Apache HTTP Server Version 2.4
Description: | Strong cryptography using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols |
---|---|
Status: | Extension |
Module Identifier: | ssl_module |
Source File: | mod_ssl.c |
This module provides SSL v3 and TLS v1.x support for the Apache HTTP Server. SSL v2 is no longer supported.
This module relies on OpenSSL to provide the cryptography engine.
Further details, discussion, and examples are provided in the SSL documentation.
This module can be configured to provide several items of SSL information as additional environment variables to the SSI and CGI namespace. Except for HTTPS and SSL_TLS_SNI, which are always defined, this information is not provided by default for performance reasons. (See SSLOptions StdEnvVars, below.) The generated variables are listed in the table below. For backward compatibility the information can be made available under different names, too. Look in the Compatibility chapter for details on the compatibility variables.
Variable Name | Value Type | Description |
---|---|---|
HTTPS | flag | HTTPS is being used. |
SSL_PROTOCOL | string | The SSL protocol version (SSLv3, TLSv1, TLSv1.1, TLSv1.2) |
SSL_SESSION_ID | string | The hex-encoded SSL session id |
SSL_SESSION_RESUMED | string | Initial or Resumed SSL Session. Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use |
SSL_SECURE_RENEG | string | true if secure renegotiation is supported, else false |
SSL_CIPHER | string | The cipher specification name |
SSL_CIPHER_EXPORT | string | true if cipher is an export cipher |
SSL_CIPHER_USEKEYSIZE | number | Number of cipher bits (actually used) |
SSL_CIPHER_ALGKEYSIZE | number | Number of cipher bits (possible) |
SSL_COMPRESS_METHOD | string | SSL compression method negotiated |
SSL_VERSION_INTERFACE | string | The mod_ssl program version |
SSL_VERSION_LIBRARY | string | The OpenSSL program version |
SSL_CLIENT_M_VERSION | string | The version of the client certificate |
SSL_CLIENT_M_SERIAL | string | The serial of the client certificate |
SSL_CLIENT_S_DN | string | Subject DN in client's certificate |
SSL_CLIENT_S_DN_x509 | string | Component of client's Subject DN |
SSL_CLIENT_SAN_Email_n | string | Client certificate's subjectAltName extension entries of type rfc822Name |
SSL_CLIENT_SAN_DNS_n | string | Client certificate's subjectAltName extension entries of type dNSName |
SSL_CLIENT_SAN_OTHER_msUPN_n | string | Client certificate's subjectAltName extension entries of type otherName, Microsoft User Principal Name form (OID 1.3.6.1.4.1.311.20.2.3) |
SSL_CLIENT_I_DN | string | Issuer DN of client's certificate |
SSL_CLIENT_I_DN_x509 | string | Component of client's Issuer DN |
SSL_CLIENT_V_START | string | Validity of client's certificate (start time) |
SSL_CLIENT_V_END | string | Validity of client's certificate (end time) |
SSL_CLIENT_V_REMAIN | string | Number of days until client's certificate expires |
SSL_CLIENT_A_SIG | string | Algorithm used for the signature of client's certificate |
SSL_CLIENT_A_KEY | string | Algorithm used for the public key of client's certificate |
SSL_CLIENT_CERT | string | PEM-encoded client certificate |
SSL_CLIENT_CERT_CHAIN_n | string | PEM-encoded certificates in client certificate chain |
SSL_CLIENT_CERT_RFC4523_CEA | string | Serial number and issuer of the certificate. The format matches that of the CertificateExactAssertion in RFC4523 |
SSL_CLIENT_VERIFY | string | NONE, SUCCESS, GENEROUS or FAILED:reason |
SSL_SERVER_M_VERSION | string | The version of the server certificate |
SSL_SERVER_M_SERIAL | string | The serial of the server certificate |
SSL_SERVER_S_DN | string | Subject DN in server's certificate |
SSL_SERVER_SAN_Email_n | string | Server certificate's subjectAltName extension entries of type rfc822Name |
SSL_SERVER_SAN_DNS_n | string | Server certificate's subjectAltName extension entries of type dNSName |
SSL_SERVER_SAN_OTHER_dnsSRV_n | string | Server certificate's subjectAltName extension entries of type otherName, SRVName form (OID 1.3.6.1.5.5.7.8.7, RFC 4985) |
SSL_SERVER_S_DN_x509 | string | Component of server's Subject DN |
SSL_SERVER_I_DN | string | Issuer DN of server's certificate |
SSL_SERVER_I_DN_x509 | string | Component of server's Issuer DN |
SSL_SERVER_V_START | string | Validity of server's certificate (start time) |
SSL_SERVER_V_END | string | Validity of server's certificate (end time) |
SSL_SERVER_A_SIG | string | Algorithm used for the signature of server's certificate |
SSL_SERVER_A_KEY | string | Algorithm used for the public key of server's certificate |
SSL_SERVER_CERT | string | PEM-encoded server certificate |
SSL_SRP_USER | string | SRP username |
SSL_SRP_USERINFO | string | SRP user info |
SSL_TLS_SNI | string | Contents of the SNI TLS extension (if supplied with ClientHello) |
x509 specifies a component of an X.509 DN; one of C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email. In httpd 2.2.0 and later, x509 may also include a numeric _n suffix. If the DN in question contains multiple attributes of the same name, this suffix is used as a zero-based index to select a particular attribute. For example, where the server certificate subject DN included two OU attributes, SSL_SERVER_S_DN_OU_0 and SSL_SERVER_S_DN_OU_1 could be used to reference each. A variable name without a _n suffix is equivalent to that name with a _0 suffix; the first (or only) attribute.
When the environment table is populated using the StdEnvVars option of the SSLOptions directive, the first (or only) attribute of any DN is added only under a non-suffixed name; i.e. no _0 suffixed entries are added.
In httpd 2.4.32 and later, an optional _RAW suffix may be added to x509 in a DN component, to suppress conversion of the attribute value to UTF-8. This must be placed after the index suffix (if any). For example, SSL_SERVER_S_DN_OU_RAW or SSL_SERVER_S_DN_OU_0_RAW could be used.
The format of the *_DN variables has changed in Apache HTTPD 2.3.11. See the LegacyDNStringFormat option for SSLOptions for details.
SSL_CLIENT_V_REMAIN is only available in version 2.1 and later.
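How an application behind mod_ssl can consume these variables, as an added example that is not part of the Apache documentation: it accepts only SSL_CLIENT_VERIFY=SUCCESS and collects multi-valued DN components using the suffix rules described above. The function names, the OU policy, the 14-day warning threshold and the sample environments are assumptions made for illustration.

```python
# Added example: authorization logic for a CGI/WSGI handler behind mod_ssl
# running with "SSLOptions +StdEnvVars". All sample values are constructed.


def dn_components(environ, prefix, component):
    """Return every value of one DN component, in index order.

    With StdEnvVars the first (or only) attribute is exported without a
    suffix and later ones as _1, _2, ... A _0 name is accepted as well,
    because it is equivalent to the unsuffixed name.
    """
    base = f"{prefix}_{component}"
    first = environ.get(base, environ.get(f"{base}_0"))
    if first is None:
        return []
    values = [first]
    index = 1
    while f"{base}_{index}" in environ:
        values.append(environ[f"{base}_{index}"])
        index += 1
    return values


def authorize(environ, required_ou, warn_days=14):
    """Return (allowed, reason) for one request environment."""
    if environ.get("HTTPS", "").lower() != "on":
        return False, "request did not arrive over HTTPS"
    # Only the variable set by mod_ssl counts. Request headers reach CGI as
    # HTTP_* names, so a client-sent "SSL-Client-Verify" header becomes
    # HTTP_SSL_CLIENT_VERIFY and is never consulted here.
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        # NONE, GENEROUS and FAILED:reason are all treated as unauthenticated.
        return False, f"client certificate not verified: {verify}"
    ous = dn_components(environ, "SSL_CLIENT_S_DN", "OU")
    if required_ou not in ous:
        return False, f"subject OUs {ous} do not include {required_ou!r}"
    remain = environ.get("SSL_CLIENT_V_REMAIN", "")
    if remain.isdigit() and int(remain) < warn_days:
        return True, f"allowed; certificate expires in {remain} days"
    return True, "allowed"


# Constructed sample environments (not captured from a real server).
VERIFIED = {
    "HTTPS": "on",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_OU": "Staff",    # first OU: no suffix under StdEnvVars
    "SSL_CLIENT_S_DN_OU_1": "Ops",    # second OU
    "SSL_CLIENT_V_REMAIN": "9",
}
SPOOFED = {
    "HTTPS": "on",
    "SSL_CLIENT_VERIFY": "NONE",
    "HTTP_SSL_CLIENT_VERIFY": "SUCCESS",   # client-supplied header
    "HTTP_SSL_CLIENT_S_DN_OU": "Ops",      # client-supplied header
}
EXPIRED = dict(VERIFIED, SSL_CLIENT_VERIFY="FAILED:certificate has expired")

if __name__ == "__main__":
    for name, env in (("verified", VERIFIED), ("spoofed", SPOOFED),
                      ("expired", EXPIRED)):
        print(name, authorize(env, "Ops"))
```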
A number of additional environment variables can also be used in SSLRequire expressions, or in custom log formats:
HTTP_USER_AGENT PATH_INFO AUTH_TYPE HTTP_REFERER QUERY_STRING SERVER_SOFTWARE HTTP_COOKIE REMOTE_HOST API_VERSION HTTP_FORWARDED REMOTE_IDENT TIME_YEAR HTTP_HOST IS_SUBREQ TIME_MON HTTP_PROXY_CONNECTION DOCUMENT_ROOT TIME_DAY HTTP_ACCEPT SERVER_ADMIN TIME_HOUR THE_REQUEST SERVER_NAME TIME_MIN REQUEST_FILENAME SERVER_PORT TIME_SEC REQUEST_METHOD SERVER_PROTOCOL TIME_WDAY REQUEST_SCHEME REMOTE_ADDR TIME REQUEST_URI REMOTE_USER
In these contexts, two special formats can also be used:
ENV:variablename
HTTP:headername
When mod_ssl is built into Apache or at least loaded (under DSO situation) additional functions exist for the Custom Log Format of mod_log_config. First there is an additional ``%{varname}x'' eXtension format function which can be used to expand any variables provided by any module, especially those provided by mod_ssl which you can find in the above table.
For backward compatibility there is additionally a special ``%{name}c'' cryptography format function provided. Information about this function is provided in the Compatibility chapter.
CustomLog "logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
These formats even work without setting the StdEnvVars option of the SSLOptions directive.
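A log produced by the CustomLog line above can be used to find clients that still negotiate old protocol versions or weak ciphers before those are disabled. The following parser is an added example, not part of the Apache documentation; the policy sets and the log lines are constructed assumptions.

```python
# Added example: audit an ssl_request_log written with the format
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<protocol>\S+) (?P<cipher>\S+) '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<size>\d+|-)$'
)

# Assumed site policy: protocol versions to retire, and OpenSSL cipher-name
# tokens that indicate RC4, DES/3DES, MD5, null, export or anonymous suites.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK_TOKENS = {"RC4", "DES", "CBC3", "MD5", "NULL", "EXP", "ADH", "AECDH"}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if malformed."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def audit(lines):
    """Return ({host: sorted findings}, number of unparseable lines)."""
    findings = defaultdict(set)
    skipped = 0
    for line in lines:
        record = parse_line(line)
        if record is None:
            skipped += 1
            continue
        if record["protocol"] in LEGACY_PROTOCOLS:
            findings[record["host"]].add("protocol:" + record["protocol"])
        if WEAK_TOKENS.intersection(record["cipher"].split("-")):
            findings[record["host"]].add("cipher:" + record["cipher"])
    return {host: sorted(items) for host, items in findings.items()}, skipped


# Constructed sample log (documentation address ranges, invented requests).
SAMPLE_LOG = """
[10/Oct/2023:13:55:36 +0000] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 512
[10/Oct/2023:13:55:37 +0000] 192.0.2.44 TLSv1 RC4-SHA "GET /login HTTP/1.1" 1043
[10/Oct/2023:13:55:39 +0000] 192.0.2.44 TLSv1 AES128-SHA "POST /login HTTP/1.1" 230
[10/Oct/2023:13:56:01 +0000] 198.51.100.7 SSLv3 DES-CBC3-SHA "GET /index.html HTTP/1.0" -
[10/Oct/2023:13:56:05 +0000] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /a.css HTTP/1.1" 88
this line is not in the expected format
"""

if __name__ == "__main__":
    report, skipped = audit(SAMPLE_LOG.strip().splitlines())
    for host, items in sorted(report.items()):
        print(host, ", ".join(items))
    print("unparseable lines:", skipped)
```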
mod_ssl sets "notes" for the request which can be used in logging with the %{name}n format string in mod_log_config.
The notes supported are as follows:
ssl-access-forbidden
Set to the value 1 if access was denied due to an SSLRequire or SSLRequireSSL directive.
ssl-secure-reneg
If mod_ssl is built against a version of OpenSSL which supports the secure renegotiation extension, this note is set to the value 1 if SSL is in use for the current connection, and the client also supports the secure renegotiation extension. If the client does not support the secure renegotiation extension, the note is set to the value 0. If mod_ssl is not built against a version of OpenSSL which supports secure renegotiation, or if SSL is not in use for the current connection, the note is not set.
When mod_ssl is built into Apache or at least loaded (under DSO situation) any variables provided by mod_ssl can be used in expressions for the ap_expr Expression Parser. The variables can be referenced using the syntax ``%{varname}''. Starting with version 2.4.18 one can also use the mod_rewrite style syntax ``%{SSL:varname}'' or the function style syntax ``ssl(varname)''.
Example (using mod_headers):
Header set X-SSL-PROTOCOL "expr=%{SSL_PROTOCOL}"
Header set X-SSL-CIPHER "expr=%{SSL:SSL_CIPHER}"
This feature even works without setting the StdEnvVars option of the SSLOptions directive.
mod_ssl provides a few authentication providers for use with mod_authz_core's Require directive.
The ssl provider denies access if a connection is not encrypted with SSL. This is similar to the SSLRequireSSL directive.
Require ssl
The ssl-verify-client provider allows access if the user is authenticated with a valid client certificate. This is only useful if SSLVerifyClient optional is in effect.
The following example grants access if the user is authenticated either with a client certificate or by username and password.
Require ssl-verify-client
Require valid-user
Description: | File of concatenated PEM-encoded CA Certificates for Client Auth |
---|---|
Syntax: | SSLCACertificateFile file-path |
Context: | server config, virtual host |
Status: | Extension |
Module: | mod_ssl |
This directive sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose clients you deal with. These are used for Client Authentication. Such a file is simply the concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to SSLCACertificatePath.
SSLCACertificateFile "/usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt"
Description: | Directory of PEM-encoded CA Certificates for Client Auth |
---|---|
Syntax: | SSLCACertificatePath directory-path |
Context: | server config, virtual host |
Status: | Extension |
Module: | mod_ssl |
This directive sets the directory where you keep the Certificates of Certification Authorities (CAs) whose clients you deal with. These are used to verify the client certificate on Client Authentication.
The files in this directory have to be PEM-encoded and are accessed through hash filenames. So usually you can't just place the Certificate files there: you also have to create symbolic links named hash-value.N. And you should always make sure this directory contains the appropriate symbolic links.
SSLCACertificatePath "/usr/local/apache2/conf/ssl.crt/"
Description: | File of concatenated PEM-encoded CA Certificates for defining acceptable CA names |
---|---|
Syntax: | SSLCADNRequestFile file-path |
Context: | server config, virtual host |
Status: | Extension |
Module: | mod_ssl |
When a client certificate is requested by mod_ssl, a list of acceptable Certificate Authority names is sent to the client in the SSL handshake. These CA names can be used by the client to select an appropriate client certificate out of those it has available.
If neither of the directives SSLCADNRequestPath or SSLCADNRequestFile is given, then the set of acceptable CA names sent to the client is the names of all the CA certificates given by the SSLCACertificateFile and SSLCACertificatePath directives; in other words, the names of the CAs which will actually be used to verify the client certificate.
In some circumstances, it is useful to be able to send a set of acceptable CA names which differs from the actual CAs used to verify the client certificate - for example, if the client certificates are signed by intermediate CAs. In such cases, SSLCADNRequestPath and/or SSLCADNRequestFile can be used; the acceptable CA names are then taken from the complete set of certificates in the directory and/or file specified by this pair of directives.
SSLCADNRequestFile must specify an all-in-one file containing a concatenation of PEM-encoded CA certificates.
SSLCADNRequestFile "/usr/local/apache2/conf/ca-names.crt"
Description: | Directory of PEM-encoded CA Certificates for defining acceptable CA names |
---|---|
Syntax: | SSLCADNRequestPath directory-path |
Context: | server config, virtual host |
Status: | Extension |
Module: | mod_ssl |
This optional directive can be used to specify the set of acceptable CA names which will be sent to the client when a client certificate is requested. See the SSLCADNRequestFile directive for more details.
The files in this directory have to be PEM-encoded and are accessed through hash filenames. So usually you can't just place the Certificate files there: you also have to create symbolic links named hash-value.N. And you should always make sure this directory contains the appropriate symbolic links.
SSLCADNRequestPath "/usr/local/apache2/conf/ca-names.crt/"
Description: | Enable CRL-based revocation checking |
---|---|
Syntax: | SSLCARevocationCheck chain|leaf|none [flags ...] |
Default: | SSLCARevocationCheck none |
Context: | server config, virtual host |
Status: | Extension |
Module: | mod_ssl |
Compatibility: | Optional flags available in httpd 2.4.21 or later |
Enables certificate revocation list (CRL) checking. At least one of SSLCARevocationFile or SSLCARevocationPath must be configured. When set to chain (recommended setting), CRL checks are applied to all certificates in the chain, while setting it to leaf limits the checks to the end-entity cert.
The available flags are:
no_crl_for_cert_ok
Prior to version 2.3.15, CRL checking in mod_ssl also succeeded when no CRL(s) for the checked certificate(s) were found in any of the locations configured with SSLCARevocationFile or SSLCARevocationPath.
With the introduction of SSLCARevocationFile, the behavior has been changed: by default with chain or leaf, CRLs must be present for the validation to succeed - otherwise it will fail with an "unable to get certificate CRL" error.
The flag no_crl_for_cert_ok restores the previous behaviour.
SSLCARevocationCheck chain
SSLCARevocationCheck chain no_crl_for_cert_ok
Description: | File of concatenated PEM-encoded CA CRLs for Client Auth |
---|---|
Syntax: | SSLCARevocationFile file-path |
Context: | server config, virtual host |
Status: | Extension |
Module: | mod_ssl |
This directive sets the all-in-one file where you can assemble the Certificate Revocation Lists (CRL) of Certification Authorities (CA) whose clients you deal with. These are used for Client Authentication. Such a file is simply the concatenation of the various PEM-encoded CRL files, in order of preference. This can be used alternatively and/or additionally to SSLCARevocationPath.
SSLCARevocationFile "/usr/local/apache2/conf/ssl.crl/ca-bundle-client.crl"
Description: | Directory of PEM-encoded CA CRLs for Client Auth |
---|---|
Syntax: | SSLCARevocationPath directory-path |
Context: | server config, virtual host |
Status: | Extension |
Module: | mod_ssl |
This directive sets the directory where you keep the Certificate Revocation Lists (CRL) of Certification Authorities (CAs) whose clients you deal with. These are used to revoke the client certificate on Client Authentication.
The files in this directory have to be PEM-encoded and are accessed through hash filenames. So usually it is not enough to place the CRL files there: you also have to create symbolic links named hash-value.rN. And you should always make sure this directory contains the appropriate symbolic links.
SSLCARevocationPath "/usr/local/apache2/conf/ssl.crl/"
Description: | File of PEM-encoded Server CA Certificates |
---|---|
Syntax: | SSLCertificateChainFile file-path |
Context: | server config, virtual host |
Status: | Extension |
Module: | mod_ssl |
SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.
This directive sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate. Such a file is simply the concatenation of the various PEM-encoded CA Certificate files, usually in certificate chain order.
This should be used alternatively and/or additionally to SSLCACertificatePath for explicitly constructing the server certificate chain which is sent to the browser in addition to the server certificate. It is especially useful to avoid conflicts with CA certificates when using client authentication: although placing a CA certificate of the server certificate chain into SSLCACertificatePath has the same effect for the certificate chain construction, it has the side-effect that client certificates issued by this same CA certificate are also accepted on client authentication.
But be careful: Providing the certificate chain works only if you are using a single RSA or DSA based server certificate. If you are using a coupled RSA+DSA certificate pair, this will work only if actually both certificates use the same certificate chain. Else the browsers will be confused in this situation.
SSLCertificateChainFile "/usr/local/apache2/conf/ssl.crt/ca.crt"
Description: | Server PEM-encoded X.509 certificate data file or token identifier |
---|---|
Syntax: | SSLCertificateFile file-path|certid |
Context: | server config, virtual host |
Status: | Extension |
Module: | mod_ssl |
Compatibility: | certid available in 2.4.42 and later. |
This directive points to a file with certificate data in PEM format, or the certificate identifier through a configured cryptographic token.
If using a PEM file, at minimum, the file must include an end-entity (leaf) certificate.
The directive can be used multiple times (referencing different filenames) to support multiple algorithms for server authentication - typically RSA, DSA, and ECC. The number of supported algorithms depends on the OpenSSL version being used for mod_ssl: with version 1.0.0 or later, openssl list-public-key-algorithms will output a list of supported algorithms, see also the note below about limitations of OpenSSL versions prior to 1.0.2 and the ways to work around them.
The files may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes SSLCertificateChainFile. When running with OpenSSL 1.0.2 or later, this allows the intermediate CA chain to be configured on a per-certificate basis.
Custom DH parameters and an EC curve name for ephemeral keys can also be added to the end of the first file configured using SSLCertificateFile. This is supported in version 2.4.7 or later. Such parameters can be generated using the commands openssl dhparam and openssl ecparam. The parameters can be added as-is to the end of the first certificate file. Only the first file can be used for custom parameters, as they are applied independently of the authentication algorithm type.
Finally the end-entity certificate's private key can also be added to the certificate file instead of using a separate SSLCertificateKeyFile directive. This practice is highly discouraged. If it is used, the certificate files using such an embedded key must be configured after the certificates using a separate key file. If the private key is encrypted, the pass phrase dialog is forced at startup time.
As an alternative to storing certificates and private keys in files, a certificate identifier can be used to identify a certificate stored in a token. Currently, only PKCS#11 URIs are recognized as certificate identifiers, and can be used in conjunction with the OpenSSL pkcs11 engine. If SSLCertificateKeyFile is omitted, the certificate and private key can be loaded through the single identifier specified with SSLCertificateFile.
Beginning with version 2.4.7, mod_ssl makes use of standardized DH parameters with prime lengths of 2048, 3072 and 4096 bits and with additional prime lengths of 6144 and 8192 bits beginning with version 2.4.10 (from RFC 3526), and hands them out to clients based on the length of the certificate's RSA/DSA key. With Java-based clients in particular (Java 7 or earlier), this may lead to handshake failures - see this FAQ answer for working around such issues.
When using multiple certificates to support different authentication algorithms (like RSA, DSA, but mainly ECC) and OpenSSL prior to 1.0.2, it is recommended to either use custom DH parameters (preferably) by adding them to the first certificate file (as described above), or to order the SSLCertificateFile directives such that RSA/DSA certificates are placed after the ECC one.
This is due to a limitation in older versions of OpenSSL which don't let the Apache HTTP Server determine the currently selected certificate at handshake time (when the DH parameters must be sent to the peer) but instead always provide the last configured certificate. Consequently, the server may select default DH parameters based on the length of the wrong certificate's key (ECC keys are much smaller than RSA/DSA ones and their length is not relevant for selecting DH primes).
Since custom DH parameters always take precedence over the default ones, this issue can be avoided by creating and configuring them (as described above), thus using a custom/suitable length.
# Example using a PEM-encoded file.
SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt"
# Example use of a certificate and private key from a PKCS#11 token:
SSLCertificateFile "pkcs11:token=My%20Token%20Name;id=45"
Description: | Server PEM-encoded private key file |
---|---|
Syntax: | SSLCertificateKeyFile file-path|keyid |
Context: | server config, virtual host |
Status: | Extension |
Module: | mod_ssl |
Compatibility: | keyid available in 2.4.42 and later. |
This directive points to the PEM-encoded private key file for the server, or the key ID through a configured cryptographic token. If the contained private key is encrypted, the pass phrase dialog is forced at startup time.
The directive can be used multiple times (referencing different filenames) to support multiple algorithms for server authentication. For each SSLCertificateKeyFile directive, there must be a matching SSLCertificateFile directive.
The private key may also be combined with the certificate in the file given by SSLCertificateFile, but this practice is highly discouraged. If it is used, the certificate files using such an embedded key must be configured after the certificates using a separate key file.
As an alternative to storing private keys in files, a key identifier can be used to identify a private key stored in a token. Currently, only PKCS#11 URIs are recognized as private key identifiers, and can be used in conjunction with the OpenSSL pkcs11 engine.
# To use a private key from a PEM-encoded file:
SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/server.key"
# To use a private key from a PKCS#11 token:
SSLCertificateKeyFile "pkcs11:token=My%20Token%20Name;id=45"
Description: | Cipher Suite available for negotiation in SSL handshake |
---|---|
Syntax: | SSLCipherSuite [protocol] cipher-spec |
Default: | SSLCipherSuite DEFAULT (depends on OpenSSL version) |
Context: | server config, virtual host, directory, .htaccess |
Override: | AuthConfig |
Status: | Extension |
Module: | mod_ssl |
This complex directive uses a colon-separated cipher-spec string consisting of OpenSSL cipher specifications to configure the Cipher Suite the client is permitted to negotiate in the SSL handshake phase. The optional protocol specifier can configure the Cipher Suite for a specific SSL version. Possible values include "SSL" for all SSL Protocols up to and including TLSv1.2.
Notice that this directive can be used both in per-server and per-directory context. In per-server context it applies to the standard SSL handshake when a connection is established. In per-directory context it forces a SSL renegotiation with the reconfigured Cipher Suite after the HTTP request was read but before the HTTP response is sent.
If the SSL library supports TLSv1.3 (OpenSSL 1.1.1 and later), the protocol specifier "TLSv1.3" can be used to configure the cipher suites for that protocol. Since TLSv1.3 does not offer renegotiations, specifying ciphers for it in a directory context is not allowed.
For a list of TLSv1.3 cipher names, see the OpenSSL documentation.
An SSL cipher specification in cipher-spec is composed of 4 major attributes plus a few extra minor ones:
An SSL cipher can also be an export cipher. SSLv2 ciphers are no longer supported. To specify which ciphers to use, one can either specify all the ciphers, one at a time, or use aliases to specify the preference and order for the ciphers (see Table 1). The ciphers and aliases actually available depend on the OpenSSL version in use. Newer OpenSSL versions may include additional ciphers.
Tag | Description |
---|---|
Key Exchange Algorithm: | |
kRSA | RSA key exchange |
kDHr | Diffie-Hellman key exchange with RSA key |
kDHd | Diffie-Hellman key exchange with DSA key |
kEDH | Ephemeral (temp.key) Diffie-Hellman key exchange (no cert) |
kSRP | Secure Remote Password (SRP) key exchange |
Authentication Algorithm: | |
aNULL | No authentication |
aRSA | RSA authentication |
aDSS | DSS authentication |
aDH | Diffie-Hellman authentication |
Cipher Encoding Algorithm: | |
eNULL | No encryption |
NULL | alias for eNULL |
AES | AES encryption |
DES | DES encryption |
3DES | Triple-DES encryption |
RC4 | RC4 encryption |
RC2 | RC2 encryption |
IDEA | IDEA encryption |
MAC Digest Algorithm: | |
MD5 | MD5 hash function |
SHA1 | SHA1 hash function |
SHA | alias for SHA1 |
SHA256 | SHA256 hash function |
SHA384 | SHA384 hash function |
Aliases: | |
SSLv3 | all SSL version 3.0 ciphers |
TLSv1 | all TLS version 1.0 ciphers |
EXP | all export ciphers |
EXPORT40 | all 40-bit export ciphers only |
EXPORT56 | all 56-bit export ciphers only |
LOW | all low strength ciphers (no export, single DES) |
MEDIUM | all ciphers with 128 bit encryption |
HIGH | all ciphers using Triple-DES |
RSA | all ciphers using RSA key exchange |
DH | all ciphers using Diffie-Hellman key exchange |
EDH | all ciphers using Ephemeral Diffie-Hellman key exchange |
ECDH | Elliptic Curve Diffie-Hellman key exchange |
ADH | all ciphers using Anonymous Diffie-Hellman key exchange |
AECDH | all ciphers using Anonymous Elliptic Curve Diffie-Hellman key exchange |
SRP | all ciphers using Secure Remote Password (SRP) key exchange |
DSS | all ciphers using DSS authentication |
ECDSA | all ciphers using ECDSA authentication |
aNULL | all ciphers using no authentication |
Now where this becomes interesting is that these can be put together to specify the order and ciphers you wish to use. To speed this up there are also aliases (SSLv3, TLSv1, EXP, LOW, MEDIUM, HIGH) for certain groups of ciphers. These tags can be joined together with prefixes to form the cipher-spec. Available prefixes are:
+: move matching ciphers to the current location in list
-: remove cipher from list (can be added later again)
!: kill cipher from list completely (can not be added later again)
aNULL, eNULL and EXP ciphers are always disabled
Beginning with version 2.4.7, null and export-grade ciphers are always disabled, as mod_ssl unconditionally adds !aNULL:!eNULL:!EXP to any cipher string at initialization.
A simpler way to look at all of this is to use the ``openssl ciphers -v'' command which provides a nice way to successively create the correct cipher-spec string. The default cipher-spec string depends on the version of the OpenSSL libraries used. Let's suppose it is ``RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5'' which means the following: Put RC4-SHA and AES128-SHA at the beginning. We do this, because these ciphers offer a good compromise between speed and security. Next, include high and medium security ciphers. Finally, remove all ciphers which do not authenticate, i.e. for SSL the Anonymous Diffie-Hellman ciphers, as well as all ciphers which use MD5 as hash algorithm, because it has been proven insufficient.
$ openssl ciphers -v 'RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5'
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
...                     ...               ...     ...           ...
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
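The columns of ``openssl ciphers -v'' output can be checked mechanically before a cipher-spec is deployed. The following parser is an added example, not part of the Apache documentation: it reads the Kx/Au/Enc/Mac fields and reports anonymous, unencrypted, export, low-strength, MD5 and legacy-cipher entries. The weakness policy is an assumption of this example (RC4 is included because RFC 7465 prohibits it in TLS), and the sample text is constructed from the output above plus two rows of Table 2.

```python
# Added example: flag weak entries in "openssl ciphers -v" output.
import re

ENC_RE = re.compile(r"^(?P<alg>[^()]+)(?:\((?P<bits>\d+)\))?$")

# Assumed policy: encryption algorithms treated as legacy by this example.
LEGACY_ENC = {"RC4", "DES", "3DES", "RC2"}


def parse_cipher_line(line):
    """Parse one output row into a dict; return None for anything else."""
    parts = line.split()
    if len(parts) < 6 or not parts[2].startswith("Kx="):
        return None  # prompt line, "..." filler or blank line
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if not all(key in fields for key in ("Kx", "Au", "Enc", "Mac")):
        return None
    enc = ENC_RE.match(fields["Enc"])
    if enc is None:
        return None
    return {
        "name": parts[0],
        "protocol": parts[1],
        "kx": fields["Kx"],
        "au": fields["Au"],
        "enc": enc.group("alg"),
        "bits": int(enc.group("bits") or 0),
        "mac": fields["Mac"],
        "export": "export" in parts[6:],
    }


def weaknesses(cipher):
    """Return the list of policy violations for one parsed cipher."""
    issues = []
    if cipher["au"] == "None":
        issues.append("anonymous")            # the aNULL group
    if cipher["enc"] == "None":
        issues.append("no-encryption")        # the eNULL group
    else:
        if cipher["enc"] in LEGACY_ENC:
            issues.append("legacy-cipher:" + cipher["enc"])
        if cipher["bits"] < 128:
            issues.append("low-strength")
    if cipher["mac"] == "MD5":
        issues.append("md5-mac")
    if cipher["export"]:
        issues.append("export")
    return issues


def audit_output(text):
    """Map cipher name -> issues for every weak cipher found in text."""
    report = {}
    for line in text.splitlines():
        cipher = parse_cipher_line(line)
        if cipher is not None and weaknesses(cipher):
            report[cipher["name"]] = weaknesses(cipher)
    return report


# Constructed sample: rows shown on this page, not a live OpenSSL run.
SAMPLE_OUTPUT = """\
$ openssl ciphers -v 'RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5'
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
...                     ...               ...     ...           ...
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5 export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

if __name__ == "__main__":
    for name, issues in audit_output(SAMPLE_OUTPUT).items():
        print(f"{name}: {', '.join(issues)}")
```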
The complete list of particular RSA & DH ciphers for SSL is given in Table 2.
SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
Cipher-Tag | Protocol | Key Ex. | Auth. | Enc. | MAC | Type |
---|---|---|---|---|---|---|
RSA Ciphers: | ||||||
DES-CBC3-SHA | SSLv3 | RSA | RSA | 3DES(168) | SHA1 | |
IDEA-CBC-SHA | SSLv3 | RSA | RSA | IDEA(128) | SHA1 | |
RC4-SHA | SSLv3 | RSA | RSA | RC4(128) | SHA1 | |
RC4-MD5 | SSLv3 | RSA | RSA | RC4(128) | MD5 | |
DES-CBC-SHA | SSLv3 | RSA | RSA | DES(56) | SHA1 | |
EXP-DES-CBC-SHA | SSLv3 | RSA(512) | RSA | DES(40) | SHA1 | export |
EXP-RC2-CBC-MD5 | SSLv3 | RSA(512) | RSA | RC2(40) | MD5 | export |
EXP-RC4-MD5 | SSLv3 | RSA(512) | RSA | RC4(40) | MD5 | export |
NULL-SHA | SSLv3 | RSA | RSA | None | SHA1 | |
NULL-MD5 | SSLv3 | RSA | RSA | None | MD5 | |
Diffie-Hellman Ciphers: | ||||||
ADH-DES-CBC3-SHA | SSLv3 | DH | None | 3DES(168) | SHA1 | |
ADH-DES-CBC-SHA | SSLv3 | DH | None | DES(56) | SHA1 | |
ADH-RC4-MD5 | SSLv3 | DH | None | RC4(128) | MD5 | |
EDH-RSA-DES-CBC3-SHA | SSLv3 | DH | RSA | 3DES(168) | SHA1 | |
EDH-DSS-DES-CBC3-SHA | SSLv3 | DH | DSS | 3DES(168) | SHA1 | |
EDH-RSA-DES-CBC-SHA | SSLv3 | DH | RSA | DES(56) | SHA1 | |
EDH-DSS-DES-CBC-SHA | SSLv3 | DH | DSS | DES(56) | SHA1 | |
EXP-EDH-RSA-DES-CBC-SHA | SSLv3 | DH(512) | RSA | DES(40) | SHA1 | export |
EXP-EDH-DSS-DES-CBC-SHA | SSLv3 | DH(512) | DSS | DES(40) | SHA1 | export |
EXP-ADH-DES-CBC-SHA | SSLv3 | DH(512) | None | DES(40) | SHA1 | export |
EXP-ADH-RC4-MD5 | SSLv3 | DH(512) | None | RC4(40) | MD5 | export |
Description: | Enable compression on the SSL level |
---|---|
Syntax: | SSLCompression on|off |
Default: | SSLCompression off |
Context: | server config, virtual host |
Status: | Extension |
Module: | mod_ssl |
Compatibility: | Available in httpd 2.4.3 and later, if using OpenSSL 0.9.8 or later; virtual host scope available if using OpenSSL 1.0.0 or later. The default used to be on in version 2.4.3. |
This directive enables compression on the SSL level.
Enabling compression causes security issues in most setups (the so-called CRIME attack).
Description: | Enable use of a cryptographic hardware accelerator |
---|---|
Syntax: | SSLCryptoDevice engine |
Default: | SSLCryptoDevice builtin |
Context: | server config |
Status: | Extension |
Module: | mod_ssl |
This directive enables use of a cryptographic hardware accelerator board to offload some of the SSL processing overhead. This directive can only be used if the SSL