></li>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>ECC support is available in Apache 2.2.26 and later</td></tr>
</table>
<p>
-This directive points to the PEM-encoded Certificate file for the server and
-optionally also to the corresponding RSA or DSA Private Key file for it
-(contained in the same file). If the contained Private Key is encrypted the
-Pass Phrase dialog is forced at startup time. This directive can be used up to
-three times (referencing different filenames) when both a RSA, a DSA, and an
-ECC based server certificate is used in parallel.</p>
+This directive points to a file with certificate data in PEM format.
+At a minimum, the file must include an end-entity (leaf) certificate.
+The directive can be used up to three times (referencing different filenames)
+when an RSA, a DSA, and an ECC based server certificate is used in parallel.
+</p>
+
+<p>
+Custom DH parameters and an EC curve name for ephemeral keys,
+can be added to end of the first file configured using
+<code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>.
+This is supported in version 2.2.30 or later.
+Such parameters can be generated using the commands
+<code>openssl dhparam</code> and <code>openssl ecparam</code>.
+The parameters can be added as-is to the end of the first
+certificate file. Only the first file can be used for custom
+parameters, as they are applied independently of the authentication
+algorithm type.
+</p>
+
+<p>
+Finally the the end-entity certificate's private key can also be
+added to the certificate file instead of using a separate
+<code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code>
+directive. This practice is highly discouraged. If the private
+key is encrypted, the pass phrase dialog is forced at startup time.
+</p>
+
+<div class="note">
+<h3>DH parameter interoperability with primes > 1024 bit</h3>
+<p>
+Beginning with version 2.2.30, mod_ssl makes use of
+standardized DH parameters with prime lengths of 2048, 3072, 4096, 6144 and
+8192 bits (from <a href="http://www.ietf.org/rfc/rfc3526.txt">RFC 3526</a>),
+and hands them out to clients based on the length of the certificate's RSA/DSA
+key.
+With Java-based clients in particular (Java 7 or earlier), this may lead
+to handshake failures - see this
+<a href="../ssl/ssl_faq.html#javadh">FAQ answer</a> for working around
+such issues.
+</p>
+</div>
+
<div class="example"><h3>Example</h3><p><code>
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
</code></p></div>
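Review bot: "Finally the the end-entity certificate's private key" has a doubled "the", and the comma in "an EC curve name for ephemeral keys, can be added" is stray. In the note heading, "primes > 1024 bit" should escape the angle bracket as `&gt;` in the XML source. On substance, "Only the first file can be used for custom parameters" does not say what happens if parameters are appended to the second or third file (ignored, or a startup error); a half sentence settling that would save support traffic, since administrators with an RSA and an ECC certificate will reasonably try both files.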
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>ECC support is available in Apache 2.2.26 and later</td></tr>
</table>
<p>
-This directive points to the PEM-encoded Private Key file for the
-server. If the Private Key is not combined with the Certificate in the
-<code class="directive">SSLCertificateFile</code>, use this additional directive to
-point to the file with the stand-alone Private Key. When
-<code class="directive">SSLCertificateFile</code> is used and the file
-contains both the Certificate and the Private Key this directive need
-not be used. But we strongly discourage this practice. Instead we
-recommend you to separate the Certificate and the Private Key. If the
-contained Private Key is encrypted, the Pass Phrase dialog is forced
-at startup time. This directive can be used up to three times
-(referencing different filenames) when both a RSA, a DSA, and an ECC based
-private key is used in parallel.</p>
+This directive points to the PEM-encoded private key file for the
+server. If the contained private key is encrypted, the pass phrase
+dialog is forced at startup time.</p>
+
+<p>
+The directive can be used up to three times (referencing different filenames)
+when an RSA, a DSA, and an ECC based private key is used in parallel. For each
+<code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code>
+directive, there must be a matching <code class="directive">SSLCertificateFile</code>
+directive.</p>
+
+<p>
+The private key may also be combined with the certificate in the file given by
+<code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>, but this practice
+is highly discouraged.</p>
+
<div class="example"><h3>Example</h3><p><code>
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
</code></p></div>
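Review bot: the rewrite drops the reason the old paragraph gave for keeping key and certificate apart, so "highly discouraged" now stands without justification both here and in the SSLCertificateFile text. One clause of rationale would make the advice actionable: the key needs far stricter file permissions than the certificate, which is effectively public and is often copied around for chain building. Minor: "an RSA, a DSA, and an ECC based private key is used in parallel" reads more naturally as "RSA, DSA and ECC based private keys are used in parallel".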
<li><code>-</code>: remove cipher from list (can be added later again)</li>
<li><code>!</code>: kill cipher from list completely (can <strong>not</strong> be added later again)</li>
</ul>
+
+<div class="note">
+<h3><code>aNULL</code>, <code>eNULL</code> and <code>EXP</code>
+ciphers are always disabled</h3>
+<p>Beginning with version 2.2.30, null and export-grade
+ciphers are always disabled, as mod_ssl unconditionally prepends any supplied
+cipher suite string with <code>!aNULL:!eNULL:!EXP:</code> at initialization.</p>
+</div>
+
<p>A simpler way to look at all of this is to use the ``<code>openssl ciphers
-v</code>'' command which provides a nice way to successively create the
correct <em>cipher-spec</em> string. The default <em>cipher-spec</em> string
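Review bot: the new note is consistent with the `!` semantics in the list above, and that is worth saying explicitly: because the prefix is `!aNULL:!eNULL:!EXP:` rather than `-aNULL:...`, a later `aNULL`, `eNULL` or `EXP` in the administrator's own string cannot re-enable those suites. The text leaves open whether the same prefix is applied to the proxy-side SSLProxyCipherSuite; it should say so either way. Style: "prepends any supplied cipher suite string with `!aNULL:!eNULL:!EXP:`" reads more naturally as "prepends `!aNULL:!eNULL:!EXP:` to any supplied cipher suite string".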
SSLSessionCacheTimeout 600
</code></p></div>
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="SSLSessionTicketKeyFile" id="SSLSessionTicketKeyFile">SSLSessionTicketKeyFile</a> <a name="sslsessionticketkeyfile" id="sslsessionticketkeyfile">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Persistent encryption/decryption key for TLS session tickets</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLSessionTicketKeyFile <em>file-path</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.2.30 and later, if using OpenSSL 0.9.8h or later</td></tr>
+</table>
+<p>Optionally configures a secret key for encrypting and decrypting
+TLS session tickets, as defined in
+<a href="http://www.ietf.org/rfc/rfc5077.txt">RFC 5077</a>.
+Primarily suitable for clustered environments where TLS sessions information
+should be shared between multiple nodes. For single-instance httpd setups,
+it is recommended to <em>not</em> configure a ticket key file, but to
+rely on (random) keys generated by mod_ssl at startup, instead.</p>
+<p>The ticket key file must contain 48 bytes of random data,
+preferrably created from a high-entropy source. On a Unix-based system,
+a ticket key file can be created as follows:</p>
+
+<div class="example"><p><code>
+dd if=/dev/random of=/path/to/file.tkey bs=1 count=48
+</code></p></div>
+
+<p>Ticket keys should be rotated (replaced) on a frequent basis,
+as this is the only way to invalidate an existing session ticket -
+OpenSSL currently doesn't allow to specify a limit for ticket lifetimes.
+A new ticket key only gets used after restarting the web server.
+All existing session tickets become invalid after a restart.</p>
+
+<div class="warning">
+<p>The ticket key file contains sensitive keying material and should
+be protected with file permissions similar to those used for
+<code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code>.</p>
+</div>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="SSLSessionTickets" id="SSLSessionTickets">SSLSessionTickets</a> <a name="sslsessiontickets" id="sslsessiontickets">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable or disable use of TLS session tickets</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLSessionTickets on|off</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLSessionTickets on</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.2.30 and later, if using OpenSSL 0.9.8f
+or later.</td></tr>
+</table>
+<p>This directive allows to enable or disable the use of TLS session tickets
+(RFC 5077).</p>
+<div class="warning">
+<p>TLS session tickets are enabled by default. Using them without restarting
+the web server with an appropriate frequency (e.g. daily) compromises perfect
+forward secrecy.</p>
+</div>
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLStrictSNIVHostCheck" id="SSLStrictSNIVHostCheck">SSLStrictSNIVHostCheck</a> <a name="sslstrictsnivhostcheck" id="sslstrictsnivhostcheck">Directive</a></h2>
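Review bot: the `dd if=/dev/random of=/path/to/file.tkey bs=1 count=48` example creates the file under the caller's default umask, so the keying material can sit world-readable until the administrator applies the permissions the warning below asks for; the example should make the restrictive mode part of the same step, for instance `(umask 077; dd if=/dev/random of=/path/to/file.tkey bs=1 count=48)`, and the warning should move above the example or be referenced from it. The rotation paragraph should also connect to the SSLSessionTickets warning: with a key file configured, the forward-secrecy exposure window is the lifetime of the key in that file, so "rotated on a frequent basis" needs the same "e.g. daily" guidance given for restarts. Typos and grammar: "preferrably" should be "preferably"; "TLS sessions information" should be "TLS session information"; "doesn't allow to specify a limit for ticket lifetimes" should be "does not allow a limit on ticket lifetimes to be specified"; "This directive allows to enable or disable" should be "This directive enables or disables".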
<p>Given those assumptions, at a single point in time we can
identify any httpd process on any machine in the cluster from
all other httpd processes. The machine's IP address and the pid
- of the httpd process are sufficient to do this. So in order to
+ of the httpd process are sufficient to do this. A httpd process
+ can handle multiple requests simultaneously if you use a
+ multi-threaded MPM. In order to identify threads, we use a thread
+ index Apache httpd uses internally. So in order to
generate unique identifiers for requests we need only
distinguish between different points in time.</p>
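Review bot: "A httpd process" should be "An httpd process", matching "any httpd process" two lines above. The inserted sentences also break the argument: "The machine's IP address and the pid of the httpd process are sufficient to do this" is no longer true once threads are in play, and the thread-index sentence now sits between that claim and the "So in order to ..." conclusion. Consider folding it in: "The machine's IP address, the pid of the httpd process and, with a multi-threaded MPM, the thread index Apache httpd uses internally are sufficient to do this."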
even still, if you're running NTP then your UTC time will be
correct very shortly after reboot.</p>
+
<p>The <code>UNIQUE_ID</code> environment variable is
- constructed by encoding the 112-bit (32-bit IP address, 32 bit
- pid, 32 bit time stamp, 16 bit counter) quadruple using the
+ constructed by encoding the 144-bit (32-bit IP address, 32 bit
+ pid, 32 bit time stamp, 16 bit counter, 32 bit thread index)
+ quadruple using the
alphabet <code>[A-Za-z0-9@-]</code> in a manner similar to MIME
- base64 encoding, producing 19 characters. The MIME base64
+ base64 encoding, producing 24 characters. The MIME base64
alphabet is actually <code>[A-Za-z0-9+/]</code> however
<code>+</code> and <code>/</code> need to be specially encoded
in URLs, which makes them less desirable. All values are
issuing the new encodings.</p>
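Review bot: the tuple now has five components (IP address, pid, time stamp, counter, thread index), so "quadruple" should be "quintuple" or simply "5-tuple". The arithmetic is consistent: 32 + 32 + 32 + 16 + 32 = 144 bits, and 144 / 6 = 24 characters of the 64-symbol alphabet. Since the identifier grows from 19 to 24 characters, a compatibility sentence for consumers that validated or stored UNIQUE_ID with a fixed 19-character width (database columns, log parsers) would be useful here.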
<p>This we believe is a relatively portable solution to this
- problem. It can be extended to multithreaded systems like
- Windows NT, and can grow with future needs. The identifiers
+ problem. The identifiers
generated have essentially an infinite life-time because future
identifiers can be made longer as required. Essentially no
communication is required between machines in the cluster (only
Cache</td></tr>
<tr><td><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout <em>seconds</em></a></td><td> 300 </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Number of seconds before an SSL session expires
in the Session Cache</td></tr>
+<tr class="odd"><td><a href="mod_ssl.html#sslsessionticketkeyfile">SSLSessionTicketKeyFile <em>file-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Persistent encryption/decryption key for TLS session tickets</td></tr>
+<tr><td><a href="mod_ssl.html#sslsessiontickets">SSLSessionTickets on|off</a></td><td> on </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable or disable use of TLS session tickets</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Whether to allow non SNI clients to access a name based virtual
host.
</td></tr>
Cache</td></tr>
<tr><td><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout <em>seconds</em></a></td><td> 300 </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Number of seconds before an SSL session expires
in the Session Cache</td></tr>
+<tr class="odd"><td><a href="mod_ssl.html#sslsessionticketkeyfile">SSLSessionTicketKeyFile <em>file-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Persistent encryption/decryption key for TLS session tickets</td></tr>
+<tr><td><a href="mod_ssl.html#sslsessiontickets">SSLSessionTickets on|off</a></td><td> on </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable or disable use of TLS session tickets</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Whether to allow non SNI clients to access a name based virtual
host.
</td></tr>
Cache</td></tr>
<tr><td><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout <em>seconds</em></a></td><td> 300 </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Number of seconds before an SSL session expires
in the Session Cache</td></tr>
+<tr class="odd"><td><a href="mod_ssl.html#sslsessionticketkeyfile">SSLSessionTicketKeyFile <em>file-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Persistent encryption/decryption key for TLS session tickets</td></tr>
+<tr><td><a href="mod_ssl.html#sslsessiontickets">SSLSessionTickets on|off</a></td><td> on </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable or disable use of TLS session tickets</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Whether to allow non SNI clients to access a name based virtual
host.
</td></tr>
Cache</td></tr>
<tr><td><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout <em>seconds</em></a></td><td> 300 </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Number of seconds before an SSL session expires
in the Session Cache</td></tr>
+<tr class="odd"><td><a href="mod_ssl.html#sslsessionticketkeyfile">SSLSessionTicketKeyFile <em>file-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Persistent encryption/decryption key for TLS session tickets</td></tr>
+<tr><td><a href="mod_ssl.html#sslsessiontickets">SSLSessionTickets on|off</a></td><td> on </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable or disable use of TLS session tickets</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Whether to allow non SNI clients to access a name based virtual
host.
</td></tr>
Cache</td></tr>
<tr><td><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout <em>seconds</em></a></td><td> 300 </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Number of seconds before an SSL session expires
in the Session Cache</td></tr>
+<tr class="odd"><td><a href="mod_ssl.html#sslsessionticketkeyfile">SSLSessionTicketKeyFile <em>file-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Persistent encryption/decryption key for TLS session tickets</td></tr>
+<tr><td><a href="mod_ssl.html#sslsessiontickets">SSLSessionTickets on|off</a></td><td> on </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable or disable use of TLS session tickets</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Whether to allow non SNI clients to access a name based virtual
host.
</td></tr>
Cache</td></tr>
<tr><td><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout <em>seconds</em></a></td><td> 300 </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Number of seconds before an SSL session expires
in the Session Cache</td></tr>
+<tr class="odd"><td><a href="mod_ssl.html#sslsessionticketkeyfile">SSLSessionTicketKeyFile <em>file-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Persistent encryption/decryption key for TLS session tickets</td></tr>
+<tr><td><a href="mod_ssl.html#sslsessiontickets">SSLSessionTickets on|off</a></td><td> on </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable or disable use of TLS session tickets</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Whether to allow non SNI clients to access a name based virtual
host.
</td></tr>
Cache</td></tr>
<tr><td><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout <em>seconds</em></a></td><td> 300 </td><td>sk</td><td>E</td></tr><tr><td class="descr" colspan="4">Number of seconds before an SSL session expires
in the Session Cache</td></tr>
+<tr class="odd"><td><a href="mod_ssl.html#sslsessionticketkeyfile">SSLSessionTicketKeyFile <em>file-path</em></a></td><td></td><td>sk</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Persistent encryption/decryption key for TLS session tickets</td></tr>
+<tr><td><a href="mod_ssl.html#sslsessiontickets">SSLSessionTickets on|off</a></td><td> on </td><td>sk</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable or disable use of TLS session tickets</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck on|off</a></td><td> off </td><td>sk</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Whether to allow non SNI clients to access a name based virtual
host.
</td></tr>
Cache</td></tr>
<tr><td><a href="mod_ssl.html#sslsessioncachetimeout">SSLSessionCacheTimeout <em>seconds</em></a></td><td> 300 </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Number of seconds before an SSL session expires
in the Session Cache</td></tr>
+<tr class="odd"><td><a href="mod_ssl.html#sslsessionticketkeyfile">SSLSessionTicketKeyFile <em>file-path</em></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Persistent encryption/decryption key for TLS session tickets</td></tr>
+<tr><td><a href="mod_ssl.html#sslsessiontickets">SSLSessionTickets on|off</a></td><td> on </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Enable or disable use of TLS session tickets</td></tr>
<tr class="odd"><td><a href="mod_ssl.html#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck on|off</a></td><td> off </td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Whether to allow non SNI clients to access a name based virtual
host.
</td></tr>
<li><a href="#nn">Why do I get I/O errors, or the message "Netscape has
encountered bad data from the server", when connecting via
HTTPS to an Apache+mod_ssl server with Netscape Navigator?</a></li>
+<li><a href="#javadh">Why do I get handshake failures with Java-based clients when using a certificate with more than 1024 bits?</a></li>
</ul>
<h3><a name="random" id="random">Why do I get lots of random SSL protocol
implementation is correct, so when you encounter I/O errors with Netscape
Navigator it is usually caused by the configured certificates.</p>
+
+<h3><a name="javadh" id="javadh">Why do I get handshake failures with Java-based clients when using a certificate with more than 1024 bits?</a></h3>
+ <p>Beginning with version 2.2.30,
+ <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> will use DH parameters which include primes
+ with lengths of more than 1024 bits. Java 7 and earlier limit their
+ support for DH prime sizes to a maximum of 1024 bits, however.</p>
+
+ <p>If your Java-based client aborts with exceptions such as
+ <code>java.lang.RuntimeException: Could not generate DH keypair</code> and
+ <code>java.security.InvalidAlgorithmParameterException: Prime size must be
+ multiple of 64, and can only range from 512 to 1024 (inclusive)</code>,
+ and httpd logs <code>tlsv1 alert internal error (SSL alert number 80)</code>
+ (at <code class="directive"><a href="../mod/core.html#loglevel">LogLevel</a></code> <code>info</code>
+ or higher), you can either rearrange mod_ssl's cipher list with
+ <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code>
+ (possibly in conjunction with <code class="directive"><a href="../mod/mod_ssl.html#sslhonorcipherorder">SSLHonorCipherOrder</a></code>),
+ or you can use custom DH parameters with a 1024-bit prime, which
+ will always have precedence over any of the built-in DH parameters.</p>
+
+ <p>To generate custom DH parameters, use the <code>openssl dhparam 1024</code>
+ command. Alternatively, you can use the following standard 1024-bit DH
+ parameters from <a href="http://www.ietf.org/rfc/rfc2409.txt">RFC 2409</a>,
+ section 6.2:</p>
+ <div class="example"><pre>-----BEGIN DH PARAMETERS-----
+MIGHAoGBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJR
+Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL
+/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC
+-----END DH PARAMETERS-----</pre></div>
+ <p>Add the custom parameters including the "BEGIN DH PARAMETERS" and
+ "END DH PARAMETERS" lines to the end of the first certificate file
+ you have configured using the
+ <code class="directive"><a href="../mod/mod_ssl.html#sslcertificatefile">SSLCertificateFile</a></code> directive.</p>
+
+
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="support" id="support">mod_ssl Support</a></h2>
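Review bot: the two workarounds are presented as equivalent, but they are not. Per the SSLCertificateFile text, custom DH parameters "always have precedence over any of the built-in DH parameters", so appending the 1024-bit RFC 2409 group downgrades the DHE key exchange for every client, not only for Java 7 and earlier, and undoes the move to 2048-bit and larger primes described in the first paragraph. The FAQ should state that cost and recommend the SSLCipherSuite/SSLHonorCipherOrder route first (for example preferring ECDHE suites, which do not use a finite-field DH prime and so are not affected by the Java limit), with the 1024-bit parameters as a last resort for clients that cannot negotiate anything else. Also "Java 7 and earlier limit their support for DH prime sizes to a maximum of 1024 bits, however" would read better with "however" moved to the start of the sentence.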