From: Daniel Gruno Date: Fri, 27 Apr 2012 06:14:04 +0000 (+0000) Subject: Syntax updates for mod_ssl.xml (yes, everything is a freaky carnival tent now) X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5244591037b52365a8bfd0f5123d53e606300c03;p=thirdparty%2Fapache%2Fhttpd.git Syntax updates for mod_ssl.xml (yes, everything is a freaky carnival tent now) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1331234 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index 1513b3cacc9..9a40a4d7c0c 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -169,8 +169,9 @@ For backward compatibility there is additionally a special provided. Information about this function is provided in the Compatibility chapter.

Example -CustomLog logs/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + +CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + @@ -214,9 +215,9 @@ string in mod_log_config.

encrypted with SSL. This is similar to the SSLRequireSSL directive.

- + Require ssl - + @@ -229,10 +230,10 @@ string in mod_log_config.

The following example grants access if the user is authenticated either with a client certificate or by username and password.

- + Require ssl-verify-client
Require valid-user -
+ @@ -311,7 +312,9 @@ query can be done in two ways which can be configured by program is called only once per unique Pass Phrase.

Example + SSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter + @@ -391,13 +394,15 @@ The following source variants are available:

on your platform.

Example -SSLRandomSeed startup builtin
-SSLRandomSeed startup file:/dev/random
-SSLRandomSeed startup file:/dev/urandom 1024
-SSLRandomSeed startup exec:/usr/local/bin/truerand 16
-SSLRandomSeed connect builtin
-SSLRandomSeed connect file:/dev/random
-SSLRandomSeed connect file:/dev/urandom 1024
+ +SSLRandomSeed startup builtin +SSLRandomSeed startup file:/dev/random +SSLRandomSeed startup file:/dev/urandom 1024 +SSLRandomSeed startup exec:/usr/local/bin/truerand 16 +SSLRandomSeed connect builtin +SSLRandomSeed connect file:/dev/random +SSLRandomSeed connect file:/dev/urandom 1024 +
@@ -468,8 +473,10 @@ The following five storage types are currently supported:

Examples -SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data
+ +SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data(512000) +

The ssl-cache mutex is used to serialize access to @@ -494,7 +501,9 @@ global/inter-process SSL Session Cache and the OpenSSL internal memory cache. It can be set as low as 15 for testing, but should be set to higher values like 300 in real life.

Example + SSLSessionCacheTimeout 600 + @@ -515,10 +524,12 @@ type="section">VirtualHost section to enable SSL/TLS for a that virtual host. By default the SSL/TLS Protocol Engine is disabled for both the main server and all configured virtual hosts.

Example -<VirtualHost _default_:443>
-SSLEngine on
-...
+ +<VirtualHost _default_:443> +SSLEngine on +#... </VirtualHost> +

In Apache 2.1 and later, SSLEngine can be set to optional. This enables support for @@ -599,7 +610,9 @@ The available (case-insensitive) protocols are:

``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively.

Example + SSLProtocol TLSv1 + @@ -729,7 +742,9 @@ KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1

The complete list of particular RSA & DH ciphers for SSL is given in Table 2.

Example + SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW + @@ -787,7 +802,9 @@ Pass Phrase dialog is forced at startup time. This directive can be used up to two times (referencing different filenames) when both a RSA and a DSA based server certificate is used in parallel.

Example + SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt + @@ -814,7 +831,9 @@ at startup time. This directive can be used up to two times (referencing different filenames) when both a RSA and a DSA based private key is used in parallel.

Example + SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key + @@ -853,7 +872,9 @@ using a coupled RSA+DSA certificate pair, this will work only if actually both certificates use the same certificate chain. Else the browsers will be confused in this situation.

Example + SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt + @@ -878,7 +899,9 @@ there: you also have to create symbolic links named hash-value.N. And you should always make sure this directory contains the appropriate symbolic links.

Example + SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/ + @@ -900,7 +923,9 @@ concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to SSLCACertificatePath.

Example + SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt + @@ -945,7 +970,9 @@ specify an all-in-one file containing a concatenation of PEM-encoded CA certificates.

Example + SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt + @@ -972,7 +999,9 @@ Certificate files there: you also have to create symbolic links named hash-value.N. And you should always make sure this directory contains the appropriate symbolic links.

Example + SSLCADNRequestPath /usr/local/apache2/conf/ca-names.crt/ + @@ -997,7 +1026,9 @@ Additionally you have to create symbolic links named hash-value.rN. And you should always make sure this directory contains the appropriate symbolic links.

Example + SSLCARevocationPath /usr/local/apache2/conf/ssl.crl/ + @@ -1020,7 +1051,9 @@ the various PEM-encoded CRL files, in order of preference. This can be used alternatively and/or additionally to SSLCARevocationPath.

Example + SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-client.crl + @@ -1057,7 +1090,9 @@ to succeed - otherwise it will fail with an

Example + SSLCARevocationCheck chain + @@ -1101,7 +1136,9 @@ The following levels are available for level:

optional_no_ca is actually against the idea of authentication (but can be used to establish SSL test pages, etc.)

Example + SSLVerifyClient require + @@ -1136,7 +1173,9 @@ certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under SSLCACertificatePath), etc.

Example + SSLVerifyDepth 10 + @@ -1242,10 +1281,12 @@ The available options are:

Example -SSLOptions +FakeBasicAuth -StrictRequire
-<Files ~ "\.(cgi|shtml)$">
- SSLOptions +StdEnvVars -ExportCertData
+ +SSLOptions +FakeBasicAuth -StrictRequire +<Files ~ "\.(cgi|shtml)$"> + SSLOptions +StdEnvVars -ExportCertData <Files> +
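Review bot: the closing tag of the `<Files ~ "\.(cgi|shtml)$">` block in this example is still the context line `<Files>` rather than `</Files>`, so the snippet as rendered opens two Files containers and closes none; since the whole block is being re-fenced in this hunk, fix that line to `</Files>` at the same time so the example can be copied into a config as-is.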
@@ -1267,7 +1308,9 @@ host or directories for defending against configuration errors that expose stuff that should be protected. When this directive is present all requests are denied which are not using SSL.

Example + SSLRequireSSL + @@ -1358,12 +1401,14 @@ both parsed and executed each time the .htaccess file is encountered during request processing.

Example -
SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/                \
+
+SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/                \
             and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd."        \
             and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}  \
             and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5          \
             and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
-           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+ or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ +

The PeerExtList(object-ID) function expects @@ -1375,7 +1420,9 @@ exactly against the value of an extension identified with this OID. extension must match).

Example + SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6") + Notes on the PeerExtList function @@ -1432,7 +1479,9 @@ memory must be considered when changing this configuration setting.

Example + SSLRenegBufferSize 262144 + @@ -1464,7 +1513,9 @@ version of OpenSSL.

Example + SSLStrictSNIVHostCheck on + @@ -1489,7 +1540,9 @@ directory contains the appropriate symbolic links.

Currently there is no support for encrypted private keys

Example + SSLProxyMachineCertificatePath /usr/local/apache2/conf/proxy.crt/ + @@ -1516,7 +1569,9 @@ or additionally to SSLProxyMachineCertificatePath.

Currently there is no support for encrypted private keys

Example + SSLProxyMachineCertificateFile /usr/local/apache2/conf/ssl.crt/proxy.pem + @@ -1546,7 +1601,9 @@ trusted as if they were also in SSLProxyCACertificateFile.

Example + SSLProxyMachineCertificateChainFile /usr/local/apache2/conf/ssl.crt/proxyCA.pem + @@ -1583,7 +1640,9 @@ The following levels are available for level:

optional_no_ca is actually against the idea of authentication (but can be used to establish SSL test pages, etc.)

Example + SSLProxyVerify require + @@ -1610,7 +1669,9 @@ the remote server certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under SSLProxyCACertificatePath), etc.

Example + SSLProxyVerifyDepth 10 + @@ -1631,7 +1692,9 @@ is expired or not. If the check fails a 502 status code (Bad Gateway) is sent.

Example + SSLProxyCheckPeerExpire on + @@ -1652,7 +1715,9 @@ compared against the hostname of the request URL. If both are not equal a 502 status code (Bad Gateway) is sent.

Example + SSLProxyCheckPeerCN on + @@ -1673,10 +1738,12 @@ type="section">VirtualHost section to enable SSL/TLS for proxy usage in a particular virtual host. By default the SSL/TLS Protocol Engine is disabled for proxy image both for the main server and all configured virtual hosts.

Example -<VirtualHost _default_:443>
-SSLProxyEngine on
-...
+ +<VirtualHost _default_:443> + SSLProxyEngine on + #... </VirtualHost> +
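Review bot: indentation is inconsistent between this example and the otherwise identical SSLEngine example earlier in the patch: here `SSLProxyEngine on` and `#...` are indented inside the VirtualHost container, while in the SSLEngine hunk `SSLEngine on` and `#...` sit flush left. Pick one style (the indented form reads better) and apply it to both blocks.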
@@ -1740,7 +1807,9 @@ there: you also have to create symbolic links named hash-value.N. And you should always make sure this directory contains the appropriate symbolic links.

Example + SSLProxyCACertificatePath /usr/local/apache2/conf/ssl.crt/ + @@ -1762,7 +1831,9 @@ concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to SSLProxyCACertificatePath.

Example + SSLProxyCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-remote-server.crt + @@ -1787,7 +1858,9 @@ Additionally you have to create symbolic links named hash-value.rN. And you should always make sure this directory contains the appropriate symbolic links.

Example + SSLProxyCARevocationPath /usr/local/apache2/conf/ssl.crl/ + @@ -1810,7 +1883,9 @@ the various PEM-encoded CRL files, in order of preference. This can be used alternatively and/or additionally to SSLProxyCARevocationPath.

Example + SSLProxyCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-remote-server.crl + @@ -1848,7 +1923,9 @@ to succeed - otherwise it will fail with an

Example + SSLProxyCARevocationCheck chain + @@ -1876,7 +1953,9 @@ any of the SSL environment variables.

href="#ssloptions">SSLOptions).

Example + SSLUserName SSL_CLIENT_S_DN_CN + @@ -1894,7 +1973,9 @@ SSLUserName SSL_CLIENT_S_DN_CN the client's preference is used. If this directive is enabled, the server's preference will be used instead.

Example + SSLHonorCipherOrder on + @@ -1918,8 +1999,10 @@ separate "-engine" releases of OpenSSL 0.9.6 must be used.

"openssl engine".

Example -# For a Broadcom accelerator:
+ +# For a Broadcom accelerator: SSLCryptoDevice ubsec +
@@ -1945,10 +2028,12 @@ itself, or derived by configuration; see the directives.

Example -SSLVerifyClient on
-SSLOCSPEnable on
-SSLOCSPDefaultResponder http://responder.example.com:8888/responder
+ +SSLVerifyClient on +SSLOCSPEnable on +SSLOCSPDefaultResponder http://responder.example.com:8888/responder SSLOCSPOverrideResponder on +
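Review bot: `SSLVerifyClient on` is carried over into the re-fenced OCSP example, but `on` is not one of the documented levels for that directive, and the directive's own example in this same patch uses `SSLVerifyClient require`. While the block is being touched, change the first line to `SSLVerifyClient require` so the two examples agree and readers are not led to a value the level list does not mention.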
@@ -2063,7 +2148,9 @@ in CVE-200 Example + SSLInsecureRenegotiation on +

The SSL_SECURE_RENEG environment variable can be used
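Review bot: the only example given for SSLInsecureRenegotiation shows the directive switched `on`, i.e. the setting the surrounding CVE discussion warns about, with nothing in the block itself to say so. Add a comment line inside the re-fenced example (e.g. `# Re-enables the renegotiation behaviour discussed above; see the CVE text`) so the snippet is not copied out of the page without its caveat.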