<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<meta name="keywords" content="Apache, 中文, 手册, 中文版, 中文手册, 中文版手册, 参考手册, 中文参考手册, 金步国" />
<meta name="description" content="Apache 2.2 中文版参考手册" />
<meta name="author" content="金步国" />
<link href="../style/css/manual-zip.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-zip-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
<title>mod_ssl - Apache 2.2 Reference Manual (Chinese Edition)</title>
</head>
<body><div id="page-header">
<p class="menu"><a href="../mod/index.html">Module Index</a> | <a href="../mod/directives.html">Directive Index</a> | <a href="../faq/index.html">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p><p class="apache">Apache HTTP Server Version 2.2</p><img alt="" src="../images/feather.gif" /></div>
<div id="translation-info"> <a href="../translator_announcement.html#thanks">Acknowledgements</a> | <a href="../translator_announcement.html#announcement">Translator's Statement</a> | Translator of this page: <<a href="../translator_announcement.html#join">vacant</a>> | Translation completion date: ?/?/? | <a href="../translator_announcement.html#last_new">Get the Latest Version</a></div>
<div id="page-content"><div id="preamble"><h1>Apache Module mod_ssl</h1>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="module">
<tr><th><a href="module-dict.html#Description">Description</a></th><td>Strong cryptography using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols</td></tr>
<tr><th><a href="module-dict.html#Status">Status</a></th><td>Extension (E)</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier</a></th><td>ssl_module</td></tr>
<tr><th><a href="module-dict.html#SourceFile">Source File</a></th><td>mod_ssl.c</td></tr>
</table>
<h3>Summary</h3>
<p>This module provides SSL v2/v3 and TLS v1 support for the Apache
HTTP Server. It was contributed by Ralf S. Engeschall based on his
mod_ssl project and originally derived from work by Ben Laurie.</p>
<p>This module relies on <a href="http://www.openssl.org/">OpenSSL</a>
to provide the cryptography engine.</p>
<p>Further details, discussion, and examples are provided in the
<a href="../ssl/index.html">SSL documentation</a>.</p>
</div>
<div class="section">
<h2><a name="envvars" id="envvars">Environment Variables</a></h2>
<p>This module exposes a large amount of SSL information as additional environment
variables in the SSI and CGI namespace. The generated variables are listed in
the table below. For backward compatibility the same information can
also be made available under different names; see the <a href="../ssl/ssl_compat.html">Compatibility</a> chapter for details on the
compatibility variables.</p>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="bordered">
<tr><th><a name="table3">Variable Name:</a></th><th>Value Type:</th><th>Description:</th></tr>
<tr><td><code>HTTPS</code></td><td>flag</td><td>HTTPS is being used.</td></tr>
<tr><td><code>SSL_PROTOCOL</code></td><td>string</td><td>The SSL protocol version (SSLv2, SSLv3, TLSv1)</td></tr>
<tr><td><code>SSL_SESSION_ID</code></td><td>string</td><td>The hex-encoded SSL session id</td></tr>
<tr><td><code>SSL_CIPHER</code></td><td>string</td><td>The cipher specification name</td></tr>
<tr><td><code>SSL_CIPHER_EXPORT</code></td><td>string</td><td><code>true</code> if cipher is an export cipher</td></tr>
<tr><td><code>SSL_CIPHER_USEKEYSIZE</code></td><td>number</td><td>Number of cipher bits (actually used)</td></tr>
<tr><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>number</td><td>Number of cipher bits (possible)</td></tr>
<tr><td><code>SSL_COMPRESS_METHOD</code></td><td>string</td><td>SSL compression method negotiated</td></tr>
<tr><td><code>SSL_VERSION_INTERFACE</code></td><td>string</td><td>The mod_ssl program version</td></tr>
<tr><td><code>SSL_VERSION_LIBRARY</code></td><td>string</td><td>The OpenSSL program version</td></tr>
<tr><td><code>SSL_CLIENT_M_VERSION</code></td><td>string</td><td>The version of the client certificate</td></tr>
<tr><td><code>SSL_CLIENT_M_SERIAL</code></td><td>string</td><td>The serial of the client certificate</td></tr>
<tr><td><code>SSL_CLIENT_S_DN</code></td><td>string</td><td>Subject DN in client's certificate</td></tr>
<tr><td><code>SSL_CLIENT_S_DN_</code><em>x509</em></td><td>string</td><td>Component of client's Subject DN</td></tr>
<tr><td><code>SSL_CLIENT_I_DN</code></td><td>string</td><td>Issuer DN of client's certificate</td></tr>
<tr><td><code>SSL_CLIENT_I_DN_</code><em>x509</em></td><td>string</td><td>Component of client's Issuer DN</td></tr>
<tr><td><code>SSL_CLIENT_V_START</code></td><td>string</td><td>Validity of client's certificate (start time)</td></tr>
<tr><td><code>SSL_CLIENT_V_END</code></td><td>string</td><td>Validity of client's certificate (end time)</td></tr>
<tr><td><code>SSL_CLIENT_V_REMAIN</code></td><td>string</td><td>Number of days until client's certificate expires</td></tr>
<tr><td><code>SSL_CLIENT_A_SIG</code></td><td>string</td><td>Algorithm used for the signature of client's certificate</td></tr>
<tr><td><code>SSL_CLIENT_A_KEY</code></td><td>string</td><td>Algorithm used for the public key of client's certificate</td></tr>
<tr><td><code>SSL_CLIENT_CERT</code></td><td>string</td><td>PEM-encoded client certificate</td></tr>
<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td><td>string</td><td>PEM-encoded certificates in client certificate chain</td></tr>
<tr><td><code>SSL_CLIENT_VERIFY</code></td><td>string</td><td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr>
<tr><td><code>SSL_SERVER_M_VERSION</code></td><td>string</td><td>The version of the server certificate</td></tr>
<tr><td><code>SSL_SERVER_M_SERIAL</code></td><td>string</td><td>The serial of the server certificate</td></tr>
<tr><td><code>SSL_SERVER_S_DN</code></td><td>string</td><td>Subject DN in server's certificate</td></tr>
<tr><td><code>SSL_SERVER_S_DN_</code><em>x509</em></td><td>string</td><td>Component of server's Subject DN</td></tr>
<tr><td><code>SSL_SERVER_I_DN</code></td><td>string</td><td>Issuer DN of server's certificate</td></tr>
<tr><td><code>SSL_SERVER_I_DN_</code><em>x509</em></td><td>string</td><td>Component of server's Issuer DN</td></tr>
<tr><td><code>SSL_SERVER_V_START</code></td><td>string</td><td>Validity of server's certificate (start time)</td></tr>
<tr><td><code>SSL_SERVER_V_END</code></td><td>string</td><td>Validity of server's certificate (end time)</td></tr>
<tr><td><code>SSL_SERVER_A_SIG</code></td><td>string</td><td>Algorithm used for the signature of server's certificate</td></tr>
<tr><td><code>SSL_SERVER_A_KEY</code></td><td>string</td><td>Algorithm used for the public key of server's certificate</td></tr>
<tr><td><code>SSL_SERVER_CERT</code></td><td>string</td><td>PEM-encoded server certificate</td></tr>
</table>
<p><em>x509</em> specifies a component of an X.509 DN; one of
<code>C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email</code>. In Apache 2.1 and
later, <em>x509</em> may also include a numeric <code>_n</code>
suffix. If the DN in question contains multiple attributes of the
same name, this suffix is used as an index to select a particular
attribute. For example, where the server certificate subject DN
included two OU fields, <code>SSL_SERVER_S_DN_OU_0</code> and <code>SSL_SERVER_S_DN_OU_1</code> could be used to reference each.</p>
<p><code>SSL_CLIENT_V_REMAIN</code> is only available in version 2.1
and later.</p>
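<p>As an added example (not part of the original manual), the following Python function shows how a CGI script would consume these variables to make an access decision: it accepts only <code>SSL_CLIENT_VERIFY</code> of <code>SUCCESS</code>, checks the issuer DN, walks the indexed <code>SSL_CLIENT_S_DN_OU_</code><em>n</em> components, and uses <code>SSL_CLIENT_V_REMAIN</code> to warn about imminent expiry. The environment dictionary, the issuer DN and the required OU are constructed assumptions for the example.</p>

```python
# Constructed sample of the CGI environment mod_ssl exports for one request
# (hypothetical values chosen for this example, not captured from a server).
SAMPLE_ENV = {
    "HTTPS": "on",
    "SSL_PROTOCOL": "TLSv1",
    "SSL_CIPHER_USEKEYSIZE": "256",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_CN": "alice",
    "SSL_CLIENT_S_DN_OU_0": "Ops",      # first OU attribute (Apache 2.1+ _n suffix)
    "SSL_CLIENT_S_DN_OU_1": "Admins",   # second OU attribute
    "SSL_CLIENT_I_DN": "/C=US/O=Example Corp/CN=Example Client CA",
    "SSL_CLIENT_V_REMAIN": "12",
}

TRUSTED_ISSUER = "/C=US/O=Example Corp/CN=Example Client CA"  # assumed issuer DN
REQUIRED_OU = "Admins"                                         # assumed policy
MIN_KEY_BITS = 128

def dn_components(env, prefix):
    """All values of one DN attribute: the plain name plus any _0, _1, ... indexed ones."""
    values = [env[prefix]] if prefix in env else []
    i = 0
    while f"{prefix}_{i}" in env:
        values.append(env[f"{prefix}_{i}"])
        i += 1
    return list(dict.fromkeys(values))  # drop duplicates, keep order

def authorize(env):
    """Decide whether the request described by env may proceed: (allowed, detail)."""
    if env.get("HTTPS") != "on":
        return False, "request was not made over SSL/TLS"
    # Only SUCCESS means the chain verified against the configured CAs; NONE means no
    # certificate, GENEROUS means it was accepted without verification, FAILED:reason is a failure.
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        return False, f"client certificate not verified ({verify})"
    if env.get("SSL_PROTOCOL") == "SSLv2":
        return False, "SSLv2 negotiated"
    if int(env.get("SSL_CIPHER_USEKEYSIZE", "0")) < MIN_KEY_BITS:
        return False, "cipher key too short"
    if env.get("SSL_CLIENT_I_DN") != TRUSTED_ISSUER:
        return False, "certificate issued by an unexpected CA"
    if REQUIRED_OU not in dn_components(env, "SSL_CLIENT_S_DN_OU"):
        return False, f"subject lacks OU={REQUIRED_OU}"
    detail = env.get("SSL_CLIENT_S_DN_CN", "")
    if int(env.get("SSL_CLIENT_V_REMAIN", "0")) < 30:
        detail += " (certificate expires within 30 days)"
    return True, detail
```

<p>In a real CGI script the dictionary would be <code>os.environ</code>; the checks on <code>HTTPS</code> and <code>SSL_CLIENT_VERIFY</code> are the ones that must never be skipped, because every other variable is empty or meaningless without them.</p>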
</div>
<div class="section">
<h2><a name="logformats" id="logformats">Custom Log Formats</a></h2>
<p>When <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> is built into Apache, or at least
loaded as a DSO, additional functions are available for the <a href="mod_log_config.html#formats">Custom Log Format</a> of
<code class="module"><a href="../mod/mod_log_config.html">mod_log_config</a></code>. First, there is an
additional "<code>%{</code><em>varname</em><code>}x</code>"
eXtension format function which expands any variable
provided by any module, in particular the mod_ssl variables
listed in the table above.</p>
<p>
For backward compatibility, a special
"<code>%{</code><em>name</em><code>}c</code>" cryptography format function
is also provided. It is described in the <a href="../ssl/ssl_compat.html">Compatibility</a> chapter.</p>
<div class="example"><h3>Example</h3><p><code>
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</code></p></div>
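<p>As an added example (not part of the original manual), a small Python audit of lines written in exactly the <code>ssl_request_log</code> format above. It parses each line and flags requests that negotiated SSLv2 or an export-grade, NULL or anonymous cipher suite, which is the kind of check a defender runs on these logs. The log lines are constructed sample data.</p>

```python
import re
from collections import Counter

# Constructed lines in the format "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" (sample data).
SAMPLE_LOG = """\
[10/Oct/2006:13:55:36 -0700] 192.0.2.10 TLSv1 DHE-RSA-AES256-SHA "GET /index.html HTTP/1.1" 2326
[10/Oct/2006:13:55:40 -0700] 192.0.2.11 SSLv2 EXP-RC4-MD5 "GET /login HTTP/1.0" 512
[10/Oct/2006:13:55:41 -0700] 192.0.2.12 SSLv3 ADH-AES128-SHA "POST /api HTTP/1.1" -
[10/Oct/2006:13:55:42 -0700] 192.0.2.13 TLSv1 NULL-SHA "GET /secret HTTP/1.1" 90
"""

LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<bytes>\S+)$'  # %b is "-" when nothing was sent
)

def parse_line(line):
    """Split one ssl_request_log line into its fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def weak_reasons(rec):
    """Name the reasons a record's negotiated protocol or cipher is considered weak."""
    reasons = []
    if rec["proto"] == "SSLv2":
        reasons.append("SSLv2 protocol")
    cipher = rec["cipher"]
    if cipher.startswith("EXP-") or cipher.startswith("EXP1024-"):
        reasons.append("export-grade cipher")
    if "NULL" in cipher:
        reasons.append("NULL (unencrypted) cipher")
    if cipher.startswith("ADH-") or cipher.startswith("AECDH-"):
        reasons.append("anonymous key exchange (no server authentication)")
    return reasons

def audit(log_text):
    """Return per-reason counts and a list of (host, request, reasons) findings."""
    counts = Counter()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than misreport them
        reasons = weak_reasons(rec)
        if reasons:
            counts.update(reasons)
            findings.append((rec["host"], rec["request"], reasons))
    return counts, findings
```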
</div>
<div class="directive-section"><h2><a name="SSLCACertificateFile" id="SSLCACertificateFile">SSLCACertificateFile</a> <a name="sslcacertificatefile" id="sslcacertificatefile">Directive</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">Description</a></th><td>File of concatenated PEM-encoded CA Certificates
for Client Auth</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax</a></th><td><code>SSLCACertificateFile <em>file-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status</a></th><td>Extension (E)</td></tr>
<tr><th><a href="directive-dict.html#Module">Module</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets the <em>all-in-one</em> file in which you assemble the
certificates of the Certification Authorities (CAs) whose <em>clients</em> you deal
with. These are used for Client Authentication. Such a file is simply the
concatenation of the various PEM-encoded certificate files, in order of
preference. It can be used instead of, or in addition to,
<code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code>.</p>
<div class="example"><h3>Example</h3><p><code>
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt
</code></p></div>
</div>
<div class="directive-section"><h2><a name="SSLCACertificatePath" id="SSLCACertificatePath">SSLCACertificatePath</a> <a name="sslcacertificatepath" id="sslcacertificatepath">Directive</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">Description</a></th><td>Directory of PEM-encoded CA Certificates for
Client Auth</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax</a></th><td><code>SSLCACertificatePath <em>directory-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status</a></th><td>Extension (E)</td></tr>
<tr><th><a href="directive-dict.html#Module">Module</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive sets the directory where you keep the certificates of the
Certification Authorities (CAs) whose clients you deal with. These are used to
verify the client certificate during Client Authentication.</p>
<p>
The files in this directory have to be PEM-encoded and are accessed through
hash filenames, so usually you cannot just place the certificate files
there: you also have to create symbolic links named
<em>hash-value</em><code>.N</code>, and you should always make sure this directory
contains the appropriate symbolic links. Use the <code>Makefile</code> which
comes with mod_ssl to accomplish this task.</p>
<div class="example"><h3>Example</h3><p><code>
SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/
</code></p></div>
</div>
<div class="directive-section"><h2><a name="SSLCADNRequestFile" id="SSLCADNRequestFile">SSLCADNRequestFile</a> <a name="sslcadnrequestfile" id="sslcadnrequestfile">Directive</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">Description</a></th><td>File of concatenated PEM-encoded CA Certificates
for defining acceptable CA names</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax</a></th><td><code>SSLCADNRequestFile <em>file-path</em></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status</a></th><td>Extension (E)</td></tr>
<tr><th><a href="directive-dict.html#Module">Module</a></th><td>mod_ssl</td></tr>
</table>
<p>When a client certificate is requested by mod_ssl, a list of
<em>acceptable Certificate Authority names</em> is sent to the client
in the SSL handshake. These CA names can be used by the client to
select an appropriate client certificate out of those it has
available.</p>
<p>If neither of the directives <code class="directive"><a href="#sslcadnrequestpath">SSLCADNRequestPath</a></code> or <code class="directive"><a href="#sslcadnrequestfile">SSLCADNRequestFile</a></code> is given, then the
set of acceptable CA names sent to the client is the names of all the
CA certificates given by the <code class="directive"><a href="#sslcacertificatefile">SSLCACertificateFile</a></code> and <code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code> directives; in other
words, the names of the CAs which will actually be used to verify the
client certificate.</p>
<p>In some circumstances, it is useful to be able to send a set of
acceptable CA names which differs from the actual CAs used to verify
the client certificate - for example, if the client certificates are
signed by intermediate CAs. In such cases, <code class="directive"><a href="#sslcadnrequestpath">SSLCADNRequestPath</a></code> and/or <code class="directive"><a href="#sslcadnrequestfile">SSLCADNRequestFile</a></code> can be used; the