diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-25 04:41:26 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-25 04:41:26 +0000 |
commit | 7b31d4f4901cdb89a79f2f7de4a6b8bb637b523b (patch) | |
tree | fdeb0b5ff80273f95ce61607fc3613dff0b9a235 /docs/manual/mod/mod_ssl.html.en | |
parent | Adding upstream version 2.4.38. (diff) | |
download | apache2-7b31d4f4901cdb89a79f2f7de4a6b8bb637b523b.tar.xz apache2-7b31d4f4901cdb89a79f2f7de4a6b8bb637b523b.zip |
Adding upstream version 2.4.59.upstream/2.4.59upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'docs/manual/mod/mod_ssl.html.en')
-rw-r--r-- | docs/manual/mod/mod_ssl.html.en | 262 |
1 files changed, 182 insertions, 80 deletions
diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en index 29afc96..ee92ffb 100644 --- a/docs/manual/mod/mod_ssl.html.en +++ b/docs/manual/mod/mod_ssl.html.en @@ -1,7 +1,7 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> +<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head> -<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" /> +<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" /> <!-- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX This file is generated from xml source: DO NOT EDIT @@ -27,13 +27,13 @@ <div id="preamble"><h1>Apache Module mod_ssl</h1> <div class="toplang"> <p><span>Available Languages: </span><a href="../en/mod/mod_ssl.html" title="English"> en </a> | -<a href="../fr/mod/mod_ssl.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p> +<a href="../fr/mod/mod_ssl.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p> </div> <table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Strong cryptography using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols</td></tr> <tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr> -<tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>ssl_module</td></tr> -<tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_ssl.c</td></tr></table> +<tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>ssl_module</td></tr> +<tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_ssl.c</td></tr></table> <h3>Summary</h3> <p>This module provides SSL v3 and TLS v1.x support for the Apache @@ -134,66 +134,66 @@ to provide the cryptography engine.</p> <h2><a name="envvars" id="envvars">Environment Variables</a></h2> <p>This module can be configured to provide several items of SSL information -as additional environment variables to the SSI and CGI namespace. This +as additional environment variables to the SSI and CGI namespace. Except for +<code>HTTPS</code> and <code>SSL_TLS_SNI</code> which are always defined, this information is not provided by default for performance reasons. (See -<code class="directive">SSLOptions</code> StdEnvVars, below.) The generated variables +<code class="directive"><a href="#ssloptions">SSLOptions</a></code> <code>StdEnvVars</code>, below) +The generated variables are listed in the table below. For backward compatibility the information can be made available under different names, too. Look in the <a href="../ssl/ssl_compat.html">Compatibility</a> chapter for details on the compatibility variables.</p> -<table class="bordered"> - -<tr> - <th><a name="table3">Variable Name:</a></th> - <th>Value Type:</th> - <th>Description:</th> +<table class="bordered"><tr class="header"> + <th><a name="table3">Variable Name</a></th> + <th>Value Type</th> + <th>Description</th> </tr> <tr><td><code>HTTPS</code></td> <td>flag</td> <td>HTTPS is being used.</td></tr> -<tr><td><code>SSL_PROTOCOL</code></td> <td>string</td> <td>The SSL protocol version (SSLv3, TLSv1, TLSv1.1, TLSv1.2)</td></tr> +<tr class="odd"><td><code>SSL_PROTOCOL</code></td> <td>string</td> <td>The SSL protocol version (SSLv3, TLSv1, TLSv1.1, TLSv1.2)</td></tr> <tr><td><code>SSL_SESSION_ID</code></td> <td>string</td> <td>The hex-encoded SSL session id</td></tr> -<tr><td><code>SSL_SESSION_RESUMED</code></td> <td>string</td> <td>Initial or Resumed SSL Session. Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use</td></tr> +<tr class="odd"><td><code>SSL_SESSION_RESUMED</code></td> <td>string</td> <td>Initial or Resumed SSL Session. Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use</td></tr> <tr><td><code>SSL_SECURE_RENEG</code></td> <td>string</td> <td><code>true</code> if secure renegotiation is supported, else <code>false</code></td></tr> -<tr><td><code>SSL_CIPHER</code></td> <td>string</td> <td>The cipher specification name</td></tr> +<tr class="odd"><td><code>SSL_CIPHER</code></td> <td>string</td> <td>The cipher specification name</td></tr> <tr><td><code>SSL_CIPHER_EXPORT</code></td> <td>string</td> <td><code>true</code> if cipher is an export cipher</td></tr> -<tr><td><code>SSL_CIPHER_USEKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (actually used)</td></tr> +<tr class="odd"><td><code>SSL_CIPHER_USEKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (actually used)</td></tr> <tr><td><code>SSL_CIPHER_ALGKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (possible)</td></tr> -<tr><td><code>SSL_COMPRESS_METHOD</code></td> <td>string</td> <td>SSL compression method negotiated</td></tr> +<tr class="odd"><td><code>SSL_COMPRESS_METHOD</code></td> <td>string</td> <td>SSL compression method negotiated</td></tr> <tr><td><code>SSL_VERSION_INTERFACE</code></td> <td>string</td> <td>The mod_ssl program version</td></tr> -<tr><td><code>SSL_VERSION_LIBRARY</code></td> <td>string</td> <td>The OpenSSL program version</td></tr> +<tr class="odd"><td><code>SSL_VERSION_LIBRARY</code></td> <td>string</td> <td>The OpenSSL program version</td></tr> <tr><td><code>SSL_CLIENT_M_VERSION</code></td> <td>string</td> <td>The version of the client certificate</td></tr> -<tr><td><code>SSL_CLIENT_M_SERIAL</code></td> <td>string</td> <td>The serial of the client certificate</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_M_SERIAL</code></td> <td>string</td> <td>The serial of the client certificate</td></tr> <tr><td><code>SSL_CLIENT_S_DN</code></td> <td>string</td> <td>Subject DN in client's certificate</td></tr> -<tr><td><code>SSL_CLIENT_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of client's Subject DN</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of client's Subject DN</td></tr> <tr><td><code>SSL_CLIENT_SAN_Email_</code><em>n</em></td> <td>string</td> <td>Client certificate's subjectAltName extension entries of type rfc822Name</td></tr> -<tr><td><code>SSL_CLIENT_SAN_DNS_</code><em>n</em></td> <td>string</td> <td>Client certificate's subjectAltName extension entries of type dNSName</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_SAN_DNS_</code><em>n</em></td> <td>string</td> <td>Client certificate's subjectAltName extension entries of type dNSName</td></tr> <tr><td><code>SSL_CLIENT_SAN_OTHER_msUPN_</code><em>n</em></td> <td>string</td> <td>Client certificate's subjectAltName extension entries of type otherName, Microsoft User Principal Name form (OID 1.3.6.1.4.1.311.20.2.3)</td></tr> -<tr><td><code>SSL_CLIENT_I_DN</code></td> <td>string</td> <td>Issuer DN of client's certificate</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_I_DN</code></td> <td>string</td> <td>Issuer DN of client's certificate</td></tr> <tr><td><code>SSL_CLIENT_I_DN_</code><em>x509</em></td> <td>string</td> <td>Component of client's Issuer DN</td></tr> -<tr><td><code>SSL_CLIENT_V_START</code></td> <td>string</td> <td>Validity of client's certificate (start time)</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_V_START</code></td> <td>string</td> <td>Validity of client's certificate (start time)</td></tr> <tr><td><code>SSL_CLIENT_V_END</code></td> <td>string</td> <td>Validity of client's certificate (end time)</td></tr> -<tr><td><code>SSL_CLIENT_V_REMAIN</code></td> <td>string</td> <td>Number of days until client's certificate expires</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_V_REMAIN</code></td> <td>string</td> <td>Number of days until client's certificate expires</td></tr> <tr><td><code>SSL_CLIENT_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of client's certificate</td></tr> -<tr><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr> <tr><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr> -<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr> <tr><td><code>SSL_CLIENT_CERT_RFC4523_CEA</code></td> <td>string</td> <td>Serial number and issuer of the certificate. The format matches that of the CertificateExactAssertion in RFC4523</td></tr> -<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr> +<tr class="odd"><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr> <tr><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr> -<tr><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr> +<tr class="odd"><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr> <tr><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr> -<tr><td><code>SSL_SERVER_SAN_Email_</code><em>n</em></td> <td>string</td> <td>Server certificate's subjectAltName extension entries of type rfc822Name</td></tr> +<tr class="odd"><td><code>SSL_SERVER_SAN_Email_</code><em>n</em></td> <td>string</td> <td>Server certificate's subjectAltName extension entries of type rfc822Name</td></tr> <tr><td><code>SSL_SERVER_SAN_DNS_</code><em>n</em></td> <td>string</td> <td>Server certificate's subjectAltName extension entries of type dNSName</td></tr> -<tr><td><code>SSL_SERVER_SAN_OTHER_dnsSRV_</code><em>n</em></td> <td>string</td> <td>Server certificate's subjectAltName extension entries of type otherName, SRVName form (OID 1.3.6.1.5.5.7.8.7, RFC 4985)</td></tr> +<tr class="odd"><td><code>SSL_SERVER_SAN_OTHER_dnsSRV_</code><em>n</em></td> <td>string</td> <td>Server certificate's subjectAltName extension entries of type otherName, SRVName