ssl_reference.html

mod_ssl-2.8.31-1.3.41.tar.gz 好用的ssl工具

<li><code>file:/path/to/source</code>
    <p>
    This variant uses an external file <code>/path/to/source</code> as the
    source for seeding the PRNG. When <em>bytes</em> is specified, only the
    first <em>bytes</em> number of bytes of the file form the entropy (and
    <em>bytes</em> is given to <code>/path/to/source</code> as the first
    argument). When <em>bytes</em> is not specified the whole file forms the
    entropy (and <code>0</code> is given to <code>/path/to/source</code> as
    the first argument). Use this especially at startup time, for instance
    with an available <code>/dev/random</code> and/or
    <code>/dev/urandom</code> devices (which usually exist on modern Unix
    derivates like FreeBSD and Linux).
    <p>
    <em>But be careful</em>: Usually <code>/dev/random</code> provides only as
    much entropy data as it actually has, i.e. when you request 512 bytes of
    entropy, but the device currently has only 100 bytes available two things
    can happen: On some platforms you receive only the 100 bytes while on
    other platforms the read blocks until enough bytes are available (which
    can take a long time). Here using an existing <code>/dev/urandom</code> is
    better, because it never blocks and actually gives the amount of requested
    data. The drawback is just that the quality of the received data may not
    be the best.
    <p>
    On some platforms like FreeBSD one can even control how the entropy is
    actually generated, i.e. by which system interrupts. More details one can
    find under <i>rndcontrol(8)</i> on those platforms. Alternatively, when
    your system lacks such a random device, you can use tool
    like <a href="http://www.lothar.com/tech/crypto/">EGD</a>
    (Entropy Gathering Daemon) and run it's client program with the
    <code>exec:/path/to/program/</code> variant (see below) or use
    <code>egd:/path/to/egd-socket</code> (see below).
<p>
<li><code>exec:/path/to/program</code>
    <p>
    This variant uses an external executable <code>/path/to/program</code> as
    the source for seeding the PRNG. When <em>bytes</em> is specified, only the
    first <em>bytes</em> number of bytes of its <code>stdout</code> contents
    form the entropy. When <em>bytes</em> is not specified, the entirety of
    the data produced on <code>stdout</code> form the entropy. Use this only
    at startup time when you need a very strong seeding with the help of an
    external program (for instance as in the example above with the
    <code>truerand</code> utility you can find in the mod_ssl distribution
    which is based on the AT&amp;T <em>truerand</em> library). Using this in
    the connection context slows down the server too dramatically, of course.
    So usually you should avoid using external programs in that context.
<p>
<li><code>egd:/path/to/egd-socket</code> (Unix only)
    <p>
    This variant uses the Unix domain socket of the
    external Entropy Gathering Daemon (EGD) (see <a
    href="http://www.lothar.com/tech/crypto/">http://www.lothar.com/tech
    /crypto/</a>) to seed the PRNG. Use this if no random device exists
    on your platform.
</ul>
<p>
Example:
<blockquote>
<pre>
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/random
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed startup exec:/usr/local/bin/truerand 16
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/random
SSLRandomSeed connect file:/dev/urandom 1024
</pre>
</blockquote>
<!-- SSLSessionCache ------------------------------------------------>
<p>
<br>
<a name="SSLSessionCache"></a>
<h2><a name="ToC5">SSLSessionCache</a></h2>
<table cellspacing="0" cellpadding="1" bgcolor="#cccccc" border="0" summary="">
<tr>
<td>
<table bgcolor="white" width="600" cellspacing="0" cellpadding="5" border="0" summary="">
<tr>
<td>
<table cellspacing="0" cellpadding="1" border="0" summary="">
<tr><td>
<font face="Arial,Helvetica"><b>Name:</b></font></a> </td><td> <b>SSLSessionCache</b></td></tr>
<tr><td>
<font face="Arial,Helvetica"><b>Description:</b></font></a> </td><td> Type of the global/inter-process SSL Session Cache</td></tr>
<tr><td><a
 href="../directive-dict.html#Syntax"
 rel="Help"
><font face="Arial,Helvetica"><b>Syntax:</b></font></a> </td><td> <code>SSLSessionCache</code> <em>type</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Default"
 rel="Help"
><font face="Arial,Helvetica"><b>Default:</b></font></a> </td><td> <code>SSLSessionCache none</code></td></tr>
<tr><td><a
 href="../directive-dict.html#Context"
 rel="Help"
><font face="Arial,Helvetica"><b>Context:</b></font></a> </td><td> server config</td></tr>
