ssl_reference.wml

mod_ssl-2.8.31-1.3.41.tar.gz 好用的ssl工具

<li><code>egd:/path/to/egd-socket</code> (Unix only)
    <p>
    This variant uses the Unix domain socket of the
    external Entropy Gathering Daemon (EGD) (see <a
    href="http://www.lothar.com/tech/crypto/">http://www.lothar.com/tech
    /crypto/</a>) to seed the PRNG. Use this if no random device exists
    on your platform.
</ul>

<p>
Example:
<blockquote>
<pre>
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/random
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed startup exec:/usr/local/bin/truerand 16
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/random
SSLRandomSeed connect file:/dev/urandom 1024
</pre>
</blockquote>


<!-- SSLSessionCache ------------------------------------------------>

<p>
<br>
<a name="SSLSessionCache"></a>
<h2>SSLSessionCache</h2>

<directive
    name="SSLSessionCache"
    description="Type of the global/inter-process SSL Session Cache"
    syntax="<code>SSLSessionCache</code> <em>type</em>"
    default="<code>SSLSessionCache none</code>"
    context="server config"
    override="<em>Not applicable</em>"
    compat="mod_ssl 2.1"
>

<p>
This configures the storage type of the global/inter-process SSL Session
Cache. This cache is an optional facility which speeds up parallel request
processing. For requests to the same server process (via HTTP keep-alive),
OpenSSL already caches the SSL session information locally. But because modern
clients request inlined images and other data via parallel requests (usually
up to four parallel requests are common) those requests are served by
<em>different</em> pre-forked server processes. Here an inter-process cache
helps to avoid unneccessary session handshakes.

<p>
The following two storage <em>type</em>s are currently supported:

<ul>
<li><code>none</code>
    <p>
    This is the default and just disables the global/inter-process Session
    Cache. There is no drawback in functionality, but a noticeable speed
    penalty can be observed.
<p>
<li><code>dbm:/path/to/datafile</code>
    <p>
    This makes use of a DBM hashfile on the local disk to synchronize the
    local OpenSSL memory caches of the server processes. The slight increase
    in I/O on the server results in a visible request speedup for your
    clients, so this type of storage is generally recommended.
<p>
<li><code>shm:/path/to/datafile</code>[<code>(</code><i>size</i><code>)</code>]
    <p>
    This makes use of a high-performance hash table (approx. <i>size</i> bytes
    in size) inside a shared memory segment in RAM (established via
    <code>/path/to/datafile</code>) to synchronize the local OpenSSL memory
    caches of the server processes.  This storage type is not available on all
    platforms. See the mod_ssl <code>INSTALL</code> document for details on
    how to build Apache+EAPI with shared memory support.
</ul>

<p>
Examples:
<blockquote>
<pre>
SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data
SSLSessionCache shm:/usr/local/apache/logs/ssl_gcache_data(512000)
</pre>
</blockquote>


<!-- SSLSessionCacheTimeout ----------------------------------------->

<p>
<br>
<a name="SSLSessionCacheTimeout"></a>
<h2>SSLSessionCacheTimeout</h2>

<directive
    name="SSLSessionCacheTimeout"
    description="Number of seconds before an SSL session expires in the Session Cache"
    syntax="<code>SSLSessionCacheTimeout</code> <em>seconds</em>"
    default="<code>SSLSessionCacheTimeout 300</code>"
    context="server config, virtual host"
    override="<em>Not applicable</em>"
    compat="mod_ssl 2.0"
>

<p>
This directive sets the timeout in seconds for the information stored in the
global/inter-process SSL Session Cache and the OpenSSL internal memory cache.
It can be set as low as 15 for testing, but should be set to higher
values like 300 in real life.

<p>
Example:
<blockquote>
<pre>
SSLSessionCacheTimeout 600
</pre>
</blockquote>


<!-- SSLEngine ------------------------------------------------------>

<p>
<br>
<a name="SSLEngine"></a>
<h2>SSLEngine</h2>

<directive
    name="SSLEngine"
    description="SSL Engine Operation Switch"
    syntax="<code>SSLEngine</code> <em>on|off</em>"
    default="<code>SSLEngine off</code>"
    context="server config, virtual host"
    override="<em>Not applicable</em>"
    compat="mod_ssl 2.1"
>

<p>
This directive toggles the usage of the SSL/TLS Protocol Engine. This is
usually used inside a &lt;VirtualHost&gt; section to enable SSL/TLS for a
particular virtual host. By default the SSL/TLS Protocol Engine is disabled
for both the main server and all configured virtual hosts. 

