ssl_reference.html

mod_ssl-2.8.31-1.3.41.tar.gz 好用的ssl工具

 href="../directive-dict.html#Syntax"
 rel="Help"
><font face="Arial,Helvetica"><b>Syntax:</b></font></a> </td><td> <code>SSLProtocol</code> [+-]<em>protocol</em> ...</td></tr>
<tr><td><a
 href="../directive-dict.html#Default"
 rel="Help"
><font face="Arial,Helvetica"><b>Default:</b></font></a> </td><td> <code>SSLProtocol all</code></td></tr>
<tr><td><a
 href="../directive-dict.html#Context"
 rel="Help"
><font face="Arial,Helvetica"><b>Context:</b></font></a> </td><td> server config, virtual host</td></tr>
<tr><td><a
 href="../directive-dict.html#Override"
 rel="Help"
><font face="Arial,Helvetica"><b>Override:</b></font></a> </td><td> Options</td></tr>
<tr><td><a
 href="../directive-dict.html#Status"
 rel="Help"
><font face="Arial,Helvetica"><b>Status:</b></font></a> </td><td> Extension</td></tr>
<tr><td><a
 href="../directive-dict.html#Module"
 rel="Help"
><font face="Arial,Helvetica"><b>Module:</b></font></a> </td><td> mod_ssl</td></tr>
<tr><td><a
 href="../directive-dict.html#Compatibility"
 rel="Help"
><font face="Arial,Helvetica"><b>Compatibility:</b></font></a> </td><td> mod_ssl 2.2 </td></tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
<p>
This directive can be used to control the SSL protocol flavors mod_ssl should
use when establishing its server environment. Clients then can only connect
with one of the provided protocols.
<p>
The available (case-insensitive) <em>protocol</em>s are:
<ul>
<li><code>SSLv2</code>
    <p>
    This is the Secure Sockets Layer (SSL) protocol, version 2.0. It is the
    original SSL protocol as designed by Netscape Corporation.
<p>
<li><code>SSLv3</code>
    <p>
    This is the Secure Sockets Layer (SSL) protocol, version 3.0. It is the
    successor to SSLv2 and the currently (as of February 1999) de-facto
    standardized SSL protocol from Netscape Corporation. It's supported by
    almost all popular browsers.
<p>
<li><code>TLSv1</code>
    <p>
    This is the Transport Layer Security (TLS) protocol, version 1.0. It is the
    successor to SSLv3 and currently (as of February 1999) still under
    construction by the Internet Engineering Task Force (IETF). It's still
    not supported by any popular browsers.
<p>
<li><code>All</code>
    <p>
    This is a shortcut for ``<code>+SSLv2 +SSLv3 +TLSv1</code>'' and a
    convinient way for enabling all protocols except one when used in
    combination with the minus sign on a protocol as the example above shows.
</ul>
<p>
Example:
<blockquote>
<pre>
#   enable SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
</pre>
</blockquote>
<!-- SSLCipherSuite ------------------------------------------------->
<p>
<br>
<a name="SSLCipherSuite"></a>
<h2><a name="ToC9">SSLCipherSuite</a></h2>
<table cellspacing="0" cellpadding="1" bgcolor="#cccccc" border="0" summary="">
<tr>
<td>
<table bgcolor="white" width="600" cellspacing="0" cellpadding="5" border="0" summary="">
<tr>
<td>
<table cellspacing="0" cellpadding="1" border="0" summary="">
<tr><td>
<font face="Arial,Helvetica"><b>Name:</b></font></a> </td><td> <b>SSLCipherSuite</b></td></tr>
<tr><td>
<font face="Arial,Helvetica"><b>Description:</b></font></a> </td><td> Cipher Suite available for negotiation in SSL handshake</td></tr>
<tr><td><a
 href="../directive-dict.html#Syntax"
 rel="Help"
><font face="Arial,Helvetica"><b>Syntax:</b></font></a> </td><td> <code>SSLCipherSuite</code> <em>cipher-spec</em></td></tr>
<tr><td><a
 href="../directive-dict.html#Default"
 rel="Help"
><font face="Arial,Helvetica"><b>Default:</b></font></a> </td><td> <code>SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code></td></tr>
<tr><td><a
 href="../directive-dict.html#Context"
 rel="Help"
><font face="Arial,Helvetica"><b>Context:</b></font></a> </td><td> server config, virtual host, directory, .htaccess</td></tr>
<tr><td><a
 href="../directive-dict.html#Override"
 rel="Help"
><font face="Arial,Helvetica"><b>Override:</b></font></a> </td><td> AuthConfig</td></tr>
<tr><td><a
 href="../directive-dict.html#Status"
 rel="Help"
><font face="Arial,Helvetica"><b>Status:</b></font></a> </td><td> Extension</td></tr>
<tr><td><a
 href="../directive-dict.html#Module"
 rel="Help"
><font face="Arial,Helvetica"><b>Module:</b></font></a> </td><td> mod_ssl</td></tr>
<tr><td><a
 href="../directive-dict.html#Compatibility"
 rel="Help"
><font face="Arial,Helvetica"><b>Compatibility:</b></font></a> </td><td> mod_ssl 2.1 </td></tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
<p>
This complex directive uses a colon-separated <em>cipher-spec</em> string
consisting of OpenSSL cipher specifications to configure the Cipher Suite the
client is permitted to negotiate in the SSL handshake phase. Notice that this
directive can be used both in per-server and per-directory context. In
per-server context it applies to the standard SSL handshake when a connection
is established. In per-directory context it forces a SSL renegotation with the
reconfigured Cipher Suite after the HTTP request was read but before the HTTP
response is sent.
