ssl_howto.html

apach加密模块

<html>
<head>
<title>mod_ssl: HowTo</title>

<!--
  Copyright (c) 1998-2000 Ralf S. Engelschall. All rights reserved.

  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions
  are met:

  1. Redistributions of source code must retain the above
     copyright notice, this list of conditions and the following
     disclaimer. 
 
  2. Redistributions in binary form must reproduce the above
     copyright notice, this list of conditions and the following
     disclaimer in the documentation and/or other materials
     provided with the distribution.
 
  3. All advertising materials mentioning features or use of this
     software must display the following acknowledgment: 
     "This product includes software developed by 
      Ralf S. Engelschall <rse@engelschall.com> for use in the
      mod_ssl project (http://www.modssl.org/)."
 
  4. The name "mod_ssl" must not be used to endorse or promote
     products derived from this software without prior written
     permission.  

  5. Redistributions of any form whatsoever must retain the
     following acknowledgment:
     "This product includes software developed by 
      Ralf S. Engelschall <rse@engelschall.com> for use in the
      mod_ssl project (http://www.modssl.org/)."
 
  THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL ``AS IS'' AND ANY
  EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL RALF S. ENGELSCHALL OR
  HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  OF THE POSSIBILITY OF SUCH DAMAGE.
-->
<style type="text/css"><!--
A:link {
    text-decoration: none;
    color: #6666cc;
}
A:active {
    text-decoration: none;
    color: #6666cc;
}
A:visited {
    text-decoration: none;
    color: #6666cc;
}
#sf {
    font-family: arial,helvetica;
    font-variant: normal;
    font-style: normal;
}
H1 {
    font-weight: bold;
    font-size: 24pt;
    line-height: 24pt;
    font-family: arial,helvetica;
    font-variant: normal;
    font-style: normal;
}
H2 {
    font-weight: bold;
    font-size: 18pt;
    line-height: 18pt;
    font-family: arial,helvetica;
    font-variant: normal;
    font-style: normal;
}
H3 {
    font-weight: bold;
    font-size: 14pt;
    line-height: 14pt;
    font-family: arial,helvetica;
    font-variant: normal;
    font-style: normal;
}
H4 {
    font-weight: bold;
    font-size: 12pt;
    line-height: 12pt;
    font-family: arial,helvetica;
    font-variant: normal;
    font-style: normal;
}
#H {
}
#D {
    background-color: #f0f0f0;
}
#faq {
    font-weight: bold;
    font-size: 16pt;
    line-height: 16pt;
    font-family: arial,helvetica;
    font-variant: normal;
    font-style: normal;
}
#howto {
    font-weight: bold;
    font-size: 16pt;
    line-height: 16pt;
    font-family: arial,helvetica;
    font-variant: normal;
    font-style: normal;
}
#term {
    font-weight: bold;
    font-size: 16pt;
    line-height: 16pt;
    font-family: arial,helvetica;
    font-variant: normal;
    font-style: normal;
}
--></style>
</head>
<body bgcolor="#ffffff" text="#000000" link="#333399" alink="#9999ff" vlink="#000066">
<div align="center">
<table width="600" cellspacing="0" cellpadding="0" border="0">
<tr>
  <td>
          <img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="600" height="1" align="bottom" border="0"><br>
      <table width="600" cellspacing="0" cellpadding="0">
      <tr>
        <td>
        <table width="600">
        <tr>
            <td align="left" valign="bottom">
            <font face="Arial,Helvetica" size="+2"><b>mod_ssl</b></font>
            </td>
            <td align="right">
                            <img src="ssl_template.head-chapter.gif" alt="Chapter" width="175" height="94"> <img src="ssl_template.head-num-5.gif" alt="5" width="74" height="89">
            </td>
        </tr>
        </table>
        </td>
      </tr>
      <tr>
        <td><img src="ssl_template.imgdot-1x1-000000.gif" alt="" width="600" height="2" align="bottom" border="0"></td>
      </tr>
      <tr>
        <td>
           <table width="600" border="0">
           <tr>
            <td valign="top" align="left" width="250">
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
function ro_imgNormal(imgName) {
    if (document.images) {
        document[imgName].src = eval(imgName + "_n.src");
        self.status = '';
    }
}
function ro_imgOver(imgName, descript) {
    if (document.images) {
        document[imgName].src = eval(imgName + "_o.src");
