per-server context it applies to the standard SSL handshake when a connection
is established. In per-directory context it forces an SSL renegotiation with the
reconfigured Cipher Suite after the HTTP request has been read but before the HTTP
response is sent.</p>
<p>
An SSL cipher specification in <em>cipher-spec</em> is composed of 4 major
attributes plus a few extra minor ones:</p>
<ul>
<li><em>Key Exchange Algorithm</em>:<br />
RSA or Diffie-Hellman variants.
</li>
<li><em>Authentication Algorithm</em>:<br />
RSA, Diffie-Hellman, DSS or none.
</li>
<li><em>Cipher/Encryption Algorithm</em>:<br />
DES, Triple-DES, RC4, RC2, IDEA or none.
</li>
<li><em>MAC Digest Algorithm</em>:<br />
MD5, SHA or SHA1.
</li>
</ul>
<p>An SSL cipher can also be an export cipher and is either an SSLv2 or SSLv3/TLSv1
cipher (here TLSv1 is equivalent to SSLv3). To specify which ciphers to use,
one can either specify all the ciphers, one at a time, or use aliases to
specify the preference and order for the ciphers (see <a href="#table1">Table
1</a>).</p>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="bordered">
<tr><th><a name="table1">Tag</a></th><th>Description</th></tr>
<tr><td colspan="2"><em>Key Exchange Algorithm:</em></td></tr>
<tr><td><code>kRSA</code></td><td>RSA key exchange</td></tr>
<tr><td><code>kDHr</code></td><td>Diffie-Hellman key exchange with RSA key</td></tr>
<tr><td><code>kDHd</code></td><td>Diffie-Hellman key exchange with DSA key</td></tr>
<tr><td><code>kEDH</code></td><td>Ephemeral (temp.key) Diffie-Hellman key exchange (no cert)</td></tr>
<tr><td colspan="2"><em>Authentication Algorithm:</em></td></tr>
<tr><td><code>aNULL</code></td><td>No authentication</td></tr>
<tr><td><code>aRSA</code></td><td>RSA authentication</td></tr>
<tr><td><code>aDSS</code></td><td>DSS authentication</td></tr>
<tr><td><code>aDH</code></td><td>Diffie-Hellman authentication</td></tr>
<tr><td colspan="2"><em>Cipher Encoding Algorithm:</em></td></tr>
<tr><td><code>eNULL</code></td><td>No encoding</td></tr>
<tr><td><code>DES</code></td><td>DES encoding</td></tr>
<tr><td><code>3DES</code></td><td>Triple-DES encoding</td></tr>
<tr><td><code>RC4</code></td><td>RC4 encoding</td></tr>
<tr><td><code>RC2</code></td><td>RC2 encoding</td></tr>
<tr><td><code>IDEA</code></td><td>IDEA encoding</td></tr>
<tr><td colspan="2"><em>MAC Digest Algorithm</em>:</td></tr>
<tr><td><code>MD5</code></td><td>MD5 hash function</td></tr>
<tr><td><code>SHA1</code></td><td>SHA1 hash function</td></tr>
<tr><td><code>SHA</code></td><td>SHA hash function</td></tr>
<tr><td colspan="2"><em>Aliases:</em></td></tr>
<tr><td><code>SSLv2</code></td><td>all SSL version 2.0 ciphers</td></tr>
<tr><td><code>SSLv3</code></td><td>all SSL version 3.0 ciphers</td></tr>
<tr><td><code>TLSv1</code></td><td>all TLS version 1.0 ciphers</td></tr>
<tr><td><code>EXP</code></td><td>all export ciphers</td></tr>
<tr><td><code>EXPORT40</code></td><td>all 40-bit export ciphers only</td></tr>
<tr><td><code>EXPORT56</code></td><td>all 56-bit export ciphers only</td></tr>
<tr><td><code>LOW</code></td><td>all low strength ciphers (no export, single DES)</td></tr>
<tr><td><code>MEDIUM</code></td><td>all ciphers with 128 bit encryption</td></tr>
<tr><td><code>HIGH</code></td><td>all ciphers using Triple-DES</td></tr>
<tr><td><code>RSA</code></td><td>all ciphers using RSA key exchange</td></tr>
<tr><td><code>DH</code></td><td>all ciphers using Diffie-Hellman key exchange</td></tr>
<tr><td><code>EDH</code></td><td>all ciphers using Ephemeral Diffie-Hellman key exchange</td></tr>
<tr><td><code>ADH</code></td><td>all ciphers using Anonymous Diffie-Hellman key exchange</td></tr>
<tr><td><code>DSS</code></td><td>all ciphers using DSS authentication</td></tr>
<tr><td><code>NULL</code></td><td>all ciphers using no encryption</td></tr>
</table>
<p>
Now where this becomes interesting is that these can be put together
to specify the order and ciphers you wish to use. To speed this up
there are also aliases (<code>SSLv2, SSLv3, TLSv1, EXP, LOW, MEDIUM,
HIGH</code>) for certain groups of ciphers. These tags can be joined
together with prefixes to form the <em>cipher-spec</em>. Available
prefixes are:</p>
<ul>
<li>none: add cipher to list</li>
<li><code>+</code>: add ciphers to list and pull them to current location in list</li>
<li><code>-</code>: remove cipher from list (can be added later again)</li>
<li><code>!</code>: kill cipher from list completely (can <strong>not</strong> be added later again)</li>
</ul>
<p>A simpler way to look at all of this is to use the "<code>openssl ciphers
-v</code>" command which provides a nice way to successively create the
correct <em>cipher-spec</em> string. The default <em>cipher-spec</em> string
is "<code>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>" which
means the following: first, remove from consideration any ciphers that do not
authenticate, i.e. for SSL only the Anonymous Diffie-Hellman ciphers. Next,
use ciphers using RC4 and RSA. Next include the high, medium and then the low
security ciphers. Finally <em>pull</em> all SSLv2 and export ciphers to the
end of the list.</p>
<div class="example"><pre>
$ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
... ... ... ... ...
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
</pre></div>
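<p>The <code>openssl ciphers -v</code> output above is also the most convenient input for checking what a cipher-spec actually enables. The following script is an added example, not code from the page, from Apache or from OpenSSL: it parses lines in that format and reports the suites a defender would not want offered (no authentication, no encryption, export strength, encryption keys shorter than 128 bits, SSLv2-only suites). The sample lines are constructed after the rows shown on this page, and the 128-bit threshold is the editor's own choice of cut-off.</p>

```python
"""Audit `openssl ciphers -v` output for weak suites.
Added example, not part of mod_ssl or OpenSSL; the sample lines below are
constructed after the rows shown on this page, not captured from a server."""
import re
import sys

# One line of `openssl ciphers -v`: NAME PROTO Kx=.. Au=.. Enc=.. Mac=.. [export]
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)

# Constructed sample, modelled on the page's output (not real server output).
SAMPLE_OUTPUT = """\
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
"""


def parse_line(line):
    """Split one `openssl ciphers -v` line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    bits = re.search(r"\((\d+)\)", entry["enc"])
    entry["enc_bits"] = int(bits.group(1)) if bits else 0   # Enc=None carries no key size
    entry["export"] = entry["export"] is not None
    return entry


def findings(entry):
    """Reasons this suite should not be offered (empty list means no finding)."""
    problems = []
    if entry["au"] == "None":
        problems.append("no authentication (anonymous key exchange)")
    if entry["enc"] == "None":
        problems.append("no encryption")
    elif entry["export"]:
        problems.append("export-strength cipher")
    elif entry["enc_bits"] < 128:          # editor's threshold, not an OpenSSL rule
        problems.append("encryption key shorter than 128 bits")
    if entry["proto"] == "SSLv2":
        problems.append("SSLv2-only suite")
    return problems


def audit(text):
    """Map (name, protocol) to its findings for every parsable line of `text`."""
    report = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            report[(entry["name"], entry["proto"])] = findings(entry)
    return report


if __name__ == "__main__":
    # Pipe real output in (`openssl ciphers -v 'SPEC' | python audit.py`),
    # otherwise the constructed sample is audited.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for (name, proto), problems in audit(data).items():
        print(f"{name:26s} {proto:6s} {'; '.join(problems) if problems else 'ok'}")
```

<p>Run against a candidate <em>cipher-spec</em>, an empty finding list for every line is the condition to aim for before putting the string into <code>SSLCipherSuite</code>.</p>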
<p>The complete list of particular RSA &amp; DH ciphers for SSL is given in <a href="#table2">Table 2</a>.</p>
<div class="example"><h3>Example</h3><p><code>
SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
</code></p></div>
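<p>To make the prefix rules concrete, here is a small model, added as an example and not taken from mod_ssl or OpenSSL, of how a <em>cipher-spec</em> such as the default string or the <code>RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW</code> example above is resolved: each cipher carries the tags from Table 1, a token like <code>RC4+RSA</code> matches only ciphers carrying every listed tag, and the four prefixes are applied left to right. The cipher table is a constructed subset of Table 2. Two points of the model are assumptions stated here rather than taken from the page: <code>+</code> is implemented as in OpenSSL, where it only moves ciphers already in the list to the end, and <code>ALL</code> is treated as every cipher in the table so that the NULL suites appear first as in the output shown above (current OpenSSL leaves <code>eNULL</code> suites out of <code>ALL</code>).</p>

```python
"""Model of how an SSLCipherSuite cipher-spec is resolved: tags, aliases and
the prefixes none / + / - / ! applied to a constructed subset of Table 2.
Added example, not mod_ssl or OpenSSL code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str
    proto: str
    tags: frozenset   # key exchange, authentication, encryption, MAC and group aliases


def _c(name, proto, *tags):
    return Cipher(name, proto, frozenset(tags) | {proto})


# Constructed subset of Table 2, in the order a cipher table would list them.
# ADH suites are ephemeral DH with no authentication (kEDH + aNULL), as in OpenSSL.
CIPHERS = [
    _c("NULL-SHA", "SSLv3", "kRSA", "aRSA", "eNULL", "SHA1", "RSA", "NULL"),
    _c("NULL-MD5", "SSLv3", "kRSA", "aRSA", "eNULL", "MD5", "RSA", "NULL"),
    _c("EDH-RSA-DES-CBC3-SHA", "SSLv3", "kEDH", "aRSA", "3DES", "SHA1", "DH", "EDH", "HIGH"),
    _c("DES-CBC3-SHA", "SSLv3", "kRSA", "aRSA", "3DES", "SHA1", "RSA", "HIGH"),
    _c("RC4-SHA", "SSLv3", "kRSA", "aRSA", "RC4", "SHA1", "RSA", "MEDIUM"),
    _c("RC4-MD5", "SSLv3", "kRSA", "aRSA", "RC4", "MD5", "RSA", "MEDIUM"),
    _c("DES-CBC-SHA", "SSLv3", "kRSA", "aRSA", "DES", "SHA1", "RSA", "LOW"),
    _c("ADH-RC4-MD5", "SSLv3", "kEDH", "aNULL", "RC4", "MD5", "DH", "ADH", "MEDIUM"),
    _c("EXP-RC4-MD5", "SSLv3", "kRSA", "aRSA", "RC4", "MD5", "RSA", "EXP", "EXPORT40"),
    _c("EXP-RC2-CBC-MD5", "SSLv2", "kRSA", "aRSA", "RC2", "MD5", "RSA", "EXP", "EXPORT40"),
]


def matches(cipher, token):
    """'RC4+RSA' matches only ciphers carrying every listed tag. In this model
    ALL selects every cipher in the table (assumption: matches the output shown
    on the page; current OpenSSL leaves eNULL suites out of ALL)."""
    if token == "ALL":
        return True
    return all(tag in cipher.tags for tag in token.split("+"))


def resolve(spec, table=CIPHERS):
    """Apply the cipher-spec left to right and return the ordered cipher list."""
    selected = []
    killed = set()        # '!' removes for good; no later token can re-add these
    for word in spec.split(":"):
        if not word:
            continue
        prefix, token = (word[0], word[1:]) if word[0] in "+-!" else ("", word)
        hits = {c for c in table if matches(c, token)}
        if prefix == "":
            # no prefix: append matching ciphers not yet selected (and not killed)
            selected += [c for c in table
                         if c in hits and c not in selected and c not in killed]
        elif prefix == "+":
            # '+' only reorders: matching ciphers already selected move to the end
            selected = ([c for c in selected if c not in hits]
                        + [c for c in selected if c in hits])
        elif prefix == "-":
            # '-' removes matching ciphers; a later plain token can add them back
            selected = [c for c in selected if c not in hits]
        else:
            # '!' removes matching ciphers for the rest of the spec
            killed |= hits
            selected = [c for c in selected if c not in hits]
    return selected


def names(spec):
    """Cipher names in negotiation order, handy for comparing two specs."""
    return [c.name for c in resolve(spec)]


if __name__ == "__main__":
    for spec in ("ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP",
                 "RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW"):
        print(spec)
        for c in resolve(spec):
            print(f"  {c.name:24s} {c.proto}")
```

<p>Running the two specs side by side shows the difference between <code>-</code> and <code>!</code> directly: <code>RSA:-EXP:EXP</code> ends with the export suites appended again, while <code>RSA:!EXP:EXP</code> never gets them back.</p>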
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="bordered">
<tr><th><a name="table2">Cipher-Tag</a></th><th>Protocol</th><th>Key Ex.</th><th>Auth.</th><th>Enc.</th><th>MAC</th><th>Type</th></tr>
<tr><td colspan="7"><em>RSA Ciphers:</em></td></tr>
<tr><td><code>DES-CBC3-SHA</code></td><td>SSLv3</td><td>RSA</td><td>RSA</td><td>3DES(168)</td><td>SHA1</td><td /></tr>
<tr><td><code>DES-CBC3-MD5</code></td><td>SSLv2</td><td>RSA</td><td>RSA</td><td>3DES(168)</td><td>MD5</td><td /></tr>
<tr><td><code>IDEA-CBC-SHA</code></td><td>SSLv3</td><td>RSA</td><td>RSA</td><td>IDEA(128)</td><td>SHA1</td><td /></tr>
<tr><td><code>RC4-SHA</code></td><td>SSLv3</td><td>RSA</td><td>RSA</td><td>RC4(128)</td><td>SHA1</td><td /></tr>
<tr><td><code>RC4-MD5</code></td><td>SSLv3</td><td>RSA</td><td>RSA</td><td>RC4(128)</td><td>MD5</td><td /></tr>
<tr><td><code>IDEA-CBC-MD5</code></td><td>SSLv2</td><td>RSA</td><td>RSA</td><td>IDEA(128)</td><td>MD5</td><td /></tr>
<tr><td><code>RC2-CBC-MD5</code></td><td>SSLv2</td><td>RSA</td><td>RSA</td><td>RC2(128)</td><td>MD5</td><td /></tr>
<tr><td><code>RC4-MD5</code></td><td>SSLv2</td><td>RSA</td><td>RSA</td><td>RC4(128)</td><td>MD5</td><td /></tr>
<tr><td><code>DES-CBC-SHA</code></td><td>SSLv3</td><td>RSA</td><td>RSA</td><td>DES(56)</td><td>SHA1</td><td /></tr>
<tr><td><code>RC4-64-MD5</code></td><td>SSLv2</td><td>RSA</td><td>RSA</td><td>RC4(64)</td><td>MD5</td><td /></tr>
<tr><td><code>DES-CBC-MD5</code></td><td>SSLv2</td><td>RSA</td><td>RSA</td><td>DES(56)</td><td>MD5</td><td /></tr>
<tr><td><code>EXP-DES-CBC-SHA</code></td><td>SSLv3</td><td>RSA(512)</td><td>RSA</td><td>DES(40)</td><td>SHA1</td><td> export</td></tr>
<tr><td><code>EXP-RC2-CBC-MD5</code></td><td>SSLv3</td><td>RSA(512)</td><td>RSA</td><td>RC2(40)</td><td>MD5</td><td> export</td></tr>
<tr><td><code>EXP-RC4-MD5</code></td><td>SSLv3</td><td>RSA(512)</td><td>RSA</td><td>RC4(40)</td><td>MD5</td><td> export</td></tr>
<tr><td><code>EXP-RC2-CBC-MD5</code></td><td>SSLv2</td><td>RSA(512)</td><td>RSA</td><td>RC2(40)</td><td>MD5</td><td> export</td></tr>
<tr><td><code>EXP-RC4-MD5</code></td><td>SSLv2</td><td>RSA(512)</td><td>RSA</td><td>RC4(40)</td><td>MD5</td><td> export</td></tr>
<tr><td><code>NULL-SHA</code></td><td>SSLv3</td><td>RSA</td><td>RSA</td><td>None</td><td>SHA1</td><td /></tr>
<tr><td><code>NULL-MD5</code></td><td>SSLv3</td><td>RSA</td><td>RSA</td><td>None</td><td>MD5</td><td /></tr>
<tr><td colspan="7"><em>Diffie-Hellman Ciphers:</em></td></tr>
<tr><td><code>ADH-DES-CBC3-SHA</code></td><td>SSLv3</td><td>DH</td><td>None</td><td>3DES(168)</td><td>SHA1</td><td /></tr>
<tr><td><code>ADH-DES-CBC-SHA</code></td><td>SSLv3</td><td>DH</td><td>None</td><td>DES(56)</td><td>SHA1</td><td /></tr>
<tr><td><code>ADH-RC4-MD5</code></td><td>SSLv3</td><td>DH</td><td>None</td><td>RC4(128)</td><td>MD5</td><td /></tr>
<tr><td><code>EDH-RSA-DES-CBC3-SHA</code></td><td>SSLv3</td><td>DH</td><td>RSA</td><td>3DES(168)</td><td>SHA1</td><td /></tr>
<tr><td><code>EDH-DSS-DES-CBC3-SHA</code></td><td>SSLv3</td><td>DH</td><td>DSS</td><td>3DES(168)</td><td>SHA1</td><td /></tr>
<tr><td><code>EDH-RSA-DES-CBC-SHA</code></td><td>SSLv3</td><td>DH</td><td>RSA</td><td>DES(56)</td><td>SHA1</td><td /></tr>
<tr><td><code>EDH-DSS-DES-CBC-SHA</code></td><td>SSLv3</td><td>DH</td><td>DSS</td><td>DES(56)</td><td>SHA1</td><td /></tr>
<tr><td><code>EXP-EDH-RSA-DES-CBC-SHA</code></td><td>SSLv3</td><td>DH(512)</td><td>RSA</td><td>DES(40)</td><td>SHA1</td><td> export</td></tr>
<tr><td><code>EXP-EDH-DSS-DES-CBC-SHA</code></td><td>SSLv3</td><td>DH(512)</td><td>DSS</td><td>DES(40)</td><td>SHA1</td><td> export</td></tr>
<tr><td><code>EXP-ADH-DES-CBC-SHA</code></td><td>SSLv3</td><td>DH(512)</td><td>None</td><td>DES(40)</td><td>SHA1</td><td> export</td></tr>
<tr><td><code>EXP-ADH-RC4-MD5</code></td><td>SSLv3</td><td>DH(512)</td><td>None</td><td>RC4(40)</td><td>MD5</td><td> export</td></tr>
</table>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLCryptoDevice" id="SSLCryptoDevice">SSLCryptoDevice</a> <a name="sslcryptodevice" id="sslcryptodevice">Directive</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">Description</a></th><td>Enable use of a cryptographic hardware accelerator</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax</a></th><td><code>SSLCryptoDevice <em>engine</em></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default</a></th><td><code>SSLCryptoDevice builtin</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module</a></th><td>mod_ssl</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility</a></th><td>Available if mod_ssl is built using <code>-DSSL_ENGINE_EXPERIMENTAL</code></td></tr>
</table>
<p>
This directive enables use of a cryptographic hardware accelerator
board to offload some of the SSL processing overhead. This directive
can only be used if the SSL toolkit is built with "engine" support;
OpenSSL 0.9.7 and later releases have "engine" support by default, while
for OpenSSL 0.9.6 the separate "-engine" releases must be used.</p>
<p>To discover which engine names are supported, run the command
"<code>openssl engine</code>".</p>
<div class="example"><h3>Example</h3><p><code>
# For a Broadcom accelerator:<br />
SSLCryptoDevice ubsec
</code></p></div>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLEngine" id="SSLEngine">SSLEngine</a> <a name="sslengine" id="sslengine">Directive</a></h2>
<table border="1" cellpadding="0" cellspacing="0" bordercolor="#AAAAAA" class="directive">
<tr><th><a href="directive-dict.html#Description">Description</a></th><td>SSL Engine Operation Switch</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax</a></th><td><code>SSLEngine on|off|optional</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default</a></th><td><code>SSLEngine off</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context</a></th><td>server config, virtual host</td></tr>
<tr><th><a href="directive-dict.html#Status">Status</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module</a></th><td>mod_ssl</td></tr>
</table>
<p>
This directive toggles the usage of the SSL/TLS Protocol Engine. This
is usually used inside a <code class="directive"><a href="../mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code> section to enable SSL/TLS for a
particular virtual host. By default the SSL/TLS Protocol Engine is
disabled for both the main server and all configured virtual hosts.</p>
<div class="example"><h3>Example</h3><p><code>
&lt;VirtualHost _default_:443&gt;<br />
SSLEngine on<br />
...<br />
&lt;/VirtualHost&gt;
</code></p></div>
<p>In Apache 2.1 and later, <code class="directive">SSLEngine</code> can be set to
<code>optional</code>. This enables support for
<a href="http://www.ietf.org/rfc/rfc2817.txt">RFC 2817</a>, Upgrading to TLS
Within HTTP/1.1. At this time no web browsers support RFC 2817.</p>