mod_ssl.html.en

最新apache的源代码

<tr><td><code>eNULL</code></td>  <td>No encoding</td>         </tr>
<tr><td><code>DES</code></td>    <td>DES encoding</td>        </tr>
<tr><td><code>3DES</code></td>   <td>Triple-DES encoding</td> </tr>
<tr><td><code>RC4</code></td>    <td>RC4 encoding</td>       </tr>
<tr><td><code>RC2</code></td>    <td>RC2 encoding</td>       </tr>
<tr><td><code>IDEA</code></td>   <td>IDEA encoding</td>       </tr>
<tr><td colspan="2"><em>MAC Digest Algorithm</em>:</td></tr>
<tr><td><code>MD5</code></td>    <td>MD5 hash function</td></tr>
<tr><td><code>SHA1</code></td>   <td>SHA1 hash function</td></tr>
<tr><td><code>SHA</code></td>    <td>SHA hash function</td> </tr>
<tr><td colspan="2"><em>Aliases:</em></td></tr>
<tr><td><code>SSLv2</code></td>  <td>all SSL version 2.0 ciphers</td></tr>
<tr><td><code>SSLv3</code></td>  <td>all SSL version 3.0 ciphers</td> </tr>
<tr><td><code>TLSv1</code></td>  <td>all TLS version 1.0 ciphers</td> </tr>
<tr><td><code>EXP</code></td>    <td>all export ciphers</td>  </tr>
<tr><td><code>EXPORT40</code></td> <td>all 40-bit export ciphers only</td>  </tr>
<tr><td><code>EXPORT56</code></td> <td>all 56-bit export ciphers only</td>  </tr>
<tr><td><code>LOW</code></td>    <td>all low strength ciphers (no export, single DES)</td></tr>
<tr><td><code>MEDIUM</code></td> <td>all ciphers with 128 bit encryption</td> </tr>
<tr><td><code>HIGH</code></td>   <td>all ciphers using Triple-DES</td>     </tr>
<tr><td><code>RSA</code></td>    <td>all ciphers using RSA key exchange</td> </tr>
<tr><td><code>DH</code></td>     <td>all ciphers using Diffie-Hellman key exchange</td> </tr>
<tr><td><code>EDH</code></td>    <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr>
<tr><td><code>ADH</code></td>    <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr>
<tr><td><code>DSS</code></td>    <td>all ciphers using DSS authentication</td> </tr>
<tr><td><code>NULL</code></td>   <td>all ciphers using no encryption</td> </tr>
</table>
<p>
Now where this becomes interesting is that these can be put together
to specify the order and ciphers you wish to use. To speed this up
there are also aliases (<code>SSLv2, SSLv3, TLSv1, EXP, LOW, MEDIUM,
HIGH</code>) for certain groups of ciphers. These tags can be joined
together with prefixes to form the <em>cipher-spec</em>. Available
prefixes are:</p>
<ul>
<li>none: add cipher to list</li>
<li><code>+</code>: add ciphers to list and pull them to current location in list</li>
<li><code>-</code>: remove cipher from list (can be added later again)</li>
<li><code>!</code>: kill cipher from list completely (can <strong>not</strong> be added later again)</li>
</ul>
<p>A simpler way to look at all of this is to use the ``<code>openssl ciphers
-v</code>'' command which provides a nice way to successively create the
correct <em>cipher-spec</em> string. The default <em>cipher-spec</em> string
is ``<code>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>'' which
means the following: first, remove from consideration any ciphers that do not
authenticate, i.e. for SSL only the Anonymous Diffie-Hellman ciphers. Next,
use ciphers using RC4 and RSA. Next include the high, medium and then the low
security ciphers. Finally <em>pull</em> all SSLv2 and export ciphers to the
end of the list.</p>
<div class="example"><pre>
$ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
...                     ...               ...     ...           ...
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
</pre></div>
<p>The complete list of particular RSA &amp; DH ciphers for SSL is given in <a href="#table2">Table 2</a>.</p>
<div class="example"><h3>Example</h3><p><code>
SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
</code></p></div>
<table class="bordered">

