
📄 ssl_howto.html

📁 mod_ssl-2.8.31-1.3.41.tar.gz a handy SSL tool
💻 HTML
📖 Page 1 of 3
<table border="0" cellpadding="0" cellspacing="0" summary="">    <tr>        <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>        <td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>        <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr>    <tr>        <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>        <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr>    <tr>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>         <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>         <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>    </tr>    <tr>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>         <td colspan="3" bgcolor="#ffffff">             <table border="0" cellspacing="4" summary="">                 <tr>                     <td><pre>SSLProtocol -all +SSLv2
SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP</pre></td>                 </tr>             </table>         </td>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr>    <tr>         <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" 
alt="" width="1" height="1" align="bottom" border="0"></td>    </tr></table><p><li><a name="ToC3"></a>    <a name="cipher-strong"></a>    <strong id="howto">How can I create an SSL server which accepts strong encryption only?</strong>&nbsp;&nbsp;    [<a href="http://www.modssl.org/docs/2.8/ssl_howto.html#cipher-strong"><b>L</b></a>]    <p>The following enables only the seven strongest ciphers:<p><table border="0" cellpadding="0" cellspacing="0" summary="">    <tr>        <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>        <td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>        <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr>    <tr>        <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>        <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr>    <tr>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>         <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>         <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>    </tr>    <tr>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>         <td colspan="3" bgcolor="#ffffff">             <table border="0" cellspacing="4" summary="">                 <tr>         
            <td><pre>SSLProtocol all
SSLCipherSuite HIGH:MEDIUM</pre></td>                 </tr>             </table>         </td>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr>    <tr>         <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr></table><p><li><a name="ToC4"></a>    <a name="cipher-sgc"></a>    <strong id="howto">How can I create an SSL server which accepts strong encryption only, but allows export browsers to upgrade to stronger encryption?</strong>&nbsp;&nbsp;    [<a href="http://www.modssl.org/docs/2.8/ssl_howto.html#cipher-sgc"><b>L</b></a>]    <p>This facility is called Server Gated Cryptography (SGC) and you can find details in the <code>README.GlobalID</code> document in the mod_ssl distribution. In short: The server has a Global ID server certificate, signed by a special CA certificate from Verisign which enables strong encryption in export browsers. This works as follows: The browser connects with an export cipher, the server sends its Global ID certificate, the browser verifies it and subsequently upgrades the cipher suite before any HTTP communication takes place. The question now is: How can we allow this upgrade, but enforce strong encryption? Or in other words: Browsers either have to initially connect with strong encryption or have to upgrade to strong encryption, but are not allowed to keep the export ciphers. 
The following does the trick:<p><table border="0" cellpadding="0" cellspacing="0" summary="">    <tr>        <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>        <td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>        <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr>    <tr>        <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>        <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr>    <tr>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>         <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>         <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>    </tr>    <tr>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>         <td colspan="3" bgcolor="#ffffff">             <table border="0" cellspacing="4" summary="">                 <tr>                     <td><pre>#   allow all ciphers for the initial handshake,
#   so export browsers can upgrade via SGC facility
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
&lt;Directory /usr/local/apache/htdocs&gt;
#   but finally deny all browsers which haven't upgraded
SSLRequire %{SSL_CIPHER_USEKEYSIZE} &gt;= 128
&lt;/Directory&gt;</pre></td>       
          </tr>             </table>         </td>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr>    <tr>         <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr></table><p><li><a name="ToC5"></a>    <a name="cipher-perdir"></a>    <strong id="howto">How can I create an SSL server which accepts all types of ciphers in general, but requires strong ciphers for access to a particular URL?</strong>&nbsp;&nbsp;    [<a href="http://www.modssl.org/docs/2.8/ssl_howto.html#cipher-perdir"><b>L</b></a>]    <p>Obviously you cannot just use a server-wide <code>SSLCipherSuite</code> which restricts the ciphers to the strong variants. But mod_ssl allows you to reconfigure the cipher suite in per-directory context and automatically forces a renegotiation of the SSL parameters to meet the new configuration. So, the solution is:<p><table border="0" cellpadding="0" cellspacing="0" summary="">    <tr>        <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>        <td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>        <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr>    <tr>        <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>        <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr>    <tr>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>         <td bgcolor="#ffffff"><img 
src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>         <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>    </tr>    <tr>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>         <td colspan="3" bgcolor="#ffffff">             <table border="0" cellspacing="4" summary="">                 <tr>                     <td><pre>#   be liberal in general
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
&lt;Location /strong/area&gt;
#   but https://hostname/strong/area/ and below requires strong ciphers
SSLCipherSuite HIGH:MEDIUM
&lt;/Location&gt;</pre></td>                 </tr>             </table>         </td>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr>    <tr>         <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr></table></ul><h2><a name="ToC6">Client Authentication and Access Control</a></h2><ul><p><li><a name="ToC7"></a>    <a name="auth-simple"></a>    <strong id="howto">How can I authenticate clients based on certificates when I know all my clients?</strong>&nbsp;&nbsp;    [<a href="http://www.modssl.org/docs/2.8/ssl_howto.html#auth-simple"><b>L</b></a>]    <p>When you know your user community (i.e. a closed user group situation), as is the case for instance in an Intranet, you can use plain certificate authentication. 
All you have to do is to create client certificates signed by your own CA certificate <code>ca.crt</code> and then verify the clients against this certificate.<p><table border="0" cellpadding="0" cellspacing="0" summary="">    <tr>        <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>        <td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>        <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr>    <tr>        <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>        <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr>    <tr>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>         <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>         <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>    </tr>    <tr>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>         <td colspan="3" bgcolor="#ffffff">             <table border="0" cellspacing="4" summary="">                 <tr>                     <td><pre>#   require a client certificate which has to be directly
#   signed by our CA certificate in ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile conf/ssl.crt/ca.crt</pre></td>                 </tr>      
       </table>         </td>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr>    <tr>         <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr></table><p><li><a name="ToC8"></a>    <a name="auth-selective"></a>    <strong id="howto">How can I authenticate my clients for a particular URL based on certificates but still allow arbitrary clients to access the remaining parts of the server?</strong>&nbsp;&nbsp;    [<a href="http://www.modssl.org/docs/2.8/ssl_howto.html#auth-selective"><b>L</b></a>]    <p>For this we again use the per-directory reconfiguration feature of mod_ssl:<p><table border="0" cellpadding="0" cellspacing="0" summary="">    <tr>        <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>        <td rowspan="3">&nbsp;&nbsp;<font face="Arial,Helvetica" color="#999999">httpd.conf</font>&nbsp;&nbsp;</td>        <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr>    <tr>        <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>        <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>    </tr>    <tr>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>         <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>         <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>         <td bgcolor="#cccccc"><img 
src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>    </tr>    <tr>         <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>         <td colspan="3" bgcolor="#ffffff">             <table border="0" cellspacing="4" summary="">                 <tr>                     <td><pre>SSLVerifyClient none
SSLCACertificateFile conf/ssl.crt/ca.crt
&lt;Location /secure/area&gt;
SSLVerifyClient require
SSLVerifyDepth 1
&lt;/Location&gt;</pre></td>
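
Added example (not part of the mod_ssl documentation): a small Python check over the cipher recipes above. It resolves `SSLProtocol` tokens and reports weak cipher classes named in `SSLCipherSuite` per container, which shows that `SSLProtocol all` in the "strong encryption only" recipe still leaves SSLv2 and SSLv3 enabled. The function names and `SAMPLE` are constructed for illustration, and the cipher check is a name-based heuristic rather than OpenSSL's own cipher-string resolution.

```python
import re
# Protocols that "all" expands to in mod_ssl 2.8's SSLProtocol directive.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
BROKEN_PROTOCOLS = {"SSLv2", "SSLv3"}
# OpenSSL cipher-string classes that select weak or unauthenticated suites.
WEAK_CLASSES = {"EXP", "EXPORT", "LOW", "eNULL", "NULL", "aNULL", "ADH", "SSLv2"}

def enabled_protocols(args):
    """Apply SSLProtocol tokens left to right: all, -all, +X, -X or bare X."""
    enabled = set()
    for tok in args.split():
        name = tok.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return enabled

def weak_cipher_classes(spec):
    """Name-based heuristic (not OpenSSL's resolver): classes not behind ! or -."""
    found = set()
    for tok in spec.split(":"):
        if not tok.startswith(("!", "-")):  # exclusions are fine
            found |= WEAK_CLASSES & set(tok.lstrip("+").split("+"))
    return found

def audit(conf):
    """Return (line_no, context, directive, problems) for each weak directive."""
    findings, context = [], ["server"]
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        opened, bad = re.match(r"<(\w+)\s+([^>]+)>", line), set()
        if line.startswith("</") and len(context) > 1:
            context.pop()
        elif opened:
            context.append(f"{opened.group(1)} {opened.group(2)}")
        elif line.startswith("SSLProtocol "):
            bad = enabled_protocols(line.split(None, 1)[1]) & BROKEN_PROTOCOLS
        elif line.startswith("SSLCipherSuite "):
            bad = weak_cipher_classes(line.split(None, 1)[1])
        if bad:
            findings.append((no, context[-1], line.split()[0], sorted(bad)))
    return findings

# Constructed sample assembled from the directives shown in the recipes above.
SAMPLE = """\
SSLProtocol all
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
<Location /strong/area>
SSLCipherSuite HIGH:MEDIUM
</Location>
"""
```

Running `audit(SAMPLE)` reports the server-wide protocol and cipher lines and stays silent on the `<Location /strong/area>` override; `enabled_protocols("all -SSLv2 -SSLv3")` leaves only TLSv1.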