form (OID 1.3.6.1.5.5.7.8.7, RFC 4985)</td></tr> <tr><td><code>SSL_SERVER_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Subject DN</td></tr> -<tr><td><code>SSL_SERVER_I_DN</code></td> <td>string</td> <td>Issuer DN of server's certificate</td></tr> +<tr class="odd"><td><code>SSL_SERVER_I_DN</code></td> <td>string</td> <td>Issuer DN of server's certificate</td></tr> <tr><td><code>SSL_SERVER_I_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Issuer DN</td></tr> -<tr><td><code>SSL_SERVER_V_START</code></td> <td>string</td> <td>Validity of server's certificate (start time)</td></tr> +<tr class="odd"><td><code>SSL_SERVER_V_START</code></td> <td>string</td> <td>Validity of server's certificate (start time)</td></tr> <tr><td><code>SSL_SERVER_V_END</code></td> <td>string</td> <td>Validity of server's certificate (end time)</td></tr> -<tr><td><code>SSL_SERVER_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of server's certificate</td></tr> +<tr class="odd"><td><code>SSL_SERVER_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of server's certificate</td></tr> <tr><td><code>SSL_SERVER_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of server's certificate</td></tr> -<tr><td><code>SSL_SERVER_CERT</code></td> <td>string</td> <td>PEM-encoded server certificate</td></tr> +<tr class="odd"><td><code>SSL_SERVER_CERT</code></td> <td>string</td> <td>PEM-encoded server certificate</td></tr> <tr><td><code>SSL_SRP_USER</code></td> <td>string</td> <td>SRP username</td></tr> -<tr><td><code>SSL_SRP_USERINFO</code></td> <td>string</td> <td>SRP user info</td></tr> +<tr class="odd"><td><code>SSL_SRP_USERINFO</code></td> <td>string</td> <td>SRP user info</td></tr> <tr><td><code>SSL_TLS_SNI</code></td> <td>string</td> <td>Contents of the SNI TLS extension (if supplied with ClientHello)</td></tr> </table> @@ -365,7 +365,7 @@ Require valid-user</pre> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of concatenated PEM-encoded CA Certificates for Client Auth</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCACertificateFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCACertificateFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> @@ -410,7 +410,7 @@ contains the appropriate symbolic links.</p> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of concatenated PEM-encoded CA Certificates for defining acceptable CA names</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCADNRequestFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCADNRequestFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> @@ -472,7 +472,7 @@ this directory contains the appropriate symbolic links.</p> <div class="directive-section"><h2><a name="SSLCARevocationCheck" id="SSLCARevocationCheck">SSLCARevocationCheck</a> <a name="sslcarevocationcheck" id="sslcarevocationcheck">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable CRL-based revocation checking</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCARevocationCheck chain|leaf|none <em>flag</em>s</code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCARevocationCheck chain|leaf|none [<em>flag</em>s ...]</code></td></tr> <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLCARevocationCheck none</code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> @@ -521,7 +521,7 @@ CRL checks are applied to all certificates in the chain, while setting it to <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of concatenated PEM-encoded CA CRLs for Client Auth</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCARevocationFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCARevocationFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> @@ -565,7 +565,7 @@ contains the appropriate symbolic links.</p> <div class="directive-section"><h2><a name="SSLCertificateChainFile" id="SSLCertificateChainFile">SSLCertificateChainFile</a> <a name="sslcertificatechainfile" id="sslcertificatechainfile">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of PEM-encoded Server CA Certificates</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateChainFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateChainFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> @@ -607,15 +607,16 @@ confused in this situation.</p> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="directive-section"><h2><a name="SSLCertificateFile" id="SSLCertificateFile">SSLCertificateFile</a> <a name="sslcertificatefile" id="sslcertificatefile">Directive</a></h2> <table class="directive"> -<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded X.509 certificate data file</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded X.509 certificate data file or token identifier</td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateFile <var>file-path</var>|<var>certid</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td><var>certid</var> available in 2.4.42 and later.