From: Rich Bowen
Date: Tue, 14 Apr 2026 16:47:13 +0000 (+0000)
Subject: Bring markup into compliance with style guide.
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fc8e3a28b55f004a98a2dcf031f7d2aea00415e5;p=thirdparty%2Fapache%2Fhttpd.git

Bring markup into compliance with style guide.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933048 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index 43f477eb72..f60e9068df 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -77,30 +77,30 @@ compatibility variables.

SSL_CLIENT_M_VERSION string The version of the client certificate SSL_CLIENT_M_SERIAL string The serial of the client certificate SSL_CLIENT_S_DN string Subject DN in client's certificate -SSL_CLIENT_S_DN_x509 string Component of client's Subject DN -SSL_CLIENT_SAN_Email_n string Client certificate's subjectAltName extension entries of type rfc822Name -SSL_CLIENT_SAN_DNS_n string Client certificate's subjectAltName extension entries of type dNSName -SSL_CLIENT_SAN_OTHER_msUPN_n string Client certificate's subjectAltName extension entries of type otherName, Microsoft User Principal Name form (OID 1.3.6.1.4.1.311.20.2.3) +SSL_CLIENT_S_DN_x509 string Component of client's Subject DN +SSL_CLIENT_SAN_Email_n string Client certificate's subjectAltName extension entries of type rfc822Name +SSL_CLIENT_SAN_DNS_n string Client certificate's subjectAltName extension entries of type dNSName +SSL_CLIENT_SAN_OTHER_msUPN_n string Client certificate's subjectAltName extension entries of type otherName, Microsoft User Principal Name form (OID 1.3.6.1.4.1.311.20.2.3) SSL_CLIENT_I_DN string Issuer DN of client's certificate -SSL_CLIENT_I_DN_x509 string Component of client's Issuer DN +SSL_CLIENT_I_DN_x509 string Component of client's Issuer DN SSL_CLIENT_V_START string Validity of client's certificate (start time) SSL_CLIENT_V_END string Validity of client's certificate (end time) SSL_CLIENT_V_REMAIN string Number of days until client's certificate expires SSL_CLIENT_A_SIG string Algorithm used for the signature of client's certificate SSL_CLIENT_A_KEY string Algorithm used for the public key of client's certificate SSL_CLIENT_CERT string PEM-encoded client certificate -SSL_CLIENT_CERT_CHAIN_n string PEM-encoded certificates in client certificate chain +SSL_CLIENT_CERT_CHAIN_n string PEM-encoded certificates in client certificate chain SSL_CLIENT_CERT_RFC4523_CEA string Serial number and issuer of the certificate. 
The format matches that of the CertificateExactAssertion in RFC4523 -SSL_CLIENT_VERIFY string NONE, SUCCESS, GENEROUS or FAILED:reason +SSL_CLIENT_VERIFY string NONE, SUCCESS, GENEROUS or FAILED:reason SSL_SERVER_M_VERSION string The version of the server certificate SSL_SERVER_M_SERIAL string The serial of the server certificate SSL_SERVER_S_DN string Subject DN in server's certificate -SSL_SERVER_SAN_Email_n string Server certificate's subjectAltName extension entries of type rfc822Name -SSL_SERVER_SAN_DNS_n string Server certificate's subjectAltName extension entries of type dNSName -SSL_SERVER_SAN_OTHER_dnsSRV_n string Server certificate's subjectAltName extension entries of type otherName, SRVName form (OID 1.3.6.1.5.5.7.8.7, RFC 4985) -SSL_SERVER_S_DN_x509 string Component of server's Subject DN +SSL_SERVER_SAN_Email_n string Server certificate's subjectAltName extension entries of type rfc822Name +SSL_SERVER_SAN_DNS_n string Server certificate's subjectAltName extension entries of type dNSName +SSL_SERVER_SAN_OTHER_dnsSRV_n string Server certificate's subjectAltName extension entries of type otherName, SRVName form (OID 1.3.6.1.5.5.7.8.7, RFC 4985) +SSL_SERVER_S_DN_x509 string Component of server's Subject DN SSL_SERVER_I_DN string Issuer DN of server's certificate -SSL_SERVER_I_DN_x509 string Component of server's Issuer DN +SSL_SERVER_I_DN_x509 string Component of server's Issuer DN SSL_SERVER_V_START string Validity of server's certificate (start time) SSL_SERVER_V_END string Validity of server's certificate (end time) SSL_SERVER_A_SIG string Algorithm used for the signature of server's certificate @@ -123,9 +123,9 @@ compatibility variables.

SSL_ECH_OUTER_SNI string SNI value that was seen in plaintext SNI (or `NONE`) -

x509 specifies a component of an X.509 DN; one of +

x509 specifies a component of an X.509 DN; one of C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email. In httpd 2.2.0 and -later, x509 may also include a numeric _n +later, x509 may also include a numeric _n suffix. If the DN in question contains multiple attributes of the same name, this suffix is used as a zero-based index to select a particular attribute. For example, where the server certificate @@ -140,13 +140,13 @@ the SSLOptions directive, the first (or only) attribute of any DN is added only under a non-suffixed name; i.e. no _0 suffixed entries are added.

-

In httpd 2.4.32 and later, an optional _RAW suffix may be -added to x509 in a DN component, to suppress conversion of +

In httpd 2.4.32 and later, an optional _RAW suffix may be +added to x509 in a DN component, to suppress conversion of the attribute value to UTF-8. This must be placed after the index suffix (if any). For example, SSL_SERVER_S_DN_OU_RAW or SSL_SERVER_S_DN_OU_0_RAW could be used.

-

The format of the *_DN variables has changed in Apache HTTPD +

The format of the *_DN variables has changed in Apache HTTPD 2.3.11. See the LegacyDNStringFormat option for SSLOptions for details.

@@ -177,13 +177,13 @@ REQUEST_URI REMOTE_USER

In these contexts, two special formats can also be used:

-
ENV:variablename
+
ENV:variablename
This will expand to the standard environment - variable variablename.
+ variable variablename. -
HTTP:headername
+
HTTP:headername
This will expand to the value of the request header with name - headername.
+ headername.
@@ -194,13 +194,13 @@ REQUEST_URI REMOTE_USER loaded (under DSO situation) additional functions exist for the Custom Log Format of mod_log_config. First there is an -additional ``%{varname}x'' +additional ``%{varname}x'' eXtension format function which can be used to expand any variables provided by any module, especially those provided by mod_ssl which can you find in the above table.

For backward compatibility there is additionally a special -``%{name}c'' cryptography format function +``%{name}c'' cryptography format function provided. Information about this function is provided in the Compatibility chapter.

Example @@ -216,7 +216,7 @@ directive.

Request Notes

mod_ssl sets "notes" for the request which can be -used in logging with the %{name}n format +used in logging with the %{name}n format string in mod_log_config.

The notes supported are as follows:

@@ -248,12 +248,12 @@ loaded (under DSO situation) any variables provided by mod_ssl can be used in expressions for the ap_expr Expression Parser. The variables can be referenced using the syntax -``%{varname}''. Starting +``%{varname}''. Starting with version 2.4.18 one can also use the mod_rewrite style syntax -``%{SSL:varname}'' or +``%{SSL:varname}'' or the function style syntax -``ssl(varname)''.

+``ssl(varname)''.

Example (using <module>mod_headers</module>) Header set X-SSL-PROTOCOL "expr=%{SSL_PROTOCOL}" @@ -305,7 +305,7 @@ Require valid-user SSLPassPhraseDialog Type of pass phrase dialog for encrypted private keys -SSLPassPhraseDialog type +SSLPassPhraseDialog type SSLPassPhraseDialog builtin server config @@ -319,7 +319,7 @@ SSL-enabled virtual servers. Because for security reasons the Private Key files are usually encrypted, mod_ssl needs to query the administrator for a Pass Phrase in order to decrypt those files. This query can be done in two ways which can be configured by -type:

+type:

  • builtin

    @@ -385,8 +385,8 @@ SSLPassPhraseDialog "exec:/usr/local/apache/sbin/pp-filter" SSLRandomSeed Pseudo Random Number Generator (PRNG) seeding source -SSLRandomSeed context source -[bytes] +SSLRandomSeed context source +[bytes] server config @@ -399,12 +399,12 @@ later.

    This configures one or more sources for seeding the Pseudo Random Number -Generator (PRNG) in OpenSSL at startup time (context is +Generator (PRNG) in OpenSSL at startup time (context is startup) and/or just before a new SSL connection is established -(context is connect). This directive can only be used +(context is connect). This directive can only be used in the global server context because the PRNG is a global facility.

    -The following source variants are available:

    +The following source variants are available:

    • builtin

      This is the always available builtin seeding source. Its usage @@ -419,10 +419,10 @@ The following source variants are available:

    • file:/path/to/source

      This variant uses an external file /path/to/source as the - source for seeding the PRNG. When bytes is specified, only the - first bytes number of bytes of the file form the entropy (and - bytes is given to /path/to/source as the first - argument). When bytes is not specified the whole file forms the + source for seeding the PRNG. When bytes is specified, only the + first bytes number of bytes of the file form the entropy (and + bytes is given to /path/to/source as the first + argument). When bytes is not specified the whole file forms the entropy (and 0 is given to /path/to/source as the first argument). Use this especially at startup time, for instance with an available /dev/random and/or @@ -443,9 +443,9 @@ The following source variants are available:

      This variant uses an external executable /path/to/program as the source for seeding the - PRNG. When bytes is specified, only the first - bytes number of bytes of its stdout contents - form the entropy. When bytes is not specified, the + PRNG. When bytes is specified, only the first + bytes number of bytes of its stdout contents + form the entropy. When bytes is not specified, the entirety of the data produced on stdout form the entropy. Use this only at startup time when you need a very strong seeding with the help of an external program (for instance as in @@ -480,7 +480,7 @@ SSLRandomSeed connect "file:/dev/urandom" 1024 SSLSessionCache Type of the global/inter-process SSL Session Cache -SSLSessionCache type +SSLSessionCache type SSLSessionCache none server config @@ -495,7 +495,7 @@ up to four parallel requests are common) those requests are served by different pre-forked server processes. Here an inter-process cache helps to avoid unnecessary session handshakes.

      -The following five storage types are currently supported:

      +The following five storage types are currently supported:

      • none @@ -518,10 +518,10 @@ The following five storage types are currently supported:

        high load. To use this, ensure that mod_socache_dbm is loaded.

      • -
      • shmcb:/path/to/datafile[(size)] +
      • shmcb:/path/to/datafile[(size)]

        This makes use of a high-performance cyclic buffer - (approx. size bytes in size) inside a shared memory + (approx. size bytes in size) inside a shared memory segment in RAM (established via /path/to/datafile) to synchronize the local OpenSSL memory caches of the server processes. This is the recommended session cache. To use this, @@ -558,7 +558,7 @@ using the Mutex directive.

        SSLSessionCacheTimeout Number of seconds before an SSL session expires in the Session Cache -SSLSessionCacheTimeout seconds +SSLSessionCacheTimeout seconds SSLSessionCacheTimeout 300 server config virtual host @@ -640,7 +640,7 @@ by the applicable Security Policy. SSLProtocol Configure usable SSL/TLS protocol versions -SSLProtocol [+|-]protocol ... +SSLProtocol [+|-]protocol ... SSLProtocol all -SSLv3 server config virtual host @@ -650,7 +650,7 @@ by the applicable Security Policy. This directive can be used to control which versions of the SSL/TLS protocol will be accepted in new connections.

        -The available (case-insensitive) protocols are:

        +The available (case-insensitive) protocols are:

        • SSLv3

          @@ -726,7 +726,7 @@ though). SSLCipherSuite Cipher Suite available for negotiation in SSL handshake -SSLCipherSuite [protocol] cipher-spec +SSLCipherSuite [protocol] cipher-spec SSLCipherSuite DEFAULT (depends on OpenSSL version) server config virtual host @@ -736,7 +736,7 @@ handshake

          -This complex directive uses a colon-separated cipher-spec string +This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase. The optional protocol specifier can configure the Cipher Suite for a specific SSL version. @@ -759,7 +759,7 @@ For a list of TLSv1.3 cipher names, see the OpenSSL documentation.

          -An SSL cipher specification in cipher-spec is composed of 4 major +An SSL cipher specification in cipher-spec is composed of 4 major attributes plus a few extra minor ones:

          • Key Exchange Algorithm:
            @@ -836,7 +836,7 @@ Now where this becomes interesting is that these can be put together to specify the order and ciphers you wish to use. To speed this up there are also aliases (SSLv3, TLSv1, EXP, LOW, MEDIUM, HIGH) for certain groups of ciphers. These tags can be joined -together with prefixes to form the cipher-spec. Available +together with prefixes to form the cipher-spec. Available prefixes are:

            • none: add cipher to list
            • @@ -855,7 +855,7 @@ ciphers are always disabled, as mod_ssl unconditionally adds

              A simpler way to look at all of this is to use the ``openssl ciphers -v'' command which provides a nice way to successively create the -correct cipher-spec string. The default cipher-spec string +correct cipher-spec string. The default cipher-spec string depends on the version of the OpenSSL libraries used. Let's suppose it is ``RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5'' which means the following: Put RC4-SHA and AES128-SHA at @@ -1149,7 +1149,7 @@ effect.

              SSLCACertificatePath Directory of PEM-encoded CA Certificates for Client Auth -SSLCACertificatePath directory-path +SSLCACertificatePath directory-path server config virtual host AuthConfig @@ -1163,7 +1163,7 @@ verify the client certificate on Client Authentication.

              The files in this directory have to be PEM-encoded and are accessed through hash filenames. So usually you can't just place the Certificate files there: you also have to create symbolic links named -hash-value.N. And you should always make sure this directory +hash-value.N. And you should always make sure this directory contains the appropriate symbolic links.

              Example @@ -1267,7 +1267,7 @@ effect.

              SSLCADNRequestPath Directory of PEM-encoded CA Certificates for defining acceptable CA names -SSLCADNRequestPath directory-path +SSLCADNRequestPath directory-path server config virtual host @@ -1282,7 +1282,7 @@ details.

              The files in this directory have to be PEM-encoded and are accessed through hash filenames. So usually you can't just place the Certificate files there: you also have to create symbolic links named -hash-value.N. And you should always make sure +hash-value.N. And you should always make sure this directory contains the appropriate symbolic links.

              Example @@ -1302,7 +1302,7 @@ to take effect.

              SSLCARevocationPath Directory of PEM-encoded CA CRLs for Client Auth -SSLCARevocationPath directory-path +SSLCARevocationPath directory-path server config virtual host @@ -1315,7 +1315,7 @@ These are used to revoke the client certificate on Client Authentication.

              The files in this directory have to be PEM-encoded and are accessed through hash filenames. So usually you have not only to place the CRL files there. Additionally you have to create symbolic links named -hash-value.rN. And you should always make sure this directory +hash-value.rN. And you should always make sure this directory contains the appropriate symbolic links.

              Example @@ -1365,11 +1365,11 @@ effect.

              SSLCARevocationCheck Enable CRL-based revocation checking -SSLCARevocationCheck chain|leaf|none [flags ...] +SSLCARevocationCheck chain|leaf|none [flags ...] SSLCARevocationCheck none server config virtual host -Optional flags available in httpd 2.4.21 or +Optional flags available in httpd 2.4.21 or later @@ -1381,7 +1381,7 @@ configured. When set to chain (recommended setting), CRL checks are applied to all certificates in the chain, while setting it to leaf limits the checks to the end-entity cert.

              -

              The available flags are:

              +

              The available flags are:

              • no_crl_for_cert_ok

                @@ -1398,7 +1398,7 @@ CRL checks are applied to all certificates in the chain, while setting it to "unable to get certificate CRL" error.

                - The flag no_crl_for_cert_ok allows to restore + The flag no_crl_for_cert_ok allows to restore previous behaviour.

              • @@ -1419,7 +1419,7 @@ SSLCARevocationCheck chain no_crl_for_cert_ok SSLVerifyClient Type of Client Certificate verification -SSLVerifyClient level +SSLVerifyClient level SSLVerifyClient none server config virtual host @@ -1437,7 +1437,7 @@ established. In per-directory context it forces a SSL renegotiation with the reconfigured client verification level after the HTTP request was read but before the HTTP response is sent.

                -The following levels are available for level:

                +The following levels are available for level:

                • none: no client Certificate is required at all
                • @@ -1462,7 +1462,7 @@ SSLVerifyClient require SSLVerifyDepth Maximum depth of CA Certificates in Client Certificate verification -SSLVerifyDepth number +SSLVerifyDepth number SSLVerifyDepth 1 server config virtual host @@ -1527,7 +1527,7 @@ available in the SSL_SRP_USERINFO request environment variable.

                  SSLSRPUnknownUserSeed SRP unknown user seed -SSLSRPUnknownUserSeed secret-string +SSLSRPUnknownUserSeed secret-string server config virtual host Available in httpd 2.4.4 and later, if using OpenSSL 1.0.1 or @@ -1549,7 +1549,7 @@ SSLSRPUnknownUserSeed "secret" SSLOptions Configure various SSL engine run-time options -SSLOptions [+|-]option ... +SSLOptions [+|-]option ... server config virtual host directory @@ -1568,7 +1568,7 @@ are merged. Any options preceded by a + are added to the options currently in force, and any options preceded by a - are removed from the options currently in force.

                  -The available options are:

                  +The available options are:

                  • StdEnvVars

                    @@ -1582,7 +1582,7 @@ The available options are:

                    When this option is enabled, additional CGI/SSI environment variables are created: SSL_SERVER_CERT, SSL_CLIENT_CERT and - SSL_CLIENT_CERT_CHAIN_n (with n = 0,1,2,..). + SSL_CLIENT_CERT_CHAIN_n (with n = 0,1,2,..). These contain the PEM-encoded X.509 Certificates of server and client for the current HTTPS connection and can be used by CGI scripts for deeper Certificate checking. Additionally all other certificates of the client @@ -1598,7 +1598,7 @@ The available options are:

                    be used for access control. The user name is just the Subject of the Client's X509 Certificate (can be determined by running OpenSSL's openssl x509 command: openssl x509 -noout -subject -in - certificate.crt). The optional certificate.crt). The optional SSLUserName directive can be used to specify which part of the certificate Subject is embedded in the username. Note that no password is obtained from the user. Every entry in the user @@ -1706,7 +1706,7 @@ SSLRequireSSL SSLRequire Allow access only when an arbitrarily complex boolean expression is true -SSLRequire expression +SSLRequire expression directory .htaccess AuthConfig @@ -1740,7 +1740,7 @@ fulfilled in order to allow access. It is a very powerful directive because the requirement specification is an arbitrarily complex boolean expression containing any number of access checks.

                    -The expression must match the following syntax (given as a BNF +The expression must match the following syntax (given as a BNF grammar notation):

                    @@ -1781,9 +1781,9 @@ href="#envvars">Environment Variables can be used.  For
                     funcname the available functions are listed in
                     the ap_expr documentation.

                    -

                    The expression is parsed into an internal machine +

                    The expression is parsed into an internal machine representation when the configuration is loaded, and then evaluated -during request processing. In .htaccess context, the expression is +during request processing. In .htaccess context, the expression is both parsed and executed each time the .htaccess file is encountered during request processing.

                    @@ -1798,9 +1798,9 @@ SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \ -

                    The PeerExtList(object-ID) function expects +

                    The PeerExtList(object-ID) function expects to find zero or more instances of the X.509 certificate extension -identified by the given object ID (OID) in the client certificate. +identified by the given object ID (OID) in the client certificate. The expression evaluates to true if the left-hand side string matches exactly against the value of an extension identified with this OID. (If multiple extensions with the same OID are present, at least one @@ -2010,7 +2010,7 @@ SSLVHostSNIPolicy authonly SSLProxyMachineCertificatePath Directory of PEM-encoded client certificates and keys to be used by the proxy -SSLProxyMachineCertificatePath directory +SSLProxyMachineCertificatePath directory server config virtual host proxy section The proxy section context is allowed in httpd 2.4.30 and later @@ -2048,7 +2048,7 @@ SSLProxyMachineCertificatePath "/usr/local/apache2/conf/proxy.crt/" SSLProxyMachineCertificateFile File of concatenated PEM-encoded client certificates and keys to be used by the proxy -SSLProxyMachineCertificateFile filename +SSLProxyMachineCertificateFile filename server config virtual host proxy section The proxy section context is allowed in httpd 2.4.30 and later
                    @@ -2109,7 +2109,7 @@ SSLProxyMachineCertificateFile "/usr/local/apache2/conf/ssl.crt/proxy.pem" SSLProxyMachineCertificateChainFile File of concatenated PEM-encoded CA certificates to be used by the proxy for choosing a certificate -SSLProxyMachineCertificateChainFile filename +SSLProxyMachineCertificateChainFile filename server config virtual host proxy section The proxy section context is allowed in httpd 2.4.30 and later @@ -2142,7 +2142,7 @@ SSLProxyMachineCertificateChainFile "/usr/local/apache2/conf/ssl.crt/proxyCA.pem SSLProxyVerify Type of remote server Certificate verification -SSLProxyVerify level +SSLProxyVerify level SSLProxyVerify none server config virtual host proxy section @@ -2154,7 +2154,7 @@ SSLProxyMachineCertificateChainFile "/usr/local/apache2/conf/ssl.crt/proxyCA.pem server, this directive can be used to configure certificate verification of the remote server.

                    -The following levels are available for level:

                    +The following levels are available for level:

                    • none: no remote server Certificate is required at all
                    • @@ -2183,7 +2183,7 @@ SSLProxyVerify require SSLProxyVerifyDepth Maximum depth of CA Certificates in Remote Server Certificate verification -SSLProxyVerifyDepth number +SSLProxyVerifyDepth number SSLProxyVerifyDepth 1 server config virtual host proxy section @@ -2357,7 +2357,7 @@ server to proxy SSL/TLS requests.

                      SSLProxyProtocol Configure usable SSL protocol flavors for proxy usage -SSLProxyProtocol [+|-]protocol ... +SSLProxyProtocol [+|-]protocol ... SSLProxyProtocol all -SSLv3 server config virtual host proxy section @@ -2379,7 +2379,7 @@ for additional information. SSLProxyCipherSuite Cipher Suite available for negotiation in SSL proxy handshake -SSLProxyCipherSuite [protocol] cipher-spec +SSLProxyCipherSuite [protocol] cipher-spec SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP server config virtual host proxy section @@ -2397,7 +2397,7 @@ for additional information.

                      SSLProxyCACertificatePath Directory of PEM-encoded CA Certificates for Remote Server Auth -SSLProxyCACertificatePath directory-path +SSLProxyCACertificatePath directory-path server config virtual host proxy section The proxy section context is allowed in httpd 2.4.30 and later @@ -2411,7 +2411,7 @@ verify the remote server certificate on Remote Server Authentication.

                      The files in this directory have to be PEM-encoded and are accessed through hash filenames. So usually you can't just place the Certificate files there: you also have to create symbolic links named -hash-value.N. And you should always make sure this directory +hash-value.N. And you should always make sure this directory contains the appropriate symbolic links.

                      Example @@ -2450,7 +2450,7 @@ SSLProxyCACertificateFile "/usr/local/apache2/conf/ssl.crt/ca-bundle-remote-serv SSLProxyCARevocationPath Directory of PEM-encoded CA CRLs for Remote Server Auth -SSLProxyCARevocationPath directory-path +SSLProxyCARevocationPath directory-path server config virtual host proxy section The proxy section context is allowed in httpd 2.4.30 and later @@ -2464,7 +2464,7 @@ These are used to revoke the remote server certificate on Remote Server Authenti The files in this directory have to be PEM-encoded and are accessed through hash filenames. So usually you have not only to place the CRL files there. Additionally you have to create symbolic links named -hash-value.rN. And you should always make sure this directory +hash-value.rN. And you should always make sure this directory contains the appropriate symbolic links.

                      Example @@ -2544,7 +2544,7 @@ SSLProxyCARevocationCheck chain SSLUserName Variable name to determine user name -SSLUserName varname +SSLUserName varname server config directory .htaccess @@ -2555,7 +2555,7 @@ SSLProxyCARevocationCheck chain This directive sets the "user" field in the Apache request object. This is used by lower modules to identify the user with a character string. In particular, this may cause the environment variable -REMOTE_USER to be set. The varname can be +REMOTE_USER to be set. The varname can be any of the SSL environment variables.

                      When the FakeBasicAuth option is enabled, this directive @@ -2593,7 +2593,7 @@ SSLHonorCipherOrder on SSLCryptoDevice Enable use of a cryptographic hardware accelerator -SSLCryptoDevice engine +SSLCryptoDevice engine SSLCryptoDevice builtin server config @@ -2662,7 +2662,7 @@ SSLOCSPOverrideResponder on SSLOCSPDefaultResponder Set the default responder URI for OCSP validation -SSLOCSPDefaultResponder uri +SSLOCSPDefaultResponder uri server config virtual host @@ -2692,7 +2692,7 @@ certificate being validated references an OCSP responder.

                      SSLOCSPResponseTimeSkew Maximum allowable time skew for OCSP response validation -SSLOCSPResponseTimeSkew seconds +SSLOCSPResponseTimeSkew seconds SSLOCSPResponseTimeSkew 300 server config virtual host @@ -2706,7 +2706,7 @@ certificate being validated references an OCSP responder.

                      SSLOCSPResponseMaxAge Maximum allowable age for OCSP responses -SSLOCSPResponseMaxAge seconds +SSLOCSPResponseMaxAge seconds SSLOCSPResponseMaxAge -1 server config virtual host @@ -2722,7 +2722,7 @@ which means that OCSP responses are considered valid as long as their SSLOCSPResponderTimeout Timeout for OCSP queries -SSLOCSPResponderTimeout seconds +SSLOCSPResponderTimeout seconds SSLOCSPResponderTimeout 10 server config virtual host @@ -2768,7 +2768,7 @@ testing an OCSP server.

                      SSLOCSPResponderCertificateFile Set of trusted PEM encoded OCSP responder certificates -SSLOCSPResponderCertificateFile file +SSLOCSPResponderCertificateFile file server config virtual host Available in httpd 2.4.26 and later, if using OpenSSL 0.9.7 or later @@ -2784,7 +2784,7 @@ response.

                      SSLOCSPProxyURL Proxy URL to use for OCSP requests -SSLOCSPProxyURL url +SSLOCSPProxyURL url server config virtual host Available in httpd 2.4.19 and later @@ -2836,7 +2836,7 @@ of OCSP responses. These mutexes can be configured using the SSLStaplingCache Configures the OCSP stapling cache -SSLStaplingCache type +SSLStaplingCache type server config Available if using OpenSSL 0.9.8h or later @@ -2853,7 +2853,7 @@ the same storage types are supported as with SSLStaplingResponseTimeSkew Maximum allowable time skew for OCSP stapling response validation -SSLStaplingResponseTimeSkew seconds +SSLStaplingResponseTimeSkew seconds SSLStaplingResponseTimeSkew 300 server config virtual host @@ -2870,7 +2870,7 @@ if SSLUseStapling is turned on.

                      SSLStaplingResponderTimeout Timeout for OCSP stapling queries -SSLStaplingResponderTimeout seconds +SSLStaplingResponderTimeout seconds SSLStaplingResponderTimeout 10 server config virtual host @@ -2886,7 +2886,7 @@ and mod_ssl is querying a responder for OCSP stapling purposes.

                      SSLStaplingResponseMaxAge Maximum allowable age for OCSP stapling responses -SSLStaplingResponseMaxAge seconds +SSLStaplingResponseMaxAge seconds SSLStaplingResponseMaxAge -1 server config virtual host @@ -2905,7 +2905,7 @@ which means that OCSP responses are considered valid as long as their SSLStaplingStandardCacheTimeout Number of seconds before expiring responses in the OCSP stapling cache -SSLStaplingStandardCacheTimeout seconds +SSLStaplingStandardCacheTimeout seconds SSLStaplingStandardCacheTimeout 3600 server config virtual host @@ -2961,7 +2961,7 @@ is also enabled.

                      SSLStaplingErrorCacheTimeout Number of seconds before expiring invalid responses in the OCSP stapling cache -SSLStaplingErrorCacheTimeout seconds +SSLStaplingErrorCacheTimeout seconds SSLStaplingErrorCacheTimeout 600 server config virtual host @@ -2979,7 +2979,7 @@ To set the cache timeout for valid responses, see SSLStaplingForceURL Override the OCSP responder URI specified in the certificate's AIA extension -SSLStaplingForceURL uri +SSLStaplingForceURL uri server config virtual host Available if using OpenSSL 0.9.8h or later @@ -3093,7 +3093,7 @@ forward secrecy.

                      SSLOpenSSLConfCmd Configure OpenSSL parameters through its SSL_CONF API -SSLOpenSSLConfCmd command-name command-value +SSLOpenSSLConfCmd command-name command-value server config virtual host Available in httpd 2.4.8 and later, if using OpenSSL 1.0.2 or later @@ -3142,7 +3142,7 @@ mod_ssl behaviour will change across versions of httpd where SSLPolicy Apply a SSLPolicy by name -SSLPolicy name +SSLPolicy name server config virtual host Available in httpd 2.5.0 and later @@ -3176,7 +3176,7 @@ httpd -t -D DUMP_SSL_POLICIES SSLECHKeyDir Load the set of Encrypted Client Hello (ECH) PEM files in the named directory -SSLECHKeyDir dirname +SSLECHKeyDir dirname server config Available in Apache HTTP Server 2.5.1 and later
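Review bot: in the @@ -419,10 +419,10 @@ hunk the rewritten file:/path/to/source lines still say "bytes is given to /path/to/source as the first argument", and the context line after them says "0 is given to /path/to/source as the first argument". That wording describes invoking a program, not reading a file, and the exec:/path/to/program text in the next hunk (@@ -443,9 +443,9 @@) has no such parenthetical. Since these four lines are being re-marked anyway, confirm which variant the argument passing belongs to and move or drop the parenthetical. The same lines also mix "of the file form the entropy" with "the whole file forms the entropy"; pick one.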
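Review bot: the line re-marked in the @@ -1398,7 +1398,7 @@ hunk, "The flag no_crl_for_cert_ok allows to restore previous behaviour.", is ungrammatical and leaves "previous behaviour" undefined for a reader who lands on the flag list directly. As the line is touched in this commit, suggest "The no_crl_for_cert_ok flag restores the previous behaviour" and a short clause saying what that behaviour is with respect to the "unable to get certificate CRL" error quoted just above it, because this flag relaxes revocation checking and the docs should make that explicit.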
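Review bot: the default shown in the context of the @@ -2379,7 +2379,7 @@ hunk, "SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP", is inconsistent with the server-side entry in the @@ -726,7 +726,7 @@ hunk, which documents "SSLCipherSuite DEFAULT (depends on OpenSSL version)". A literal default that names RC4, LOW and EXP is likely to be copied into configurations, so while the syntax line next to it is being edited, check whether the proxy default is still that literal string and, if not, align it with the SSLCipherSuite wording.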
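Review bot: the symlink sentence re-marked in the @@ -1315,7 +1315,7 @@ hunk ("So usually you have not only to place the CRL files there. Additionally you have to create symbolic links named hash-value.rN.") reads awkwardly and differs from the otherwise identical paragraph in the @@ -1163,7 +1163,7 @@ hunk ("you can't just place the Certificate files there: you also have to create symbolic links named hash-value.N"). The same pair recurs in @@ -2411,7 +2411,7 @@ and @@ -2464,7 +2464,7 @@. Since all of these lines are modified here, use one wording for the sentence across them and make sure the placeholder markup covers both hash-value and N in the same way in the .N and .rN forms.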
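Review bot: the added lines in the @@ -194,13 +194,13 @@ hunk keep the TeX-style quoting around the format strings ("``%{varname}x''" and "``%{name}c''"), and the @@ -248,12 +248,12 @@ hunk does the same for "``%{varname}''", "``%{SSL:varname}''" and "``ssl(varname)''". If the style guide this commit follows expects literals to be carried by markup alone, the surrounding quotes should go in the same pass. The unchanged context in the first of these hunks also has a word-order slip, "which can you find in the above table", which is worth fixing while the paragraph is open.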