        self.status = descript;
    }
}
// done hiding -->
</script>
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
    ro_img_prev_top_n = new Image();
    ro_img_prev_top_n.src = "ssl_template.navbut-prev-n.gif";
    ro_img_prev_top_o = new Image();
    ro_img_prev_top_o.src = "ssl_template.navbut-prev-s.gif";
}
// done hiding -->
</script>
<a href="ssl_compat.html"
   onMouseOver="ro_imgOver('ro_img_prev_top', 'previous page'); return true"
   onMouseOut="ro_imgNormal('ro_img_prev_top'); return true"
><img
   name="ro_img_prev_top"
   src="ssl_template.navbut-prev-n.gif"
   alt="previous page"
   width="70" height="18"
   border="0"
></a><br><font color="#000000">Compatibility</font>
            </td>
            <td valign="top" align="right" width="250">
<script type="text/javascript" language="JavaScript">
<!-- Hiding the code
if (document.images) {
    ro_img_next_top_n = new Image();
    ro_img_next_top_n.src = "ssl_template.navbut-next-n.gif";
    ro_img_next_top_o = new Image();
    ro_img_next_top_o.src = "ssl_template.navbut-next-s.gif";
}
// done hiding -->
</script>
<a href="ssl_faq.html"
   onMouseOver="ro_imgOver('ro_img_next_top', 'next page'); return true"
   onMouseOut="ro_imgNormal('ro_img_next_top'); return true"
><img
   name="ro_img_next_top"
   src="ssl_template.navbut-next-n.gif"
   alt="next page"
   width="70" height="18"
   border="0"
></a><br><font color="#000000">F.A.Q. List</font>
            </td>
           </tr>
           </table>
         </td>
      </tr>
      <tr>
        <td>
                    <br>
          <img src="ssl_template.title-howto.gif" alt="HowTo" width="456" height="60">
        </td>
      </tr>
      </table>
<DIV align="right">
<table cellspacing="0" cellpadding="0" width="200">
<tr>
<td>
<em>``The solution of this problem is trivial
  and is left as an exercise for the reader.''</em>
</td>
</tr>
<tr>
<td align="right">
<font size="-1">
Standard textbook cookie
</font>
</td>
</tr>
</table>
</div>
<p>
<table cellspacing="0" cellpadding="0" border="0">
<tr valign="bottom">
<td>
<img src="ssl_howto.gfont000.gif" alt="H" width="40" height="34" border="0" align="left">
ow to solve particular security constraints for an SSL-aware webserver
is not always obvious because of the coherences between SSL, HTTP and Apache's
way of processing requests. This chapter gives instructions on how to solve
such typical situations. Treat is as a first step to find out the final
solution, but always try to understand the stuff before you use it. Nothing is
worse than using a security solution without knowing it's restrictions and
coherences.
</td>
<td>
&nbsp;&nbsp;
</td>
<td>
<DIV align="right">
<table cellspacing="0" cellpadding="5" border="0" bgcolor="#ccccff" width="300">
<tr>
<td bgcolor="#333399">
<font face="Arial,Helvetica" color="#ccccff">
<b>Table Of Contents</b>
</font>
</td>
</tr>
<tr>
<td>
<font face="Arial,Helvetica" size="-1">
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC1"><strong>Cipher Suites and Enforced Strong Security</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC2"><strong>SSLv2 only server</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC3"><strong>strong encryption only server</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC4"><strong>server gated cryptography</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC5"><strong>stronger per-directory requirements</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC6"><strong>Client Authentication and Access Control</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC7"><strong>simple certificate-based client authentication</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC8"><strong>selective certificate-based client authentication</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC9"><strong>particular certificate-based client authentication</strong></a><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#ToC10"><strong>intranet vs. internet authentication</strong></a><br>
</font>
</td>
</tr>
</table>
</div>
</td>
</tr>
</table>
<H2><a name="ToC1">Cipher Suites and Enforced Strong Security</a></H2>
<ul>
<p>
<li><a name="ToC2"></a>
    <a name="cipher-sslv2"></a>
    <strong id="howto">How can I create a real SSLv2-only server?</strong>&nbsp;&nbsp;
    [<a href="http://www.modssl.org/docs/2.2/ssl_howto.html#cipher-sslv2"><b>L</b></a>]
    <p>
The following creates an SSL server which speaks only the SSLv2 protocol and
it's ciphers.