From: Daniel Gruno Date: Fri, 27 Apr 2012 08:15:15 +0000 (+0000) Subject: Rebuild mod_ssl doc X-Git-Tag: 2.5.0-alpha~6977 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=103d4dc25680e9a80aa8ea1fce85c888a67f5e46;p=thirdparty%2Fapache%2Fhttpd.git Rebuild mod_ssl doc git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1331289 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en index dff97566bd8..01145802766 100644 --- a/docs/manual/mod/mod_ssl.html.en +++ b/docs/manual/mod/mod_ssl.html.en @@ -240,8 +240,10 @@ For backward compatibility there is additionally a special ``%{name}c'' cryptography format function provided. Information about this function is provided in the Compatibility chapter.

Example

-CustomLog logs/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" +

 
+CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+

top
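Review bot: the `\` line continuation is dropped from the `CustomLog` example and the directive is now one long line. That is valid httpd syntax and keeps the `<pre>` block clean, but the two-line form with `%t %h ...` on its own line was easier to read; if the prettyprint block renders a trailing backslash correctly, consider keeping the continuation.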
@@ -285,9 +287,10 @@ string in mod_log_conf encrypted with SSL. This is similar to the SSLRequireSSL directive.

-

+

       Require ssl
-    

+ + @@ -300,10 +303,11 @@ string in
mod_log_conf

The following example grants access if the user is authenticated either with a client certificate or by username and password.

-

+

       Require ssl-verify-client
Require valid-user -

+ + @@ -326,7 +330,10 @@ concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to
SSLCACertificatePath.

Example

+

 SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt
+
+

@@ -351,7 +358,10 @@ there: you also have to create symbolic links named hash-value.N. And you should always make sure this directory contains the appropriate symbolic links.

Example

+

 SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/
+
+

@@ -390,7 +400,10 @@ specify an all-in-one file containing a concatenation of PEM-encoded CA certificates.

Example

+

 SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt
+
+

@@ -416,7 +429,10 @@ Certificate files there: you also have to create symbolic links named hash-value.N. And you should always make sure this directory contains the appropriate symbolic links.

Example

+

 SSLCADNRequestPath /usr/local/apache2/conf/ca-names.crt/
+
+

@@ -453,7 +469,10 @@ to succeed - otherwise it will fail with an

Example

+

 SSLCARevocationCheck chain
+
+

@@ -475,7 +494,10 @@ for Client Authentication. Such a file is simply the concatenation of the various PEM-encoded CRL files, in order of preference. This can be used alternatively and/or additionally to SSLCARevocationPath.

Example

+

 SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-client.crl
+
+

@@ -500,7 +522,10 @@ Additionally you have to create symbolic links named hash-value.rN. And you should always make sure this directory contains the appropriate symbolic links.

Example

+

 SSLCARevocationPath /usr/local/apache2/conf/ssl.crl/
+
+

@@ -537,7 +562,10 @@ using a coupled RSA+DSA certificate pair, this will work only if actually both certificates use the same certificate chain. Else the browsers will be confused in this situation.

Example

+

 SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt
+
+

@@ -558,7 +586,10 @@ Pass Phrase dialog is forced at startup time. This directive can be used up to two times (referencing different filenames) when both a RSA and a DSA based server certificate is used in parallel.

Example

+

 SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
+
+

@@ -585,7 +616,10 @@ at startup time. This directive can be used up to two times (referencing different filenames) when both a RSA and a DSA based private key is used in parallel.

Example

+

 SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
+
+

@@ -710,7 +744,10 @@ KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1

The complete list of particular RSA & DH ciphers for SSL is given in Table 2.

Example

+

 SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
+
+

@@ -770,8 +807,11 @@ separate "-engine" releases of OpenSSL 0.9.6 must be used.

"openssl engine".

Example

-# For a Broadcom accelerator:
+

+# For a Broadcom accelerator:
 SSLCryptoDevice ubsec
+
+

@@ -791,10 +831,13 @@ is should be used inside a

Example

-<VirtualHost _default_:443>
-SSLEngine on
-...
+

+<VirtualHost _default_:443>
+SSLEngine on
+#...
 </VirtualHost>
+
+

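Review bot: indentation is inconsistent between this `SSLEngine` example and the `SSLProxyEngine` example later in the same patch. Here `SSLEngine on` and `#...` sit flush left inside `<VirtualHost _default_:443>`, while the proxy example indents them by four spaces; pick one style for both blocks. Changing `...` to `#...` is the right call, since the block now renders as config and a bare `...` is not a valid directive.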
In Apache 2.1 and later, SSLEngine can be set to optional. This enables support for @@ -844,7 +887,10 @@ by the applicable Security Policy. the client's preference is used. If this directive is enabled, the server's preference will be used instead.

Example

+

 SSLHonorCipherOrder on
+
+

@@ -881,7 +927,10 @@ in
CVE-200

Example

+

 SSLInsecureRenegotiation on
+
+

The SSL_SECURE_RENEG environment variable can be used @@ -927,10 +976,13 @@ itself, or derived by configuration; see the directives.

Example

-SSLVerifyClient on
-SSLOCSPEnable on
-SSLOCSPDefaultResponder http://responder.example.com:8888/responder
+

+SSLVerifyClient on
+SSLOCSPEnable on
+SSLOCSPDefaultResponder http://responder.example.com:8888/responder
 SSLOCSPOverrideResponder on
+
+

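Review bot: the re-added `SSLVerifyClient on` line uses a value that is not among the documented levels; the `SSLVerifyClient` hunk further down lists `none`, `optional`, `require` and `optional_no_ca` and its own example uses `require`. Use `SSLVerifyClient require` here so the OCSP example matches the directive's documented values.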
@@ -1096,10 +1148,13 @@ The available options are:

Example

-SSLOptions +FakeBasicAuth -StrictRequire
-<Files ~ "\.(cgi|shtml)$">
- SSLOptions +StdEnvVars -ExportCertData
+

+SSLOptions +FakeBasicAuth -StrictRequire
+<Files ~ "\.(cgi|shtml)$">
+    SSLOptions +StdEnvVars -ExportCertData
 <Files>
+
+

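Review bot: the closing tag in the unchanged context line `<Files>` is missing its slash and should be `</Files>`; as rendered, the example opens a `<Files ~ "\.(cgi|shtml)$">` container and never closes it. The defect is pre-existing, but since this block is being regenerated it is worth fixing in the source XML in the same change.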
@@ -1177,7 +1232,10 @@ query can be done in two ways which can be configured by program is called only once per unique Pass Phrase.

Example

+

 SSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter
+
+

@@ -1227,7 +1285,10 @@ The available (case-insensitive) protocols are:

``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively.

Example

+

 SSLProtocol TLSv1
+
+

@@ -1249,7 +1310,10 @@ concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to
SSLProxyCACertificatePath.

Example

+

 SSLProxyCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-remote-server.crt
+
+

@@ -1274,7 +1338,10 @@ there: you also have to create symbolic links named hash-value.N. And you should always make sure this directory contains the appropriate symbolic links.

Example

+

 SSLProxyCACertificatePath /usr/local/apache2/conf/ssl.crt/
+
+

@@ -1312,7 +1379,10 @@ to succeed - otherwise it will fail with an

Example

+

 SSLProxyCARevocationCheck chain
+
+

@@ -1334,7 +1404,10 @@ for Remote Server Authentication. Such a file is simply the concatenation of the various PEM-encoded CRL files, in order of preference. This can be used alternatively and/or additionally to SSLProxyCARevocationPath.

Example

+

 SSLProxyCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-remote-server.crl
+
+

@@ -1359,7 +1432,10 @@ Additionally you have to create symbolic links named hash-value.rN. And you should always make sure this directory contains the appropriate symbolic links.

Example

+

 SSLProxyCARevocationPath /usr/local/apache2/conf/ssl.crl/
+
+

@@ -1380,7 +1456,10 @@ compared against the hostname of the request URL. If both are not equal a 502 status code (Bad Gateway) is sent.

Example

+

 SSLProxyCheckPeerCN on
+
+

@@ -1401,7 +1480,10 @@ is expired or not. If the check fails a 502 status code (Bad Gateway) is sent.

Example

+

 SSLProxyCheckPeerExpire on
+
+

@@ -1438,10 +1520,13 @@ is usually used inside a

Example

-<VirtualHost _default_:443>
-SSLProxyEngine on
-...
+

+<VirtualHost _default_:443>
+    SSLProxyEngine on
+    #...
 </VirtualHost>
+
+

@@ -1472,7 +1557,10 @@ trusted as if they were also in

Example

+

 SSLProxyMachineCertificateChainFile /usr/local/apache2/conf/ssl.crt/proxyCA.pem
+
+

@@ -1499,7 +1587,10 @@ or additionally to SSLProxyMachineCertificatePath.

Currently there is no support for encrypted private keys

Example

+

 SSLProxyMachineCertificateFile /usr/local/apache2/conf/ssl.crt/proxy.pem
+
+

@@ -1525,7 +1616,10 @@ directory contains the appropriate symbolic links.

Currently there is no support for encrypted private keys

Example

+

 SSLProxyMachineCertificatePath /usr/local/apache2/conf/proxy.crt/
+
+

@@ -1583,7 +1677,10 @@ The following levels are available for level:

optional_no_ca is actually against the idea of authentication (but can be used to establish SSL test pages, etc.)

Example

+

 SSLProxyVerify require
+
+

@@ -1610,7 +1707,10 @@ the remote server certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under
SSLProxyCACertificatePath), etc.

Example

+

 SSLProxyVerifyDepth 10
+
+

@@ -1690,13 +1790,16 @@ The following source variants are available:

on your platform.

Example

-SSLRandomSeed startup builtin
-SSLRandomSeed startup file:/dev/random
-SSLRandomSeed startup file:/dev/urandom 1024
-SSLRandomSeed startup exec:/usr/local/bin/truerand 16
-SSLRandomSeed connect builtin
-SSLRandomSeed connect file:/dev/random
-SSLRandomSeed connect file:/dev/urandom 1024
+

+SSLRandomSeed startup builtin
+SSLRandomSeed startup file:/dev/random
+SSLRandomSeed startup file:/dev/urandom 1024
+SSLRandomSeed startup exec:/usr/local/bin/truerand 16
+SSLRandomSeed connect builtin
+SSLRandomSeed connect file:/dev/random
+SSLRandomSeed connect file:/dev/urandom 1024
+
+

@@ -1726,7 +1829,10 @@ memory must be considered when changing this configuration setting.

Example

+

 SSLRenegBufferSize 262144
+
+

@@ -1815,12 +1921,17 @@ during request processing. In .htaccess context, the expression is both parsed and executed each time the .htaccess file is encountered during request processing.

-

Example

SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/                \
+

Example

+

+SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/                \
             and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd."        \
             and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}  \
             and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5          \
             and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
-           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+ or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +
+ +

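Review bot: the new-file side of this hunk appears to show the opening `SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \` line twice: once as unchanged context under the first `Example` heading, and again as the added `+SSLRequire (...` line under the second `Example` heading. Please check the generated HTML for a duplicated heading and first line. Separately, the re-added `or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/` continuation loses the leading spaces that aligned it with the `and` clauses above it; restore the indentation so the expression reads as one parenthesised group followed by the `or` branch.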
The PeerExtList(object-ID) function expects to find zero or more instances of the X.509 certificate extension @@ -1831,7 +1942,10 @@ exactly against the value of an extension identified with this OID. extension must match).

Example

+

 SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6")
+
+

Notes on the PeerExtList function

@@ -1882,7 +1996,10 @@ host or directories for defending against configuration errors that expose stuff that should be protected. When this directive is present all requests are denied which are not using SSL.

Example

+

 SSLRequireSSL
+
+

@@ -1953,8 +2070,11 @@ The following five storage types are currently supported:

Examples

-SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data
+

+SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data
 SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)
+
+

The ssl-cache mutex is used to serialize access to @@ -1979,7 +2099,10 @@ global/inter-process SSL Session Cache and the OpenSSL internal memory cache. It can be set as low as 15 for testing, but should be set to higher values like 300 in real life.

Example

+

 SSLSessionCacheTimeout 600
+
+

@@ -2202,7 +2325,10 @@ version of OpenSSL.

Example

+

 SSLStrictSNIVHostCheck on
+
+

@@ -2228,7 +2354,10 @@ any of the SSL environment variables.

FakeBasicAuth option is used (see SSLOptions).

Example

+

 SSLUserName SSL_CLIENT_S_DN_CN
+
+

@@ -2299,7 +2428,10 @@ The following levels are available for level:

optional_no_ca is actually against the idea of authentication (but can be used to establish SSL test pages, etc.)

Example

+

 SSLVerifyClient require
+
+

@@ -2332,7 +2464,10 @@ certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under SSLCACertificatePath), etc.

Example

+

 SSLVerifyDepth 10
+
+