</td></tr> </table> <p> -This directive points to a file with certificate data in PEM format. -At a minimum, the file must include an end-entity (leaf) certificate. +This directive points to a file with certificate data in PEM format, or the certificate identifier through a configured cryptographic token. +If using a PEM file, at minimum, the file must include an end-entity (leaf) certificate. The directive can be used multiple times (referencing different filenames) to support multiple algorithms for server authentication - typically RSA, DSA, and ECC. The number of supported algorithms depends on the @@ -656,6 +657,14 @@ after the certificates using a separate key file. If the private key is encrypted, the pass phrase dialog is forced at startup time. </p> +<p>As an alternative to storing certificates and private keys in +files, a certificate identifier can be used to identify a certificate +stored in a token. Currently, only <a href="https://tools.ietf.org/html/rfc7512">PKCS#11 URIs</a> are +recognized as certificate identifiers, and can be used in conjunction +with the OpenSSL <code>pkcs11</code> engine. If <code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code> is omitted, the +certificate and private key can be loaded through the single +identifier specified with <code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>.</p> + <div class="note"> <h3>DH parameter interoperability with primes > 1024 bit</h3> <p> @@ -699,7 +708,10 @@ thus using a custom/suitable length. </p> </div> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt"</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"># Example using a PEM-encoded file. +SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt" +# Example use of a certificate and private key from a PKCS#11 token: +SSLCertificateFile "pkcs11:token=My%20Token%20Name;id=45"</pre> </div> </div> @@ -707,15 +719,17 @@ thus using a custom/suitable length. <div class="directive-section"><h2><a name="SSLCertificateKeyFile" id="SSLCertificateKeyFile">SSLCertificateKeyFile</a> <a name="sslcertificatekeyfile" id="sslcertificatekeyfile">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded private key file</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateKeyFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateKeyFile <var>file-path</var>|<var>keyid</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td><var>keyid</var> available in 2.4.42 and later.</td></tr> </table> <p> This directive points to the PEM-encoded private key file for the -server. If the contained private key is encrypted, the pass phrase -dialog is forced at startup time.</p> +server, or the key ID through a configured cryptographic token. If the +contained private key is encrypted, the pass phrase dialog is forced +at startup time.</p> <p> The directive can be used multiple times (referencing different filenames) @@ -731,7 +745,16 @@ is highly discouraged. If it is used, the certificate files using such an embedded key must be configured after the certificates using a separate key file.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/server.key"</pre> +<p>As an alternative to storing private keys in files, a key +identifier can be used to identify a private key stored in a +token. Currently, only <a href="https://tools.ietf.org/html/rfc7512">PKCS#11 URIs</a> are recognized as private key +identifiers, and can be used in conjunction with the OpenSSL +<code>pkcs11</code> engine.</p> + +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"># To use a private key from a PEM-encoded file: +SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/server.key" +# To use a private key from a PKCS#11 token: +SSLCertificateKeyFile "pkcs11:token=My%20Token%20Name;id=45"</pre> </div> </div> @@ -1077,7 +1100,7 @@ supported for a given SSL connection.</p> <div class="directive-section"><h2><a name="SSLOCSPDefaultResponder" id="SSLOCSPDefaultResponder">SSLOCSPDefaultResponder</a> <a name="sslocspdefaultresponder" id="sslocspdefaultresponder">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Set the default responder URI for OCSP validation</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSDefaultResponder <em>uri</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPDefaultResponder <em>uri</em></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> @@ -1121,8 +1144,8 @@ SSLOCSPOverrideResponder on</pre> <div class="directive-section"><h2><a name="SSLOCSPNoverify" id="SSLOCSPNoverify">SSLOCSPNoverify</a> <a name="sslocspnoverify" id="sslocspnoverify">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>skip the OCSP responder certificates verification</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPNoverify <em>On/Off</em></code></td></tr> -<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLOCSPNoverify Off</code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPNoverify on|off</code></td></tr> +<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLOCSPNoverify off</code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> @@ -1287,10 +1310,10 @@ SSLOpenSSLConfCmd SignatureAlgorithms RSA+SHA384:ECDSA+SHA256</pre> </table> <p> This directive can be used to control various run-time options on a -per-directory basis. Normally, if multiple <code>SSLOptions</code> +per-directory basis. Normally, if multiple <code class="directive">SSLOptions</code> could apply to a directory, then the most specific one is taken completely; the options are not merged. However if <em>all</em> the -options on the <code>SSLOptions</code> directive are preceded by a +options on the <code class="directive">SSLOptions</code> directive are preceded by a plus (<code>+</code>) or minus (<code>-</code>) symbol, the options are merged. Any options preceded by a <code>+</code> are added to the options currently in force, and any options preceded by a @@ -1340,8 +1363,8 @@ The available <em>option</em>s are:</p> </li> <li><code>StrictRequire</code> <p> - This <em>forces</em> forbidden access when <code>SSLRequireSSL</code> or - <code>SSLRequire</code> successfully decided that access should be + This <em>forces</em> forbidden access when <code class="directive"><a href="#sslrequiressl">SSLRequireSSL</a></code> or + <code class="directive"><a href="#sslrequire">SSLRequire</a></code> successfully decided that access should be forbidden. Usually the default is that in the case where a ``<code>Satisfy any</code>'' directive is used, and other access restrictions are passed, denial of access due to <code>SSLRequireSSL</code> or @@ -1523,6 +1546,31 @@ The available (case-insensitive) <em>protocol</em>s are:</p> </ul> <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProtocol TLSv1</pre> </div> +<div class="note"> +<h3><code class="directive">SSLProtocol</code> for name-based virtual hosts</h3> +<p> +Before OpenSSL 1.1.1, even though the Server Name Indication (SNI) allowed to +determine the targeted virtual host early in the TLS handshake, it was not +possible to switch the TLS protocol version of the connection at this point, +and thus the <code class="directive">SSLProtocol</code> negotiated was always based off +the one of the <em>base virtual host</em> (first virtual host declared on the +listening <code>IP:port</code> of the connection). +</p> +<p> +Beginning with Apache HTTP server version 2.4.42, when built/linked against +OpenSSL 1.1.1 or later, and when the SNI is provided by the client in the TLS +handshake, the <code class="directive">SSLProtocol</code> of each (name-based) virtual +host can and will be honored. +</p> +<p> +For compatibility with previous versions, if no +<code class="directive">SSLProtocol</code> is configured in a name-based virtual host, +the one from the base virtual host still applies, <strong>unless</strong> +<code class="directive">SSLProtocol</code> is configured globally in which case the +global value applies (this latter exception is more sensible than compatible, +though). +</p> +</div> </div> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> @@ -1530,10 +1578,11 @@ The available (case-insensitive) <em>protocol</em>s are:</p> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of concatenated PEM-encoded CA Certificates for Remote Server Auth</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCACertificateFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCACertificateFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive sets the <em>all-in-one</em> file where you can assemble the @@ -1555,6 +1604,7 @@ Remote Server Auth</td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive sets the directory where you keep the Certificates of @@ -1579,6 +1629,7 @@ contains the appropriate symbolic links.</p> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> Enables certificate revocation list (CRL) checking for the @@ -1612,10 +1663,11 @@ to succeed - otherwise it will fail with an <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of concatenated PEM-encoded CA CRLs for Remote Server Auth</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCARevocationFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCARevocationFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive sets the <em>all-in-one</em> file where you can @@ -1637,6 +1689,7 @@ Remote Server Auth</td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive sets the directory where you keep the Certificate Revocation @@ -1662,6 +1715,7 @@ contains the appropriate symbolic links.