<p>
Example:
<blockquote>
<pre>
&lt;VirtualHost _default_:443&gt;
SSLEngine on
...
&lt;/VirtualHost&gt;
</pre>
</blockquote>


<!-- SSLProtocol ---------------------------------------------------->

<p>
<br>
<a name="SSLProtocol"></a>
<h2>SSLProtocol</h2>

<directive
    name="SSLProtocol"
    description="Configure usable SSL protocol flavors"
    syntax="<code>SSLProtocol</code> [+-]<em>protocol</em> ..."
    default="<code>SSLProtocol all</code>"
    context="server config, virtual host"
    override="Options"
    compat="mod_ssl 2.2"
>

<p>
This directive can be used to control the SSL protocol flavors mod_ssl should
use when establishing its server environment.  Clients then can only connect
with one of the provided protocols.

<p>
The available (case-insensitive) <em>protocol</em>s are:

<ul>
<li><code>SSLv2</code>
    <p>
    This is the Secure Sockets Layer (SSL) protocol, version 2.0. It is the
    original SSL protocol as designed by Netscape Corporation.
<p>
<li><code>SSLv3</code>
    <p>
    This is the Secure Sockets Layer (SSL) protocol, version 3.0.  It is the
    successor to SSLv2 and the currently (as of February 1999) de-facto
    standardized SSL protocol from Netscape Corporation. It's supported by
    almost all popular browsers.
<p>
<li><code>TLSv1</code>
    <p>
    This is the Transport Layer Security (TLS) protocol, version 1.0.  It is the
    successor to SSLv3 and currently (as of February 1999) still under
    construction by the Internet Engineering Task Force (IETF).  It's still
    not supported by any popular browsers.
<p>
<li><code>All</code>
    <p>
    This is a shortcut for ``<code>+SSLv2 +SSLv3 +TLSv1</code>'' and a
    convinient way for enabling all protocols except one when used in
    combination with the minus sign on a protocol as the example above shows.
</ul>

<p>
Example:
<blockquote>
<pre>
\#   enable SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
</pre>
</blockquote>


<!-- SSLCipherSuite ------------------------------------------------->

<p>
<br>
<a name="SSLCipherSuite"></a>
<h2>SSLCipherSuite</h2>

<directive
    name="SSLCipherSuite"
    description="Cipher Suite available for negotiation in SSL handshake"
    syntax="<code>SSLCipherSuite</code> <em>cipher-spec</em>"
    default="<code>SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>"
    context="server config, virtual host, directory, .htaccess"
    override="AuthConfig"
    compat="mod_ssl 2.1"
>

<p>
This complex directive uses a colon-separated <em>cipher-spec</em> string
consisting of OpenSSL cipher specifications to configure the Cipher Suite the
client is permitted to negotiate in the SSL handshake phase. Notice that this
directive can be used both in per-server and per-directory context. In
per-server context it applies to the standard SSL handshake when a connection
is established. In per-directory context it forces a SSL renegotation with the
reconfigured Cipher Suite after the HTTP request was read but before the HTTP
response is sent.

<p>
An SSL cipher specification in <em>cipher-spec</em> is composed of 4 major
attributes plus a few extra minor ones:

<ul>
<li><em>Key Exchange Algorithm</em>:<br>
    RSA or Diffie-Hellman variants.
<p>
<li><em>Authentication Algorithm</em>:<br>
    RSA, Diffie-Hellman, DSS or none.
<p>
<li><em>Cipher/Encryption Algorithm</em>:<br>
    DES, Triple-DES, RC4, RC2, IDEA or none.
<p>
<li><em>MAC Digest Algorithm</em>:<br>
    MD5, SHA or SHA1.
</ul>

An SSL cipher can also be an export cipher and is either a SSLv2 or SSLv3/TLSv1
cipher (here TLSv1 is equivalent to SSLv3). To specify which ciphers to use,
one can either specify all the Ciphers, one at a time, or use aliases to
specify the preference and order for the ciphers (see <a href="#table1">Table
1</a>).  

