From: Thom May Date: Mon, 29 Sep 2003 12:08:06 +0000 (+0000) Subject: Ensure that ssl-std.conf is generated at configure time, and switch X-Git-Tag: 2.0.48~41 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e6f47982a1162ab0b34249215c505a8e0318350b;p=thirdparty%2Fapache%2Fhttpd.git Ensure that ssl-std.conf is generated at configure time, and switch to using the expanded config variables to work the same as httpd-std.conf PR: 19611 PR: 19611 Reviewed by: jerenkrantz, striker, jim, nd, trawick git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@101341 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index 80eab2e17f0..a88ae1467c9 100644 --- a/STATUS +++ b/STATUS @@ -1,5 +1,5 @@ APACHE 2.0 STATUS: -*-text-*- -Last modified at [$Date: 2003/09/27 18:47:05 $] +Last modified at [$Date: 2003/09/29 12:08:06 $] Release: @@ -147,36 +147,6 @@ PATCHES TO PORT FROM 2.1 +1: wrowe +1 (concept): jim (final vote when the patch is available) - * Ensure that ssl-std.conf is generated at configure time, and switch - to using the expanded config variables to work the same as - httpd-std.conf PR: 19611 - (this requires deleting ssl-std.conf and replacing it with an autogen'd - one) - configure.in: r1.250 - docs/conf/ssl-std.conf.in: r1.1,1.2 - +1: thommay, jerenkrantz, striker, jim, nd, trawick - nd: The runtime files (e.g. cache) should be in runtimedir, since the - logfilefir should not be writable for the httpd user. - - thommay: In principle I agree; however I was going for the principle - of least surprise - the new version uses exactly the same - settings as the old one. If we want to change the locations - I'm quite happy to do that but don't think that should - affect backporting this fix. - - nd: Actually I see no problem with surprises. If someone uses this - tailored example config, it's probably his first SSL config. If - it's not his first one, he probably doesn't care about - IMHO :) - An appropriate change-log entry should warn the rest of the - people, shouldn't it? - - trawick: existing configs shouldn't be overwritten, new configs - should default to our best available recommendation - - thommay: can't argue with this, commited. - - nd: thx.:) - * mod_ssl: Drop SSL_EXPERIMENTAL_ENGINE test in favor of testing for the ENGINE_init() function in config.m4, and use HAVE_ENGINE_INIT instead. wrowe notes that this feature is a noop until configured with SSLEngine. diff --git a/configure.in b/configure.in index 6619d98b7fa..1fb63472112 100644 --- a/configure.in +++ b/configure.in @@ -566,7 +566,7 @@ AC_SUBST(ap_make_delimiter) dnl Ensure that docs/conf is created. test -d docs/conf||$mkdir_p docs/conf -AC_OUTPUT($APACHE_OUTPUT_FILES docs/conf/httpd-std.conf include/ap_config_layout.h support/apxs support/apachectl support/dbmmanage support/envvars-std support/log_server_status support/logresolve.pl support/phf_abuse_log.cgi support/split-logfile build/rules.mk,[true],[ +AC_OUTPUT($APACHE_OUTPUT_FILES docs/conf/httpd-std.conf docs/conf/ssl-std.conf include/ap_config_layout.h support/apxs support/apachectl support/dbmmanage support/envvars-std support/log_server_status support/logresolve.pl support/phf_abuse_log.cgi support/split-logfile build/rules.mk,[true],[ APACHE_GEN_MAKEFILES ]) diff --git a/docs/conf/ssl-std.conf b/docs/conf/ssl-std.conf deleted file mode 100644 index d01f5c11bd1..00000000000 --- a/docs/conf/ssl-std.conf +++ /dev/null @@ -1,249 +0,0 @@ -# -# This is the Apache server configuration file providing SSL support. -# It contains the configuration directives to instruct the server how to -# serve pages over an https connection. For detailing information about these -# directives see -# -# For the moment, see for this info. -# The documents are still being prepared from material donated by the -# modssl project. -# -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. -# - - -# Until documentation is completed, please check http://www.modssl.org/ -# for additional config examples and module docmentation. Directives -# and features of mod_ssl are largely unchanged from the mod_ssl project -# for Apache 1.3. - -# -# When we also provide SSL we have to listen to the -# standard HTTP port (see above) and to the HTTPS port -# -# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two -# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" -# -Listen 443 - -## -## SSL Global Context -## -## All SSL configuration in this context applies both to -## the main server and all SSL-enabled virtual hosts. -## - -# -# Some MIME-types for downloading Certificates and CRLs -# -AddType application/x-x509-ca-cert .crt -AddType application/x-pkcs7-crl .crl - -# Pass Phrase Dialog: -# Configure the pass phrase