</p> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive sets whether the remote server certificate's CN field is @@ -1703,6 +1757,7 @@ SSLProxyCheckPeerName off</pre> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive sets whether it is checked if the remote server certificate @@ -1723,7 +1778,8 @@ sent. <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> -<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Apache HTTP Server 2.4.5 and later</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Apache HTTP Server 2.4.5 and later<br /> +The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive configures host name checking for server certificates when @@ -1763,6 +1819,7 @@ proxy handshake</td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p>Equivalent to <code class="directive"><a href="#sslciphersuite">SSLCipherSuite</a></code>, but for the proxy connection. @@ -1779,6 +1836,7 @@ for additional information.</p> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive toggles the usage of the SSL/TLS Protocol Engine for proxy. This @@ -1808,6 +1866,7 @@ server to proxy SSL/TLS requests.</p> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive sets the all-in-one file where you keep the certificate chain @@ -1837,19 +1896,50 @@ SSLProxyCACertificateFile</a></code>.</p> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later<br /> +Inclusion of non-leaf (CA) certificates is permitted only in httpd 2.4.59 and later.</td></tr> </table> <p> This directive sets the all-in-one file where you keep the certificates and keys used for authentication of the proxy server to remote servers. </p> <p> -This referenced file is simply the concatenation of the various PEM-encoded -certificate files, in order of preference. Use this directive alternatively -or additionally to <code>SSLProxyMachineCertificatePath</code>. -</p> +This referenced file is simply the concatenation of the various +PEM-encoded certificate files. Use this directive alternatively or +additionally to <code>SSLProxyMachineCertificatePath</code>. The referenced file can contain any number of pairs of client +certificate and associated private key. Each pair can be specified in +either (certificate, key) or (key, certificate) order. Non-leaf (CA) certificates can +also be included in the file, and are treated as if configured with <code class="directive"><a href="#sslproxymachinecertificatechainfile">SSLProxyMachineCertificateChainFile</a></code>.</p> + +<p>When challenged to provide a client certificate by a remote server, +the server should provide a list of <em>acceptable certificate +authority names</em> in the challenge. If such a list is <em>not</em> +provided, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> will use the first configured +client cert/key. If a list of CA names <em>is</em> provided, +<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> will iterate through that list, and attempt +to find a configured client cert which was issued either directly by +that CA, or indirectly via any number of intermediary CA certificates. +The chain of intermediate CA certificates can be built from those +included in the file, or configured with <code class="directive"><a href="#sslproxymachinecertificatechainfile">SSLProxyMachineCertificateChainFile</a></code>. The +first configured matching certificate will then be supplied in +response to the challenge.</p> + +<p>If the list of CA names <em>is</em> provided by the remote server, +and <em>no</em> matching client certificate can be found, no client +certificate will be provided by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>, which will +likely fail the SSL/TLS handshake (depending on the remote server +configuration).</p> + <div class="warning"> <p>Currently there is no support for encrypted private keys</p> </div> +<div class="warning"> +<p>Only keys encoded in PKCS1 RSA, DSA or EC format are supported. +Keys encoded in PKCS8 format, ie. starting with +"<code>-----BEGIN PRIVATE KEY-----</code>", +must be converted, eg. using +"<code>openssl rsa -in private-pkcs8.pem -outform pem</code>".</p> +</div> <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyMachineCertificateFile "/usr/local/apache2/conf/ssl.crt/proxy.pem"</pre> </div> @@ -1862,18 +1952,27 @@ or additionally to <code>SSLProxyMachineCertificatePath</code>. <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> -This directive sets the directory where you keep the certificates and -keys used for authentication of the proxy server to remote servers. +This directive sets the directory where you keep the client +certificates and keys used for authentication of the proxy server to +remote servers. +</p> +<p> +mod_ssl will attempt to load every file inside the specified directory +as if it was configured individually with <code class="directive"><a href="#sslproxymachinecertificatefile">SSLProxyMachineCertificateFile</a></code>. </p> -<p>The files in this directory must be PEM-encoded and are accessed through -hash filenames. Additionally, you must create symbolic links named -<code><em>hash-value</em>.N</code>. And you should always make sure this -directory contains the appropriate symbolic links.