Install mod_ssl.so

On a solaris SunOS xxxxxxxxxx5.

Asked 10 years, 11 months ago. Active 3 years, 9 months ago. Viewed 21k times.

I've got version 2.

As an alternative to storing private keys in files, a key identifier can be used to identify a private key stored in a token.

This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase.

Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the standard SSL handshake when a connection is established. Since TLSv1. For a list of TLSv1. An SSL cipher specification in cipher-spec is composed of 4 major attributes plus a few extra minor ones. An SSL cipher can also be an export cipher. SSLv2 ciphers are no longer supported. To specify which ciphers to use, one can either specify all the ciphers, one at a time, or use aliases to specify the preference and order for the ciphers (see Table 1).

The ciphers and aliases that are actually available depend on the OpenSSL version in use. Newer OpenSSL versions may include additional ciphers. Where this becomes interesting is that these can be put together to specify the order and ciphers you wish to use.

These tags can be joined together with prefixes to form the cipher-spec. Available prefixes are:

EXP to any cipher string at initialization. The default cipher-spec string depends on the version of the OpenSSL libraries used. We do this because these ciphers offer a good compromise between speed and security. Next, include high and medium security ciphers. Finally, remove all ciphers which do not authenticate, i. This directive enables use of a cryptographic hardware accelerator board to offload some of the SSL processing overhead.
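The prefix and alias semantics described above, as an added example that is not part of the original answer or of OpenSSL/mod_ssl: a toy Python evaluator over a small constructed cipher table (the tag names follow OpenSSL's alias conventions, but the table itself is an assumption, not a real OpenSSL cipher list).

```python
# Toy evaluator for an OpenSSL/mod_ssl cipher-spec string. Constructed for this page,
# NOT OpenSSL's implementation; the table is a small hand-built subset, each cipher
# carrying the alias tags it belongs to.
CIPHERS = [
    ("ECDHE-ECDSA-AES256-GCM-SHA384", {"kEECDH", "aECDSA", "AESGCM", "AEAD", "HIGH"}),
    ("ECDHE-RSA-AES128-GCM-SHA256", {"kEECDH", "aRSA", "AESGCM", "AEAD", "HIGH"}),
    ("AES128-SHA", {"kRSA", "aRSA", "AES128", "SHA1", "HIGH"}),
    ("DES-CBC3-SHA", {"kRSA", "aRSA", "3DES", "SHA1", "MEDIUM"}),
    ("RC4-MD5", {"kRSA", "aRSA", "RC4", "MD5", "MEDIUM"}),
    ("AECDH-AES128-SHA", {"kEECDH", "aNULL", "AES128", "SHA1", "HIGH"}),
    ("NULL-SHA", {"kRSA", "aRSA", "eNULL", "SHA1"}),
]


def matches(name, tags, spec):
    """A token such as 'kEECDH+aRSA' matches only if every '+'-joined tag applies.
    'ALL' is every cipher except the eNULL (no encryption) ones, as in OpenSSL."""
    for want in spec.split("+"):
        if want == "ALL":
            if "eNULL" in tags:
                return False
        elif want != name and want not in tags:
            return False
    return True


def evaluate(cipher_spec):
    """Apply the colon-separated spec left to right and return the ordered result.
    Prefixes: none = append matching ciphers, '-' = remove (may be re-added later),
    '!' = kill permanently, '+' = move matching ciphers to the end of the list."""
    selected, killed = [], set()
    for token in cipher_spec.split(":"):
        if not token or token.startswith("@"):
            continue  # '@STRENGTH'-style sort directives are not modelled here
        op, spec = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [n for n, t in CIPHERS if matches(n, t, spec)]
        if op == "!":
            killed.update(hits)
            selected = [c for c in selected if c not in killed]
        elif op == "-":
            selected = [c for c in selected if c not in hits]
        elif op == "+":
            selected = [c for c in selected if c not in hits] + [c for c in selected if c in hits]
        else:
            selected += [c for c in hits if c not in selected and c not in killed]
    return selected


if __name__ == "__main__":
    # Strong suite first, then HIGH and MEDIUM, then drop unauthenticated and MD5 suites.
    print(evaluate("ECDHE-ECDSA-AES256-GCM-SHA384:HIGH:MEDIUM:!aNULL:!MD5"))
    print(evaluate("ALL:-RC4:RC4"))  # '-' only removes; re-adding puts RC4 at the end
```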

In Apache 2. At this time no web browsers support RFC. The mode applies to all SSL library operations. If this directive is enabled, the server's preference will be used instead. This vulnerability allowed an attacker to "prefix" a chosen plaintext to the HTTP request as seen by the web server.

A protocol extension was developed which fixed this vulnerability if supported by both client and server. If this directive is enabled, renegotiation will be allowed with old unpatched clients, albeit insecurely. This option sets the default OCSP responder to use. This option enables OCSP validation of the client certificate chain. If this option is enabled, certificates in the client's certificate chain will be validated against an OCSP responder after normal verification (including CRL checks) has taken place.

In mode 'leaf', only the client certificate itself will be validated. The supplied certificates are implicitly trusted without any further validation.

This option sets the maximum allowable age "freshness" for OCSP responses. The default value -1 does not enforce a maximum age, which means that OCSP responses are considered valid as long as their nextUpdate field is in the future. This option sets the maximum allowable time skew for OCSP responses when checking their thisUpdate and nextUpdate fields. This option determines whether queries to OCSP responders should contain a nonce or not.

By default, a query nonce is always used and checked against the response's one. When the responder does not use nonces e. This directive can be used to control various run-time options on a per-directory basis.
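The freshness and time-skew rules above, as an added Python example that is not mod_ssl's own code: a re-implementation of the thisUpdate/nextUpdate checks that OpenSSL's OCSP_check_validity() applies, with max_age and skew standing in for the SSLOCSPResponseMaxAge and SSLOCSPResponseTimeSkew settings; the timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed re-implementation of the thisUpdate/nextUpdate validity test performed
# by OpenSSL's OCSP_check_validity(); not mod_ssl's code. max_age < 0 means no age
# limit (the documented default), skew is the tolerated clock difference in seconds.


def ocsp_times_valid(this_update, next_update, now, max_age=-1, skew=300):
    """Return (ok, reason). next_update may be None if the responder gave none."""
    tol = timedelta(seconds=skew)
    if this_update > now + tol:
        return False, "thisUpdate lies in the future beyond the allowed skew"
    if max_age >= 0 and this_update < now - timedelta(seconds=max_age):
        return False, "thisUpdate is older than the configured maximum age"
    if next_update is not None:
        if next_update < now - tol:
            return False, "nextUpdate has passed: the response has expired"
        if next_update < this_update:
            return False, "nextUpdate precedes thisUpdate"
    return True, "ok"


def check_offsets(this_off, next_off, max_age=-1, skew=300):
    """Experiment helper: offsets are seconds relative to a fixed constructed 'now';
    next_off=None models a response carrying no nextUpdate field."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    nxt = None if next_off is None else now + timedelta(seconds=next_off)
    return ocsp_times_valid(now + timedelta(seconds=this_off), nxt, now, max_age, skew)


if __name__ == "__main__":
    print(check_offsets(-3600, 3600))                 # produced 1h ago, valid 1h more: ok
    print(check_offsets(-3600, 3600, max_age=1800))   # 30-minute freshness limit: rejected
    print(check_offsets(-3 * 86400, None))            # no nextUpdate and no age cap: ok
```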

Normally, if multiple SSLOptions could apply to a directory, then the most specific one is taken completely; the options are not merged. This is disabled by default for performance reasons, because the information extraction step is a rather expensive operation. These contain the PEM-encoded X.

Additionally, all other certificates of the client certificate chain are provided, too. This bloats up the environment a little bit, which is why you have to use this option to enable it on demand. This means that the standard Apache authentication methods can be used for access control. The user name is just the Subject of the Client's X Certificate and can be determined by running OpenSSL's openssl x command: openssl x -noout -subject -in certificate.

Note that no password is obtained from the user. By default a strict scheme is enabled where every per-directory reconfiguration of SSL parameters causes a full SSL renegotiation handshake.

Nevertheless, these granular checks sometimes may not be what the user expects, so enable this on a per-directory basis only, please. Since version 2. This uses commas as delimiters between the attributes, allows the use of non-ASCII characters (which are converted to UTF8), escapes various special characters with backslashes, and sorts the attributes with the "C" attribute last.

This query can be done in two ways, which can be configured by type. This is the default, where an interactive terminal dialog occurs at startup time just before Apache detaches from the terminal. Here the administrator has to manually enter the Pass Phrase for each encrypted Private Key file.

Because a lot of SSL-enabled virtual hosts can be configured, the following reuse scheme is used to minimize the dialog: when a Private Key file is encrypted, all known Pass Phrases (at the beginning there are none, of course) are tried. If one of those known Pass Phrases succeeds, no dialog pops up for this particular Private Key file.

If none succeeded, another Pass Phrase is queried on the terminal and remembered for the next round, where it perhaps can be reused. This mode allows an external program to be used which acts as a pipe to a particular input device; the program is sent the standard prompt text used for the builtin mode on stdin, and is expected to write password strings on stdout. If several passwords are needed (or an incorrect password is entered), additional prompt text will be written subsequent to the first password being returned, and more passwords must then be written back.

Here an external program is configured which is called at startup for each encrypted Private Key file. In versions 2. The intent is that this external program first runs security checks to make sure that the system is not compromised by an attacker, and only when these checks have passed successfully does it provide the Pass Phrase. Both these security checks, and the way the Pass Phrase is determined, can be as complex as you like. Nothing more or less!

So, if you're really paranoid about security, here is your interface. Anything else has to be left as an exercise to the administrator, because local security requirements are so different. The reuse-algorithm above is used here, too. In other words: The external program is called only once per unique Pass Phrase. It is supported by nearly every client. A revision of the TLS 1.

Before OpenSSL 1. For compatibility with previous versions, if no SSLProtocol is configured in a name-based virtual host, the one from the base virtual host still applies, unless SSLProtocol is configured globally, in which case the global value applies (this latter exception is more sensible than compatible, though).

This directive sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose remote servers you deal with. These are used for Remote Server Authentication. This directive sets the directory where you keep the Certificates of Certification Authorities (CAs) whose remote servers you deal with. These are used to verify the remote server certificate on Remote Server Authentication. Enables certificate revocation list (CRL) checking for the remote servers you deal with.

With the introduction of this directive, the behavior has been changed: when checking is enabled, CRLs must be present for the validation to succeed - otherwise it will fail with an "unable to get certificate CRL" error.

These are used to revoke the remote server certificate on Remote Server Authentication. This directive sets whether the remote server certificate's CN field is compared against the hostname of the request URL. If they are not equal, a status code Bad Gateway is sent. In all releases 2. In these releases, both directives must be set to off to completely avoid remote server certificate name validation.

Oscar Gallardo