<p>
An SSL cipher specification in <em>cipher-spec</em> is composed of 4 major
attributes plus a few extra minor ones:
<ul>
<li><em>Key Exchange Algorithm</em>:<br>
    RSA or Diffie-Hellman variants.
<p>
<li><em>Authentication Algorithm</em>:<br>
    RSA, Diffie-Hellman, DSS or none.
<p>
<li><em>Cipher/Encryption Algorithm</em>:<br>
    DES, Triple-DES, RC4, RC2, IDEA or none.
<p>
<li><em>MAC Digest Algorithm</em>:<br>
    MD5, SHA or SHA1.
</ul>
An SSL cipher can also be an export cipher and is either a SSLv2 or SSLv3/TLSv1
cipher (here TLSv1 is equivalent to SSLv3). To specify which ciphers to use,
one can either specify all the Ciphers, one at a time, or use aliases to
specify the preference and order for the ciphers (see <a href="#table1">Table
1</a>).
<p>
<div align="center">
<a name="table1"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
<caption align="bottom" id="sf">Table 1: OpenSSL Cipher Specification Tags</caption>
<tr><td bgcolor="#cccccc">
<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
<tr><td valign="top" align="center" bgcolor="#ffffff">
<table border="0" cellspacing="0" cellpadding="2" width="598" summary="">
<tr id="D"><td><b>Tag</b></td> <td><b>Description</b></td>
<tr id="H"><td colspan="2"><em>Key Exchange Algorithm:</em></td></tr>
<tr id="D"><td><code>kRSA</code></td>   <td>RSA key exchange</td></tr>
<tr id="H"><td><code>kDHr</code></td>   <td>Diffie-Hellman key exchange with RSA key</td></tr>
<tr id="D"><td><code>kDHd</code></td>   <td>Diffie-Hellman key exchange with DSA key</td></tr>
<tr id="H"><td><code>kEDH</code></td>   <td>Ephemeral (temp.key) Diffie-Hellman key exchange (no cert)</td>   </tr>
<tr id="H"><td colspan="2"><em>Authentication Algorithm:</em></td></tr>
<tr id="D"><td><code>aNULL</code></td>  <td>No authentication</td></tr>
<tr id="H"><td><code>aRSA</code></td>   <td>RSA authentication</td></tr>
<tr id="D"><td><code>aDSS</code></td>   <td>DSS authentication</td> </tr>
<tr id="H"><td><code>aDH</code></td>    <td>Diffie-Hellman authentication</td></tr>
<tr id="D"><td colspan="2"><em>Cipher Encoding Algorithm:</em></td></tr></tr>
<tr id="H"><td><code>eNULL</code></td>  <td>No encoding</td>         </tr>
<tr id="D"><td><code>DES</code></td>    <td>DES encoding</td>        </tr>
<tr id="H"><td><code>3DES</code></td>   <td>Triple-DES encoding</td> </tr>
<tr id="D"><td><code>RC4</code></td>    <td>RC4 encoding</td>       </tr>
<tr id="H"><td><code>RC2</code></td>    <td>RC2 encoding</td>       </tr>
<tr id="D"><td><code>IDEA</code></td>   <td>IDEA encoding</td>       </tr>
<tr id="H"><td colspan="2"><em>MAC Digest Algorithm</em>:</td></tr>
<tr id="D"><td><code>MD5</code></td>    <td>MD5 hash function</td></tr>
<tr id="H"><td><code>SHA1</code></td>   <td>SHA1 hash function</td></tr>
<tr id="D"><td><code>SHA</code></td>    <td>SHA hash function</td> </tr>
<tr id="H"><td colspan="2"><em>Aliases:</em></td></tr>
<tr id="D"><td><code>SSLv2</code></td>  <td>all SSL version 2.0 ciphers</td></tr>
