Lines 81-87
|
81 |
<tr><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr> |
81 |
<tr><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr> |
82 |
<tr><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr> |
82 |
<tr><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr> |
83 |
<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr> |
83 |
<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr> |
84 |
<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr> |
84 |
<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS:<em>reason</em></code> or <code>FAILED:</code><em>reason</em></td></tr> |
85 |
<tr><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr> |
85 |
<tr><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr> |
86 |
<tr><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr> |
86 |
<tr><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr> |
87 |
<tr><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr> |
87 |
<tr><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr> |
Lines 890-895
|
890 |
specify an <em>all-in-one</em> file containing a concatenation of |
890 |
specify an <em>all-in-one</em> file containing a concatenation of |
891 |
PEM-encoded CA certificates.</p> |
891 |
PEM-encoded CA certificates.</p> |
892 |
|
892 |
|
|
|
893 |
<p>For testing purposes, any available certificate (signed by any CA) |
894 |
may be requested by specifying a file containing only a single space |
895 |
character. However note that while this trick happens to work with |
896 |
most browsers, the SSL/TLS standards do not define the appropriate |
897 |
behavior when the set of acceptable CA names is empty, so this is not |
898 |
guaranteed to work with all browsers.</p> |
899 |
|
893 |
<example><title>Example</title> |
900 |
<example><title>Example</title> |
894 |
SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt |
901 |
SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt |
895 |
</example> |
902 |
</example> |
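Review bot: the new paragraph (lines 893-898) documents a testing trick that relies on behaviour the SSL/TLS standards leave undefined, but it does not say what the trick does and does not affect. It should state that an empty acceptable-CA-name list only changes which names are advertised in the certificate request, and that the presented certificate is still verified against the trusted CAs per the SSLVerifyClient level, so a certificate "signed by any CA" is still rejected unless SSLVerifyClient is relaxed. Minor wording: "However note that while" reads better as "Note, however, that while"; and since this is testing-only guidance, a `<note>` element would set it apart from the normative description of the directive.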
Lines 987-1017
|
987 |
|
994 |
|
988 |
<usage> |
995 |
<usage> |
989 |
<p> |
996 |
<p> |
990 |
This directive sets the Certificate verification level for the Client |
997 |
This directive sets the Certificate verification level for Client Certificate |
991 |
Authentication. Notice that this directive can be used both in per-server and |
998 |
Authentication. Notice that this directive can be used both in per-server and |
992 |
per-directory context. In per-server context it applies to the client |
999 |
per-directory context. In per-server context it applies to the client |
993 |
authentication process used in the standard SSL handshake when a connection is |
1000 |
authentication process in the initial SSL handshake when a connection is |
994 |
established. In per-directory context it forces a SSL renegotation with the |
1001 |
established. In per-directory context it forces a SSL renegotation with the |
995 |
reconfigured client verification level after the HTTP request was read but |
1002 |
reconfigured client verification level after the HTTP request is read but |
996 |
before the HTTP response is sent.</p> |
1003 |
before the HTTP response is sent.</p> |
997 |
<p> |
1004 |
<p> |
998 |
The following levels are available for <em>level</em>:</p> |
1005 |
The following levels are available for <em>level</em>:</p> |
999 |
<ul> |
1006 |
<ul> |
1000 |
<li><strong>none</strong>: |
1007 |
<li><code>none</code> |
1001 |
no client Certificate is required at all</li> |
1008 |
<p>No client Certificate is requested.</p></li> |
1002 |
<li><strong>optional</strong>: |
1009 |
<li><code>optional_no_verify</code> |
1003 |
the client <em>may</em> present a valid Certificate</li> |
1010 |
<p>The client is asked to present a Certificate signed by one of the |
1004 |
<li><strong>require</strong>: |
1011 |
acceptable CA Certificates, but will be accepted even if no Certificate is |
1005 |
the client <em>has to</em> present a valid Certificate</li> |
1012 |
provided, if the provided Certificate is not signed by one of the trusted |
1006 |
<li><strong>optional_no_ca</strong>: |
1013 |
CA Certificates, or if the provided Certificate has been revoked or is |
1007 |
the client may present a valid Certificate<br /> |
1014 |
otherwise invalid.</p></li> |
1008 |
but it need not to be (successfully) verifiable.</li> |
1015 |
<li><code>optional_no_ca</code> |
|
|
1016 |
<p>The client is asked to present a Certificate signed by one of the |
1017 |
acceptable CA Certificates, and will be accepted even if no Certificate is |
1018 |
provided or if the provided Certificate is not signed by one of the |
1019 |
trusted CA Certificates, but will be disconnected if the provided |
1020 |
Certificate has been revoked or is otherwise invalid.</p></li> |
1021 |
<li><code>optional</code> |
1022 |
<p>The client is asked to present a Certificate signed by one of the |
1023 |
acceptable CA Certificates, and will be accepted even if no Certificate is |
1024 |
provided, but will be disconnected if the provided Certificate is not |
1025 |
signed by one of the trusted CA Certificates, has been revoked, or is |
1026 |
otherwise invalid.</p></li> |
1027 |
<li><code>require</code> |
1028 |
<p>The client is asked to present a Certificate signed by one of the |
1029 |
acceptable CA Certificates, and will be disconnected if no Certificate is |
1030 |
provided, if the provided Certificate is not signed by on of the trusted CA |
1031 |
Certificates, or if the provided Certificate has been revoked or is |
1032 |
otherwise invalid.</p></li> |
1009 |
</ul> |
1033 |
</ul> |
1010 |
<p>In practice only levels <strong>none</strong> and |
1034 |
<p>In practice, most users will want either <strong>none</strong> or |
1011 |
<strong>require</strong> are really interesting, because level |
1035 |
<strong>require</strong>, as the other levels allow users to bypass the |
1012 |
<strong>optional</strong> doesn't work with all browsers and level |
1036 |
authentication mechanism. However, the other levels may be useful for testing, |
1013 |
<strong>optional_no_ca</strong> is actually against the idea of |
1037 |
or if your web application does it's own Certificate verification.</p> |
1014 |
authentication (but can be used to establish SSL test pages, etc.)</p> |
1038 |
<p>See the <directive module="mod_ssl">SSLCADNRequestFile</directive> and |
|
|
1039 |
<directive module="mod_ssl">SSLCADNRequestPath</directive> directives to |
1040 |
configure the list of acceptable CA Certificates, and see the |
1041 |
<directive module="mod_ssl">SSLCACertificateFile</directive> and |
1042 |
<directive module="mod_ssl">SSLCACertificatePath</directive> directives to |
1043 |
configure the list of trusted CA Certificates.</p> |
1044 |
<p>Note that if SSLv2 is used with one of the <strong>optional</strong> levels |
1045 |
and no Certificate signed by one of the acceptable CA Certificates is available, |
1046 |
the browser may give up and disconnect rather than continuing without providing |
1047 |
a Certificate. If SSLv3 or TLS are used, the browser should always either |
1048 |
provide a Certificate or attempt to continue without a Certificate.</p> |
1015 |
<example><title>Example</title> |
1049 |
<example><title>Example</title> |
1016 |
SSLVerifyClient require |
1050 |
SSLVerifyClient require |
1017 |
</example> |
1051 |
</example> |
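Review bot: two typos in the new text: "signed by on of the trusted CA" (line 1030) should read "one of", and "does it's own Certificate verification" (line 1037) should be "its own". The pre-existing "renegotation" (line 1001) is carried over unchanged and should be "renegotiation" while this paragraph is being touched. On substance, the new `optional_no_verify` level (lines 1009-1014) should say explicitly that SSL_CLIENT_VERIFY will report the outcome (per the GENEROUS:reason change earlier in this patch) rather than only that the client "will be accepted", because that variable is the only way an application can tell an unverified client apart; and the closing paragraph (lines 1034-1037) should keep the warning that the three optional levels let a client bypass authentication as the first sentence, before the testing use case, since it is the operationally important point. Markup nit: the list now uses `<code>` for level names but the summary paragraph still uses `<strong>`; pick one.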
Lines 1440-1461
|
1440 |
<syntax>SSLProxyVerify <em>level</em></syntax> |
1474 |
<syntax>SSLProxyVerify <em>level</em></syntax> |
1441 |
<default>SSLProxyVerify none</default> |
1475 |
<default>SSLProxyVerify none</default> |
1442 |
<contextlist><context>server config</context> |
1476 |
<contextlist><context>server config</context> |
1443 |
<context>virtual host</context> |
1477 |
<context>virtual host</context></contextlist> |
1444 |
<context>directory</context> |
|
|
1445 |
<context>.htaccess</context></contextlist> |
1446 |
<override>AuthConfig</override> |
1447 |
|
1478 |
|
1448 |
<usage> |
1479 |
<usage> |
1449 |
|
1480 |
|
1450 |
<p>When a proxy is configured to forward requests to a remote SSL |
1481 |
<p>When a proxy is configured to forward requests to a remote SSL |
1451 |
server, this directive can be used to configure certificate |
1482 |
server, this directive can be used to configure verification of the |
1452 |
verification of the remote server. Notice that this directive can be |
1483 |
remote server's SSL Certificate.</p> |
1453 |
used both in per-server and per-directory context. In per-server |
|
|
1454 |
context it applies to the remote server authentication process used in |
1455 |
the standard SSL handshake when a connection is established by the |
1456 |
proxy. In per-directory context it forces a SSL renegotation with the |
1457 |
reconfigured remote server verification level after the HTTP request |
1458 |
was read but before the HTTP response is sent.</p> |
1459 |
|
1484 |
|
1460 |
<note type="warning"> |
1485 |
<note type="warning"> |
1461 |
<p>Note that even when certificate verification is enabled, |
1486 |
<p>Note that even when certificate verification is enabled, |
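Review bot: this hunk removes the `directory` and `.htaccess` contexts, the `<override>AuthConfig</override>` element and the sentences about per-directory renegotiation (old lines 1444-1446 and 1452-1458), which narrows the documented scope of SSLProxyVerify to server config and virtual host. That is a user-visible change and the hunk does not say why; the commit message or a changelog entry should record that mod_ssl does not honour this directive in per-directory context, and the directive table should be regenerated so it matches the new `<contextlist>`. The new wording "configure verification of the remote server's SSL Certificate" is an improvement over the old "certificate verification of the remote server", since it is the certificate, not the server, that is verified.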
Lines 1477-1497
|
1477 |
<p> |
1502 |
<p> |
1478 |
The following levels are available for <em>level</em>:</p> |
1503 |
The following levels are available for <em>level</em>:</p> |
1479 |
<ul> |
1504 |
<ul> |
1480 |
<li><strong>none</strong>: |
1505 |
<li><code>none</code> |
1481 |
no remote server Certificate is required at all</li> |
1506 |
<p>No remote server Certificate verification will be performed.</p></li> |
1482 |
<li><strong>optional</strong>: |
1507 |
<li><code>optional_no_verify</code> |
1483 |
the remote server <em>may</em> present a valid Certificate</li> |
1508 |
<p>If the remote server provides a Certificate, it will be verified, but |
1484 |
<li><strong>require</strong>: |
1509 |
the result will be ignored.</p></li> |
1485 |
the remote server <em>has to</em> present a valid Certificate</li> |
1510 |
<li><code>optional_no_ca</code> |
1486 |
<li><strong>optional_no_ca</strong>: |
1511 |
<p>If the remote server provides a Certificate, it will be verified. The |
1487 |
the remote server may present a valid Certificate<br /> |
1512 |
connection will be accepted even if the Certificate is not signed by one of |
1488 |
but it need not to be (successfully) verifiable.</li> |
1513 |
the CAs listed in |
|
|
1514 |
<directive module="mod_ssl">SSLProxyCACertificateFile</directive> or |
1515 |
<directive module="mod_ssl">SSLProxyCACertificatePath</directive>, but will |
1516 |
be rejected if verification fails for any other reason.</p></li> |
1517 |
<li><code>optional</code> |
1518 |
<p>If the remote server provides a Certificate, it will be verified, and the |
1519 |
connection will be rejected if verification fails.</p></li> |
1520 |
<li><code>require</code> |
1521 |
<p>The connection will be rejected unless the remote server provides a |
1522 |
Certificate and that Certificate is successfully verified.</p></li> |
1489 |
</ul> |
1523 |
</ul> |
1490 |
<p>In practice only levels <strong>none</strong> and |
1524 |
<p>In practice, most users will want either <strong>none</strong> or |
1491 |
<strong>require</strong> are really interesting, because level |
1525 |
<strong>require</strong>, as the other levels allow a remote server to bypass |
1492 |
<strong>optional</strong> doesn't work with all servers and level |
1526 |
the authentication mechanism. However, the other levels may be useful for |
1493 |
<strong>optional_no_ca</strong> is actually against the idea of |
1527 |
testing.</p> |
1494 |
authentication (but can be used to establish SSL test pages, etc.)</p> |
|
|
1495 |
<example><title>Example</title> |
1528 |
<example><title>Example</title> |
1496 |
SSLProxyVerify require |
1529 |
SSLProxyVerify require |
1497 |
</example> |
1530 |
</example> |
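Review bot: the `optional_no_verify`, `optional_no_ca` and `optional` descriptions (lines 1507-1519) each begin with "If the remote server provides a Certificate" but never say what happens when it provides none; only `require` (lines 1520-1522) covers that case. Add "and the connection is accepted if no Certificate is provided" (or equivalent) to the three optional levels so a reader does not have to infer it. As in the SSLVerifyClient hunk, the list switches level names to `<code>` while the summary paragraph (lines 1524-1525) keeps `<strong>`; use one form. The summary's point that the other levels allow a remote server to bypass the authentication mechanism is the right emphasis for a proxy, where the server is the only party being authenticated, and should stay the lead sentence.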
Lines 1505-1524
|
1505 |
<syntax>SSLProxyVerifyDepth <em>number</em></syntax> |
1538 |
<syntax>SSLProxyVerifyDepth <em>number</em></syntax> |
1506 |
<default>SSLProxyVerifyDepth 1</default> |
1539 |
<default>SSLProxyVerifyDepth 1</default> |
1507 |
<contextlist><context>server config</context> |
1540 |
<contextlist><context>server config</context> |
1508 |
<context>virtual host</context> |
1541 |
<context>virtual host</context></contextlist> |
1509 |
<context>directory</context> |
|
|
1510 |
<context>.htaccess</context></contextlist> |
1511 |
<override>AuthConfig</override> |
1512 |
|
1542 |
|
1513 |
<usage> |
1543 |
<usage> |
1514 |
<p> |
1544 |
<p> |
1515 |
This directive sets how deeply mod_ssl should verify before deciding that the |
1545 |
This directive sets how deeply mod_ssl should verify before deciding that the |
1516 |
remote server does not have a valid certificate. Notice that this directive can be |
1546 |
remote server does not have a valid certificate.</p> |
1517 |
used both in per-server and per-directory context. In per-server context it |
|
|
1518 |
applies to the client authentication process used in the standard SSL |
1519 |
handshake when a connection is established. In per-directory context it forces |
1520 |
a SSL renegotation with the reconfigured remote server verification depth after the |
1521 |
HTTP request was read but before the HTTP response is sent.</p> |
1522 |
<p> |
1547 |
<p> |
1523 |
The depth actually is the maximum number of intermediate certificate issuers, |
1548 |
The depth actually is the maximum number of intermediate certificate issuers, |
1524 |
i.e. the number of CA certificates which are max allowed to be followed while |
1549 |
i.e. the number of CA certificates which are max allowed to be followed while |
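Review bot: dropping old lines 1516-1521 is correct on its own merits, since that text described "the client authentication process" in a directive that verifies the remote server, but it also removes the `directory` and `.htaccess` contexts and the `<override>` element, and this must stay in step with the SSLProxyVerify change in the same patch; if one directive is per-server only, both should be, and the directive index should be regenerated for both. The retained sentence "the number of CA certificates which are max allowed to be followed while" (lines 1548-1549) is awkward and would read better as "the maximum number of CA certificates that may be followed while".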