<tr><th><a name="table2">Cipher-Tag</a></th> <th>Protocol</th> <th>Key Ex.</th> <th>Auth.</th> <th>Enc.</th> <th>MAC</th> <th>Type</th> </tr>
<tr><td colspan="7"><em>RSA Ciphers:</em></td></tr>
<tr><td><code>DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>3DES(168)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>DES-CBC3-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>3DES(168)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>IDEA-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>IDEA(128)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>RC4-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>RC4-MD5</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>IDEA-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>IDEA(128)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>RC2-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC2(128)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>RC4-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>DES-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>DES(56)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>RC4-64-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC4(64)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>DES-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>DES(56)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>EXP-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
<tr><td><code>EXP-RC2-CBC-MD5</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>RC2(40)</td> <td>MD5</td> <td>  export</td> </tr>
<tr><td><code>EXP-RC4-MD5</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>RC4(40)</td> <td>MD5</td> <td>  export</td> </tr>
<tr><td><code>EXP-RC2-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA(512)</td> <td>RSA</td> <td>RC2(40)</td> <td>MD5</td> <td>  export</td> </tr>
<tr><td><code>EXP-RC4-MD5</code></td> <td>SSLv2</td> <td>RSA(512)</td> <td>RSA</td> <td>RC4(40)</td> <td>MD5</td> <td>  export</td> </tr>
<tr><td><code>NULL-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>None</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>NULL-MD5</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>None</td> <td>MD5</td> <td /> </tr>
<tr><td colspan="7"><em>Diffie-Hellman Ciphers:</em></td></tr>
<tr><td><code>ADH-DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>None</td> <td>3DES(168)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>ADH-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>None</td> <td>DES(56)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>ADH-RC4-MD5</code></td> <td>SSLv3</td> <td>DH</td> <td>None</td> <td>RC4(128)</td> <td>MD5</td> <td /> </tr>
<tr><td><code>EDH-RSA-DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>RSA</td> <td>3DES(168)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>EDH-DSS-DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>DSS</td> <td>3DES(168)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>EDH-RSA-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>RSA</td> <td>DES(56)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>EDH-DSS-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>DSS</td> <td>DES(56)</td> <td>SHA1</td> <td /> </tr>
<tr><td><code>EXP-EDH-RSA-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>RSA</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
<tr><td><code>EXP-EDH-DSS-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>DSS</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
<tr><td><code>EXP-ADH-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>None</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
<tr><td><code>EXP-ADH-RC4-MD5</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>None</td> <td>RC4(40)</td> <td>MD5</td> <td>  export</td> </tr>
</table>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLEngine" id="SSLEngine">SSLEngine</a> <a name="sslengine" id="sslengine">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>SSL Engine Operation Switch</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLEngine on|off</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLEngine off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive toggles the usage of the SSL/TLS Protocol Engine. This
is usually used inside a <code class="directive"><a href="../mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code> section to enable SSL/TLS for a
particular virtual host. By default the SSL/TLS Protocol Engine is
disabled for both the main server and all configured virtual hosts.</p>
<div class="example"><h3>Example</h3><p><code>
&lt;VirtualHost _default_:443&gt;<br />
SSLEngine on<br />
...<br />
&lt;/VirtualHost&gt;
</code></p></div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLMutex" id="SSLMutex">SSLMutex</a> <a name="sslmutex" id="sslmutex">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Semaphore for internal mutual exclusion of 
operations</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLMutex <em>type</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLMutex none</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This configures the SSL engine's semaphore (aka. lock) which is used for mutual
exclusion of operations which have to be done in a synchronized way between the
pre-forked Apache server processes. This directive can only be used in the
global server context because it's only useful to have one global mutex.
This directive is designed to closely match the
<a href="http://httpd.apache.org/docs-2.0/mod/mpm_common.html#acceptmutex">AcceptMutex</a> directive</p>
<p>
The following Mutex <em>types</em> are available:</p>
<ul>
<li><code>none | no</code>
    <p>
    This is the default where no Mutex is used at all. Use it at your own
    risk. But because currently the Mutex is mainly used for synchronizing
    write access to the SSL Session Cache you can live without it as long
    as you accept a sometimes garbled Session Cache. So it's not recommended
    to leave this the default. Instead configure a real Mutex.</p></li>
<li><code>posixsem</code>
    <p>
    This is an elegant Mutex variant where a Posix Semaphore is used when possible.
    It is only available when the underlying platform
    and APR supports it.</p></li>
<li><code>sysvsem</code>
    <p>
    This is a somewhat elegant Mutex variant where a SystemV IPC Semaphore is used when
    possible. It is possible to "leak" SysV semaphores if processes crash before
    the semaphore is removed. It is only available when the underlying platform
    and APR supports it.</p></li>
<li><code>sem</code>
    <p>
    This directive tells the SSL Module to pick the "best" semaphore implementation
    available to it, choosing between Posix and SystemV IPC, in that order. It is only
    available when the underlying platform and APR supports at least one of the 2.</p></li>
<li><code>pthread</code>
    <p>
    This directive tells the SSL Module to use Posix thread mutexes. It is only available
    if the underlying platform and APR supports it.</p></li>
<li><code>fcntl:/path/to/mutex</code>
    <p>
    This is a portable Mutex variant where a physical (lock-)file and the <code>fcntl()</code>
    fucntion are used as the Mutex.
    Always use a local disk filesystem for <code>/path/to/mutex</code> and never a file
    residing on a NFS- or AFS-filesystem. It is only available when the underlying platform
    and APR supports it. Note: Internally, the Process ID (PID) of the
    Apache parent process is automatically appended to
    <code>/path/to/mutex</code> to make it unique, so you don't have to worry
    about conflicts yourself. Notice that this type of mutex is not available
    under the Win32 environment. There you <em>have</em> to use the semaphore
    mutex.</p></li>
<li><code>flock:/path/to/mutex</code>
    <p>
    This is similar to the <code>fcntl:/path/to/mutex</code> method with the
    exception that the <code>flock()</code> function is used to provide file
    locking. It is only available when the underlying platform
    and APR supports it.</p></li>
<li><code>file:/path/to/mutex</code>
    <p>
    This directive tells the SSL Module to pick the "best" file locking implementation
    available to it, choosing between <code>fcntl</code> and <code>flock</code>,
    in that order. It is only available when the underlying platform and APR supports
    at least one of the 2.</p></li>
<li><code>default | yes</code>
    <p>
    This directive tells the SSL Module to pick the default locking implementation