SSL Directives
SSLEngine
Description | Enable SSL processing. |
Synopsis | SSLEngine [on | off] |
Context | Default Server, Virtual Host |
Example | <VirtualHost *:443> SSLEngine on </VirtualHost> |
Notes |
The SSLEngine directive enables SSL processing for the enclosing block of directives. They may be for either the default server or a Virtual Host. By default the SSL engine is not enabled. |
SSLProtocol
Description | Specify the SSL protocols to enable. |
Synopsis | SSLProtocol [+ | -] protocol ... |
Context | Default Server, Virtual Host |
Example | SSLProtocol all -SSLv2 |
Notes |
The SSLProtocol directive defines which SSL protocol variants to enable. The following protocol options are available:
- SSLv2: the original Secure Sockets Layer (SSL) protocol defined by Netscape. It has several flaws and should not be used if SSLv3 or TLSv1 are available.
- SSLv3: the Secure Sockets Layer (SSL) protocol version 3.
- TLSv1: the Transport Layer Security (TLS) protocol version 1. It is the current standard defined by the IETF and should be used if available.
- ALL: enables all protocol variants. |
Security |
Do not enable SSLv2. The following example is the recommended configuration for the SSLProtocol directive. It enables SSLv3 and TLSv1 and disables SSLv2: SSLProtocol all -SSLv2 . SSLv3 has since been deprecated as well (RFC 7568, following the POODLE attack), so where every client supports TLS, remove it too: SSLProtocol all -SSLv2 -SSLv3 |
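To make the `[+ | -] protocol` syntax concrete, the following added example (not Appweb's code) models how an SSLProtocol line is evaluated. It assumes the rules of Apache mod_ssl, from which this directive is borrowed: options are processed left to right, a bare name replaces the current set, `+name` adds, `-name` removes, and `all` names every variant; that Appweb applies exactly these rules is an assumption. The protocol names are the three listed above.

```python
"""Evaluate an SSLProtocol value such as "all -SSLv2".

Added example, not Appweb code. Assumed rules (those of Apache mod_ssl):
options are processed left to right; a bare name replaces the current set,
"+name" adds, "-name" removes, and "all" stands for every variant. Names
are compared case-insensitively, so "-SSLV2" works as well as "-SSLv2".
"""

KNOWN = ("SSLv2", "SSLv3", "TLSv1")   # the variants documented on this page
UNSAFE = {"SSLv2"}                    # what this page says never to enable


def _match(name):
    """Resolve one protocol name (or 'all') to the set of variants it names."""
    lname = name.lower()
    if lname == "all":
        return set(KNOWN)
    hits = {p for p in KNOWN if p.lower() == lname}
    if not hits:
        raise ValueError("unknown protocol %r in SSLProtocol" % name)
    return hits


def enabled_protocols(value):
    """Return the set of protocols an SSLProtocol line leaves enabled."""
    enabled = set()
    for token in value.split():
        if token[0] == "+":
            enabled |= _match(token[1:])
        elif token[0] == "-":
            enabled -= _match(token[1:])
        else:
            # a bare name is not additive: "SSLv3 TLSv1" ends with TLSv1 only
            enabled = _match(token)
    if not enabled:
        raise ValueError("SSLProtocol %r enables nothing; no handshake can succeed" % value)
    return enabled


def unsafe_protocols(value):
    """Protocols left enabled by `value` that should be turned off."""
    return enabled_protocols(value) & UNSAFE


if __name__ == "__main__":
    for line in ("all -SSLv2", "-SSLv2 all", "SSLv3 TLSv1", "TLSv1"):
        print("SSLProtocol %-12s -> %s" % (line, sorted(enabled_protocols(line))))
```

The two pitfalls worth noticing: `-SSLv2 all` silently re-enables SSLv2 because `all` is processed after the removal, and `SSLv3 TLSv1` without prefixes leaves only TLSv1, since the second bare name replaces the first.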
SSLCipherSuite
Description | Selects the cipher suite to use when negotiating SSL sessions. |
Synopsis | SSLCipherSuite cipher-spec |
Context | Default Server, Virtual Host |
Example | SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP |
Notes |
The SSLCipherSuite directive specifies the cipher algorithms to use when handshaking and negotiating SSL sessions, that is, the ciphers Appweb will accept from a client. This is a complex directive. Don't change it unless you really know what you are doing; it is easy to weaken your security via bad edits. The following explanation has been taken from the Apache documentation: An SSL cipher specification in cipher-spec is composed of 4 major attributes plus a few extra minor ones.
An SSL cipher can also be an export cipher and is either an SSLv2 or SSLv3/TLSv1 cipher (here TLSv1 is equivalent to SSLv3). To specify which ciphers to use, one can either specify all the ciphers, one at a time, or use aliases to specify the preference and order for the ciphers (see Table 1).
These can be put together to specify the ciphers and the order in which you wish to use them, and aliases such as HIGH, MEDIUM, LOW, EXP and SSLv2 select whole groups of ciphers at once. A simpler way to look at all of this is the cipher-spec the Apache documentation uses as its example, ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP, which means the following: first, remove from consideration any ciphers that do not authenticate, i.e. for SSL only the Anonymous Diffie-Hellman ciphers. Next, use ciphers using RC4 and RSA. Next include the high, medium and then the low security ciphers. Finally pull all SSLv2 and export ciphers to the end of the list.
That spec illustrates the syntax, not a recommended policy: it still permits RC4, LOW and export-grade ciphers and merely moves SSLv2 ciphers to the end of the list, all of which should be excluded outright with ! on a current deployment. |
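The difference between `!`, `-`, `+` and a bare alias is what makes bad edits dangerous, so here is an added example (not Appweb's or OpenSSL's code) that evaluates a cipher-spec under the OpenSSL cipher-string rules the Apache text describes. The cipher table it works on is a constructed, much-reduced stand-in for OpenSSL's real list, with tags chosen so that the aliases used above select something; the names and tags are illustrative, not a claim about which suites Appweb ships.

```python
"""Evaluate a cipher-spec under the OpenSSL cipher-string rules.

Added example, not Appweb or OpenSSL code. Rules, as OpenSSL applies them:
items are ':'-separated; a bare item appends matching ciphers not yet
listed; '-' removes them (a later item may add them back); '!' removes them
for the rest of the spec; '+' moves ciphers already listed to the end,
lowering their preference; 'A+B' means ciphers matching both A and B.
"""
import re

# Constructed table: (cipher name, tags). Tags mirror OpenSSL alias names.
CIPHERS = [
    ("DES-CBC3-SHA",     {"kRSA", "aRSA", "RSA", "3DES", "SHA1", "SSLv3", "HIGH"}),
    ("RC4-SHA",          {"kRSA", "aRSA", "RSA", "RC4", "SHA1", "SSLv3", "MEDIUM"}),
    ("RC4-MD5",          {"kRSA", "aRSA", "RSA", "RC4", "MD5", "SSLv3", "MEDIUM"}),
    ("DES-CBC-SHA",      {"kRSA", "aRSA", "RSA", "DES", "SHA1", "SSLv3", "LOW"}),
    ("EXP-RC4-MD5",      {"kRSA", "aRSA", "RSA", "RC4", "MD5", "SSLv3", "EXP"}),
    ("ADH-DES-CBC3-SHA", {"kEDH", "aNULL", "ADH", "3DES", "SHA1", "SSLv3", "HIGH"}),
    ("DES-CBC3-MD5",     {"kRSA", "aRSA", "RSA", "3DES", "MD5", "SSLv2", "HIGH"}),
    ("EXP-RC2-CBC-MD5",  {"kRSA", "aRSA", "RSA", "RC2", "MD5", "SSLv2", "EXP"}),
]


def _matches(pattern, tags):
    """'RC4+RSA' matches a cipher carrying every listed tag; 'ALL' matches any."""
    return all(part == "ALL" or part in tags for part in pattern.split("+"))


def evaluate(spec, ciphers=CIPHERS):
    """Return the cipher names `spec` selects, in preference order."""
    order, killed = [], set()
    for item in re.split(r"[:, ]+", spec.strip()):
        if not item:
            continue
        op = item[0] if item[0] in "!-+" else ""
        pattern = item[len(op):]
        hits = [name for name, tags in ciphers if _matches(pattern, tags)]
        if op == "!":       # remove now and refuse any later re-add
            killed.update(hits)
            order = [c for c in order if c not in hits]
        elif op == "-":     # remove, but a later item may add it back
            order = [c for c in order if c not in hits]
        elif op == "+":     # demote: move the listed hits to the end
            order = [c for c in order if c not in hits] + [c for c in order if c in hits]
        else:               # add hits not yet listed and not killed
            order += [c for c in hits if c not in order and c not in killed]
    return order


APACHE_EXAMPLE = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"

if __name__ == "__main__":
    for spec in (APACHE_EXAMPLE, "ALL:-ADH:ADH", "ALL:!ADH:ADH",
                 "HIGH:!aNULL:!EXP:!RC4:!SSLv2"):
        print("%-32s -> %s" % (spec, evaluate(spec)))
```

Run against the constructed table, the Apache example does what the prose says: anonymous DH is gone, the export suites end up last, and the SSLv2 suite sits near the end, but RC4 and single-DES are still offered. `ALL:-ADH:ADH` quietly puts anonymous DH back, whereas `ALL:!ADH:ADH` does not, which is why exclusions in a hardened spec should use `!`.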
SSLCertificateFile
Description | Defines the location of the X.509 file containing the server certificate |
Synopsis | SSLCertificateFile path |
Context | Default Server, Virtual Host |
Example | SSLCertificateFile /var/appweb/server.crt |
Notes |
The SSLCertificateFile directive defines the file containing the PEM encoded X.509 certificate for the server. The file may also contain the private key for the server in which case you do not need to use the SSLCertificateKeyFile directive. The path may be an absolute path or it may be relative to the ServerRoot. |
SSLCertificateKeyFile
Description | Defines the location of the server's private key |
Synopsis | SSLCertificateKeyFile path |
Context | Default Server, Virtual Host |
Example | SSLCertificateKeyFile /var/appweb/server.key.pem |
Notes |
The SSLCertificateKeyFile directive defines the file containing the PEM-encoded private key for the server. This directive is not required if the server's private key is combined with the certificate file. If the private key is encrypted, you will be prompted to enter the pass-phrase to decrypt the private key whenever the server starts, including after a system reboot. |
Security | There is a dilemma here. If you use an encrypted private key, the server will pause until you enter the pass-phrase, which makes unattended (headless) operation impossible. If you do not encrypt the private key, the key is more exposed should the server be compromised. Which option you choose depends on whether headless operation is essential. If the key is stored unencrypted, at least keep it outside the document root, owned by the user the server runs as and readable by that user only (for example mode 0600), so that a file-disclosure bug does not also leak the key. |
SSLCACertificateFile
Description | Defines the location of the certificate file for client authentication |
Synopsis | SSLCACertificateFile path |
Context | Default Server, Virtual Host |
Example | SSLCACertificateFile /var/appweb/ca.crt |
Notes |
The SSLCACertificateFile directive defines the file containing the certificates to use when authenticating client certificates. This directive is only necessary if you wish to verify client certificates. If so, you must specify the "SSLVerifyClient Require" directive. The certificate file contains the concatenated certificates to use in preference order. The path may be an absolute path or it may be relative to the ServerRoot. You may alternatively use SSLCACertificatePath if you have separate certificates. |
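The three file directives above (SSLCertificateFile, SSLCertificateKeyFile, SSLCACertificateFile) share one question a practitioner wants answered before restarting a server: what is actually in these PEM files? The following added example (not Appweb's code) inspects PEM block labels and headers to report whether the certificate file also carries the key, whether that key is encrypted and will therefore block startup on a pass-phrase prompt, and how many certificates a CA bundle holds in what order. The PEM bodies it contains are constructed placeholders, not real keys or certificates.

```python
"""Pre-flight checks on the PEM files named by SSLCertificateFile,
SSLCertificateKeyFile and SSLCACertificateFile.

Added example, not Appweb code. Only PEM block labels and headers are
inspected; the DER inside is not parsed. Sample PEM bodies are constructed
placeholders.
"""
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

# Constructed samples (placeholder bodies, not valid DER).
CERT = ("-----BEGIN CERTIFICATE-----\n"
        "MIIB...placeholder...\n"
        "-----END CERTIFICATE-----\n")
PLAIN_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
             "MIIE...placeholder...\n"
             "-----END RSA PRIVATE KEY-----\n")
LEGACY_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                        "Proc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
                        "\n"
                        "...placeholder...\n"
                        "-----END RSA PRIVATE KEY-----\n")
PKCS8_ENCRYPTED_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                       "MIIF...placeholder...\n"
                       "-----END ENCRYPTED PRIVATE KEY-----\n")
CA_BUNDLE = CERT + CERT   # two CA certificates concatenated in preference order


def pem_blocks(text):
    """Return [(label, body)] for each PEM block, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def certificate_count(text):
    """Number of CERTIFICATE blocks, e.g. the length of a CA bundle."""
    return sum(1 for label, _ in pem_blocks(text) if label == "CERTIFICATE")


def has_private_key(text):
    """True if any block is a private key (RSA, EC, PKCS#8, encrypted or not)."""
    return any(label.endswith("PRIVATE KEY") for label, _ in pem_blocks(text))


def key_is_encrypted(text):
    """True for PKCS#8 ENCRYPTED PRIVATE KEY or a legacy key with Proc-Type: 4,ENCRYPTED."""
    for label, body in pem_blocks(text):
        if label == "ENCRYPTED PRIVATE KEY":
            return True
        if label.endswith("PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in body:
            return True
    return False


def describe(cert_text, key_text=None):
    """Report what the server will find in SSLCertificateFile (+ optional SSLCertificateKeyFile)."""
    report = {
        "certificates": certificate_count(cert_text),
        "key_in_certificate_file": has_private_key(cert_text),
        "prompts_for_passphrase": False,
        "problems": [],
    }
    key_source = cert_text if report["key_in_certificate_file"] else key_text
    if report["certificates"] == 0:
        report["problems"].append("SSLCertificateFile holds no CERTIFICATE block")
    if key_source is None or not has_private_key(key_source):
        report["problems"].append("no private key: set SSLCertificateKeyFile or append the key to the certificate file")
    else:
        report["prompts_for_passphrase"] = key_is_encrypted(key_source)
    return report


def key_mode_is_private(mode):
    """True if permission bits grant nothing to group or others (e.g. 0o600 or 0o400)."""
    return (mode & 0o077) == 0


if __name__ == "__main__":
    print(describe(CERT + PLAIN_KEY))
    print(describe(CERT, LEGACY_ENCRYPTED_KEY))
    print("CA bundle certificates:", certificate_count(CA_BUNDLE))
```

On a real deployment, read the files named by the directives into `describe`, and pass `os.stat(path).st_mode` of the key file to `key_mode_is_private` to catch a key that is readable by other users before the server goes live.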
SSLCACertificatePath
Description | Defines the directory containing the certificates to use for client authentication. |
Synopsis | SSLCACertificatePath path |
Context | Default Server, Virtual Host |
Example | SSLCACertificatePath /var/appweb/certs |
Notes |
The SSLCACertificatePath directive defines the directory containing the certificates to use when authenticating client certificates. This directive is only necessary if you wish to verify client certificates. If so, you must specify the "SSLVerifyClient Require" directive. The path may be an absolute path or it may be relative to the ServerRoot. You may alternatively use SSLCACertificateFile if you have a bundle of certificates concatenated together. |
SSLVerifyClient
Description | Defines the type of client certificate verification. |
Synopsis | SSLVerifyClient [none | require] |
Context | Default Server, Virtual Host, Directory |
Example | SSLVerifyClient require |
Notes |
This directive controls whether the client must present a client certificate so that the server can verify the client's identity. If set to none, no certificate is required, and one that is supplied is ignored. If set to require, the client must present a valid certificate, that is, one that verifies against the certificates given by SSLCACertificateFile or SSLCACertificatePath, or the handshake fails. |
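What SSLVerifyClient, SSLCACertificateFile and SSLCACertificatePath amount to at the TLS layer is easiest to see by building the equivalent context in code. The following added example (not Appweb's code; Appweb does not use Python's ssl module) maps the directive values onto an `ssl.SSLContext`, adds the configuration checks worth running before startup, and shows how a supplied pass-phrase replaces the interactive prompt discussed under SSLCertificateKeyFile. The paths are assumptions taken from the examples on this page.

```python
"""Translate SSLVerifyClient, SSLCACertificateFile and SSLCACertificatePath
into a Python ssl.SSLContext configured the way those directives describe.

Added example, not Appweb code. Paths are assumed, following this page's
examples.
"""
import ssl

# SSLVerifyClient value -> what the handshake does with a client certificate
VERIFY_MODES = {
    "none": ssl.CERT_NONE,          # no certificate requested; one sent is ignored
    "require": ssl.CERT_REQUIRED,   # client must present a certificate that verifies
}


def verify_mode_for(directive):
    """Map an SSLVerifyClient value (case-insensitive) to a verify mode."""
    try:
        return VERIFY_MODES[directive.strip().lower()]
    except KeyError:
        raise ValueError("SSLVerifyClient must be none or require, got %r" % directive) from None


def client_auth_problems(verify, cafile=None, capath=None):
    """Configuration checks worth running before the server starts."""
    problems = []
    mode = verify_mode_for(verify)
    if mode == ssl.CERT_REQUIRED and not (cafile or capath):
        problems.append("SSLVerifyClient require needs SSLCACertificateFile or SSLCACertificatePath")
    if mode == ssl.CERT_NONE and (cafile or capath):
        problems.append("CA certificates are configured but SSLVerifyClient none ignores client certificates")
    return problems


def server_context(certfile, keyfile=None, key_password=None,
                   verify="none", cafile=None, capath=None):
    """Build a server-side context from directive values.

    certfile/keyfile mirror SSLCertificateFile/SSLCertificateKeyFile (keyfile
    None means the key is inside certfile). key_password, a string or a
    callable returning one, stands in for the interactive pass-phrase prompt
    so an encrypted key can still be loaded on an unattended start.
    """
    problems = client_auth_problems(verify, cafile, capath)
    if problems:
        raise ValueError("; ".join(problems))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile=keyfile, password=key_password)
    ctx.verify_mode = verify_mode_for(verify)
    if ctx.verify_mode == ssl.CERT_REQUIRED:
        # cafile: one concatenated bundle; capath: a directory of separate certificates
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


if __name__ == "__main__":
    # Assumed paths, following the examples on this page.
    ctx = server_context("/var/appweb/server.crt", "/var/appweb/server.key.pem",
                         verify="require", cafile="/var/appweb/ca.crt")
    print("verify_mode:", ctx.verify_mode)
```

`client_auth_problems` is the part to lift into a startup check: `SSLVerifyClient require` without a CA source cannot verify anything, and a CA file configured alongside `SSLVerifyClient none` usually means someone expected client authentication that is not happening.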