</p> <div class="warning"> <p>Currently there is no support for encrypted private keys</p> </div> +<div class="warning"> +<p>Only keys encoded in PKCS1 RSA, DSA or EC format are supported. +Keys encoded in PKCS8 format, ie. starting with +"<code>-----BEGIN PRIVATE KEY-----</code>", +must be converted, eg. using +"<code>openssl rsa -in private-pkcs8.pem -outform pem</code>".</p> +</div> <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyMachineCertificatePath "/usr/local/apache2/conf/proxy.crt/"</pre> </div> @@ -1887,6 +1986,7 @@ directory contains the appropriate symbolic links.</p> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> @@ -1907,6 +2007,7 @@ for additional information. <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p>When a proxy is configured to forward requests to a remote SSL @@ -1944,6 +2045,7 @@ Certificate verification</td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive sets how deeply mod_ssl should verify before deciding that the @@ -2152,9 +2254,9 @@ function ::= funcname "<strong>(</strong>" funcargs "<strong>)</strong>"</pre> the <a href="../expr.html#functions">ap_expr documentation</a>.</p> <p>The <em>expression</em> is parsed into an internal machine -representation when the configuration is loaded, and then evaluated -during request processing. In .htaccess context, the <em>expression</em> is -both parsed and executed each time the .htaccess file is encountered during +representation when the configuration is loaded, and then evaluated +during request processing. In .htaccess context, the <em>expression</em> is +both parsed and executed each time the .htaccess file is encountered during request processing.</p> <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \ @@ -2328,7 +2430,7 @@ values like 300 in real life.</p> <div class="directive-section"><h2><a name="SSLSessionTicketKeyFile" id="SSLSessionTicketKeyFile">SSLSessionTicketKeyFile</a> <a name="sslsessionticketkeyfile" id="sslsessionticketkeyfile">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Persistent encryption/decryption key for TLS session tickets</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLSessionTicketKeyFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLSessionTicketKeyFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> @@ -2342,7 +2444,7 @@ should be shared between multiple nodes. For single-instance httpd setups, it is recommended to <em>not</em> configure a ticket key file, but to rely on (random) keys generated by mod_ssl at startup, instead.</p> <p>The ticket key file must contain 48 bytes of random data, -preferrably created from a high-entropy source. On a Unix-based system, +preferably created from a high-entropy source. On a Unix-based system, a ticket key file can be created as follows:</p> <div class="example"><p><code> @@ -2409,7 +2511,7 @@ SSLSRPUnknownUserSeed "secret" <div class="directive-section"><h2><a name="SSLSRPVerifierFile" id="SSLSRPVerifierFile">SSLSRPVerifierFile</a> <a name="sslsrpverifierfile" id="sslsrpverifierfile">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Path to SRP verifier file</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLSRPVerifierFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLSRPVerifierFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> @@ -2430,7 +2532,7 @@ utility:</p> openssl srp -srpvfile passwd.srpv -userinfo "some info" -add username </code></p></div> <p> The value given with the optional <code>-userinfo</code> parameter is -avalable in the <code>SSL_SRP_USERINFO</code> request environment variable.</p> +available in the <code>SSL_SRP_USERINFO</code> request environment variable.</p> </div> @@ -2756,8 +2858,8 @@ known to the server (i.e. the CA's certificate is under </div> <div class="bottomlang"> <p><span>Available Languages: </span><a href="../en/mod/mod_ssl.html" title="English"> en </a> | -<a href="../fr/mod/mod_ssl.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p> -</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div> +<a href="../fr/mod/mod_ssl.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p> +</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our <a href="https://httpd.apache.org/lists.html">mailing lists</a>.</div> <script type="text/javascript"><!--//--><![CDATA[//><!-- var comments_shortname = 'httpd'; var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_ssl.html'; @@ -2775,7 +2877,7 @@ var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_ssl.html'; } })(window, document); //--><!]]></script></div><div id="footer"> -<p class="apache">Copyright 2019 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> +<p class="apache">Copyright 2024 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!-- if (typeof(prettyPrint) !== 'undefined') { prettyPrint(); |