From: Rainer Jung Date: Mon, 1 Jun 2015 16:01:49 +0000 (+0000) Subject: Try to clarify extended uses of SSLCertificateFile. X-Git-Tag: 2.2.30~46 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=12e357ddac78f925a1cd758b1a8b7469004a8cf5;p=thirdparty%2Fapache%2Fhttpd.git Try to clarify extended uses of SSLCertificateFile. Backport of r1682923 and r1682937 from trunk, resp. r1682929 and r1682939 from 2.4.x. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1682942 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index dfbc0941e09..cb4af664d47 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -776,18 +776,32 @@ SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW

-This directive points to the file with the PEM-encoded certificate, -optionally also the corresponding private key, and - beginning with -version 2.2.30 - DH parameters and/or an EC curve name -for ephemeral keys (as generated by openssl dhparam -and openssl ecparam, respectively). If the private key -is encrypted, the pass phrase dialog is forced at startup time. +This directive points to a file with certificate data in PEM format. +At a minimum, the file must include an end-entity (leaf) certificate. +The directive can be used up to three times (referencing different filenames) +when an RSA, a DSA, and an ECC based server certificate is used in parallel.

+

-This directive can be used up to three times (referencing different filenames) -when both an RSA, a DSA, and an ECC based server certificate is used in -parallel. Note that DH and ECDH parameters are only read from the first -SSLCertificateFile directive.

+Custom DH parameters and an EC curve name for ephemeral keys, +can be added to end of the first file configured using +SSLCertificateFile. +This is supported in version 2.2.30 or later. +Such parameters can be generated using the commands +openssl dhparam and openssl ecparam. +The parameters can be added as-is to the end of the first +certificate file. Only the first file can be used for custom +parameters, as they are applied independently of the authentication +algorithm type. +

+ +

+Finally the the end-entity certificate's private key can also be +added to the certificate file instead of using a separate +SSLCertificateKeyFile +directive. This practice is highly discouraged. If the private +key is encrypted, the pass phrase dialog is forced at startup time. +

DH parameter interoperability with primes > 1024 bit @@ -820,18 +834,22 @@ SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt

-This directive points to the PEM-encoded Private Key file for the -server. If the Private Key is not combined with the Certificate in the -SSLCertificateFile, use this additional directive to -point to the file with the stand-alone Private Key. When -SSLCertificateFile is used and the file -contains both the Certificate and the Private Key this directive need -not be used. But we strongly discourage this practice. Instead we -recommend you to separate the Certificate and the Private Key. If the -contained Private Key is encrypted, the Pass Phrase dialog is forced -at startup time. This directive can be used up to three times -(referencing different filenames) when both a RSA, a DSA, and an ECC based -private key is used in parallel.

+This directive points to the PEM-encoded private key file for the +server. If the contained private key is encrypted, the pass phrase +dialog is forced at startup time.

+ +

+The directive can be used up to three times (referencing different filenames) +when an RSA, a DSA, and an ECC based private key is used in parallel. For each +SSLCertificateKeyFile +directive, there must be a matching SSLCertificateFile +directive.

+ +

+The private key may also be combined with the certificate in the file given by +SSLCertificateFile, but this practice +is highly discouraged.

+ Example SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key diff --git a/docs/manual/ssl/ssl_faq.xml b/docs/manual/ssl/ssl_faq.xml index 3a98b4a5382..dd10dcbd19d 100644 --- a/docs/manual/ssl/ssl_faq.xml +++ b/docs/manual/ssl/ssl_faq.xml @@ -946,20 +946,22 @@ HTTPS to an Apache+mod_ssl server with Netscape Navigator? or higher), you can either rearrange mod_ssl's cipher list with SSLCipherSuite (possibly in conjunction with SSLHonorCipherOrder), - or you can use the SSLCertificateFile - directive to configure custom DH parameters with a 1024-bit prime, which + or you can use custom DH parameters with a 1024-bit prime, which will always have precedence over any of the built-in DH parameters.

-

To generate custom DH parameters, use the openssl dhparam - command. Alternatively, you can append the following standard 1024-bit DH +

To generate custom DH parameters, use the openssl dhparam 1024 + command. Alternatively, you can use the following standard 1024-bit DH parameters from RFC 2409, - section 6.2 to the respective - SSLCertificateFile file:

+ section 6.2:

-----BEGIN DH PARAMETERS-----
 MIGHAoGBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJR
 Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL
 /1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC
 -----END DH PARAMETERS-----
+

Add the custom parameters including the "BEGIN DH PARAMETERS" and + "END DH PARAMETERS" lines to the end of the first certificate file + you have configured using the + SSLCertificateFile directive.
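Review bot: the added SSLCertificateFile text in the @@ -776,18 +776,32 @@ hunk of mod_ssl.xml has several wording defects that should be fixed before merge: "Finally the the end-entity certificate's private key" doubles "the"; "can be added to end of the first file" is missing "the"; the comma in "for ephemeral keys, can be added" should go; and "The parameters can be added as-is to the end of the first certificate file" repeats the sentence two lines above it. Suggest collapsing the paragraph to: "Custom DH parameters and an EC curve name for ephemeral keys can be appended as-is to the end of the first file configured using SSLCertificateFile (version 2.2.30 or later); they can be generated with openssl dhparam and openssl ecparam. Only the first file is read for these parameters, since they are applied independently of the authentication algorithm type." The removed text stated explicitly that DH and ECDH parameters are read only from the first SSLCertificateFile directive; the new "Only the first file can be used" keeps the rule, but spelling out that parameters appended to a second or third file are not read would save operators a debugging round when an RSA and an ECC certificate are configured side by side.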
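Review bot: in the SSLCertificateKeyFile hunk (@@ -820,18 +834,22 @@), the new paragraph says combining the key with the certificate in SSLCertificateFile is "highly discouraged" but drops the one piece of guidance the old text gave ("Instead we recommend you to separate the Certificate and the Private Key") and never states a reason. Suggest one sentence of rationale, for example that the certificate file is otherwise public data, whereas a combined file has to carry the private key's restrictive permissions and handling, so keeping them apart limits where the key lives. The new requirement that every SSLCertificateKeyFile directive have a matching SSLCertificateFile directive is a useful addition; since the text only says the files are used "in parallel" for RSA, DSA and ECC keys, it would help to say how a key file is matched to its certificate file (by key type or by order of appearance) so a mismatch is understood as a configuration error rather than guessed at.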
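Review bot: the ssl_faq.xml hunk (@@ -946,20 +946,22 @@) should make the trade-off explicit: the context line already says custom DH parameters "will always have precedence over any of the built-in DH parameters", so appending a 1024-bit group to the first SSLCertificateFile lowers the DH strength for every DHE handshake on that server, not only for the clients this FAQ entry is addressing. Stating that plainly, and noting that the SSLCipherSuite/SSLHonorCipherOrder alternative mentioned in the same paragraph avoids the server-wide change, would help operators choose between the two options. Also, mod_ssl.xml in the same commit says appending parameters to the certificate file is supported "in version 2.2.30 or later", but the FAQ text does not mention the minimum version; suggest adding it next to the "openssl dhparam 1024" instruction so readers of the FAQ on earlier 2.2 releases know the appended block will not be picked up.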