<tr><td><a
 href="../directive-dict.html#Override"
 rel="Help"
><font face="Arial,Helvetica"><b>Override:</b></font></a> </td><td> <em>Not applicable</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Status"
 rel="Help"
><font face="Arial,Helvetica"><b>Status:</b></font></a> </td><td> Extension</td></tr>
<tr><td><a
 href="../directive-dict.html#Module"
 rel="Help"
><font face="Arial,Helvetica"><b>Module:</b></font></a> </td><td> mod_ssl</td></tr>
<tr><td><a
 href="../directive-dict.html#Compatibility"
 rel="Help"
><font face="Arial,Helvetica"><b>Compatibility:</b></font></a> </td><td> mod_ssl 2.1 </td></tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
<p>
This configures the storage type of the global/inter-process SSL Session
Cache. This cache is an optional facility which speeds up parallel request
processing. For requests to the same server process (via HTTP keep-alive),
OpenSSL already caches the SSL session information locally. But because modern
clients request inlined images and other data via parallel requests (usually
up to four parallel requests are common) those requests are served by
<em>different</em> pre-forked server processes. Here an inter-process cache
helps to avoid unneccessary session handshakes.
<p>
The following two storage <em>type</em>s are currently supported:
<ul>
<li><code>none</code>
    <p>
    This is the default and just disables the global/inter-process Session
    Cache. There is no drawback in functionality, but a noticeable speed
    penalty can be observed.
<p>
<li><code>dbm:/path/to/datafile</code>
    <p>
    This makes use of a DBM hashfile on the local disk to synchronize the
    local OpenSSL memory caches of the server processes. The slight increase
    in I/O on the server results in a visible request speedup for your
    clients, so this type of storage is generally recommended.
<p>
<li><code>shm:/path/to/datafile</code>[<code>(</code><i>size</i><code>)</code>]
    <p>
    This makes use of a high-performance hash table (approx. <i>size</i> bytes
    in size) inside a shared memory segment in RAM (established via
    <code>/path/to/datafile</code>) to synchronize the local OpenSSL memory
    caches of the server processes. This storage type is not available on all
    platforms. See the mod_ssl <code>INSTALL</code> document for details on
    how to build Apache+EAPI with shared memory support.
</ul>
<p>
Examples:
<blockquote>
<pre>
SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data
SSLSessionCache shm:/usr/local/apache/logs/ssl_gcache_data(512000)
</pre>
</blockquote>
<!-- SSLSessionCacheTimeout ----------------------------------------->
<p>
<br>
<a name="SSLSessionCacheTimeout"></a>
<h2><a name="ToC6">SSLSessionCacheTimeout</a></h2>
<table cellspacing="0" cellpadding="1" bgcolor="#cccccc" border="0" summary="">
<tr>
<td>
<table bgcolor="white" width="600" cellspacing="0" cellpadding="5" border="0" summary="">
<tr>
<td>
<table cellspacing="0" cellpadding="1" border="0" summary="">
<tr><td>
<font face="Arial,Helvetica"><b>Name:</b></font></a> </td><td> <b>SSLSessionCacheTimeout</b></td></tr>
<tr><td>
<font face="Arial,Helvetica"><b>Description:</b></font></a> </td><td> Number of seconds before an SSL session expires in the Session Cache</td></tr>
<tr><td><a
 href="../directive-dict.html#Syntax"
 rel="Help"
><font face="Arial,Helvetica"><b>Syntax:</b></font></a> </td><td> <code>SSLSessionCacheTimeout</code> <em>seconds</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Default"
 rel="Help"
><font face="Arial,Helvetica"><b>Default:</b></font></a> </td><td> <code>SSLSessionCacheTimeout 300</code></td></tr>
<tr><td><a
 href="../directive-dict.html#Context"
 rel="Help"
><font face="Arial,Helvetica"><b>Context:</b></font></a> </td><td> server config, virtual host</td></tr>
<tr><td><a
 href="../directive-dict.html#Override"
 rel="Help"
><font face="Arial,Helvetica"><b>Override:</b></font></a> </td><td> <em>Not applicable</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Status"
 rel="Help"
><font face="Arial,Helvetica"><b>Status:</b></font></a> </td><td> Extension</td></tr>
<tr><td><a
 href="../directive-dict.html#Module"
 rel="Help"
><font face="Arial,Helvetica"><b>Module:</b></font></a> </td><td> mod_ssl</td></tr>
<tr><td><a
 href="../directive-dict.html#Compatibility"
 rel="Help"
><font face="Arial,Helvetica"><b>Compatibility:</b></font></a> </td><td> mod_ssl 2.0 </td></tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
<p>
This directive sets the timeout in seconds for the information stored in the
global/inter-process SSL Session Cache and the OpenSSL internal memory cache.