gathering process. -# The filtering dialog program (`builtin' is a internal -# terminal dialog) has to provide the pass phrase on stdout. -SSLPassPhraseDialog builtin - -# Inter-Process Session Cache: -# Configure the SSL Session Cache: First the mechanism -# to use and second the expiring timeout (in seconds). -#SSLSessionCache none -#SSLSessionCache shmht:logs/ssl_scache(512000) -#SSLSessionCache shmcb:logs/ssl_scache(512000) -SSLSessionCache dbm:logs/ssl_scache -SSLSessionCacheTimeout 300 - -# Semaphore: -# Configure the path to the mutual exclusion semaphore the -# SSL engine uses internally for inter-process synchronization. -SSLMutex file:logs/ssl_mutex - -# Pseudo Random Number Generator (PRNG): -# Configure one or more sources to seed the PRNG of the -# SSL library. The seed data should be of good random quality. -# WARNING! On some platforms /dev/random blocks if not enough entropy -# is available. This means you then cannot use the /dev/random device -# because it would lead to very long connection times (as long as -# it requires to make more entropy available). But usually those -# platforms additionally provide a /dev/urandom device which doesn't -# block. So, if available, use this one instead. Read the mod_ssl User -# Manual for more details. -SSLRandomSeed startup builtin -SSLRandomSeed connect builtin -#SSLRandomSeed startup file:/dev/random 512 -#SSLRandomSeed startup file:/dev/urandom 512 -#SSLRandomSeed connect file:/dev/random 512 -#SSLRandomSeed connect file:/dev/urandom 512 - -## -## SSL Virtual Host Context -## - - - -# General setup for the virtual host -DocumentRoot "@@ServerRoot@@/htdocs" -ServerName www.example.com:443 -ServerAdmin you@example.com -ErrorLog logs/error_log -TransferLog logs/access_log - -# SSL Engine Switch: -# Enable/Disable SSL for this virtual host. -SSLEngine on - -# SSL Cipher Suite: -# List the ciphers that the client is permitted to negotiate. -# See the mod_ssl documentation for a complete list. -SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL - -# Server Certificate: -# Point SSLCertificateFile at a PEM encoded certificate. If -# the certificate is encrypted, then you will be prompted for a -# pass phrase. Note that a kill -HUP will prompt again. Keep -# in mind that if you have both an RSA and a DSA certificate you -# can configure both in parallel (to also allow the use of DSA -# ciphers, etc.) -SSLCertificateFile @@ServerRoot@@/conf/ssl.crt/server.crt -#SSLCertificateFile @@ServerRoot@@/conf/ssl.crt/server-dsa.crt - -# Server Private Key: -# If the key is not combined with the certificate, use this -# directive to point at the key file. Keep in mind that if -# you've both a RSA and a DSA private key you can configure -# both in parallel (to also allow the use of DSA ciphers, etc.) -SSLCertificateKeyFile @@ServerRoot@@/conf/ssl.key/server.key -#SSLCertificateKeyFile @@ServerRoot@@/conf/ssl.key/server-dsa.key - -# Server Certificate Chain: -# Point SSLCertificateChainFile at a file containing the -# concatenation of PEM encoded CA certificates which form the -# certificate chain for the server certificate. Alternatively -# the referenced file can be the same as SSLCertificateFile -# when the CA certificates are directly appended to the server -# certificate for convinience. -#SSLCertificateChainFile @@ServerRoot@@/conf/ssl.crt/ca.crt - -# Certificate Authority (CA): -# Set the CA certificate verification path where to find CA -# certificates for client authentication or alternatively one -# huge file containing all of them (file must be PEM encoded) -# Note: Inside SSLCACertificatePath you need hash symlinks -# to point to the certificate files. Use the provided -# Makefile to update the hash symlinks after changes. -#SSLCACertificatePath @@ServerRoot@@/conf/ssl.crt -#SSLCACertificateFile @@ServerRoot@@/conf/ssl.crt/ca-bundle.crt - -# Certificate Revocation Lists (CRL): -# Set the CA revocation path where to find CA CRLs for client -# authentication or alternatively one huge file containing all -# of them (file must be PEM encoded) -# Note: Inside SSLCARevocationPath you need hash symlinks -# to point to the certificate files. Use the provided -# Makefile to update the hash symlinks after changes. -#SSLCARevocationPath @@ServerRoot@@/conf/ssl.crl -#SSLCARevocationFile @@ServerRoot@@/conf/ssl.crl/ca-bundle.crl - -# Client Authentication (Type): -# Client certificate verification type and depth. Types are -# none, optional, require and optional_no_ca. Depth is a -# number which specifies how deeply to verify the certificate -# issuer chain before deciding the certificate is not valid. -#SSLVerifyClient require -#SSLVerifyDepth 10 - -# Access Control: -# With SSLRequire you can do per-directory access control based -# on arbitrary complex boolean expressions containing server -# variable checks and other lookup directives. The syntax is a -# mixture between C and Perl. See the mod_ssl documentation -# for more details. -# -#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ -# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ -# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ -# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ -# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ -# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ -# - -# SSL Engine Options: -# Set various options for the SSL engine. -# o FakeBasicAuth: -# Translate the client X.509 into a Basic Authorisation. This means that -# the standard Auth/DBMAuth methods can be used for access control. The -# user name is the `one line' version of the client's X.509 certificate. -# Note that no password is obtained from the user. Every entry in the user -# file needs this password: `xxj31ZMTZzkVA'. -# o ExportCertData: -# This exports two additional environment variables: SSL_CLIENT_CERT and -# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the -# server (always existing) and the client (only existing when client -# authentication is used). This can be used to import the certificates -# into CGI scripts. -# o StdEnvVars: -# This exports the standard SSL/TLS related `SSL_*' environment variables. -# Per default this exportation is switched off for performance reasons, -# because the extraction step is an expensive operation and is usually -# useless for serving static content. So one usually enables the -# exportation for CGI and SSI requests only. -# o CompatEnvVars: -# This exports obsolete environment variables for backward compatibility -# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this -# to provide compatibility to existing CGI scripts. -# o StrictRequire: -# This denies access when "SSLRequireSSL" or "SSLRequire" applied even -# under a "Satisfy any" situation, i.e. when it applies access is denied -# and no other module can change it. -# o OptRenegotiate: -# This enables optimized SSL connection renegotiation handling when SSL -# directives are used in per-directory context. -#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire - - SSLOptions +StdEnvVars - - - SSLOptions +StdEnvVars - - -# SSL Protocol Adjustments: -# The safe and default but still SSL/TLS standard compliant shutdown -# approach is that mod_ssl sends the close notify alert but doesn't wait for -# the close notify alert from client. When you need a different shutdown -# approach you can use one of the following variables: -# o ssl-unclean-shutdown: -# This forces an unclean shutdown when the connection is closed, i.e. no -# SSL close notify alert is send or allowed to received. This violates -# the SSL/TLS standard but is needed for some brain-dead browsers. Use -# this when you receive I/O errors because of the standard approach where -# mod_ssl sends the close notify alert. -# o ssl-accurate-shutdown: -# This forces an accurate shutdown when the connection is closed, i.e. a -# SSL close notify alert is send and mod_ssl waits for the close notify -# alert of the client. This is 100% SSL/TLS standard compliant, but in -# practice often causes hanging connections with brain-dead browsers. Use -# this only for browsers where you know that their SSL implementation -# works correctly. -# Notice: Most problems of broken clients are also related to the HTTP -# keep-alive facility, so you usually additionally want to disable -# keep-alive for those clients, too. Use variable "nokeepalive" for this. -# Similarly, one has to force some clients to use HTTP/1.0 to workaround -# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and -# "force-response-1.0" for this. -SetEnvIf User-Agent ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - -# Per-Server Logging: -# The home of a custom SSL log file. Use this when you want a -# compact non-error SSL logfile on a virtual host basis. -CustomLog logs/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - - - - - diff --git a/docs/conf/ssl-std.conf.in b/docs/conf/ssl-std.conf.in index a3056ca1f5a..411088c5519 100644 --- a/docs/conf/ssl-std.conf.in +++ b/docs/conf/ssl-std.conf.in @@ -2,7 +2,7 @@ # This is the Apache server configuration file providing SSL support. # It contains the configuration directives to instruct the server how to # serve pages over an https connection. For detailing information about these -# directives see +# directives see # # For the moment, see for this info. # The documents are still being prepared from material donated by the