File: apache-ssl.docs.html

<TITLE>Apache-SSL Documentation</TITLE>
<BODY BGCOLOR="#FFFFFF">
<CENTER><IMG SRC="ApachSSL.gif" HEIGHT=148 WIDTH=400><H1>Apache-SSL Documentation</H1></CENTER>
<CENTER><FONT SIZE=1>Last updated: <I>
February 06, 2004</I></FONT></CENTER> 
<HR>
<H2>Directives</H2><UL>
<LI><A HREF=#CGI Environment Variables>CGI Environment Variables</A>
<LI><A HREF=#CustomLog>CustomLog</A>
<LI><A HREF=#SSLBanCipher>SSLBanCipher</A>
<LI><A HREF=#SSLCACertificateFile>SSLCACertificateFile</A>
<LI><A HREF=#SSLCACertificatePath>SSLCACertificatePath</A>
<LI><A HREF=#SSLCRLCheckAll>SSLCRLCheckAll</A>
<LI><A HREF=#SSLCacheServerPath>SSLCacheServerPath</A>
<LI><A HREF=#SSLCacheServerPort>SSLCacheServerPort</A>
<LI><A HREF=#SSLCacheServerRunDir>SSLCacheServerRunDir</A>
<LI><A HREF=#SSLCertificateFile>SSLCertificateFile</A>
<LI><A HREF=#SSLCertificateKeyFile>SSLCertificateKeyFile</A>
<LI><A HREF=#SSLCheckClientDN>SSLCheckClientDN</A>
<LI><A HREF=#SSLDenySSL>SSLDenySSL</A>
<LI><A HREF=#SSLDisable>SSLDisable</A>
<LI><A HREF=#SSLEnable>SSLEnable</A>
<LI><A HREF=#SSLExportClientCertificates>SSLExportClientCertificates</A>
<LI><A HREF=#SSLFakeBasicAuth>SSLFakeBasicAuth</A>
<LI><A HREF=#SSLNoCAList>SSLNoCAList</A>
<LI><A HREF=#SSLNoV2>SSLNoV2</A>
<LI><A HREF=#SSLOnCRLExpirySetEnv>SSLOnCRLExpirySetEnv</A>
<LI><A HREF=#SSLOnNoCRLSetEnv>SSLOnNoCRLSetEnv</A>
<LI><A HREF=#SSLOnRevocationSetEnv>SSLOnRevocationSetEnv</A>
<LI><A HREF=#SSLRandomFile>SSLRandomFile</A>
<LI><A HREF=#SSLRandomFilePerConnection>SSLRandomFilePerConnection</A>
<LI><A HREF=#SSLRequireCipher>SSLRequireCipher</A>
<LI><A HREF=#SSLRequireSSL>SSLRequireSSL</A>
<LI><A HREF=#SSLRequiredCiphers>SSLRequiredCiphers</A>
<LI><A HREF=#SSLSessionCacheTimeout>SSLSessionCacheTimeout</A>
<LI><A HREF=#SSLUseCRL>SSLUseCRL</A>
<LI><A HREF=#SSLVerifyClient>SSLVerifyClient</A>
<LI><A HREF=#SSLVerifyDepth>SSLVerifyDepth</A>
</UL>
<HR>
<H2><A NAME=CGI Environment Variables>CGI Environment Variables</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>

<P><PRE>
Name			Value		Desc
<HR>
HTTPS			[if SET]	HTTPS is being used.
HTTPS_CIPHER		&lt;string&gt;	SSL/TLS cipherspec
SSL_CIPHER		&lt;string&gt;	The same as HTTPS_CIPHER
SSL_PROTOCOL_VERSION	&lt;string&gt;	Self explanatory
SSL_SSLEAY_VERSION	&lt;string&gt;	Self explanatory
HTTPS_KEYSIZE		&lt;number&gt;	Number of bits in the session key
HTTPS_SECRETKEYSIZE	&lt;number&gt;	Number of bits in the secret key
SSL_CLIENT_DN		&lt;string&gt;	DN in client's certificate
SSL_CLIENT_&lt;x509&gt;	&lt;string&gt;	Component of client's DN
SSL_CLIENT_I_DN		&lt;string&gt;	DN of issuer of client's certificate
SSL_CLIENT_I_&lt;x509&gt;	&lt;string&gt;	Component of client's issuer's DN
SSL_SERVER_DN		&lt;string&gt;	DN in server's certificate
SSL_SERVER_&lt;x509&gt;	&lt;string&gt;	Component of server's DN
SSL_SERVER_I_DN		&lt;string&gt;	DN of issuer of server's certificate
SSL_SERVER_I_&lt;x509&gt;	&lt;string&gt;	Component of server's issuer's DN
SSL_CLIENT_CERT         &lt;string&gt;        Base64 encoding of client cert
SSL_CLIENT_CERT_CHAIN_<I>n</I> &lt;string&gt;        Base64 encoding of client cert chain
</PRE>
where &lt;x509&gt; is a component of an X509 DN.</P>
<HR>
<H2><A NAME=CustomLog>CustomLog</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>

<P>Although <A
HREF="http://www.apache.org/docs/mod/mod_log_config.html#customlog">CustomLog</A>
is a standard Apache directive, Apache-SSL adds some extra information
that can be logged:</P>

<BLOCKQUOTE>
<PRE>{cipher}c</PRE> The name of the cipher being used for this connection.<BR>

<PRE>{clientcert}c</PRE> The "one-line" version of the certificate presented by the client.<BR>

<PRE>{errcode}c</PRE> If the client certificate verification failed, this is the SSLeay error code. In the case of success a "-" will be logged.<BR>

<PRE>{errstr}c</PRE> This is the SSLeay string corresponding to the error code.<BR>

<PRE>{version}c</PRE> The version of SSL being used. If you are using SSLeay versions prior to 0.9.0, then this is simply a number, 2 for SSL2 or 3 for SSL3. For SSLeay version 0.9.0 and later, it is a string, currently one of "SSL2", "SSL3" or "TLS1".<BR>
</BLOCKQUOTE>
<P>
<STRONG>Example:</STRONG>
<BLOCKQUOTE>
<PRE> 
CustomLog logs/ssl_log "%t %{cipher}c %{clientcert}c %{errcode}c %{errstr}c %{version}c"
</PRE>
</BLOCKQUOTE>
<P>
<BR>
<HR>
<H2><A NAME=SSLBanCipher>SSLBanCipher</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLBanCipher <EM>cipher-list</EM><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host, .htaccess, directory<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Override><STRONG>Override:</STRONG></A> FileInfo<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> ??<BR>

<P>This directive specifies a space-separated list of cipher suites, as
per <A HREF=#SSLRequireCipher>SSLRequireCipher</A>, except it bans
them. It goes like this: if banned, reject; if required, accept; if no
required ciphers listed, accept.</P>

<P><STRONG>Examples:</STRONG>
<BLOCKQUOTE><PRE>
SSLBanCipher RC4-MD5 EXP-RC4-MD5
</PRE>
 or (a rather sensible one to use by default):
<PRE>
SSLBanCipher NULL-MD5 NULL-SHA
</PRE></BLOCKQUOTE></P> 
<HR>
<H2><A NAME=SSLCACertificateFile>SSLCACertificateFile</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLCACertificateFile <EM>file</EM><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> ??<BR>

<P>You can use this directive instead of
<A HREF="#SSLCACertificatePath">SSLCACertificatePath</A> to specify a
single certificate file. This file can contain more than one certificate.</P>

<P><STRONG>Example:</STRONG>
<BLOCKQUOTE><PRE>
SSLCACertificateFile /usr/local/apache/certs/my.ca.pem
</PRE></BLOCKQUOTE></P>
<HR>
<H2><A NAME=SSLCACertificatePath>SSLCACertificatePath</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLCACertificatePath <EM>directory</EM><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> ??<BR>

<P>This is the path to the directory where you keep the certificates
of the certification authorities whose client certificates you are
prepared to accept. They must be PEM encoded (or, at least, what
SSLeay calls PEM encoded).</P>

<P><STRONG>Example:</STRONG>
<BLOCKQUOTE><PRE>
SSLCACertificatePath /usr/local/apache/certs
</PRE></BLOCKQUOTE></P>
<HR>
<H2><A NAME=SSLCRLCheckAll>SSLCRLCheckAll</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLCRLCheckAll<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> apache_1.3.28+ssl_1.50<BR>

<P>Check all certificates in the chain against their CRLs, rather than
just the client certificate.
<HR>
<H2><A NAME=SSLCacheServerPath>SSLCacheServerPath</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLCacheServerPath <EM>command</EM><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> ??<BR>

<P>This is the path of the global cache server executable,
<I>gcache</I>. It can be absolute or relative to the ServerRoot.</P>

<P><STRONG>Example:</STRONG>
<BLOCKQUOTE><PRE>
SSLCacheServerPath /usr/local/apache/bin/gcache
</PRE>
or
<PRE>
SSLCacheServerPath bin/gcache
</PRE></BLOCKQUOTE></P>
<HR>
<H2><A NAME=SSLCacheServerPort>SSLCacheServerPort</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLCacheServerPort <EM>port|filename</EM><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> apache_1.3.2+ssl_1.27<BR>

<P>The global cache server specified in <A
HREF=#SSLCacheServerPath>SSLCacheServerPath</A> can use either TCP/IP
or Unix domain sockets. If the argument is a number, then a TCP/IP
port at that number is used, otherwise it must be a fully qualified
filename to use for a Unix domain socket.</P>

<P>Note that an attacker can do bad things if they can connect to gcache, so
it is important to ensure that Apache-SSL is the <I>only</I> thing that can
connect to the port specified, either with firewalls or with appropriate file
permissions on a Unix domain socket.</P>

<P><STRONG>Examples:</STRONG>
<BLOCKQUOTE><PRE>
SSLCacheServerPort 12345
</PRE>
or
<PRE>
SSLCacheServerPort /a/path/to/a/socket
</PRE></BLOCKQUOTE></P>
<HR>
<H2><A NAME=SSLCacheServerRunDir>SSLCacheServerRunDir</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLCacheServerRunDir <EM>directory</EM><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> ??<BR>

<P>Set the directory <I>gcache</I> runs in. Useful only for debugging, so
<I>gcache</I> can produce core dumps.
<HR>
<H2><A NAME=SSLCertificateFile>SSLCertificateFile</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLCertificateFile <EM>file</EM><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> ??<BR>

<P>This is your PEM-encoded server certificate (strictly, it is what
SSLeay calls PEM, which isn't really).</P>

<P><STRONG>Example:</STRONG>
<BLOCKQUOTE><PRE>
SSLCertificateFile /usr/local/apache/certs/my.server.pem
</PRE></BLOCKQUOTE></P>
<HR>
<H2><A NAME=SSLCertificateKeyFile>SSLCertificateKeyFile</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLCertificateKeyFile <EM>file</EM><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Default><STRONG>Default:</STRONG></A> <CODE>embedded in <CODE>SSLCertificateFile</CODE></CODE><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> ??<BR>

<P>This is the private key of your certificate, PEM-encoded. If the
key is not combined with the
<A HREF=#SSLCertificateFile>SSLCertificateFile</A>, use this directive to
point at the key file. If the filename starts with /, it specifies an
absolute path; otherwise, it is relative to the default certificate
area that is currently defined by SSLeay to be either:
/usr/local/ssl/private or
<EM>wherever_you_told_ssl_to_install</EM>/private.</P>

<P><STRONG>Examples:</STRONG>
<BLOCKQUOTE><PRE>
SSLCertificateKeyFile /usr/local/apache/certs/my.server.key.pem
</PRE>
or
<PRE>
SSLCertificateKeyFile certs/my.server.key.pem
</PRE></BLOCKQUOTE></P>
<HR>
<H2><A NAME=SSLCheckClientDN>SSLCheckClientDN</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLCheckClientDN <EM>file</EM><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> apache_1.3.19+ssl_1.43<BR>

<P>The client DN is checked against the file. If it appears in the
file, access is permitted; if it does not, access is denied. This allows client
certificates to be checked and basic auth to be used as well, which
cannot happen with the alternative, <A
HREF=#SSLFakeBasicAuth>SSLFakeBasicAuth</A>.</P>
<HR>
<H2><A NAME=SSLDenySSL>SSLDenySSL</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLDenySSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host, .htaccess, directory<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Override><STRONG>Override:</STRONG></A> FileInfo<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> apache_1.3.6+ssl_1.36<BR>

<P>Deny SSL. The opposite of <A HREF=#SSLRequireSSL>SSLRequireSSL</A>. Access will
be denied if SSL is active.</P>
<P><STRONG>Example:</STRONG>
<BLOCKQUOTE><PRE>
&lt;Directory /some/where/that/must/be/in/the/clear&gt;
  <B>SSLDenySSL</B>
&lt;/Directory&gt;
</PRE></BLOCKQUOTE></P>
<HR>
<H2><A NAME=SSLDisable>SSLDisable</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLDisable<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Default><STRONG>Default:</STRONG></A> <CODE>SSLEnable</CODE><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> ??<BR>

<P>Disable SSL. This is useful if you wish to run both secure and
nonsecure hosts on the same server. Conversely, SSL is enabled via
<A HREF="#SSLEnable">SSLEnable</A>.</P>
<HR>
<H2><A NAME=SSLEnable>SSLEnable</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLEnable<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Default><STRONG>Default:</STRONG></A> <CODE>SSLEnable</CODE><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> ??<BR>

<P>Enable SSL. The default, but if you've used <A
HREF=#SSLDisable>SSLDisable</A> in the main server, you can enable SSL
again for virtual hosts using this directive.</P>
<HR>
<H2><A NAME=SSLExportClientCertificates>SSLExportClientCertificates</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLExportClientCertificates<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host, .htaccess, directory<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> apache_1.3.2+ssl_1.27<BR>

<P>Export client certificates and the certificate chain behind them to CGIs.
The certificates are base 64 encoded in the environment variables
<CODE>SSL_CLIENT_CERT</CODE> and <CODE>SSL_CLIENT_CERT_CHAIN_<I>n</I></CODE>,
where <CODE><I>n</I></CODE> runs from 1 upwards.</P>

<P><STRONG>Example:</STRONG>
<BLOCKQUOTE>
<P>For a working example, see: <A HREF="https://www.apache-ssl.org/cgi/cert-export">https://www.apache-ssl.org/cgi/cert-export</A><BR>
Simple shell script source for the above example can be found <A HREF="cert-export.txt">here</A>.
</BLOCKQUOTE>

<P>N.B. This directive is only enabled if <CODE>APACHE_SSL_EXPORT_CERTS</CODE>
is set to <CODE>TRUE</CODE> in <I>.../src/include/buff.h</I>.
<HR>
<H2><A NAME=SSLFakeBasicAuth>SSLFakeBasicAuth</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLFakeBasicAuth<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> ??<BR>

<P>This directive simulates user logons using <A
HREF="http://www.apache.org/docs/mod/mod_auth.html">basic
authentication</A>, using the one-line certificate name - a version of
the client's certificate produced by the SSLeay function
X509_NAME_oneline() (note that this may be the Distinguished Name of
the subject of the cert, but SSLeay appears to make no promise of
this). If enabled with <A HREF=#SSLVerifyClient>SSLVerifyClient</A>,
you should see the name in the error log when a non-authorised user
attempts a connection, and access will be refused.  To allow access to
the user, add the name and fixed password
''<CODE>xxj31ZMTZzkVA</CODE>'' (which is ''password'' encrypted) to
the auth file.</P>
<P><STRONG>Example:</STRONG>
<BLOCKQUOTE><PRE>
  SSLFakeBasicAuth
  &lt;Directory /www/watchdog/htdocs&gt;
     AllowOverride none
     AuthUserFile /www/auth/watchdog/users
     AuthType Basic
     AuthName Watchdog
     Require valid-user
   &lt;/Directory&gt;
</PRE></BLOCKQUOTE></P>
<P>See also <A HREF=#SSLCheckClientDN>CheckClientDN</A>.</P>
<HR>
<H2><A NAME=SSLNoCAList>SSLNoCAList</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLNoCAList<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> apache_1.3.6+ssl_1.34<BR>

<P>Disable presentation of CA list for client certificate authentication. Unlikely
to be useful in a production environment, but extremely handy for testing purposes.
<HR>
<H2><A NAME=SSLNoV2>SSLNoV2</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLNoV2<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> apache_1.3.29+ssl_1.53<BR>

<P>Disable SSL version 2 - this version has known security issues,
so unless there's a good reason, always use this directive.</P>
<HR>
<H2><A NAME=SSLOnCRLExpirySetEnv>SSLOnCRLExpirySetEnv</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLOnCRLExpirySetEnv <EM>var</EM><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> apache_1.3.28+ssl_1.52<BR>

<P>If the CRL has expired, instead of returning an error to the
client, permit the SSL session to be established and set the named
environment variable to "YES". Note that there is no SSL error to
handle this situation, so when this directive isn't used, the error
returned by OpenSSL is that the client certificate has expired.
<HR>
<H2><A NAME=SSLOnNoCRLSetEnv>SSLOnNoCRLSetEnv</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLOnNoCRLSetEnv <EM>var</EM><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> apache_1.3.28+ssl_1.52<BR>

<P>If there is no CRL for the client certificate, instead of returning
an error to the client, permit the SSL session to be established and
set the named environment variable to "YES".

<HR>
<H2><A NAME=SSLOnRevocationSetEnv>SSLOnRevocationSetEnv</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLOnRevocationSetEnv <EM>var</EM><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> apache_1.3.28+ssl_1.50<BR>

<P>Instead of returning an SSL error to the client, permit the SSL
session to be established and set the named environment variable to
"YES".
<HR>
<H2><A NAME=SSLRandomFile>SSLRandomFile</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLRandomFile file|egd <EM>file|egd-socket bytes</EM><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> apache_1.3.4+ssl_1.31<BR>

<P>Load some randomness. This is loaded at startup, reading at most <EM>bytes</EM> 
bytes from <EM>file</EM>.  The randomness will be <EM>shared</EM> between 
all server instances. You can have as many of these as you want.
<P><STRONG>Example:</STRONG>
<BLOCKQUOTE><PRE>
  SSLRandomFile file /dev/urandom 1024

    or

  SSLRandomFile egd /path/to/egd/socket 1024
</PRE></BLOCKQUOTE>
<P>N.B. This directive may cause your server to hang until the requested number of random bytes have
been read from the device. If in doubt, check the functionality of <I>/dev/random</I> on your platform, but
as a general rule, the alternate device <I>/dev/urandom</I> will return immediately (at the potential
cost of less randomness). On systems that have no random device, tools such as the <A HREF="http://www.lothar.com/tech/crypto/">
Entropy Gathering Daemon</A> can be used to provide random data. The first argument specifies if the random source is a file/device
or the egd socket.
On a Sun, it is rumoured you can install a package called SUNski that will give you /etc/random. It is also part of patch 105710-01. 
<HR>
<H2><A NAME=SSLRandomFilePerConnection>SSLRandomFilePerConnection</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLRandomFilePerConnection file|egd <I>file|egd-socket bytes</I><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> apache_1.3.4+ssl_1.31<BR>

<P>Load some randomness (per connection). This will be loaded before SSL is negotiated for each connection.
Again, you can have as many of these as you want, and they will all be used at each connection.
<P><STRONG>Example:</STRONG>
<BLOCKQUOTE><PRE>
  SSLRandomFilePerConnection file /dev/urandom 1024

    or

  SSLRandomFilePerConnection egd /path/to/egd/socket 1024
</PRE></BLOCKQUOTE>
<P>N.B. See footnote for <A HREF=#SSLRandomFile>SSLRandomFile</A> above.
<HR>
<H2><A NAME=SSLRequireCipher>SSLRequireCipher</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLRequireCipher <EM>cipher-list</EM><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host, .htaccess, directory<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Override><STRONG>Override:</STRONG></A> FileInfo<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> ??<BR>

<P>This directive specifies a space-separated list of cipher suites,
used after the connection is established to verify that the negotiated cipher
is one of those listed. This is a per-directory option. Possible suites are listed
<A HREF=#Ciphers>below</A>. Because the check happens after the handshake, it
restricts which requests are served, not which suites may be negotiated in the
first place; to do the latter use <A HREF=#SSLRequiredCiphers>SSLRequiredCiphers</A>.
Do not list suites you would not want to accept: the <TT>EXP-*</TT> (40-bit) and
<TT>NULL-*</TT> (unencrypted) entries in the table below provide little or no
confidentiality.</P>

<P><STRONG>Example:</STRONG>
<BLOCKQUOTE><PRE>
SSLRequireCipher RC4-MD5 EXP-RC4-MD5
</PRE></BLOCKQUOTE></P>
<HR>
<H2><A NAME=SSLRequireSSL>SSLRequireSSL</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLRequireSSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host, .htaccess, directory<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Override><STRONG>Override:</STRONG></A> FileInfo<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> ??<BR>

<P>Require SSL. This can be used in <Directory...> sections (and
elsewhere) to protect against inadvertently disabling SSL. If SSL is
not in use when this directive applies, access will be refused. This
is a useful belt-and-braces measure for critical information. Conversely,
deny SSL connections with <A HREF="#SSLDenySSL">SSLDenySSL</A>.</P>
<P><STRONG>Example:</STRONG>
<BLOCKQUOTE><PRE>
&lt;Directory /some/where/important&gt;
  <B>SSLRequireSSL</B>
&lt;/Directory&gt;
</PRE></BLOCKQUOTE></P>
<HR>
<H2><A NAME=SSLRequiredCiphers>SSLRequiredCiphers</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLRequiredCiphers <EM>cipher-list</EM><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> ??<BR>

<P>This directive specifies a colon-separated list of cipher suites,
used by SSLeay to limit what the client end can do. Possible suites are listed
<A HREF=#Ciphers>below</A>. This is the directive that actually limits what
can be negotiated, so it is the right place to exclude the <TT>NULL-*</TT>
(0-bit) and <TT>EXP-*</TT> (40-bit) suites shown in that table.
The SSL protocol does not restrict clients and servers to a single
encryption brew for the secure exchange of information. There are a
number of possible cryptographic ingredients, but as in any cooking pot,
some ingredients go better together than others. The seriously
interested can refer to Bruce Schneier's <I>Applied Cryptography</I>, published
by John Wiley &amp; Sons, in conjunction with the SSL specification (from
<A HREF="http://www.netscape.com/">Netscape</A>). The list of cipher suites is also in the <A HREF="http://www.psy.uq.oz.au/~ftp/Crypto/">SSLeay</A>
software at .../ssl/ssl.h. The macro names give a better idea of what is
meant than the text strings.</P>

<P><STRONG>Example:</STRONG>
<BLOCKQUOTE><PRE>
SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA
</PRE></BLOCKQUOTE></P>
<HR>
<H2><A NAME=SSLSessionCacheTimeout>SSLSessionCacheTimeout</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLSessionCacheTimeout <EM>seconds</EM><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> ??<BR>

<P>An SSL session (with its negotiated keying material) is created when a
client completes a full handshake with the server. This directive sets the
length of time in seconds for which that session is cached locally and may be
resumed without a full handshake. Lower values limit how long one session's
keying material remains reusable (and so bound the exposure should it be
compromised) but are also slower, as a full handshake must be repeated each
time the cache entry expires. If client certificates are being requested by
the server, they will also have to be re-presented at each expiry. For
many purposes timeouts measured in hours are perfectly safe.</P>

<P><STRONG>Example:</STRONG>
<BLOCKQUOTE><PRE>
SSLSessionCacheTimeout 3600
</PRE></BLOCKQUOTE></P>
<HR>
<H2><A NAME=SSLUseCRL>SSLUseCRL</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLUseCRL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> apache_1.3.28+ssl_1.50<BR>

<P>Client certificates are checked against an appropriate CRL. The CRL
is expected to be in the path set by <A
HREF=#SSLCACerificatePath>SSLCACertificatePath</A>. The CRL should be
in PEM format, and symlinked to a file of the form
<TT>&lt;hash&gt;.r&lt;number&gt;</TT>, where <TT>&lt;number&gt;</TT> starts
at 0 and only needs incrementing when two CRLs share the same hash. Assuming
no hash collisions this can be generated like this:
<BLOCKQUOTE><PRE>
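# Quote $file in case the path contains spaces; only create the link if
# openssl succeeded, so a failed run cannot leave a dangling ".r0" link.
hash=$(openssl crl -hash -in "$file" -noout) &&
  ln -sf "$file" "$hash.r0"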
</PRE></BLOCKQUOTE>
<P><B>N.B. The CRL is <I>not</I> reloaded when updated - Apache must
be restarted for that to happen!</B> Until it is, a certificate revoked in the
new CRL is still accepted, so restart Apache whenever the CRL is refreshed.
<HR>
<H2><A NAME=SSLVerifyClient>SSLVerifyClient</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLVerifyClient <EM>level</EM><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Default><STRONG>Default:</STRONG></A> <CODE>SSLVerifyClient 0</CODE><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> ??<BR>

<P>This directive defines what certification you require of clients:
<BLOCKQUOTE>
0 - No certificate required.<BR>
1 - The client <STRONG>may</STRONG> present a valid certificate. If a certificate is presented, it must be from a Certification Authority for which the server holds a certificate. Since the request proceeds even when no certificate is presented, an application relying on the client identity must check that one was actually supplied.<BR>
2 - The client <STRONG>must</STRONG> present a valid certificate from a Certification Authority for which the server holds a certificate; otherwise the connection is not accepted.<BR>
3 - The client <STRONG>may</STRONG> present a certificate, but not necessarily from
a Certification Authority for which the server holds a certificate. Such a certificate has not been verified against any trusted CA and must not, on its own, be used for authentication or access control.
</BLOCKQUOTE></P>

<P><STRONG>Example:</STRONG>
<BLOCKQUOTE><PRE>
SSLVerifyClient 2
</PRE></BLOCKQUOTE></P>
<HR>
<H2><A NAME=SSLVerifyDepth>SSLVerifyDepth</A></H2>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Syntax><STRONG>Syntax:</STRONG></A> SSLVerifyDepth <EM>depth</EM><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Default><STRONG>Default:</STRONG></A> <CODE>SSLVerifyDepth 0</CODE><BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Context><STRONG>Context:</STRONG></A> server config, virtual host<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Status><STRONG>Status:</STRONG></A> Extension<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Module><STRONG>Module:</STRONG></A> Apache-SSL<BR>
<A HREF=http://www.apache.org/docs/mod/directive-dict.html#Compatibility><STRONG>Compatibility:</STRONG></A> ??<BR>

<P>In real life, the certificate we are dealing with was issued by a
CA who in turn relied on another CA to validate them, and so on, back
to a root certificate. This directive specifies how far up the
chain we are prepared to go before giving up. What happens when we
give up is determined by the setting given to <A
HREF="#SSLVerifyClient">SSLVerifyClient</A>. Normally you only trust
certificates signed directly by a CA you've authorised, so this should
be set to 1. A larger depth admits certificates issued via intermediate CAs
you may never have reviewed, so use the smallest value your PKI needs.</P>

<P><STRONG>Example:</STRONG>
<BLOCKQUOTE><PRE>
SSLVerifyDepth 1
</PRE></BLOCKQUOTE></P>
<HR>
<H2><A NAME=Ciphers>Cipher Suites</A></H2>
<P>Suites with 0 or 40 in the <I>Encrypted Keysize</I> column (the
<TT>NULL-*</TT> and <TT>EXP-*</TT> entries) provide no or negligible
confidentiality and should normally be excluded with
<A HREF=#SSLRequiredCiphers>SSLRequiredCiphers</A>. The <TT>ADH-*</TT>
(anonymous Diffie-Hellman) suites provide no server authentication.</P>
<PRE>
									Encrypted
SSLeay name				Config name		Keysize	Keysize
<HR>
SSL3_TXT_RSA_IDEA_128_SHA		IDEA-CBC-SHA		128	128
SSL3_TXT_RSA_NULL_MD5			NULL-MD5	 	0	0
SSL3_TXT_RSA_NULL_SHA	 		NULL-SHA	 	0	0
SSL3_TXT_RSA_RC4_40_MD5			EXP-RC4-MD5		128	40
SSL3_TXT_RSA_RC4_128_MD5		RC4-MD5			128	128
SSL3_TXT_RSA_RC4_128_SHA		RC4-SHA			128	128
SSL3_TXT_RSA_RC2_40_MD5			EXP-RC2-CBC-MD5		128	40
SSL3_TXT_RSA_IDEA_128_SHA		IDEA-CBC-MD5		128	128
SSL3_TXT_RSA_DES_40_CBC_SHA		EXP-DES-CBC-SHA		56	40
SSL3_TXT_RSA_DES_64_CBC_SHA		DES-CBC-SHA		56	56
SSL3_TXT_RSA_DES_192_CBC3_SHA		DES-CBC3-SHA		168	168
SSL3_TXT_DH_DSS_DES_40_CBC_SHA		EXP-DH-DSS-DES-CBC-SHA	56	40
SSL3_TXT_DH_DSS_DES_64_CBC_SHA		DH-DSS-DES-CBC-SHA	56	56
SSL3_TXT_DH_DSS_DES_192_CBC3_SHA 	DH-DSS-DES-CBC3-SHA	168	168
SSL3_TXT_DH_RSA_DES_40_CBC_SHA		EXP-DH-RSA-DES-CBC-SHA	56	40
SSL3_TXT_DH_RSA_DES_64_CBC_SHA		DH-RSA-DES-CBC-SHA	56	56
SSL3_TXT_DH_RSA_DES_192_CBC3_SHA 	DH-RSA-DES-CBC3-SHA	168	168
SSL3_TXT_EDH_DSS_DES_40_CBC_SHA		EXP-EDH-DSS-DES-CBC-SHA	56	40
SSL3_TXT_EDH_DSS_DES_64_CBC_SHA		EDH-DSS-DES-CBC-SHA	56	56
SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA	EDH-DSS-DES-CBC3-SHA	168	168
SSL3_TXT_EDH_RSA_DES_40_CBC_SHA		EXP-EDH-RSA-DES-CBC-SHA	56	40
SSL3_TXT_EDH_RSA_DES_64_CBC_SHA		EDH-RSA-DES-CBC-SHA	56	56
SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA	EDH-RSA-DES-CBC3-SHA	168	168
SSL3_TXT_ADH_RC4_40_MD5			EXP-ADH-RC4-MD5		128	40
SSL3_TXT_ADH_RC4_128_MD5		ADH-RC4-MD5		128	128
SSL3_TXT_ADH_DES_40_CBC_SHA		EXP-ADH-DES-CBC-SHA	56	40
SSL3_TXT_ADH_DES_64_CBC_SHA		ADH-DES-CBC-SHA		56	56
SSL3_TXT_ADH_DES_192_CBC_SHA		ADH-DES-CBC3-SHA	168	168
SSL3_TXT_FZA_DMS_NULL_SHA		FZA-NULL-SHA		0	0
SSL3_TXT_FZA_DMS_FZA_SHA		FZA-FZA-CBC-SHA		-1	-1
SSL3_TXT_FZA_DMS_RC4_SHA		FZA-RC4-SHA		128	128
SSL2_TXT_DES_64_CFB64_WITH_MD5_1	DES-CFB-M1		56	56
SSL2_TXT_RC2_128_CBC_WITH_MD5		RC2-CBC-MD5		128	128
SSL2_TXT_DES_64_CBC_WITH_MD5		DES-CBC-MD5		56	56
SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5	DES-CBC3-MD5		168	168
SSL2_TXT_RC4_64_WITH_MD5		RC4-64-MD5		64	64
SSL2_TXT_NULL				NULL			0	0
</PRE>
<A HREF="http://www.apache-ssl.org">Return</A> to the Apache-SSL homepage.<P>
<HR><BR>
<CENTER><IMG SRC="SmallSSL.gif" HEIGHT=64 WIDTH=259></CENTER>
<FONT SIZE=1>Copyright &copy; 1995,6,7,8,9,2000,1,2,3 Ben Laurie, Adam Laurie.
<BR>With acknowledgement to Ralf S. Engelschall.</FONT>
</BODY>