<div class="directive-section"><h2><a name="SSLCryptoDevice" id="SSLCryptoDevice">SSLCryptoDevice</a> <a name="sslcryptodevice" id="sslcryptodevice">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable use of a cryptographic hardware accelerator</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCryptoDevice <em>engine</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLCryptoDevice builtin</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available if mod_ssl is built using <code>-DSSL_ENGINE_EXPERIMENTAL</code></td></tr>
</table>
<p>
This directive enables use of a cryptographic hardware accelerator
board to offload some of the SSL processing overhead. This directive
can only be used if the SSL toolkit is built with "engine" support;
OpenSSL 0.9.7 and later releases have "engine" support by default; with
OpenSSL 0.9.6, the separate "-engine" releases must be used.</p>
<p>To discover which engine names are supported, run the command
"<code>openssl engine</code>".</p>
<div class="example"><h3>Example</h3><p><code>
# For a Broadcom accelerator:<br />
SSLCryptoDevice ubsec
</code></p></div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLEngine" id="SSLEngine">SSLEngine</a> <a name="sslengine" id="sslengine">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>SSL Engine Operation Switch</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLEngine on|off|optional</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLEngine off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive toggles the usage of the SSL/TLS Protocol Engine. This
is usually used inside a <code class="directive"><a href="../mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code> section to enable SSL/TLS for a
particular virtual host. By default the SSL/TLS Protocol Engine is
disabled for both the main server and all configured virtual hosts.</p>
<div class="example"><h3>Example</h3><p><code>
&lt;VirtualHost _default_:443&gt;<br />
SSLEngine on<br />
...<br />
&lt;/VirtualHost&gt;
</code></p></div>
<p>In Apache 2.1 and later, <code class="directive">SSLEngine</code> can be set to
<code>optional</code>. This enables support for
<a href="http://www.ietf.org/rfc/rfc2817.txt">RFC 2817</a>, Upgrading to TLS
Within HTTP/1.1. At this time no web browsers support RFC 2817.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLHonorCipherOrder" id="SSLHonorCipherOrder">SSLHonorCipherOrder</a> <a name="sslhonorcipherorder" id="sslhonorcipherorder">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Option to prefer the server's cipher preference order</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLHonorCipherOrder <em>flag</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.1 and later, if using OpenSSL 0.9.7 or later</td></tr>
</table>
<p>When choosing a cipher during an SSLv3 or TLSv1 handshake, normally
the client's preference is used. If this directive is enabled, the
server's preference will be used instead.</p>
<div class="example"><h3>Example</h3><p><code>
SSLHonorCipherOrder on
</code></p></div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLMutex" id="SSLMutex">SSLMutex</a> <a name="sslmutex" id="sslmutex">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Semaphore for internal mutual exclusion of
operations</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLMutex <em>type</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLMutex none</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This configures the SSL engine's semaphore (a.k.a. lock), which is used for mutual
exclusion of operations which have to be done in a synchronized way between the
pre-forked Apache server processes. This directive can only be used in the
global server context because it's only useful to have one global mutex.
This directive is designed to closely match the
<code class="directive"><a href="../mod/mpm_common.html#acceptmutex">AcceptMutex</a></code> directive.</p>
<p>
The following Mutex <em>types</em> are available:</p>
<ul>
<li><code>none | no</code>
<p>
This is the default, where no Mutex is used at all. Use it at your own
risk. Because the Mutex is currently used mainly for synchronizing
write access to the SSL Session Cache, you can live without it as long
as you accept a sometimes garbled Session Cache. It is therefore not
recommended to leave this at the default; configure a real Mutex instead.</p></li>
<li><code>posixsem</code>
<p>
This is an elegant Mutex variant where a Posix Semaphore is used when possible.
It is only available when the underlying platform
and <a class="glossarylink" href="../glossary.html#apr" title="see glossary">APR</a> support it.</p></li>
<li><code>sysvsem</code>
<p>
This is a somewhat elegant Mutex variant where a SystemV IPC Semaphore is used when
possible. It is possible to "leak" SysV semaphores if processes crash before
the semaphore is removed. It is only available when the underlying platform
and <a class="glossarylink" href="../glossary.html#apr" title="see glossary">APR</a> support it.</p></li>
<li><code>sem</code>
<p>
This directive tells the SSL Module to pick the "best" semaphore implementation
available to it, choosing between Posix and SystemV IPC, in that order. It is only
available when the underlying platform and <a class="glossarylink" href="../glossary.html#apr" title="see glossary">APR</a> support at least one of the two.</p></li>
<li><code>pthread</code>
<p>
This directive tells the SSL Module to use Posix thread mutexes. It is only available
if the underlying platform and <a class="glossarylink" href="../glossary.html#apr" title="see glossary">APR</a> support it.</p></li>
<li><code>fcntl:/path/to/mutex</code>
<p>
This is a portable Mutex variant where a physical (lock-)file and the <code>fcntl()</code>
function are used as the Mutex.
Always use a local disk filesystem for <code>/path/to/mutex</code> and never a file
residing on an NFS or AFS filesystem. It is only available when the underlying platform
and <a class="glossarylink" href="../glossary.html#apr" title="see glossary">APR</a> support it. Note: Internally, the Process ID (PID) of the
Apache parent process is automatically appended to
<code>/path/to/mutex</code> to make it unique, so you don't have to worry
about conflicts yourself. Notice that this type of mutex is not available
under the Win32 environment. There you <em>have</em> to use the semaphore
mutex.</p></li>
<li><code>flock:/path/to/mutex</code>
<p>
This is similar to the <code>fcntl:/path/to/mutex</code> method with the
exception that the <code>flock()</code> function is used to provide file
locking. It is only available when the underlying platform
and <a class="glossarylink" href="../glossary.html#apr" title="see glossary">APR</a> support it.</p></li>
<li><code>file:/path/to/mutex</code>
<p>
This directive tells the SSL Module to pick the "best" file locking implementation
available to it, choosing between <code>fcntl</code> and <code>flock</code>,
in that order. It is only available when the underlying platform and <a class="glossarylink" href="../glossary.html#apr" title="see glossary">APR</a> support
at least one of the two.</p></li>
<li><code>default | yes</code>
<p>
This directive tells the SSL Module to pick the default locking implementation
as determined by the platform and <a class="glossarylink" href="../glossary.html#apr" title="see glossary">APR</a>.</p></li>
</ul>
<div class="example"><h3>Example</h3><p><code>
SSLMutex file:/usr/local/apache/logs/ssl_mutex
</code></p></div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLOptions" id="SSLOptions">SSLOptions</a> <a name="ssloptions" id="ssloptions">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Configure various SSL engine run-time options</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOptions [+|-]<em>option</em> ...</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>Options</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive can be used to control various run-time options on a
per-directory basis. Normally, if multiple <code>SSLOptions</code>
could apply to a directory, then the most specific one is taken
completely; the options are not merged. However if <em>all</em> the
options on the <code>SSLOptions</code> directive are preceded by a
plus (<code>+</code>) or minus (<code>-</code>) symbol, the options
are merged. Any options preceded by a <code>+</code> are added to the
options currently in force, and any options preceded by a
<code>-</code> are removed from the options currently in force.</p>
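<p>The resolution rule above, modelled in Python as an added example (not part of the original documentation and not mod_ssl source code). The function names are hypothetical, the scope lists are constructed, and rejecting a directive that mixes prefixed and bare options is this example's own choice, since the rule above does not define that case.</p>

```python
# Added illustration of the documented SSLOptions resolution rule.
# It models the documentation text, not the mod_ssl implementation.

def parse_ssloptions(args):
    """Return (relative, words) for one SSLOptions argument string.

    relative is True only when every option carries a + or - prefix.
    A mix of prefixed and bare options is rejected (assumption of this
    example: the documented rule does not cover that case).
    """
    words = args.split()
    if not words:
        raise ValueError("SSLOptions needs at least one option")
    prefixed = [w[0] in "+-" for w in words]
    if any(prefixed) and not all(prefixed):
        raise ValueError("mixed prefixed and bare options: " + args)
    return all(prefixed), words


def effective_options(directives):
    """Resolve directives ordered from least to most specific scope."""
    in_force = set()
    for args in directives:
        relative, words = parse_ssloptions(args)
        if not relative:
            # Bare options: the more specific directive is taken
            # completely and everything inherited is dropped.
            in_force = set(words)
            continue
        for word in words:
            if word[0] == "+":
                in_force.add(word[1:])       # added to options in force
            else:
                in_force.discard(word[1:])   # removed from options in force
    return in_force


# Constructed scopes: virtual host, then a directory, then .htaccess.
MERGED = ["StdEnvVars CompatEnvVars", "+ExportCertData", "-CompatEnvVars"]
# Constructed scopes: virtual host, then a directory with bare options.
REPLACED = ["StdEnvVars CompatEnvVars", "ExportCertData"]

if __name__ == "__main__":
    print(sorted(effective_options(MERGED)))
    print(sorted(effective_options(REPLACED)))
```

<p>The second case is the one to look for when auditing a configuration: a bare <code>SSLOptions</code> line in a more specific scope silently discards every option set at a broader scope.</p>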
<p>
The available <em>option</em>s are:</p>
<ul>
<li><code>StdEnvVars</code>
<p>
When this option is enabled, the standard set of SSL-related CGI/SSI
environment variables is created. This is disabled by default for
performance reasons, because the information extraction step is a
rather expensive operation. So one usually enables this option for
CGI and SSI requests only.</p>
</li>
<li><code>CompatEnvVars</code>
<p>
When this option is enabled, additional CGI/SSI environment variables are
created for backward compatibility with other Apache SSL solutions. Look in
the <a href="../ssl/ssl_compat.html">Compatibility</a> chapter for details
on the particular variables generated.</p>
</li>
<li><code>ExportCertData</code>
<p>