Lines 83-89
|
83 |
<tr><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr> |
83 |
<tr><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr> |
84 |
<tr><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr> |
84 |
<tr><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr> |
85 |
<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr> |
85 |
<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr> |
86 |
<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr> |
86 |
<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS:<em>reason</em></code> or <code>FAILED:</code><em>reason</em></td></tr> |
87 |
<tr><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr> |
87 |
<tr><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr> |
88 |
<tr><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr> |
88 |
<tr><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr> |
89 |
<tr><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr> |
89 |
<tr><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr> |
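Review bot: the new SSL_CLIENT_VERIFY row lists only <code>GENEROUS:<em>reason</em></code> and drops the bare <code>GENEROUS</code> value, but the text never says which verification level produces which form; if <code>optional_no_ca</code> still yields a bare <code>GENEROUS</code> and only the new <code>optional_no_verify</code> appends the failure reason, list both values and say so, because applications that branch on this variable with an exact string match for <code>GENEROUS</code> will silently stop matching. Also make the markup consistent with the <code>FAILED:</code> entry on the same row, which puts <em>reason</em> outside the <code> element rather than inside it.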
Lines 898-903
|
898 |
specify an <em>all-in-one</em> file containing a concatenation of |
898 |
specify an <em>all-in-one</em> file containing a concatenation of |
899 |
PEM-encoded CA certificates.</p> |
899 |
PEM-encoded CA certificates.</p> |
900 |
|
900 |
|
|
|
901 |
<p>For testing purposes, any available certificate (signed by any CA) |
902 |
may be requested by specifying a file containing only a single space |
903 |
character. However note that while this trick happens to work with |
904 |
most browsers, the SSL/TLS standards do not define the appropriate |
905 |
behavior when the set of acceptable CA names is empty, so this is not |
906 |
guaranteed to work with all browsers.</p> |
907 |
|
901 |
<example><title>Example</title> |
908 |
<example><title>Example</title> |
902 |
SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt |
909 |
SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt |
903 |
</example> |
910 |
</example> |
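Review bot: the added paragraph turns a parsing quirk (an SSLCADNRequestFile containing a single space character) into documented behaviour, which ties the directive to an accidental result rather than an explicit option; an explicit keyword would be more robust than a whitespace-only file, and the text should say that a request for "any certificate signed by any CA" must only be combined with a verification level that still checks the chain, since the paragraph says "for testing purposes" but not what happens if the trick is left in a production configuration. The claim that "the SSL/TLS standards do not define the appropriate behavior when the set of acceptable CA names is empty" should also be checked: TLS 1.2 (RFC 5246, section 7.4.4) states that with an empty certificate_authorities list the client MAY send any certificate of the appropriate type, so the interoperability caveat concerns client implementations, not a gap in the specification.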
Lines 995-1025
|
995 |
|
1002 |
|
996 |
<usage> |
1003 |
<usage> |
997 |
<p> |
1004 |
<p> |
998 |
This directive sets the Certificate verification level for the Client |
1005 |
This directive sets the Certificate verification level for Client Certificate |
999 |
Authentication. Notice that this directive can be used both in per-server and |
1006 |
Authentication. Notice that this directive can be used both in per-server and |
1000 |
per-directory context. In per-server context it applies to the client |
1007 |
per-directory context. In per-server context it applies to the client |
1001 |
authentication process used in the standard SSL handshake when a connection is |
1008 |
authentication process in the initial SSL handshake when a connection is |
1002 |
established. In per-directory context it forces a SSL renegotation with the |
1009 |
established. In per-directory context it forces a SSL renegotation with the |
1003 |
reconfigured client verification level after the HTTP request was read but |
1010 |
reconfigured client verification level after the HTTP request is read but |
1004 |
before the HTTP response is sent.</p> |
1011 |
before the HTTP response is sent.</p> |
1005 |
<p> |
1012 |
<p> |
1006 |
The following levels are available for <em>level</em>:</p> |
1013 |
The following levels are available for <em>level</em>:</p> |
1007 |
<ul> |
1014 |
<ul> |
1008 |
<li><strong>none</strong>: |
1015 |
<li><code>none</code> |
1009 |
no client Certificate is required at all</li> |
1016 |
<p>No client Certificate is requested.</p></li> |
1010 |
<li><strong>optional</strong>: |
1017 |
<li><code>optional_no_verify</code> |
1011 |
the client <em>may</em> present a valid Certificate</li> |
1018 |
<p>The client is asked to present a Certificate signed by one of the |
1012 |
<li><strong>require</strong>: |
1019 |
acceptable CA Certificates, but will be accepted even if no Certificate is |
1013 |
the client <em>has to</em> present a valid Certificate</li> |
1020 |
provided, if the provided Certificate is not signed by one of the trusted |
1014 |
<li><strong>optional_no_ca</strong>: |
1021 |
CA Certificates, or if the provided Certificate has been revoked or is |
1015 |
the client may present a valid Certificate<br /> |
1022 |
otherwise invalid.</p></li> |
1016 |
but it need not to be (successfully) verifiable.</li> |
1023 |
<li><code>optional_no_ca</code> |
|
|
1024 |
<p>The client is asked to present a Certificate signed by one of the |
1025 |
acceptable CA Certificates, and will be accepted even if no Certificate is |
1026 |
provided or if the provided Certificate is not signed by one of the |
1027 |
trusted CA Certificates, but will be disconnected if the provided |
1028 |
Certificate has been revoked or is otherwise invalid.</p></li> |
1029 |
<li><code>optional</code> |
1030 |
<p>The client is asked to present a Certificate signed by one of the |
1031 |
acceptable CA Certificates, and will be accepted even if no Certificate is |
1032 |
provided, but will be disconnected if the provided Certificate is not |
1033 |
signed by one of the trusted CA Certificates, has been revoked, or is |
1034 |
otherwise invalid.</p></li> |
1035 |
<li><code>require</code> |
1036 |
<p>The client is asked to present a Certificate signed by one of the |
1037 |
acceptable CA Certificates, and will be disconnected if no Certificate is |
1038 |
provided, if the provided Certificate is not signed by on of the trusted CA |
1039 |
Certificates, or if the provided Certificate has been revoked or is |
1040 |
otherwise invalid.</p></li> |
1017 |
</ul> |
1041 |
</ul> |
1018 |
<p>In practice only levels <strong>none</strong> and |
1042 |
<p>In practice, most users will want either <strong>none</strong> or |
1019 |
<strong>require</strong> are really interesting, because level |
1043 |
<strong>require</strong>, as the other levels allow users to bypass the |
1020 |
<strong>optional</strong> doesn't work with all browsers and level |
1044 |
authentication mechanism. However, the other levels may be useful for testing, |
1021 |
<strong>optional_no_ca</strong> is actually against the idea of |
1045 |
or if your web application does it's own Certificate verification.</p> |
1022 |
authentication (but can be used to establish SSL test pages, etc.)</p> |
1046 |
<p>See the <directive module="mod_ssl">SSLCADNRequestFile</directive> and |
|
|
1047 |
<directive module="mod_ssl">SSLCADNRequestPath</directive> directives to |
1048 |
configure the list of acceptable CA Certificates, and see the |
1049 |
<directive module="mod_ssl">SSLCACertificateFile</directive> and |
1050 |
<directive module="mod_ssl">SSLCACertificatePath</directive> directives to |
1051 |
configure the list of trusted CA Certificates.</p> |
1052 |
<p>Note that if SSLv2 is used with one of the <strong>optional</strong> levels |
1053 |
and no Certificate signed by one of the acceptable CA Certificates is available, |
1054 |
the browser may give up and disconnect rather than continuing without providing |
1055 |
a Certificate. If SSLv3 or TLS are used, the browser should always either |
1056 |
provide a Certificate or attempt to continue without a Certificate.</p> |
1023 |
<example><title>Example</title> |
1057 |
<example><title>Example</title> |
1024 |
SSLVerifyClient require |
1058 |
SSLVerifyClient require |
1025 |
</example> |
1059 |
</example> |
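Review bot: the new <code>optional_no_verify</code> level is described as accepting a client certificate that is not signed by a trusted CA, revoked, or otherwise invalid, and the closing paragraph then recommends it when "your web application does it's own Certificate verification"; that sentence should state plainly that under this level none of the SSL_CLIENT_* variables (subject DN, issuer, and so on) may be used for authorisation unless the application first checks SSL_CLIENT_VERIFY for SUCCESS, otherwise any client can present a self-signed certificate with an arbitrary subject. Two further points in the same hunk: the <code>optional_no_ca</code> description changes from "need not to be (successfully) verifiable" to "will be disconnected if the provided Certificate has been revoked or is otherwise invalid", which is a behaviour change for existing configurations and needs either an explicit compatibility note or a statement that it only documents what the code already did; and the SSLv2 paragraph documents interoperability with a protocol that should not be enabled at all, so it is better dropped or prefixed with a warning that SSLv2 is insecure. Typos: "signed by on of the trusted CA" should read "one of", "does it's own" should read "its own", and "renegotation" in the unchanged opening paragraph should read "renegotiation".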
Lines 1418-1458
|
1418 |
<syntax>SSLProxyVerify <em>level</em></syntax> |
1452 |
<syntax>SSLProxyVerify <em>level</em></syntax> |
1419 |
<default>SSLProxyVerify none</default> |
1453 |
<default>SSLProxyVerify none</default> |
1420 |
<contextlist><context>server config</context> |
1454 |
<contextlist><context>server config</context> |
1421 |
<context>virtual host</context> |
1455 |
<context>virtual host</context></contextlist> |
1422 |
<context>directory</context> |
|
|
1423 |
<context>.htaccess</context></contextlist> |
1424 |
<override>AuthConfig</override> |
1425 |
|
1456 |
|
1426 |
<usage> |
1457 |
<usage> |
1427 |
|
|
|
1428 |
<p>When a proxy is configured to forward requests to a remote SSL |
1458 |
<p>When a proxy is configured to forward requests to a remote SSL |
1429 |
server, this directive can be used to configure certificate |
1459 |
server, this directive can be used to configure verification of the |
1430 |
verification of the remote server. Notice that this directive can be |
1460 |
remote server's SSL Certificate.</p> |
1431 |
used both in per-server and per-directory context. In per-server |
|
|
1432 |
context it applies to the remote server authentication process used in |
1433 |
the standard SSL handshake when a connection is established by the |
1434 |
proxy. In per-directory context it forces a SSL renegotation with the |
1435 |
reconfigured remote server verification level after the HTTP request |
1436 |
was read but before the HTTP response is sent.</p> |
1437 |
|
1438 |
<p> |
1461 |
<p> |
1439 |
The following levels are available for <em>level</em>:</p> |
1462 |
The following levels are available for <em>level</em>:</p> |
1440 |
<ul> |
1463 |
<ul> |
1441 |
<li><strong>none</strong>: |
1464 |
<li><code>none</code> |
1442 |
no remote server Certificate is required at all</li> |
1465 |
<p>No remote server Certificate verification will be performed.</p></li> |
1443 |
<li><strong>optional</strong>: |
1466 |
<li><code>optional_no_verify</code> |
1444 |
the remote server <em>may</em> present a valid Certificate</li> |
1467 |
<p>If the remote server provides a Certificate, it will be verified, but |
1445 |
<li><strong>require</strong>: |
1468 |
the result will be ignored.</p></li> |
1446 |
the remote server <em>has to</em> present a valid Certificate</li> |
1469 |
<li><code>optional_no_ca</code> |
1447 |
<li><strong>optional_no_ca</strong>: |
1470 |
<p>If the remote server provides a Certificate, it will be verified. The |
1448 |
the remote server may present a valid Certificate<br /> |
1471 |
connection will be accepted even if the Certificate is not signed by one of |
1449 |
but it need not to be (successfully) verifiable.</li> |
1472 |
the CAs listed in |
|
|
1473 |
<directive module="mod_ssl">SSLProxyCACertificateFile</directive> or |
1474 |
<directive module="mod_ssl">SSLProxyCACertificatePath</directive>, but will |
1475 |
be rejected if verification fails for any other reason.</p></li> |
1476 |
<li><code>optional</code> |
1477 |
<p>If the remote server provides a Certificate, it will be verified, and the |
1478 |
connection will be rejected if verification fails.</p></li> |
1479 |
<li><code>require</code> |
1480 |
<p>The connection will be rejected unless the remote server provides a |
1481 |
Certificate and that Certificate is successfully verified.</p></li> |
1450 |
</ul> |
1482 |
</ul> |
1451 |
<p>In practice only levels <strong>none</strong> and |
1483 |
<p>In practice, most users will want either <strong>none</strong> or |
1452 |
<strong>require</strong> are really interesting, because level |
1484 |
<strong>require</strong>, as the other levels allow a remote server to bypass |
1453 |
<strong>optional</strong> doesn't work with all servers and level |
1485 |
the authentication mechanism. However, the other levels may be useful for |
1454 |
<strong>optional_no_ca</strong> is actually against the idea of |
1486 |
testing.</p> |
1455 |
authentication (but can be used to establish SSL test pages, etc.)</p> |
|
|
1456 |
<example><title>Example</title> |
1487 |
<example><title>Example</title> |
1457 |
SSLProxyVerify require |
1488 |
SSLProxyVerify require |
1458 |
</example> |
1489 |
</example> |
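Review bot: removing the <code>directory</code> and <code>.htaccess</code> contexts and the <code>AuthConfig</code> override for SSLProxyVerify means an existing SSLProxyVerify inside a Directory, Location or .htaccess section stops being accepted at startup, so this needs an entry in the upgrade notes and a rationale in the commit message (presumably per-directory renegotiation makes no sense for the proxy-to-backend connection, but the hunk does not say so). In the level descriptions, the <code>none</code> entry should warn that the proxy then has no assurance of the backend's identity and the connection is encrypted but not authenticated; and "most users will want either none or require" reads as though <code>none</code> were a reasonable production choice, which the rest of that sentence about bypassing the authentication mechanism contradicts. Suggest "most users will want require; none disables verification of the remote server entirely".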
Lines 1466-1485
|
1466 |
<syntax>SSLProxyVerifyDepth <em>number</em></syntax> |
1497 |
<syntax>SSLProxyVerifyDepth <em>number</em></syntax> |
1467 |
<default>SSLProxyVerifyDepth 1</default> |
1498 |
<default>SSLProxyVerifyDepth 1</default> |
1468 |
<contextlist><context>server config</context> |
1499 |
<contextlist><context>server config</context> |
1469 |
<context>virtual host</context> |
1500 |
<context>virtual host</context></contextlist> |
1470 |
<context>directory</context> |
|
|
1471 |
<context>.htaccess</context></contextlist> |
1472 |
<override>AuthConfig</override> |
1473 |
|
1501 |
|
1474 |
<usage> |
1502 |
<usage> |
1475 |
<p> |
1503 |
<p> |
1476 |
This directive sets how deeply mod_ssl should verify before deciding that the |
1504 |
This directive sets how deeply mod_ssl should verify before deciding that the |
1477 |
remote server does not have a valid certificate. Notice that this directive can be |
1505 |
remote server does not have a valid certificate.</p> |
1478 |
used both in per-server and per-directory context. In per-server context it |
|
|
1479 |
applies to the client authentication process used in the standard SSL |
1480 |
handshake when a connection is established. In per-directory context it forces |
1481 |
a SSL renegotation with the reconfigured remote server verification depth after the |
1482 |
HTTP request was read but before the HTTP response is sent.</p> |
1483 |
<p> |
1506 |
<p> |
1484 |
The depth actually is the maximum number of intermediate certificate issuers, |
1507 |
The depth actually is the maximum number of intermediate certificate issuers, |
1485 |
i.e. the number of CA certificates which are max allowed to be followed while |
1508 |
i.e. the number of CA certificates which are max allowed to be followed while |
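Review bot: dropping the per-directory paragraph here also removes the incorrect statement that SSLProxyVerifyDepth "applies to the client authentication process" (it governs verification of the remote server's chain), which is the right fix, but as with SSLProxyVerify the removal of the <code>directory</code> and <code>.htaccess</code> contexts and the <code>AuthConfig</code> override is a compatibility change that should be called out in the upgrade notes. While this text is being touched, the retained sentence "the number of CA certificates which are max allowed to be followed" is awkward; consider "the maximum number of CA certificates that may be followed" and likewise "The depth actually is" rather than leaving the original wording.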