From e7202dce8417f450ed4d4e48da45930e89cb426b Mon Sep 17 00:00:00 2001 From: Eric Covener Date: Fri, 30 Mar 2018 12:40:53 +0000 Subject: xforms git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1828060 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_ssl.html.en | 211 ++++++---------------------------------- 1 file changed, 31 insertions(+), 180 deletions(-) (limited to 'docs/manual/mod/mod_ssl.html.en') diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en index 11a7010572..8c982305d1 100644 --- a/docs/manual/mod/mod_ssl.html.en +++ b/docs/manual/mod/mod_ssl.html.en @@ -86,7 +86,6 @@ to provide the cryptography engine.

  • SSLOptions
  • SSLPassPhraseDialog
  • SSLPolicy
  • -
  • <SSLPolicyDefine>
  • SSLProtocol
  • SSLProxyCACertificateFile
  • SSLProxyCACertificatePath
  • @@ -101,7 +100,6 @@ to provide the cryptography engine.

  • SSLProxyMachineCertificateChainFile
  • SSLProxyMachineCertificateFile
  • SSLProxyMachineCertificatePath
  • -
  • SSLProxyPolicy
  • SSLProxyProtocol
  • SSLProxyVerify
  • SSLProxyVerifyDepth
  • @@ -746,7 +744,7 @@ key file.

    - + @@ -756,12 +754,26 @@ handshake

    This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the -client is permitted to negotiate in the SSL handshake phase. Notice that this -directive can be used both in per-server and per-directory context. In -per-server context it applies to the standard SSL handshake when a connection +client is permitted to negotiate in the SSL handshake phase. The optional +protocol specifier can configure the Cipher Suite for a specific SSL version. +Possible values include "SSL" for all SSL Protocols up to and including TLSv1.2. +

    +

    +Notice that this +directive can be used both in per-server and per-directory context. +In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotiation with the reconfigured Cipher Suite after the HTTP request was read but before the HTTP -response is sent.

    +response is sent. (Since renegotiation is not

    +

    +If the SSL library supports TLSv1.3 (OpenSSL 1.1.1 and later), the protocol +specifier "TLSv1.3" can be used to configure the cipher suites for that protocol. +Since TLSv1.3 does not offer renegotiations, specifying ciphers for it in +a directory context is not allowed.

    +

    +For a list of TLSv1.3 cipher names, see +the OpenSSL +documentation.

    An SSL cipher specification in cipher-spec is composed of 4 major attributes plus a few extra minor ones:
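Review bot: the added text on the `+response is sent. (Since renegotiation is not` line of this hunk is cut off mid-parenthesis, so the rendered manual will show a dangling "(Since renegotiation is not". Either finish the thought (the TLSv1.3 paragraph a few lines later already says that TLSv1.3 has no renegotiation and so cannot be configured per-directory) or drop the open parenthesis. Also, the new protocol-specifier paragraph names only "SSL" as a possible value while the TLSv1.3 paragraph introduces a second one; listing both accepted values ("SSL" for up to TLSv1.2, "TLSv1.3" with OpenSSL 1.1.1 and later) in one place would read better.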

    @@ -957,7 +969,7 @@ SSLCryptoDevice ubsec

    SSLEngine Directive

    Description:Cipher Suite available for negotiation in SSL handshake
    Syntax:SSLCipherSuite cipher-spec
    Syntax:SSLCipherSuite [protocol] cipher-spec
    Default:SSLCipherSuite DEFAULT (depends on OpenSSL version)
    Context:server config, virtual host, directory, .htaccess
    Override:AuthConfig
    - + @@ -965,8 +977,8 @@ SSLCryptoDevice ubsec
    Description:SSL Engine Operation Switch
    Syntax:SSLEngine on|off|optional|addr[:port] [addr[:port]] ...
    Syntax:SSLEngine on|off|optional
    Default:SSLEngine off
    Context:server config, virtual host
    Status:Extension
    Compatibility:The addr:port parameter is available in Apache 2.4.30 and later.

    -This directive toggles the usage of the SSL/TLS Protocol Engine. Values 'on', -'off' and 'optional' should be used inside a <VirtualHost> section to enable SSL/TLS for a +This directive toggles the usage of the SSL/TLS Protocol Engine. This +is should be used inside a <VirtualHost> section to enable SSL/TLS for a that virtual host. By default the SSL/TLS Protocol Engine is disabled for both the main server and all configured virtual hosts.

    Example

    <VirtualHost _default_:443>
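Review bot: the Syntax row drops the address form (`-Syntax:SSLEngine on|off|optional|addr[:port] [addr[:port]] ...` becomes `+Syntax:SSLEngine on|off|optional`), but the Compatibility row in the same table still reads "The addr:port parameter is available in Apache 2.4.30 and later." and is left as unchanged context here; it should be removed or reworded together with the feature. The replacement description also ships two typos into the rendered page, "This is should be used" and "for a that virtual host"; since this file is produced by the xforms transform, the fix belongs in the XML source it is generated from.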
    @@ -974,15 +986,6 @@ SSLEngine on
     #...
     </VirtualHost>
    -

    The addr:port values should be used in the -global server to enable the SSL/TLS Protocol Engine for all -<VirtualHost>s -that match one of the addresses in the list.

    -

    Example

    SSLEngine *:443
    -<VirtualHost *:443>
    -#...
    -</VirtualHost>
    -

    SSLEngine can be set to optional: this enables support for RFC 2817. @@ -1495,149 +1498,14 @@ for a detailed description by them.):

  • intermediate: the fallback if you need to support old (but not very old) clients.
  • old: when you need to give Windows XP/Internet Explorer 6 access. The last resort.
  • +

    SSLPolicy applies configuration settings in place, meaning previous values are +overwritten. Configuration directives following an SSLPolicy may overwrite it. +

    You can check the detailed description of all defined policies via the command line:

    List all Defined Policies

    httpd -t -D DUMP_SSL_POLICIES
    -

    A SSLPolicy defines the baseline for the context it is used in. That means that any -other SSL* directives in the same context override it. As an example of this, see the effective -SSLProtocol value in the following settings:

    - -

    Policy Precedence

    <VirtualHost...> # effective: 'all'
    -   SSLPolicy modern
    -   SSLProtocol all
    -</VirtualHost>
    -
    -<VirtualHost...> # effective: 'all'
    -   SSLProtocol all
    -   SSLPolicy modern
    -</VirtualHost>
    -
    -SSLPolicy modern
    -<VirtualHost...> # effective: 'all'
    -   SSLProtocol all
    -</VirtualHost>
    -   
    -SSLProtocol all
    -<VirtualHost...> # effective: '+TLSv1.2'
    -  SSLPolicy modern
    -</VirtualHost>
    -
    - -

    There can be more than one policy applied in a context. The -later ones overshadowing the earlier ones:

    - -

    Policy Ordering

    <VirtualHost...> # effective protocol: 'all -SSLv3'
    -   SSLPolicy modern
    -   SSLPolicy intermediate
    -</VirtualHost>
    -
    -<VirtualHost...> # effective protocol: '+TLSv1.2'
    -   SSLPolicy intermediate
    -   SSLPolicy modern
    -</VirtualHost>
    -
    - - - -
    top
    -

    <SSLPolicyDefine> Directive

    - - - - - - - -
    Description:Define a named set of SSL configurations
    Syntax:<SSLPolicyDefine name>
    Context:server config
    Status:Extension
    Module:mod_ssl
    Compatibility:Available in httpd 2.4.30 and later
    -

    This directive defines a set of SSL* configurations under -and gives it a name. This name can be used in the directives -SSLPolicy and SSLProxyPolicy -to apply this configuration set in the current context.

    - -

    Define and Use of a Policy

    <SSLPolicyDefine safe-stapling>
    -   SSLUseStapling on
    -   SSLStaplingResponderTimeout 2
    -   SSLStaplingReturnResponderErrors off
    -   SSLStaplingFakeTryLater off
    -   SSLStaplingStandardCacheTimeout 86400
    -</SSLPolicyDefine>
    -
    -   ...
    -   <VirtualHost...>
    -      SSLPolicy safe-stapling
    -      ...
    -
    - -

    On the one hand, this can make server configurations easier to -read and maintain. On the other hand, it is -intended to make SSL easier and safer to use. For the -latter, Apache httpd ships with a set of pre-defined policies -that reflect good open source practise. The policy "modern", -for example, carries the settings to make your server work -compatible and securely with current browsers.

    - -

    The list of predefined policies in your Apache can be obtained -by running the following command. This list shows you the -detailed configurations each policy is made of:

    - -

    List all Defined Policies

    httpd -t -D DUMP_SSL_POLICIES
    -
    - -

    The directive can only be used in the server config (global context). It can take -most SSL* directives, however a few can only be set once and are not allowed inside -policy defintions. These are SSLCryptoDevice, -SSLRandomSeed, -SSLSessionCache and -SSLStaplingCache. -

    -

    Two policies cannot have the same name. However, policies can -be redefined:

    - -

    Policy Overwrite

    <SSLPolicyDefine proxy-trust>
    -   SSLProxyVerify require
    -</SSLPolicyDefine>
    -   ...
    -<SSLPolicyDefine proxy-trust>
    -   SSLProxyVerify none
    -</SSLPolicyDefine>
    -
    - -

    Policy definitions are added in the order they appear, but are -applied when the whole configuration has been read. This means that any -use of 'proxy-trust' will mean 'SSLProxyVerify none'. The first definition -has no effect at all. That allows pre-installed policies to be replaced -without the need to disable them.

    - -

    Additional to replacing policies, redefinitions may just alter -an aspect of a policy:

    - -

    Policy Redefine

    <SSLPolicyDefine proxy-trust>
    -   SSLProxyVerify require
    -</SSLPolicyDefine>
    -   ...
    -<SSLPolicyDefine proxy-trust>
    -   SSLPolicy proxy-trust
    -   SSLProxyVerifyDepth 10
    -</SSLPolicyDefine>
    -
    - -

    This re-uses all settings from the previous 'proxy-trust' and adds -one directive on top of it. All others still apply. This is very handy -when pre-defined policies (from Apache itself or a distributor) -that almost what you need. Previously, such definitions were -(copied and) edited. This made updating them difficult. Now they can -be setup like this:

    - -

    Tweak a Pre-Defined Policy

    Include ssl-policies.conf
    -
    -<SSLPolicyDefine modern>
    -   SSLPolicy modern
    -   SSLProxyVerify none
    -</SSLPolicyDefine>
    -
    -
    top
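Review bot: the new sentence "Configuration directives following an SSLPolicy may overwrite it" describes order-dependent behaviour, while the removed "Policy Precedence" example documented that an SSL* directive in the same context overrides the policy whether it appears before or after it (both orderings of `SSLPolicy modern` and `SSLProtocol all` were shown as effective 'all'). If the rule really changed to last-wins, state that explicitly and keep one short ordering example; if it did not, the new wording is misleading. This hunk also deletes the whole <SSLPolicyDefine> section, including the "Policy Overwrite" and "Policy Redefine" examples, which matches its removal from the directive index at the top; check that the remaining SSLPolicy text no longer refers to SSLPolicyDefine or SSLProxyPolicy.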
    @@ -1680,6 +1548,11 @@ The available (case-insensitive) protocols are:

    A revision of the TLS 1.1 protocol, as defined in RFC 5246.

    +
  • TLSv1.3 (when using OpenSSL 1.1.1 and later) +

    + A new version of the TLS protocol, as defined in + RFC TBD.

  • +
  • all

    This is a shortcut for ``+SSLv3 +TLSv1'' or @@ -1925,7 +1798,7 @@ improvements. - + @@ -2045,28 +1918,6 @@ contain a PEM-encoded certificate and matching private key.

    Example

    SSLProxyMachineCertificatePath "/usr/local/apache2/conf/proxy.crt/"
    - -
    top
    -
    Description:Cipher Suite available for negotiation in SSL proxy handshake
    Syntax:SSLProxyCipherSuite cipher-spec
    Syntax:SSLProxyCipherSuite [protocol] cipher-spec
    Default:SSLProxyCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP
    Context:server config, virtual host, proxy section
    Status:Extension
    - - - - - - -
    Description:Apply the SSLProxy* parts alone of a SSLPolicy
    Syntax:SSLProxyPolicy name
    Context:server config, virtual host
    Status:Extension
    Module:mod_ssl
    Compatibility:Available in httpd 2.4.30 and later
    -

    This directive is similar to SSLPolicy, but -applies only the SSLProxy* directives defined in the policy. This helps -when you need different policies for front and backends:

    - -

    Another Policies for Proxy Only

    SSLPolicy modern
    -SSLProxyPolicy intermediate
    -
    - -

    In this example, the 'modern' policy is first applied for front- and backend. The backend -parts are then overwritten by the 'intermediate' policy settings.

    -
    top

    SSLProxyProtocol Directive
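Review bot: in the @@ -1680 hunk the new TLSv1.3 entry cites "RFC TBD", which would be published to users as a placeholder; until the RFC number can be filled in, refer to the draft or omit the reference. The entry also bears on the `all` shortcut context line directly below it ("This is a shortcut for ``+SSLv3 +TLSv1'' or ..."): that description should say whether `all` now includes TLSv1.3 when built against OpenSSL 1.1.1, since operators use it to reason about which protocols a server will accept.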
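Review bot: in the @@ -1925 hunk the SSLProxyCipherSuite Syntax row gains the optional argument (`+Syntax:SSLProxyCipherSuite [protocol] cipher-spec`), but unlike SSLCipherSuite there is no accompanying prose explaining the "SSL" and "TLSv1.3" values or the OpenSSL 1.1.1 requirement; the proxy directive should get the same paragraph. Unrelated to this change but visible in the same table, the Default row still documents `ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP`, which admits RC4, LOW and EXP suites for backend connections; worth confirming it still matches the compiled-in default before this is republished.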
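Review bot: the @@ -2045 hunk deletes the entire SSLProxyPolicy directive section (description table, the "Another Policies for Proxy Only" example and its explanation) even though the removed table says it is "Available in httpd 2.4.30 and later", and the commit message ("xforms") gives no reason. Reference the source change or CHANGES entry this regeneration follows, so readers can tell whether the directive was removed from the code or merely undocumented. With it gone, the documented way to apply different policies to front- and backend connections disappears; a sentence under SSLPolicy stating how to achieve that now would avoid leaving existing configurations without guidance.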

    -- cgit v1.2.3