author | Eric Covener <covener@apache.org> | 2018-03-30 14:40:53 +0200 |
---|---|---|
committer | Eric Covener <covener@apache.org> | 2018-03-30 14:40:53 +0200 |
commit | e7202dce8417f450ed4d4e48da45930e89cb426b (patch) | |
tree | 3fd310b7a42ed6d4b766ed4581b4d5c1a3bf500a /docs/manual/mod/mod_ssl.html.en | |
parent | bring balance to the force (diff) | |
download | apache2-e7202dce8417f450ed4d4e48da45930e89cb426b.tar.xz apache2-e7202dce8417f450ed4d4e48da45930e89cb426b.zip |
xforms
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1828060 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs/manual/mod/mod_ssl.html.en')
-rw-r--r-- | docs/manual/mod/mod_ssl.html.en | 211 |
1 files changed, 31 insertions, 180 deletions
diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en index 11a7010572..8c982305d1 100644 --- a/docs/manual/mod/mod_ssl.html.en +++ b/docs/manual/mod/mod_ssl.html.en @@ -86,7 +86,6 @@ to provide the cryptography engine.</p> <li><img alt="" src="../images/down.gif" /> <a href="#ssloptions">SSLOptions</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslpassphrasedialog">SSLPassPhraseDialog</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslpolicy">SSLPolicy</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#sslpolicydefinesection"><SSLPolicyDefine></a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslprotocol">SSLProtocol</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslproxycacertificatefile">SSLProxyCACertificateFile</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></li> @@ -101,7 +100,6 @@ to provide the cryptography engine.</p> <li><img alt="" src="../images/down.gif" /> <a href="#sslproxymachinecertificatechainfile">SSLProxyMachineCertificateChainFile</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslproxymachinecertificatefile">SSLProxyMachineCertificateFile</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslproxymachinecertificatepath">SSLProxyMachineCertificatePath</a></li> -<li><img alt="" src="../images/down.gif" /> <a href="#sslproxypolicy">SSLProxyPolicy</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslproxyprotocol">SSLProxyProtocol</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslproxyverify">SSLProxyVerify</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#sslproxyverifydepth">SSLProxyVerifyDepth</a></li> 
@@ -746,7 +744,7 @@ key file.</p> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Cipher Suite available for negotiation in SSL handshake</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCipherSuite <em>cipher-spec</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCipherSuite [<em>protocol</em>] <em>cipher-spec</em></code></td></tr> <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLCipherSuite DEFAULT (depends on OpenSSL version)</code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr> <tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr> 
@@ -756,12 +754,26 @@ handshake</td></tr> <p> This complex directive uses a colon-separated <em>cipher-spec</em> string consisting of OpenSSL cipher specifications to configure the Cipher Suite the -client is permitted to negotiate in the SSL handshake phase. Notice that this -directive can be used both in per-server and per-directory context. In -per-server context it applies to the standard SSL handshake when a connection +client is permitted to negotiate in the SSL handshake phase. The optional +protocol specifier can configure the Cipher Suite for a specific SSL version. +Possible values include "SSL" for all SSL Protocols up to and including TLSv1.2. +</p> +<p> +Notice that this +directive can be used both in per-server and per-directory context. +In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotiation with the reconfigured Cipher Suite after the HTTP request was read but before the HTTP -response is sent.</p> +response is sent. (Since renegotiation is not</p> +<p> +If the SSL library supports TLSv1.3 (OpenSSL 1.1.1 and later), the protocol +specifier "TLSv1.3" can be used to configure the cipher suites for that protocol. +Since TLSv1.3 does not offer renegotiations, specifying ciphers for it in +a directory context is not allowed.</p> +<p> +For a list of TLSv1.3 cipher names, see +<a href="https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html">the OpenSSL +documentation</a>.</p> <p> An SSL cipher specification in <em>cipher-spec</em> is composed of 4 major attributes plus a few extra minor ones:</p> 
@@ -957,7 +969,7 @@ SSLCryptoDevice ubsec</pre> <div class="directive-section"><h2><a name="SSLEngine" id="SSLEngine">SSLEngine</a> <a name="sslengine" id="sslengine">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>SSL Engine Operation Switch</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLEngine on|off|optional|addr[:port] [addr[:port]] ...</code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLEngine on|off|optional</code></td></tr> <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLEngine off</code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> @@ -965,8 +977,8 @@ SSLCryptoDevice ubsec</pre> <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The <code>addr:port</code> parameter is available in Apache 2.4.30 and later.</td></tr> </table> <p> -This directive toggles the usage of the SSL/TLS Protocol Engine. Values 'on', -'off' and 'optional' should be used inside a <code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code> section to enable SSL/TLS for a +This directive toggles the usage of the SSL/TLS Protocol Engine. This +is should be used inside a <code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code> section to enable SSL/TLS for a that virtual host. By default the SSL/TLS Protocol Engine is disabled for both the main server and all configured virtual hosts.</p> <div class="example"><h3>Example</h3><pre class="prettyprint lang-config"><VirtualHost _default_:443> 
@@ -974,15 +986,6 @@ SSLEngine on #... </VirtualHost></pre> </div> -<p>The <code>addr:port</code> values should be used in the -global server to enable the SSL/TLS Protocol Engine for <em>all</em> -<code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code>s -that match one of the addresses in the list.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLEngine *:443 -<VirtualHost *:443> -#... -</VirtualHost></pre> -</div> <p><code class="directive">SSLEngine</code> can be set to <code>optional</code>: this enables support for <a href="http://www.ietf.org/rfc/rfc2817.txt">RFC 2817</a>. 
@@ -1495,149 +1498,14 @@ for a detailed description by them.</a>): <li><code>intermediate</code>: the fallback if you need to support old (but not very old) clients.</li> <li><code>old</code>: when you need to give Windows XP/Internet Explorer 6 access. The last resort.</li> </ul> +<p>SSLPolicy applies configuration settings in place, meaning previous values are +overwritten. Configuration directives following an SSLPolicy may overwrite it. +</p> <p>You can check the detailed description of all defined policies via the command line:</p> <div class="example"><h3>List all Defined Policies</h3><pre class="prettyprint lang-sh">httpd -t -D DUMP_SSL_POLICIES</pre> </div> -<p>A SSLPolicy defines the baseline for the context it is used in. That means that any -other SSL* directives in the same context override it. As an example of this, see the effective -<code class="directive">SSLProtocol</code> value in the following settings:</p> - -<div class="example"><h3>Policy Precedence</h3><pre class="prettyprint lang-config"><VirtualHost...> # effective: 'all' - SSLPolicy modern - SSLProtocol all -</VirtualHost> - -<VirtualHost...> # effective: 'all' - SSLProtocol all - SSLPolicy modern -</VirtualHost> - -SSLPolicy modern -<VirtualHost...> # effective: 'all' - SSLProtocol all -</VirtualHost> - -SSLProtocol all -<VirtualHost...> # effective: '+TLSv1.2' - SSLPolicy modern -</VirtualHost></pre> -</div> - -<p>There can be more than one policy applied in a context. 
The -later ones overshadowing the earlier ones:</p> - -<div class="example"><h3>Policy Ordering</h3><pre class="prettyprint lang-config"><VirtualHost...> # effective protocol: 'all -SSLv3' - SSLPolicy modern - SSLPolicy intermediate -</VirtualHost> - -<VirtualHost...> # effective protocol: '+TLSv1.2' - SSLPolicy intermediate - SSLPolicy modern -</VirtualHost></pre> -</div> - - -</div> -<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="directive-section"><h2><a name="SSLPolicyDefinesection" id="SSLPolicyDefinesection"><SSLPolicyDefine></a> <a name="sslpolicydefinesection" id="sslpolicydefinesection">Directive</a></h2> -<table class="directive"> -<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Define a named set of SSL configurations</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code><SSLPolicyDefine <em>name</em>></code></td></tr> -<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> -<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> -<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> -<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.4.30 and later</td></tr> -</table> -<p>This directive defines a set of SSL* configurations under -and gives it a name. This name can be used in the directives -<code class="directive">SSLPolicy</code> and <code class="directive">SSLProxyPolicy</code> -to apply this configuration set in the current context.</p> - -<div class="example"><h3>Define and Use of a Policy</h3><pre class="prettyprint lang-config"><SSLPolicyDefine safe-stapling> - SSLUseStapling on - SSLStaplingResponderTimeout 2 - SSLStaplingReturnResponderErrors off - SSLStaplingFakeTryLater off - SSLStaplingStandardCacheTimeout 86400 -</SSLPolicyDefine> - - ... 
- <VirtualHost...> - SSLPolicy safe-stapling - ...</pre> -</div> - -<p>On the one hand, this can make server configurations easier to -<em>read</em> and <em>maintain</em>. On the other hand, it is -intended to make SSL easier and safer to <em>use</em>. For the -latter, Apache httpd ships with a set of pre-defined policies -that reflect good open source practise. The policy "modern", -for example, carries the settings to make your server work -compatible and securely with current browsers.</p> - -<p>The list of predefined policies in your Apache can be obtained -by running the following command. This list shows you the -detailed configurations each policy is made of:</p> - -<div class="example"><h3>List all Defined Policies</h3><pre class="prettyprint lang-sh">httpd -t -D DUMP_SSL_POLICIES</pre> -</div> - -<p>The directive can only be used in the server config (global context). It can take -most SSL* directives, however a few can only be set once and are not allowed inside -policy defintions. These are <code class="directive">SSLCryptoDevice</code>, -<code class="directive">SSLRandomSeed</code>, -<code class="directive">SSLSessionCache</code> and -<code class="directive">SSLStaplingCache</code>. -</p> -<p>Two policies cannot have the same name. However, policies can -be redefined:</p> - -<div class="example"><h3>Policy Overwrite</h3><pre class="prettyprint lang-config"><SSLPolicyDefine proxy-trust> - SSLProxyVerify require -</SSLPolicyDefine> - ... -<SSLPolicyDefine proxy-trust> - SSLProxyVerify none -</SSLPolicyDefine></pre> -</div> - -<p>Policy definitions are <em>added</em> in the order they appear, but are -<em>applied</em> when the whole configuration has been read. This means that any -use of 'proxy-trust' will mean 'SSLProxyVerify none'. The first definition -has no effect at all. 
That allows pre-installed policies to be replaced -without the need to disable them.</p> - -<p>Additional to replacing policies, redefinitions may just alter -an aspect of a policy:</p> - -<div class="example"><h3>Policy Redefine</h3><pre class="prettyprint lang-config"><SSLPolicyDefine proxy-trust> - SSLProxyVerify require -</SSLPolicyDefine> - ... -<SSLPolicyDefine proxy-trust> - SSLPolicy proxy-trust - SSLProxyVerifyDepth 10 -</SSLPolicyDefine></pre> -</div> - -<p>This re-uses all settings from the previous 'proxy-trust' and adds -one directive on top of it. All others still apply. This is very handy -when pre-defined policies (from Apache itself or a distributor) -that <em>almost</em> what you need. Previously, such definitions were -(copied and) edited. This made updating them difficult. Now they can -be setup like this:</p> - -<div class="example"><h3>Tweak a Pre-Defined Policy</h3><pre class="prettyprint lang-config">Include ssl-policies.conf - -<SSLPolicyDefine modern> - SSLPolicy modern - SSLProxyVerify none -</SSLPolicyDefine></pre> -</div> - </div> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> @@ -1680,6 +1548,11 @@ The available (case-insensitive) <em>protocol</em>s are:</p> A revision of the TLS 1.1 protocol, as defined in <a href="http://www.ietf.org/rfc/rfc5246.txt">RFC 5246</a>.</p></li> +<li><code>TLSv1.3</code> (when using OpenSSL 1.1.1 and later) + <p> + A new version of the TLS protocol, as defined in + <a href="https://github.com/tlswg/tls13-spec">RFC TBD</a>.</p></li> + <li><code>all</code> <p> This is a shortcut for ``<code>+SSLv3 +TLSv1</code>'' or 
@@ -1925,7 +1798,7 @@ improvements. <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Cipher Suite available for negotiation in SSL proxy handshake</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCipherSuite <em>cipher-spec</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCipherSuite [<em>protocol</em>] <em>cipher-spec</em></code></td></tr> <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP</code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 
@@ -2047,28 +1920,6 @@ contain a PEM-encoded certificate and matching private key. </div> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> -<div class="directive-section"><h2><a name="SSLProxyPolicy" id="SSLProxyPolicy">SSLProxyPolicy</a> <a name="sslproxypolicy" id="sslproxypolicy">Directive</a></h2> -<table class="directive"> -<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Apply the SSLProxy* parts alone of a SSLPolicy</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyPolicy <em>name</em></code></td></tr> -<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> -<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> -<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> -<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in httpd 2.4.30 and later</td></tr> -</table> -<p>This directive is similar to <code class="directive">SSLPolicy</code>, but -applies only the SSLProxy* directives defined in the policy. This helps -when you need different policies for front and backends:</p> - -<div class="example"><h3>Another Policies for Proxy Only</h3><pre class="prettyprint lang-config">SSLPolicy modern -SSLProxyPolicy intermediate</pre> -</div> - -<p>In this example, the 'modern' policy is first applied for front- and backend. 
The backend -parts are then overwritten by the 'intermediate' policy settings.</p> - -</div> -<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="directive-section"><h2><a name="SSLProxyProtocol" id="SSLProxyProtocol">SSLProxyProtocol</a> <a name="sslproxyprotocol" id="sslproxyprotocol">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Configure usable SSL protocol flavors for proxy usage</td></tr> |
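Review bot: the Syntax row in the @@ -746,7 hunk now reads `SSLCipherSuite [protocol] cipher-spec`, but the unchanged Context row in the same hunk (`server config, virtual host, directory, .htaccess`) gives no hint that the `TLSv1.3` form is rejected in directory and .htaccess context, which the body text added in the next hunk states; a short restriction note in the table (or "[protocol]" qualified in the Syntax row) would keep the table and the prose in agreement.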
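Review bot: the added line `+response is sent. (Since renegotiation is not</p>` in the @@ -756,12 hunk leaves an unfinished parenthetical; the new paragraph that follows already says TLSv1.3 offers no renegotiation, so the fragment can be dropped or the sentence completed. In the same hunk, `Possible values include "SSL" for all SSL Protocols up to and including TLSv1.2.` names one value while "TLSv1.3" is introduced two paragraphs later; listing both accepted values together and stating what applies when no protocol specifier is given would make the syntax self-explanatory for an operator deciding which cipher list a given client will be offered.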
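Review bot: the added line `+is should be used inside a <VirtualHost> section to enable SSL/TLS for a` in the @@ -965,8 hunk reads "This is should be used" and, joined to the unchanged `that virtual host.`, gives "for a that virtual host"; suggest `This directive should be used inside a <VirtualHost> section to enable SSL/TLS for that virtual host.` The unchanged Compatibility row in this hunk's leading context, `The addr:port parameter is available in Apache 2.4.30 and later.`, contradicts the Syntax row changed in the previous hunk to `SSLEngine on|off|optional` and should be removed or reworded with it.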
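Review bot: the added paragraph `+SSLPolicy applies configuration settings in place, meaning previous values are overwritten. Configuration directives following an SSLPolicy may overwrite it.` in the @@ -1495,149 hunk is ambiguous about whether a later SSL* directive always wins over the policy, which is exactly the question the removed Policy Precedence example answered (`SSLProtocol all` before `SSLPolicy modern` yielding `+TLSv1.2`, the reverse order yielding `all`). Suggest stating the rule definitively (a later SSL* directive in the same context overrides the value set by the policy, and a later SSLPolicy overrides earlier directives) and keeping one short `<VirtualHost>` example showing both orders, since ordering is the part of this behaviour an operator hardening a host is most likely to get wrong.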
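Review bot: the added `<a href="https://github.com/tlswg/tls13-spec">RFC TBD</a>` in the @@ -1680,6 hunk is placeholder link text pointing at the working-group draft repository; it needs a follow-up to replace it with the RFC number and an ietf.org URL once published, matching the `RFC 5246` entry above it. The `all` shortcut description that follows in the unchanged context (`+SSLv3 +TLSv1 ...`) should also be checked, because an operator reading `SSLProtocol all` needs to know whether TLSv1.3 is now included on OpenSSL 1.1.1 builds.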
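Review bot: the Syntax row in the @@ -1925,7 hunk gains `[protocol]` but nothing in this hunk explains the argument for the proxy case; suggest mirroring the SSLCipherSuite text (accepted values "SSL" and "TLSv1.3", the OpenSSL 1.1.1 requirement, and the link to the OpenSSL cipher-suite documentation). The unchanged Default row `SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP` visible in this hunk still advertises RC4, LOW and EXP ciphers, which are weak by today's standards; worth a separate follow-up to confirm it still reflects the built-in default rather than documenting a list operators should not copy.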