<tr id="H"><td><code>SSLv3</code></td>  <td>all SSL version 3.0 ciphers</td> </tr>
<tr id="D"><td><code>TLSv1</code></td>  <td>all TLS version 1.0 ciphers</td> </tr>
<tr id="H"><td><code>EXP</code></td>    <td>all export ciphers</td>  </tr>
<tr id="D"><td><code>EXPORT40</code></td> <td>all 40-bit export ciphers only</td>  </tr>
<tr id="H"><td><code>EXPORT56</code></td> <td>all 56-bit export ciphers only</td>  </tr>
<tr id="D"><td><code>LOW</code></td>    <td>all low strength ciphers (no export, single DES)</td></tr>
<tr id="H"><td><code>MEDIUM</code></td> <td>all ciphers with 128 bit encryption</td> </tr>
<tr id="D"><td><code>HIGH</code></td>   <td>all ciphers using Triple-DES</td>     </tr>
<tr id="H"><td><code>RSA</code></td>    <td>all ciphers using RSA key exchange</td> </tr>
<tr id="D"><td><code>DH</code></td>     <td>all ciphers using Diffie-Hellman key exchange</td> </tr>
<tr id="H"><td><code>EDH</code></td>    <td>all ciphers using Ephemeral Diffie-Hellman key exchange</td> </tr>
<tr id="D"><td><code>ADH</code></td>    <td>all ciphers using Anonymous Diffie-Hellman key exchange</td> </tr>
<tr id="H"><td><code>DSS</code></td>    <td>all ciphers using DSS authentication</td> </tr>
<tr id="D"><td><code>NULL</code></td>   <td>all ciphers using no encryption</td> </tr>
</table>
</td>
</tr></table>
</td></tr></table>
</div>
<p>
Now where this becomes interesting is that these can be put together
to specify the order and ciphers you wish to use. To speed this up
there are also aliases (<code>SSLv2, SSLv3, TLSv1, EXP, LOW, MEDIUM,
HIGH</code>) for certain groups of ciphers. These tags can be joined
together with prefixes to form the <em>cipher-spec</em>. Available
prefixes are:
<ul>
<li>none: add cipher to list
<li><code>+</code>: add ciphers to list and pull them to current location in list
<li><code>-</code>: remove cipher from list (can be added later again)
<li><code>!</code>: kill cipher from list completely (can <b>not</b> be added later again)
</ul>
A simpler way to look at all of this is to use the ``<code>openssl ciphers
-v</code>'' command which provides a nice way to successively create the
correct <em>cipher-spec</em> string. The default <em>cipher-spec</em> string
is ``<code>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>'' which
means the following: first, remove from consideration any ciphers that do not
authenticate, i.e. for SSL only the Anonymous Diffie-Hellman ciphers. Next,
use ciphers using RC4 and RSA. Next include the high, medium and then the low
security ciphers. Finally <em>pull</em> all SSLv2 and export ciphers to the
end of the list.
<blockquote>
<pre>
$ openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
...                     ...               ...     ...           ...
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
</pre>
</blockquote>
The complete list of particular RSA &amp; DH ciphers for SSL is given in <a
href="#table2">Table 2</a>.