<p>
<float name="table1" caption="Table 1: OpenSSL Cipher Specification Tags">
<table border="0" cellspacing="0" cellpadding="2" width=598>
<tr id=D><td><b>Tag</b></td> <td><b>Description</b></td>

<tr id=H><td colspan=2><em>Key Exchange Algorithm:</em></td></tr>
<tr id=D><td><code>kRSA</code></td>   <td>RSA key exchange</td></tr>
<tr id=H><td><code>kDHr</code></td>   <td>Diffie-Hellman key exchange with RSA key</td></tr>
<tr id=D><td><code>kDHd</code></td>   <td>Diffie-Hellman key exchange with DSA key</td></tr>
<tr id=H><td><code>kEDH</code></td>   <td>Ephemeral (temp.key) Diffie-Hellman key exchange (no cert)</td>   </tr>

<tr id=H><td colspan=2><em>Authentication Algorithm:</em></td></tr>
<tr id=D><td><code>aNULL</code></td>  <td>No authentication</td></tr>
<tr id=H><td><code>aRSA</code></td>   <td>RSA authentication</td></tr>
<tr id=D><td><code>aDSS</code></td>   <td>DSS authentication</td> </tr>
<tr id=H><td><code>aDH</code></td>    <td>Diffie-Hellman authentication</td></tr>

<tr id=D><td colspan=2><em>Cipher Encoding Algorithm:</em></td></tr></tr>
<tr id=H><td><code>eNULL</code></td>  <td>No encoding</td>         </tr>
<tr id=D><td><code>DES</code></td>    <td>DES encoding</td>        </tr>
<tr id=H><td><code>3DES</code></td>   <td>Triple-DES encoding</td> </tr>
<tr id=D><td><code>RC4</code></td>    <td>RC4 encoding</td>       </tr>
<tr id=H><td><code>RC2</code></td>    <td>RC2 encoding</td>       </tr>
<tr id=D><td><code>IDEA</code></td>   <td>IDEA encoding</td>       </tr>

<tr id=H><td colspan=2><em>MAC Digest Algorithm</em>:</td></tr>
<tr id=D><td><code>MD5</code></td>    <td>MD5 hash function</td></tr>
<tr id=H><td><code>SHA1</code></td>   <td>SHA1 hash function</td></tr>
<tr id=D><td><code>SHA</code></td>    <td>SHA hash function</td> </tr>

<tr id=H><td colspan=2><em>Aliases:</em></td></tr>
<tr id=D><td><code>SSLv2</code></td>  <td>all SSL version 2.0 ciphers</td></tr>
<tr id=H><td><code>SSLv3</code></td>  <td>all SSL version 3.0 ciphers</td> </tr>
<tr id=D><td><code>TLSv1</code></td>  <td>all TLS version 1.0 ciphers</td> </tr>
<tr id=H><td><code>EXP</code></td>    <td>all export ciphers</td>  </tr>
<tr id=D><td><code>EXPORT40</code></td> <td>all 40-bit export ciphers only</td>  </tr>
<tr id=H><td><code>EXPORT56</code></td> <td>all 56-bit export ciphers only</td>  </tr>
<tr id=D><td><code>LOW</code></td>    <td>all low strength ciphers (no export, single DES)</td></tr>
<tr id=H><td><code>MEDIUM</code></td> <td>all ciphers with 128 bit encryption</td> </tr>
<tr id=D><td><code>HIGH</code></td>   <td>all ciphers using Triple-DES</td>     </tr>
<tr id=H><td><code>RSA</code></td>    <td>all ciphers using RSA key exchange</td> </tr>
<tr id=D><td><code>DH</code></td>     <td>all ciphers using Diffie-Hellman key exchange</td> </tr>
<tr id=H><td><code>EDH</code></td>    <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr>
<tr id=D><td><code>ADH</code></td>    <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr>
<tr id=H><td><code>DSS</code></td>    <td>all ciphers using DSS authentication</td> </tr>
<tr id=D><td><code>NULL</code></td>   <td>all ciphers using no encryption</td> </tr>

</table>
</float>