It can be set as low as 15 for testing, but should be set to higher
values like 300 in real life.
<p>
Example:
<blockquote>
<pre>
SSLSessionCacheTimeout 600
</pre>
</blockquote>
<!-- SSLEngine ------------------------------------------------------>
<p>
<br>
<a name="SSLEngine"></a>
<h2><a name="ToC7">SSLEngine</a></h2>
<table cellspacing="0" cellpadding="1" bgcolor="#cccccc" border="0" summary="">
<tr>
<td>
<table bgcolor="white" width="600" cellspacing="0" cellpadding="5" border="0" summary="">
<tr>
<td>
<table cellspacing="0" cellpadding="1" border="0" summary="">
<tr><td>
<font face="Arial,Helvetica"><b>Name:</b></font></a> </td><td> <b>SSLEngine</b></td></tr>
<tr><td>
<font face="Arial,Helvetica"><b>Description:</b></font></a> </td><td> SSL Engine Operation Switch</td></tr>
<tr><td><a
 href="../directive-dict.html#Syntax"
 rel="Help"
><font face="Arial,Helvetica"><b>Syntax:</b></font></a> </td><td> <code>SSLEngine</code> <em>on|off</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Default"
 rel="Help"
><font face="Arial,Helvetica"><b>Default:</b></font></a> </td><td> <code>SSLEngine off</code></td></tr>
<tr><td><a
 href="../directive-dict.html#Context"
 rel="Help"
><font face="Arial,Helvetica"><b>Context:</b></font></a> </td><td> server config, virtual host</td></tr>
<tr><td><a
 href="../directive-dict.html#Override"
 rel="Help"
><font face="Arial,Helvetica"><b>Override:</b></font></a> </td><td> <em>Not applicable</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Status"
 rel="Help"
><font face="Arial,Helvetica"><b>Status:</b></font></a> </td><td> Extension</td></tr>
<tr><td><a
 href="../directive-dict.html#Module"
 rel="Help"
><font face="Arial,Helvetica"><b>Module:</b></font></a> </td><td> mod_ssl</td></tr>
<tr><td><a
 href="../directive-dict.html#Compatibility"
 rel="Help"
><font face="Arial,Helvetica"><b>Compatibility:</b></font></a> </td><td> mod_ssl 2.1 </td></tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
<p>
This directive toggles the usage of the SSL/TLS Protocol Engine. This is
usually used inside a &lt;VirtualHost&gt; section to enable SSL/TLS for a
particular virtual host. By default the SSL/TLS Protocol Engine is disabled
for both the main server and all configured virtual hosts.
<p>
Example:
<blockquote>
<pre>
&lt;VirtualHost _default_:443&gt;
SSLEngine on
...
&lt;/VirtualHost&gt;
</pre>
</blockquote>
<!-- SSLProtocol ---------------------------------------------------->
<p>
<br>
<a name="SSLProtocol"></a>
<h2><a name="ToC8">SSLProtocol</a></h2>
<table cellspacing="0" cellpadding="1" bgcolor="#cccccc" border="0" summary="">
<tr>
<td>
<table bgcolor="white" width="600" cellspacing="0" cellpadding="5" border="0" summary="">
<tr>
<td>
<table cellspacing="0" cellpadding="1" border="0" summary="">
<tr><td>
<font face="Arial,Helvetica"><b>Name:</b></font></a> </td><td> <b>SSLProtocol</b></td></tr>
<tr><td>
<font face="Arial,Helvetica"><b>Description:</b></font></a> </td><td> Configure usable SSL protocol flavors</td></tr>
<tr><td><a