<p>
Example:
<blockquote>
<pre>
SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
</pre>
</blockquote>
<p>
<div align="center">
<a name="table2"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
<caption align="bottom" id="sf">Table 2: Particular SSL Ciphers</caption>
<tr><td bgcolor="#cccccc">
<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
<tr><td valign="top" align="center" bgcolor="#ffffff">
<table border="0" cellspacing="0" cellpadding="2" width="598" summary="">
<tr id="D"><td><b>Cipher-Tag</b></td> <td><b>Protocol</b></td> <td><b>Key Ex.</b></td> <td><b>Auth.</b></td> <td><b>Enc.</b></td> <td><b>MAC</b></td> <td><b>Type</b></td> </tr>
<tr id="H"><td colspan="7"><em>RSA Ciphers:</em></td></tr>
<tr id="D"><td><code>DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>3DES(168)</td> <td>SHA1</td> <td>&nbsp;</td> </tr>
<tr id="H"><td><code>DES-CBC3-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>3DES(168)</td> <td>MD5</td> <td>&nbsp; </td> </tr>
<tr id="D"><td><code>IDEA-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>IDEA(128)</td> <td>SHA1</td> <td>&nbsp;</td> </tr>
<tr id="H"><td><code>RC4-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>SHA1</td> <td>&nbsp;</td> </tr>
<tr id="D"><td><code>RC4-MD5</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>MD5</td> <td>&nbsp; </td> </tr>
<tr id="H"><td><code>IDEA-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>IDEA(128)</td> <td>MD5</td> <td>&nbsp; </td> </tr>
<tr id="D"><td><code>RC2-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC2(128)</td> <td>MD5</td> <td>&nbsp; </td> </tr>
<tr id="H"><td><code>RC4-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC4(128)</td> <td>MD5</td> <td>&nbsp; </td> </tr>
<tr id="D"><td><code>DES-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>DES(56)</td> <td>SHA1</td> <td>&nbsp;</td> </tr>
<tr id="H"><td><code>RC4-64-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>RC4(64)</td> <td>MD5</td> <td>&nbsp; </td> </tr>
<tr id="D"><td><code>DES-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA</td> <td>RSA</td> <td>DES(56)</td> <td>MD5</td> <td>&nbsp; </td> </tr>
<tr id="H"><td><code>EXP-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
<tr id="D"><td><code>EXP-RC2-CBC-MD5</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>RC2(40)</td> <td>MD5</td> <td>  export</td> </tr>
<tr id="H"><td><code>EXP-RC4-MD5</code></td> <td>SSLv3</td> <td>RSA(512)</td> <td>RSA</td> <td>RC4(40)</td> <td>MD5</td> <td>  export</td> </tr>
<tr id="D"><td><code>EXP-RC2-CBC-MD5</code></td> <td>SSLv2</td> <td>RSA(512)</td> <td>RSA</td> <td>RC2(40)</td> <td>MD5</td> <td>  export</td> </tr>
<tr id="H"><td><code>EXP-RC4-MD5</code></td> <td>SSLv2</td> <td>RSA(512)</td> <td>RSA</td> <td>RC4(40)</td> <td>MD5</td> <td>  export</td> </tr>
<tr id="D"><td><code>NULL-SHA</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>None</td> <td>SHA1</td> <td>&nbsp;</td> </tr>
<tr id="H"><td><code>NULL-MD5</code></td> <td>SSLv3</td> <td>RSA</td> <td>RSA</td> <td>None</td> <td>MD5</td> <td>&nbsp; </td> </tr>
<tr id="D"><td colspan="7"><em>Diffie-Hellman Ciphers:</em></td></tr>
<tr id="H"><td><code>ADH-DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>None</td> <td>3DES(168)</td> <td>SHA1</td> <td>&nbsp;</td> </tr>
<tr id="D"><td><code>ADH-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>None</td> <td>DES(56)</td> <td>SHA1</td> <td>&nbsp;</td> </tr>
<tr id="H"><td><code>ADH-RC4-MD5</code></td> <td>SSLv3</td> <td>DH</td> <td>None</td> <td>RC4(128)</td> <td>MD5</td> <td>&nbsp; </td> </tr>
<tr id="D"><td><code>EDH-RSA-DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>RSA</td> <td>3DES(168)</td> <td>SHA1</td> <td>&nbsp;</td> </tr>
<tr id="H"><td><code>EDH-DSS-DES-CBC3-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>DSS</td> <td>3DES(168)</td> <td>SHA1</td> <td>&nbsp;</td> </tr>
<tr id="D"><td><code>EDH-RSA-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>RSA</td> <td>DES(56)</td> <td>SHA1</td> <td>&nbsp;</td> </tr>
<tr id="H"><td><code>EDH-DSS-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH</td> <td>DSS</td> <td>DES(56)</td> <td>SHA1</td> <td>&nbsp;</td> </tr>
<tr id="D"><td><code>EXP-EDH-RSA-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>RSA</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
<tr id="H"><td><code>EXP-EDH-DSS-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>DSS</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
<tr id="D"><td><code>EXP-ADH-DES-CBC-SHA</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>None</td> <td>DES(40)</td> <td>SHA1</td> <td> export</td> </tr>
<tr id="H"><td><code>EXP-ADH-RC4-MD5</code></td> <td>SSLv3</td> <td>DH(512)</td> <td>None</td> <td>RC4(40)</td> <td>MD5</td> <td>  export</td> </tr>
</table>
</td>
</tr></table>
</td></tr></table>
</div>
<!-- SSLCertificateFile --------------------------------------------->
<p>
<br>
<a name="SSLCertificateFile"></a>
<h2><a name="ToC10">SSLCertificateFile</a></h2>
<table cellspacing="0" cellpadding="1" bgcolor="#cccccc" border="0" summary="">
<tr>
<td>
<table bgcolor="white" width="600" cellspacing="0" cellpadding="5" border="0" summary="">
<tr>