Diffstat
-rw-r--r--  docs/manual/mod/mod_ssl.html          |   2
-rw-r--r--  docs/manual/mod/mod_ssl.html.en       | 262
-rw-r--r--  docs/manual/mod/mod_ssl.html.fr.utf8  | 285
3 files changed, 388 insertions, 161 deletions
diff --git a/docs/manual/mod/mod_ssl.html b/docs/manual/mod/mod_ssl.html index b96885e..fb09d4e 100644 --- a/docs/manual/mod/mod_ssl.html +++ b/docs/manual/mod/mod_ssl.html @@ -2,7 +2,7 @@ URI: mod_ssl.html.en Content-Language: en -Content-type: text/html; charset=ISO-8859-1 +Content-type: text/html; charset=UTF-8 URI: mod_ssl.html.fr.utf8 Content-Language: fr diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en index 29afc96..ee92ffb 100644 --- a/docs/manual/mod/mod_ssl.html.en +++ b/docs/manual/mod/mod_ssl.html.en @@ -1,7 +1,7 @@ -<?xml version="1.0" encoding="ISO-8859-1"?> +<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head> -<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" /> +<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" /> <!-- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX This file is generated from xml source: DO NOT EDIT 
@@ -27,13 +27,13 @@ <div id="preamble"><h1>Apache Module mod_ssl</h1> <div class="toplang"> <p><span>Available Languages: </span><a href="../en/mod/mod_ssl.html" title="English"> en </a> | -<a href="../fr/mod/mod_ssl.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p> +<a href="../fr/mod/mod_ssl.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p> </div> <table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Strong cryptography using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols</td></tr> <tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr> -<tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>ssl_module</td></tr> -<tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_ssl.c</td></tr></table> +<tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>ssl_module</td></tr> +<tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_ssl.c</td></tr></table> <h3>Summary</h3> <p>This module provides SSL v3 and TLS v1.x support for the Apache 
@@ -134,66 +134,66 @@ to provide the cryptography engine.</p> <h2><a name="envvars" id="envvars">Environment Variables</a></h2> <p>This module can be configured to provide several items of SSL information -as additional environment variables to the SSI and CGI namespace. This +as additional environment variables to the SSI and CGI namespace. Except for +<code>HTTPS</code> and <code>SSL_TLS_SNI</code> which are always defined, this information is not provided by default for performance reasons. (See -<code class="directive">SSLOptions</code> StdEnvVars, below.) The generated variables +<code class="directive"><a href="#ssloptions">SSLOptions</a></code> <code>StdEnvVars</code>, below) +The generated variables are listed in the table below. For backward compatibility the information can be made available under different names, too. Look in the <a href="../ssl/ssl_compat.html">Compatibility</a> chapter for details on the compatibility variables.</p> -<table class="bordered"> - -<tr> - <th><a name="table3">Variable Name:</a></th> - <th>Value Type:</th> - <th>Description:</th> +<table class="bordered"><tr class="header"> + <th><a name="table3">Variable Name</a></th> + <th>Value Type</th> + <th>Description</th> </tr> <tr><td><code>HTTPS</code></td> <td>flag</td> <td>HTTPS is being used.</td></tr> -<tr><td><code>SSL_PROTOCOL</code></td> <td>string</td> <td>The SSL protocol version (SSLv3, TLSv1, TLSv1.1, TLSv1.2)</td></tr> +<tr class="odd"><td><code>SSL_PROTOCOL</code></td> <td>string</td> <td>The SSL protocol version (SSLv3, TLSv1, TLSv1.1, TLSv1.2)</td></tr> <tr><td><code>SSL_SESSION_ID</code></td> <td>string</td> <td>The hex-encoded SSL session id</td></tr> -<tr><td><code>SSL_SESSION_RESUMED</code></td> <td>string</td> <td>Initial or Resumed SSL Session. 
Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use</td></tr> +<tr class="odd"><td><code>SSL_SESSION_RESUMED</code></td> <td>string</td> <td>Initial or Resumed SSL Session. Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use</td></tr> <tr><td><code>SSL_SECURE_RENEG</code></td> <td>string</td> <td><code>true</code> if secure renegotiation is supported, else <code>false</code></td></tr> -<tr><td><code>SSL_CIPHER</code></td> <td>string</td> <td>The cipher specification name</td></tr> +<tr class="odd"><td><code>SSL_CIPHER</code></td> <td>string</td> <td>The cipher specification name</td></tr> <tr><td><code>SSL_CIPHER_EXPORT</code></td> <td>string</td> <td><code>true</code> if cipher is an export cipher</td></tr> -<tr><td><code>SSL_CIPHER_USEKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (actually used)</td></tr> +<tr class="odd"><td><code>SSL_CIPHER_USEKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (actually used)</td></tr> <tr><td><code>SSL_CIPHER_ALGKEYSIZE</code></td> <td>number</td> <td>Number of cipher bits (possible)</td></tr> -<tr><td><code>SSL_COMPRESS_METHOD</code></td> <td>string</td> <td>SSL compression method negotiated</td></tr> +<tr class="odd"><td><code>SSL_COMPRESS_METHOD</code></td> <td>string</td> <td>SSL compression method negotiated</td></tr> <tr><td><code>SSL_VERSION_INTERFACE</code></td> <td>string</td> <td>The mod_ssl program version</td></tr> -<tr><td><code>SSL_VERSION_LIBRARY</code></td> <td>string</td> <td>The OpenSSL program version</td></tr> +<tr class="odd"><td><code>SSL_VERSION_LIBRARY</code></td> <td>string</td> <td>The OpenSSL program version</td></tr> <tr><td><code>SSL_CLIENT_M_VERSION</code></td> <td>string</td> <td>The version of the client certificate</td></tr> -<tr><td><code>SSL_CLIENT_M_SERIAL</code></td> <td>string</td> <td>The serial of the client certificate</td></tr> +<tr 
class="odd"><td><code>SSL_CLIENT_M_SERIAL</code></td> <td>string</td> <td>The serial of the client certificate</td></tr> <tr><td><code>SSL_CLIENT_S_DN</code></td> <td>string</td> <td>Subject DN in client's certificate</td></tr> -<tr><td><code>SSL_CLIENT_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of client's Subject DN</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of client's Subject DN</td></tr> <tr><td><code>SSL_CLIENT_SAN_Email_</code><em>n</em></td> <td>string</td> <td>Client certificate's subjectAltName extension entries of type rfc822Name</td></tr> -<tr><td><code>SSL_CLIENT_SAN_DNS_</code><em>n</em></td> <td>string</td> <td>Client certificate's subjectAltName extension entries of type dNSName</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_SAN_DNS_</code><em>n</em></td> <td>string</td> <td>Client certificate's subjectAltName extension entries of type dNSName</td></tr> <tr><td><code>SSL_CLIENT_SAN_OTHER_msUPN_</code><em>n</em></td> <td>string</td> <td>Client certificate's subjectAltName extension entries of type otherName, Microsoft User Principal Name form (OID 1.3.6.1.4.1.311.20.2.3)</td></tr> -<tr><td><code>SSL_CLIENT_I_DN</code></td> <td>string</td> <td>Issuer DN of client's certificate</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_I_DN</code></td> <td>string</td> <td>Issuer DN of client's certificate</td></tr> <tr><td><code>SSL_CLIENT_I_DN_</code><em>x509</em></td> <td>string</td> <td>Component of client's Issuer DN</td></tr> -<tr><td><code>SSL_CLIENT_V_START</code></td> <td>string</td> <td>Validity of client's certificate (start time)</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_V_START</code></td> <td>string</td> <td>Validity of client's certificate (start time)</td></tr> <tr><td><code>SSL_CLIENT_V_END</code></td> <td>string</td> <td>Validity of client's certificate (end time)</td></tr> -<tr><td><code>SSL_CLIENT_V_REMAIN</code></td> <td>string</td> <td>Number of days 
until client's certificate expires</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_V_REMAIN</code></td> <td>string</td> <td>Number of days until client's certificate expires</td></tr> <tr><td><code>SSL_CLIENT_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of client's certificate</td></tr> -<tr><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of client's certificate</td></tr> <tr><td><code>SSL_CLIENT_CERT</code></td> <td>string</td> <td>PEM-encoded client certificate</td></tr> -<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr> +<tr class="odd"><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td> <td>PEM-encoded certificates in client certificate chain</td></tr> <tr><td><code>SSL_CLIENT_CERT_RFC4523_CEA</code></td> <td>string</td> <td>Serial number and issuer of the certificate. 
The format matches that of the CertificateExactAssertion in RFC4523</td></tr> -<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr> +<tr class="odd"><td><code>SSL_CLIENT_VERIFY</code></td> <td>string</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr> <tr><td><code>SSL_SERVER_M_VERSION</code></td> <td>string</td> <td>The version of the server certificate</td></tr> -<tr><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr> +<tr class="odd"><td><code>SSL_SERVER_M_SERIAL</code></td> <td>string</td> <td>The serial of the server certificate</td></tr> <tr><td><code>SSL_SERVER_S_DN</code></td> <td>string</td> <td>Subject DN in server's certificate</td></tr> -<tr><td><code>SSL_SERVER_SAN_Email_</code><em>n</em></td> <td>string</td> <td>Server certificate's subjectAltName extension entries of type rfc822Name</td></tr> +<tr class="odd"><td><code>SSL_SERVER_SAN_Email_</code><em>n</em></td> <td>string</td> <td>Server certificate's subjectAltName extension entries of type rfc822Name</td></tr> <tr><td><code>SSL_SERVER_SAN_DNS_</code><em>n</em></td> <td>string</td> <td>Server certificate's subjectAltName extension entries of type dNSName</td></tr> -<tr><td><code>SSL_SERVER_SAN_OTHER_dnsSRV_</code><em>n</em></td> <td>string</td> <td>Server certificate's subjectAltName extension entries of type otherName, SRVName form (OID 1.3.6.1.5.5.7.8.7, RFC 4985)</td></tr> +<tr class="odd"><td><code>SSL_SERVER_SAN_OTHER_dnsSRV_</code><em>n</em></td> <td>string</td> <td>Server certificate's subjectAltName extension entries of type otherName, SRVName form (OID 1.3.6.1.5.5.7.8.7, RFC 4985)</td></tr> <tr><td><code>SSL_SERVER_S_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Subject DN</td></tr> 
-<tr><td><code>SSL_SERVER_I_DN</code></td> <td>string</td> <td>Issuer DN of server's certificate</td></tr> +<tr class="odd"><td><code>SSL_SERVER_I_DN</code></td> <td>string</td> <td>Issuer DN of server's certificate</td></tr> <tr><td><code>SSL_SERVER_I_DN_</code><em>x509</em></td> <td>string</td> <td>Component of server's Issuer DN</td></tr> -<tr><td><code>SSL_SERVER_V_START</code></td> <td>string</td> <td>Validity of server's certificate (start time)</td></tr> +<tr class="odd"><td><code>SSL_SERVER_V_START</code></td> <td>string</td> <td>Validity of server's certificate (start time)</td></tr> <tr><td><code>SSL_SERVER_V_END</code></td> <td>string</td> <td>Validity of server's certificate (end time)</td></tr> -<tr><td><code>SSL_SERVER_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of server's certificate</td></tr> +<tr class="odd"><td><code>SSL_SERVER_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of server's certificate</td></tr> <tr><td><code>SSL_SERVER_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of server's certificate</td></tr> -<tr><td><code>SSL_SERVER_CERT</code></td> <td>string</td> <td>PEM-encoded server certificate</td></tr> +<tr class="odd"><td><code>SSL_SERVER_CERT</code></td> <td>string</td> <td>PEM-encoded server certificate</td></tr> <tr><td><code>SSL_SRP_USER</code></td> <td>string</td> <td>SRP username</td></tr> -<tr><td><code>SSL_SRP_USERINFO</code></td> <td>string</td> <td>SRP user info</td></tr> +<tr class="odd"><td><code>SSL_SRP_USERINFO</code></td> <td>string</td> <td>SRP user info</td></tr> <tr><td><code>SSL_TLS_SNI</code></td> <td>string</td> <td>Contents of the SNI TLS extension (if supplied with ClientHello)</td></tr> </table> 
@@ -365,7 +365,7 @@ Require valid-user</pre> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of concatenated PEM-encoded CA Certificates for Client Auth</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCACertificateFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCACertificateFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> @@ -410,7 +410,7 @@ contains the appropriate symbolic links.</p> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of concatenated PEM-encoded CA Certificates for defining acceptable CA names</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCADNRequestFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCADNRequestFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> 
@@ -472,7 +472,7 @@ this directory contains the appropriate symbolic links.</p> <div class="directive-section"><h2><a name="SSLCARevocationCheck" id="SSLCARevocationCheck">SSLCARevocationCheck</a> <a name="sslcarevocationcheck" id="sslcarevocationcheck">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable CRL-based revocation checking</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCARevocationCheck chain|leaf|none <em>flag</em>s</code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCARevocationCheck chain|leaf|none [<em>flag</em>s ...]</code></td></tr> <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLCARevocationCheck none</code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> @@ -521,7 +521,7 @@ CRL checks are applied to all certificates in the chain, while setting it to <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of concatenated PEM-encoded CA CRLs for Client Auth</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCARevocationFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCARevocationFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> 
@@ -565,7 +565,7 @@ contains the appropriate symbolic links.</p> <div class="directive-section"><h2><a name="SSLCertificateChainFile" id="SSLCertificateChainFile">SSLCertificateChainFile</a> <a name="sslcertificatechainfile" id="sslcertificatechainfile">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of PEM-encoded Server CA Certificates</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateChainFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateChainFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> 
@@ -607,15 +607,16 @@ confused in this situation.</p> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="directive-section"><h2><a name="SSLCertificateFile" id="SSLCertificateFile">SSLCertificateFile</a> <a name="sslcertificatefile" id="sslcertificatefile">Directive</a></h2> <table class="directive"> -<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded X.509 certificate data file</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded X.509 certificate data file or token identifier</td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateFile <var>file-path</var>|<var>certid</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td><var>certid</var> available in 2.4.42 and later.</td></tr> </table> <p> -This directive points to a file with certificate data in PEM format. -At a minimum, the file must include an end-entity (leaf) certificate. +This directive points to a file with certificate data in PEM format, or the certificate identifier through a configured cryptographic token. +If using a PEM file, at minimum, the file must include an end-entity (leaf) certificate. The directive can be used multiple times (referencing different filenames) to support multiple algorithms for server authentication - typically RSA, DSA, and ECC. The number of supported algorithms depends on the 
@@ -656,6 +657,14 @@ after the certificates using a separate key file. If the private key is encrypted, the pass phrase dialog is forced at startup time. </p> +<p>As an alternative to storing certificates and private keys in +files, a certificate identifier can be used to identify a certificate +stored in a token. Currently, only <a href="https://tools.ietf.org/html/rfc7512">PKCS#11 URIs</a> are +recognized as certificate identifiers, and can be used in conjunction +with the OpenSSL <code>pkcs11</code> engine. If <code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code> is omitted, the +certificate and private key can be loaded through the single +identifier specified with <code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>.</p> + <div class="note"> <h3>DH parameter interoperability with primes > 1024 bit</h3> <p> @@ -699,7 +708,10 @@ thus using a custom/suitable length. </p> </div> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt"</pre> +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"># Example using a PEM-encoded file. +SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt" +# Example use of a certificate and private key from a PKCS#11 token: +SSLCertificateFile "pkcs11:token=My%20Token%20Name;id=45"</pre> </div> </div> 
@@ -707,15 +719,17 @@ thus using a custom/suitable length. <div class="directive-section"><h2><a name="SSLCertificateKeyFile" id="SSLCertificateKeyFile">SSLCertificateKeyFile</a> <a name="sslcertificatekeyfile" id="sslcertificatekeyfile">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Server PEM-encoded private key file</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateKeyFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLCertificateKeyFile <var>file-path</var>|<var>keyid</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td><var>keyid</var> available in 2.4.42 and later.</td></tr> </table> <p> This directive points to the PEM-encoded private key file for the -server. If the contained private key is encrypted, the pass phrase -dialog is forced at startup time.</p> +server, or the key ID through a configured cryptographic token. If the +contained private key is encrypted, the pass phrase dialog is forced +at startup time.</p> <p> The directive can be used multiple times (referencing different filenames) 
@@ -731,7 +745,16 @@ is highly discouraged. If it is used, the certificate files using such an embedded key must be configured after the certificates using a separate key file.</p> -<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/server.key"</pre> +<p>As an alternative to storing private keys in files, a key +identifier can be used to identify a private key stored in a +token. Currently, only <a href="https://tools.ietf.org/html/rfc7512">PKCS#11 URIs</a> are recognized as private key +identifiers, and can be used in conjunction with the OpenSSL +<code>pkcs11</code> engine.</p> + +<div class="example"><h3>Example</h3><pre class="prettyprint lang-config"># To use a private key from a PEM-encoded file: +SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/server.key" +# To use a private key from a PKCS#11 token: +SSLCertificateKeyFile "pkcs11:token=My%20Token%20Name;id=45"</pre> </div> </div> @@ -1077,7 +1100,7 @@ supported for a given SSL connection.</p> <div class="directive-section"><h2><a name="SSLOCSPDefaultResponder" id="SSLOCSPDefaultResponder">SSLOCSPDefaultResponder</a> <a name="sslocspdefaultresponder" id="sslocspdefaultresponder">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Set the default responder URI for OCSP validation</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSDefaultResponder <em>uri</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPDefaultResponder <em>uri</em></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> 
@@ -1121,8 +1144,8 @@ SSLOCSPOverrideResponder on</pre> <div class="directive-section"><h2><a name="SSLOCSPNoverify" id="SSLOCSPNoverify">SSLOCSPNoverify</a> <a name="sslocspnoverify" id="sslocspnoverify">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>skip the OCSP responder certificates verification</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPNoverify <em>On/Off</em></code></td></tr> -<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLOCSPNoverify Off</code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLOCSPNoverify on|off</code></td></tr> +<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLOCSPNoverify off</code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> @@ -1287,10 +1310,10 @@ SSLOpenSSLConfCmd SignatureAlgorithms RSA+SHA384:ECDSA+SHA256</pre> </table> <p> This directive can be used to control various run-time options on a -per-directory basis. Normally, if multiple <code>SSLOptions</code> +per-directory basis. Normally, if multiple <code class="directive">SSLOptions</code> could apply to a directory, then the most specific one is taken completely; the options are not merged. However if <em>all</em> the -options on the <code>SSLOptions</code> directive are preceded by a +options on the <code class="directive">SSLOptions</code> directive are preceded by a plus (<code>+</code>) or minus (<code>-</code>) symbol, the options are merged. Any options preceded by a <code>+</code> are added to the options currently in force, and any options preceded by a 
@@ -1340,8 +1363,8 @@ The available <em>option</em>s are:</p> </li> <li><code>StrictRequire</code> <p> - This <em>forces</em> forbidden access when <code>SSLRequireSSL</code> or - <code>SSLRequire</code> successfully decided that access should be + This <em>forces</em> forbidden access when <code class="directive"><a href="#sslrequiressl">SSLRequireSSL</a></code> or + <code class="directive"><a href="#sslrequire">SSLRequire</a></code> successfully decided that access should be forbidden. Usually the default is that in the case where a ``<code>Satisfy any</code>'' directive is used, and other access restrictions are passed, denial of access due to <code>SSLRequireSSL</code> or 
@@ -1523,6 +1546,31 @@ The available (case-insensitive) <em>protocol</em>s are:</p> </ul> <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProtocol TLSv1</pre> </div> +<div class="note"> +<h3><code class="directive">SSLProtocol</code> for name-based virtual hosts</h3> +<p> +Before OpenSSL 1.1.1, even though the Server Name Indication (SNI) allowed to +determine the targeted virtual host early in the TLS handshake, it was not +possible to switch the TLS protocol version of the connection at this point, +and thus the <code class="directive">SSLProtocol</code> negotiated was always based off +the one of the <em>base virtual host</em> (first virtual host declared on the +listening <code>IP:port</code> of the connection). +</p> +<p> +Beginning with Apache HTTP server version 2.4.42, when built/linked against +OpenSSL 1.1.1 or later, and when the SNI is provided by the client in the TLS +handshake, the <code class="directive">SSLProtocol</code> of each (name-based) virtual +host can and will be honored. +</p> +<p> +For compatibility with previous versions, if no +<code class="directive">SSLProtocol</code> is configured in a name-based virtual host, +the one from the base virtual host still applies, <strong>unless</strong> +<code class="directive">SSLProtocol</code> is configured globally in which case the +global value applies (this latter exception is more sensible than compatible, +though). +</p> +</div> </div> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 
@@ -1530,10 +1578,11 @@ The available (case-insensitive) <em>protocol</em>s are:</p> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of concatenated PEM-encoded CA Certificates for Remote Server Auth</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCACertificateFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCACertificateFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive sets the <em>all-in-one</em> file where you can assemble the @@ -1555,6 +1604,7 @@ Remote Server Auth</td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive sets the directory where you keep the Certificates of 
@@ -1579,6 +1629,7 @@ contains the appropriate symbolic links.</p> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> Enables certificate revocation list (CRL) checking for the @@ -1612,10 +1663,11 @@ to succeed - otherwise it will fail with an <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>File of concatenated PEM-encoded CA CRLs for Remote Server Auth</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCARevocationFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLProxyCARevocationFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive sets the <em>all-in-one</em> file where you can 
@@ -1637,6 +1689,7 @@ Remote Server Auth</td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive sets the directory where you keep the Certificate Revocation @@ -1662,6 +1715,7 @@ contains the appropriate symbolic links.</p> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive sets whether the remote server certificate's CN field is @@ -1703,6 +1757,7 @@ SSLProxyCheckPeerName off</pre> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive sets whether it is checked if the remote server certificate 
@@ -1723,7 +1778,8 @@ sent. <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> -<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Apache HTTP Server 2.4.5 and later</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Apache HTTP Server 2.4.5 and later<br /> +The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive configures host name checking for server certificates when @@ -1763,6 +1819,7 @@ proxy handshake</td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p>Equivalent to <code class="directive"><a href="#sslciphersuite">SSLCipherSuite</a></code>, but for the proxy connection. @@ -1779,6 +1836,7 @@ for additional information.</p> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive toggles the usage of the SSL/TLS Protocol Engine for proxy. This 
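Review bot: the Compatibility cell in the SSLProxyCheckPeerName hunk now mixes two product names in one cell, "Apache HTTP Server 2.4.5 and later<br />The proxy section context is allowed in httpd 2.4.30 and later", while every other Compatibility row added by this patch says only "httpd 2.4.30 and later". Pick one form (the rows that already existed use "Apache HTTP Server") and use it in all the new rows, for example "Proxy section context available in Apache HTTP Server 2.4.30 and later", so the rendered table reads consistently.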
@@ -1808,6 +1866,7 @@ server to proxy SSL/TLS requests.</p> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive sets the all-in-one file where you keep the certificate chain 
@@ -1837,19 +1896,50 @@ SSLProxyCACertificateFile</a></code>.</p> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later<br /> +Inclusion of non-leaf (CA) certificates is permitted only in httpd 2.4.59 and later.</td></tr> </table> <p> This directive sets the all-in-one file where you keep the certificates and keys used for authentication of the proxy server to remote servers. </p> <p> -This referenced file is simply the concatenation of the various PEM-encoded -certificate files, in order of preference. Use this directive alternatively -or additionally to <code>SSLProxyMachineCertificatePath</code>. -</p> +This referenced file is simply the concatenation of the various +PEM-encoded certificate files. Use this directive alternatively or +additionally to <code>SSLProxyMachineCertificatePath</code>. The referenced file can contain any number of pairs of client +certificate and associated private key. Each pair can be specified in +either (certificate, key) or (key, certificate) order. Non-leaf (CA) certificates can +also be included in the file, and are treated as if configured with <code class="directive"><a href="#sslproxymachinecertificatechainfile">SSLProxyMachineCertificateChainFile</a></code>.</p> + +<p>When challenged to provide a client certificate by a remote server, +the server should provide a list of <em>acceptable certificate +authority names</em> in the challenge. If such a list is <em>not</em> +provided, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> will use the first configured +client cert/key. 
If a list of CA names <em>is</em> provided, +<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> will iterate through that list, and attempt +to find a configured client cert which was issued either directly by +that CA, or indirectly via any number of intermediary CA certificates. +The chain of intermediate CA certificates can be built from those +included in the file, or configured with <code class="directive"><a href="#sslproxymachinecertificatechainfile">SSLProxyMachineCertificateChainFile</a></code>. The +first configured matching certificate will then be supplied in +response to the challenge.</p> + +<p>If the list of CA names <em>is</em> provided by the remote server, +and <em>no</em> matching client certificate can be found, no client +certificate will be provided by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>, which will +likely fail the SSL/TLS handshake (depending on the remote server +configuration).</p> + <div class="warning"> <p>Currently there is no support for encrypted private keys</p> </div> +<div class="warning"> +<p>Only keys encoded in PKCS1 RSA, DSA or EC format are supported. +Keys encoded in PKCS8 format, ie. starting with +"<code>-----BEGIN PRIVATE KEY-----</code>", +must be converted, eg. using +"<code>openssl rsa -in private-pkcs8.pem -outform pem</code>".</p> +</div> <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyMachineCertificateFile "/usr/local/apache2/conf/ssl.crt/proxy.pem"</pre> </div> 
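Review bot: the new warning lists PKCS1 RSA, DSA and EC keys as supported, but the conversion example "openssl rsa -in private-pkcs8.pem -outform pem" only converts RSA keys and writes the result to stdout; a PKCS8-encoded EC or DSA key needs "openssl ec" or "openssl dsa" respectively (or "openssl pkey -in private-pkcs8.pem -traditional -out private.pem" on OpenSSL 1.1.0 and later), and adding "-out" would make the example directly usable. Two smaller points in the same hunk: in "the server should provide a list of acceptable certificate authority names", "the server" means the remote server that issues the client-certificate challenge, which is worth stating explicitly because mod_ssl is the TLS client here; and since the preceding warning says keys in this file cannot be encrypted, a reminder that the file must be readable only by the user httpd runs as belongs next to it. Style: "ie." and "eg." should be "i.e." and "e.g.".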
@@ -1862,18 +1952,27 @@ or additionally to <code>SSLProxyMachineCertificatePath</code>. <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> -This directive sets the directory where you keep the certificates and -keys used for authentication of the proxy server to remote servers. +This directive sets the directory where you keep the client +certificates and keys used for authentication of the proxy server to +remote servers. +</p> +<p> +mod_ssl will attempt to load every file inside the specified directory +as if it was configured individually with <code class="directive"><a href="#sslproxymachinecertificatefile">SSLProxyMachineCertificateFile</a></code>. </p> -<p>The files in this directory must be PEM-encoded and are accessed through -hash filenames. Additionally, you must create symbolic links named -<code><em>hash-value</em>.N</code>. And you should always make sure this -directory contains the appropriate symbolic links.</p> <div class="warning"> <p>Currently there is no support for encrypted private keys</p> </div> +<div class="warning"> +<p>Only keys encoded in PKCS1 RSA, DSA or EC format are supported. +Keys encoded in PKCS8 format, ie. starting with +"<code>-----BEGIN PRIVATE KEY-----</code>", +must be converted, eg. using +"<code>openssl rsa -in private-pkcs8.pem -outform pem</code>".</p> +</div> <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyMachineCertificatePath "/usr/local/apache2/conf/proxy.crt/"</pre> </div> 
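Review bot: the replacement sentence "mod_ssl will attempt to load every file inside the specified directory as if it was configured individually with SSLProxyMachineCertificateFile" drops the old hash-filename and "hash-value.N" symlink requirement without saying what happens to a file that is not a valid PEM certificate/key pair (is startup aborted, or is the file skipped?). One sentence on that would help administrators upgrading from the hash-directory layout, who may still have stray symlinks or other files in that directory. Also "as if it was" should read "as if it were".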
@@ -1887,6 +1986,7 @@ directory contains the appropriate symbolic links.</p> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> @@ -1907,6 +2007,7 @@ for additional information. <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p>When a proxy is configured to forward requests to a remote SSL @@ -1944,6 +2045,7 @@ Certificate verification</td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>The proxy section context is allowed in httpd 2.4.30 and later</td></tr> </table> <p> This directive sets how deeply mod_ssl should verify before deciding that the 
@@ -2152,9 +2254,9 @@ function ::= funcname "<strong>(</strong>" funcargs "<strong>)</strong>"</pre> the <a href="../expr.html#functions">ap_expr documentation</a>.</p> <p>The <em>expression</em> is parsed into an internal machine -representation when the configuration is loaded, and then evaluated -during request processing. In .htaccess context, the <em>expression</em> is -both parsed and executed each time the .htaccess file is encountered during +representation when the configuration is loaded, and then evaluated +during request processing. In .htaccess context, the <em>expression</em> is +both parsed and executed each time the .htaccess file is encountered during request processing.</p> <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \ @@ -2328,7 +2430,7 @@ values like 300 in real life.</p> <div class="directive-section"><h2><a name="SSLSessionTicketKeyFile" id="SSLSessionTicketKeyFile">SSLSessionTicketKeyFile</a> <a name="sslsessionticketkeyfile" id="sslsessionticketkeyfile">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Persistent encryption/decryption key for TLS session tickets</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLSessionTicketKeyFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLSessionTicketKeyFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> 
@@ -2342,7 +2444,7 @@ should be shared between multiple nodes. For single-instance httpd setups, it is recommended to <em>not</em> configure a ticket key file, but to rely on (random) keys generated by mod_ssl at startup, instead.</p> <p>The ticket key file must contain 48 bytes of random data, -preferrably created from a high-entropy source. On a Unix-based system, +preferably created from a high-entropy source. On a Unix-based system, a ticket key file can be created as follows:</p> <div class="example"><p><code> @@ -2409,7 +2511,7 @@ SSLSRPUnknownUserSeed "secret" <div class="directive-section"><h2><a name="SSLSRPVerifierFile" id="SSLSRPVerifierFile">SSLSRPVerifierFile</a> <a name="sslsrpverifierfile" id="sslsrpverifierfile">Directive</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Path to SRP verifier file</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLSRPVerifierFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLSRPVerifierFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> <tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> @@ -2430,7 +2532,7 @@ utility:</p> openssl srp -srpvfile passwd.srpv -userinfo "some info" -add username </code></p></div> <p> The value given with the optional <code>-userinfo</code> parameter is -avalable in the <code>SSL_SRP_USERINFO</code> request environment variable.</p> +available in the <code>SSL_SRP_USERINFO</code> request environment variable.</p> </div> 
@@ -2756,8 +2858,8 @@ known to the server (i.e. the CA's certificate is under </div> <div class="bottomlang"> <p><span>Available Languages: </span><a href="../en/mod/mod_ssl.html" title="English"> en </a> | -<a href="../fr/mod/mod_ssl.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p> -</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div> +<a href="../fr/mod/mod_ssl.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p> +</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our <a href="https://httpd.apache.org/lists.html">mailing lists</a>.</div> <script type="text/javascript"><!--//--><![CDATA[//><!-- var comments_shortname = 'httpd'; var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_ssl.html'; 
@@ -2775,7 +2877,7 @@ var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_ssl.html'; } })(window, document); //--><!]]></script></div><div id="footer"> -<p class="apache">Copyright 2019 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> +<p class="apache">Copyright 2024 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!-- if (typeof(prettyPrint) !== 'undefined') { prettyPrint(); diff --git a/docs/manual/mod/mod_ssl.html.fr.utf8 b/docs/manual/mod/mod_ssl.html.fr.utf8 index 7f1c70f..8f3a9b6 100644 --- a/docs/manual/mod/mod_ssl.html.fr.utf8 +++ b/docs/manual/mod/mod_ssl.html.fr.utf8 
@@ -137,125 +137,124 @@ disponibles avec Require</a></li> <p>Ce module peut être configuré pour fournir aux espaces de nommage SSI et CGI de nombreux éléments d'informations concernant SSL par le biais -de variables d'environnement supplémentaires. Par défaut, et pour -des raisons de performances, ces informations ne sont pas fournies (Voir -la directive <code class="directive">SSLOptions</code> StdEnvVars ci-dessous). +de variables d'environnement supplémentaires. Par défaut, sauf pour +<code>HTTPS</code> et <code>SSL_TLS_SNI</code> qui sont toujours définies, ces +informations ne sont pas fournies pour des raisons de performances (Voir +la directive <code class="directive"><a href="#ssloptions">SSLOptions</a></code> +<code>StdEnvVars</code> ci-dessous). Les variables générées se trouvent dans la table ci-dessous. Ces informations peuvent également être disponible sous des noms différents à des fins de compatibilité ascendante. Reportez-vous au chapitre <a href="../ssl/ssl_compat.html">Compatibilité</a> pour plus de détails à propos des variables de compatibilité.</p> -<table class="bordered"> - -<tr> - <th><a name="table3">Nom de la variable :</a></th> - <th>Type de valeur :</th> - <th>Description :</th> +<table class="bordered"><tr class="header"> + <th><a name="table3">Nom de la variable</a></th> + <th>Type de valeur</th> + <th>Description</th> </tr> <tr><td><code>HTTPS</code></td> <td>drapeau</td> <td>HTTPS est utilisé.</td></tr> -<tr><td><code>SSL_PROTOCOL</code></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_PROTOCOL</code></td> <td>chaîne</td> <td>La version du protocole SSL (SSLv3, TLSv1, TLSv1.1, TLSv1.2)</td></tr> <tr><td><code>SSL_SESSION_ID</code></td> <td>chaîne</td> <td>L'identifiant de session SSL codé en hexadécimal</td></tr> -<tr><td><code>SSL_SESSION_RESUMED</code></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_SESSION_RESUMED</code></td> <td>chaîne</td> <td>Session SSL initiale ou reprise. 
Note : plusieurs requêtes peuvent être servies dans le cadre de la même session SSL (initiale ou reprise) si les connexions persistantes (HTTP KeepAlive) sont utilisées</td></tr> <tr><td><code>SSL_SECURE_RENEG</code></td> <td>chaîne</td> <td><code>true</code> si la renégociation sécurisée est supportée, <code>false</code> dans le cas contraire</td></tr> -<tr><td><code>SSL_CIPHER</code></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_CIPHER</code></td> <td>chaîne</td> <td>Le nom de l'algorithme de chiffrement</td></tr> <tr><td><code>SSL_CIPHER_EXPORT</code></td> <td>chaîne</td> <td><code>true</code> si l'algorithme de chiffrement est un algorithme exporté</td></tr> -<tr><td><code>SSL_CIPHER_USEKEYSIZE</code></td> <td>nombre</td> +<tr class="odd"><td><code>SSL_CIPHER_USEKEYSIZE</code></td> <td>nombre</td> <td>Nombre de bits de chiffrement (réellement utilisés)</td></tr> <tr><td><code>SSL_CIPHER_ALGKEYSIZE</code></td> <td>nombre</td> <td>Nombre de bits de chiffrement (possible)</td></tr> -<tr><td><code>SSL_COMPRESS_METHOD</code></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_COMPRESS_METHOD</code></td> <td>chaîne</td> <td>Méthode de compression SSL négociée</td></tr> - <tr><td><code>SSL_VERSION_INTERFACE</code></td> <td>chaîne</td> <td>La version du programme mod_ssl</td></tr> -<tr><td><code>SSL_VERSION_LIBRARY</code></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_VERSION_LIBRARY</code></td> <td>chaîne</td> <td>La version du programme OpenSSL</td></tr> <tr><td><code>SSL_CLIENT_M_VERSION</code></td> <td>chaîne</td> <td>La version du certificat client</td></tr> -<tr><td><code>SSL_CLIENT_M_SERIAL</code></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_CLIENT_M_SERIAL</code></td> <td>chaîne</td> <td>Le numéro de série du certificat client</td></tr> <tr><td><code>SSL_CLIENT_S_DN</code></td> <td>chaîne</td> <td>Le DN sujet du certificat client</td></tr> -<tr><td><code>SSL_CLIENT_S_DN_</code><em>x509</em></td> <td>chaîne</td> +<tr 
class="odd"><td><code>SSL_CLIENT_S_DN_</code><em>x509</em></td> <td>chaîne</td> <td>Elément du DN sujet du client</td></tr> <tr><td><code>SSL_CLIENT_SAN_Email_</code><em>n</em></td> <td>chaîne</td> <td>Les entrées d'extension subjectAltName du certificat client de type rfc822Name</td></tr> -<tr><td><code>SSL_CLIENT_SAN_DNS_</code><em>n</em></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_CLIENT_SAN_DNS_</code><em>n</em></td> <td>chaîne</td> <td>Les entrées d'extension subjectAltName du certificat client de type dNSName</td></tr> <tr><td><code>SSL_CLIENT_SAN_OTHER_msUPN_</code><em>n</em></td> <td>chaîne</td> <td>Extensions subjectAltName de type otherName du certificat client, forme Microsoft du nom principal de l'utilisateur (OID 1.3.6.1.4.1.311.20.2.3)</td></tr> -<tr><td><code>SSL_CLIENT_I_DN</code></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_CLIENT_I_DN</code></td> <td>chaîne</td> <td>DN de l'émetteur du certificat du client</td></tr> <tr><td><code>SSL_CLIENT_I_DN_</code><em>x509</em></td> <td>chaîne</td> <td>Elément du DN de l'émetteur du certificat du client</td></tr> -<tr><td><code>SSL_CLIENT_V_START</code></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_CLIENT_V_START</code></td> <td>chaîne</td> <td>Validité du certificat du client (date de début)</td></tr> <tr><td><code>SSL_CLIENT_V_END</code></td> <td>chaîne</td> <td>Validité du certificat du client (date de fin)</td></tr> -<tr><td><code>SSL_CLIENT_V_REMAIN</code></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_CLIENT_V_REMAIN</code></td> <td>chaîne</td> <td>Nombre de jours avant expiration du certificat du client</td></tr> <tr><td><code>SSL_CLIENT_A_SIG</code></td> <td>chaîne</td> <td>Algorithme utilisé pour la signature du certificat du client</td></tr> -<tr><td><code>SSL_CLIENT_A_KEY</code></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_CLIENT_A_KEY</code></td> <td>chaîne</td> <td>Algorithme utilisé pour la clé publique du certificat du client</td></tr> 
<tr><td><code>SSL_CLIENT_CERT</code></td> <td>chaîne</td> <td>Certificat du client au format PEM</td></tr> -<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> +<tr class="odd"><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>chaîne</td> <td>Certificats de la chaîne de certification du client au format PEM</td></tr> <tr><td><code>SSL_CLIENT_CERT_RFC4523_CEA</code></td> <td>chaîne</td> <td>Numéro de série et fournisseur du certificat. le format correspond à celui de la CertificateExactAssertion dans la RFC4523</td></tr> -<tr><td><code>SSL_CLIENT_VERIFY</code></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_CLIENT_VERIFY</code></td> <td>chaîne</td> <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> ou <code>FAILED:</code><em>raison</em></td></tr> <tr><td><code>SSL_SERVER_M_VERSION</code></td> <td>chaîne</td> <td>La version du certificat du serveur</td></tr> -<tr><td><code>SSL_SERVER_M_SERIAL</code></td> <td>chaîne</td> <td> +<tr class="odd"><td><code>SSL_SERVER_M_SERIAL</code></td> <td>chaîne</td> <td> The serial of the server certificate</td></tr> <tr><td><code>SSL_SERVER_S_DN</code></td> <td>chaîne</td> <td>DN sujet du certificat du serveur</td></tr> -<tr><td><code>SSL_SERVER_S_DN_</code><em>x509</em></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_SERVER_S_DN_</code><em>x509</em></td> <td>chaîne</td> <td>Elément du DN sujet du certificat du serveur</td></tr> <tr><td><code>SSL_SERVER_SAN_Email_</code><em>n</em></td> <td>chaîne</td> <td>Les entrées d'extension subjectAltName du certificat de serveur de type rfc822Name</td></tr> -<tr><td><code>SSL_SERVER_SAN_DNS_</code><em>n</em></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_SERVER_SAN_DNS_</code><em>n</em></td> <td>chaîne</td> <td>Les entrées d'extension subjectAltName du certificat de serveur de type dNSName</td></tr> <tr><td><code>SSL_SERVER_SAN_OTHER_dnsSRV_</code><em>n</em></td> <td>chaîne</td> <td>Extensions subjectAltName de type otherName du certificat serveur, 
sous la forme SRVName (OID 1.3.6.1.5.5.7.8.7, RFC 4985)</td></tr> -<tr><td><code>SSL_SERVER_I_DN</code></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_SERVER_I_DN</code></td> <td>chaîne</td> <td>DN de l'émetteur du certificat du serveur</td></tr> <tr><td><code>SSL_SERVER_I_DN_</code><em>x509</em></td> <td>chaîne</td> <td>Elément du DN de l'émetteur du certificat du serveur</td></tr> -<tr><td><code>SSL_SERVER_V_START</code></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_SERVER_V_START</code></td> <td>chaîne</td> <td>Validité du certificat du serveur (date de dédut)</td></tr> <tr><td><code>SSL_SERVER_V_END</code></td> <td>chaîne</td> <td>Validité du certificat du serveur (date de fin)</td></tr> -<tr><td><code>SSL_SERVER_A_SIG</code></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_SERVER_A_SIG</code></td> <td>chaîne</td> <td>Algorithme utilisé pour la signature du certificat du serveur</td></tr> <tr><td><code>SSL_SERVER_A_KEY</code></td> <td>chaîne</td> <td>Algorithme utilisé pour la clé publique du certificat du serveur</td></tr> -<tr><td><code>SSL_SERVER_CERT</code></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_SERVER_CERT</code></td> <td>chaîne</td> <td>Certificat du serveur au format PEM</td></tr> <tr><td><code>SSL_SRP_USER</code></td> <td>chaîne</td> <td>nom d'utilisateur SRP</td></tr> -<tr><td><code>SSL_SRP_USERINFO</code></td> <td>chaîne</td> +<tr class="odd"><td><code>SSL_SRP_USERINFO</code></td> <td>chaîne</td> <td>informations sur l'utilisateur SRP</td></tr> <tr><td><code>SSL_TLS_SNI</code></td> <td>string</td> <td>Contenu de l'extension SNI TLS (si supporté par ClientHello)</td></tr> 
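Review bot: this hunk touches nearly every row of the variables table but leaves three translation lapses in the surrounding context lines that could be fixed in the same pass: the SSL_SERVER_M_SERIAL description is still the English "The serial of the server certificate" (the SSL_CLIENT_M_SERIAL row above gives the French wording to mirror), the SSL_TLS_SNI row has "string" where every other row uses "chaîne", and SSL_SERVER_V_START reads "date de dédut" for "date de début". In the paragraph above the table, "peuvent également être disponible" needs the plural "disponibles".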
@@ -440,7 +439,7 @@ Require valid-user</pre> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Fichier contenant une concaténation des certificats de CA codés en PEM pour l'authentification des clients</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLCACertificateFile <em>chemin-fichier</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLCACertificateFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> @@ -488,7 +487,7 @@ assurer que ce répertoire contient les liens symboliques appropriés.</p> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Fichier contenant la concaténation des certificats de CA codés en PEM pour la définition de noms de CA acceptables</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLCADNRequestFile <em>chemin-fichier</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLCADNRequestFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> 
@@ -552,7 +551,7 @@ assurer que ce répertoire contient les liens symboliques appropriés.</p> <div class="directive-section"><h2><a name="sslcarevocationcheck" id="sslcarevocationcheck">Directive</a> <a name="SSLCARevocationCheck" id="SSLCARevocationCheck">SSLCARevocationCheck</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Active la vérification des révocations basée sur les CRL</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLCARevocationCheck chain|leaf|none <em>flag</em>s</code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLCARevocationCheck chain|leaf|none [<em>flag</em>s ...]</code></td></tr> <tr><th><a href="directive-dict.html#Default">Défaut:</a></th><td><code>SSLCARevocationCheck none</code></td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> @@ -596,7 +595,7 @@ retrouver le comportement précédent.</p> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Fichier contenant la concaténation des CRLs des CA codés en PEM pour l'authentification des clients</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLCARevocationFile <em>chemin-fichier</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLCARevocationFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> 
@@ -646,7 +645,7 @@ assurer que ce répertoire contient les liens symboliques appropriés.</p> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Fichier contenant les certificats de CA du serveur codés en PEM</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLCertificateChainFile <em>chemin-fichier</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLCertificateChainFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> 
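Review bot: in the French file, the Syntax rows for SSLCACertificateFile, SSLCADNRequestFile, SSLCARevocationFile and SSLCertificateChainFile replace the em-tagged "chemin-fichier" with a var-tagged "file-path", so the markup upgrade to var comes at the cost of an English placeholder in a French manual. Keep the new element but restore the translated name, i.e. a var element containing "chemin-fichier"; the same applies to the "file-path|certid" Syntax row added for SSLCertificateFile in the next hunk.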
@@ -693,17 +692,20 @@ navigateurs.</p> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> <div class="directive-section"><h2><a name="sslcertificatefile" id="sslcertificatefile">Directive</a> <a name="SSLCertificateFile" id="SSLCertificateFile">SSLCertificateFile</a></h2> <table class="directive"> -<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Fichier de données contenant le certificat X.509 du serveur codé en -PEM</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLCertificateFile <em>chemin-fichier</em></code></td></tr> +<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Fichier de données contenant les informations de certificat X.509 du serveur +codées au format PEM ou identificateur de jeton</td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLCertificateFile <var>file-path</var>|<var>certid</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>L'option <var>certid</var> est disponible à partir de la version +2.4.42 du serveur HTTP Apache.</td></tr> </table> -<p>Cette directive permet de définir le fichier de données contenant -les informations de certificat -X.509 du serveur codées au format PEM. Ce fichier doit contenir -au minimum un certificat d'entité finale (feuille). +<p>Cette directive permet de définir le fichier de données contenant les +informations de certificat X.509 du serveur codées au format PEM ou +l'identificateur de certificat via un jeton cryptographique. 
Si on utilise un +fichier au format PEM, ce dernier doit contenir au minimum un certificat +d'entité finale (feuille). La directive peut être utilisée plusieurs fois (elle référence des fichiers différents) pour accepter plusieurs algorithmes d'authentification au niveau du serveur - souvent RSA, DSA et ECC. Le 
@@ -736,13 +738,21 @@ indépendamment de l'algorithme d'authentification utilisé. <p>Enfin, il est aussi possible d'ajouter la clé privée du certificat de l'entité finale au fichier de certificat, ce qui permet de se passer d'une directive <code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code> séparée. Cette -pratique est cependant fortement déconseillée. En effet, les fichiers de -certificats qui contiennent de tels clés embarquées doivent être définis -avant les certificats en utilisant un fichier de clé séparé. En outre, +pratique est cependant fortement déconseillée. Dans ce cas, les fichiers de +certificat qui contiennent de telles clés embarquées doivent être définis +après les certificats qui utilisent un fichier de clé séparé. En outre, si la clé est chiffrée, une boîte de dialogue pour entrer le mot de passe de la clé s'ouvre au démarrage du serveur. </p> +<p>Plutôt que de stocker les certificats et les clés privées dans des fichiers, +on peut utiliser un identificateur de certificat pour identifier un certificat +stocké dans un jeton. Actuellement, seuls les <a href="https://tools.ietf.org/html/rfc7512">URIs PKCS#11</a> sont reconnus comme +identificateurs de certificats et peuvent être utilisés en conjonction avec le +moteur OpenSSL <code>pkcs11</code>. Si la directive <code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code> est absente, le certificat et +la clé privée peuvent être chargés avec l'identificateur spécifié via la +directive <code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>.</p> + <div class="note"> <h3>Interopérabilité des paramètres DH avec les nombres premiers de plus de 1024 bits</h3> 
@@ -790,7 +800,11 @@ et appropriée. </p> </div> -<div class="example"><h3>Exemple</h3><pre class="prettyprint lang-config">SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt"</pre> +<div class="example"><h3>Exemple</h3><pre class="prettyprint lang-config"># Exemple utilisant un fichier codé en PEM. +SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt" +# Exemple d'utilisation d'un certificat et d'une clé privés issus d'un jeton +# PKCS#11 : +SSLCertificateFile "pkcs11:token=My%20Token%20Name;id=45"</pre> </div> </div> 
@@ -799,15 +813,18 @@ et appropriée. <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Fichier contenant la clé privée du serveur codée en PEM</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLCertificateKeyFile <em>chemin-fichier</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLCertificateKeyFile <var>file-path</var>|<var>keyid</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td><var>keyid</var> est disponible à partir de la version 2.4.42 du +serveur HTTP Apache.</td></tr> </table> -<p>Cette directive permet de définir le fichier contenant la clé privée du -serveur codée en PEM. Si la clé privée est -chiffrée, une boîte de dialogue demandant le mot de passe s'ouvre au -démarrage.</p> +<p> +Cette directive permet de définir le fichier contenant la clé privée du serveur +codée en PEM ou l'identifiant de la clé via un jeton cryptographique défini. Si +la clé privée est chiffrée, une boîte de dialogue demandant le mot de passe de +cette dernière s'ouvre au démarrage du serveur.</p> <p> Cette directive peut être utilisée plusieurs fois pour référencer 
@@ -817,13 +834,22 @@ une directive <code class="directive">SSLCertificateFile</code> correspondante. </p> <p> -La clé privé peut aussi être ajoutée au fichier défini par la directive +La clé privée peut aussi être ajoutée au fichier défini par la directive <code class="directive"><a href="#sslcertificatefile">SSLCertificateFile</a></code>, mais cette -pratique est fortement déconseillée. En effet, les fichiers de +pratique est fortement déconseillée. Dans ce cas, les fichiers de certificats qui comportent une telle clé doivent être définis après les -certificats en utilisant un fichier de clé séparé.</p> +certificats qui utilisent un fichier de clé séparé.</p> -<div class="example"><h3>Exemple</h3><pre class="prettyprint lang-config">SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/server.key"</pre> +<p>Plutôt que de stocker des clés privées dans des fichiers, il est possible +d'identifier une clé privée via un identifiant stocké dans un jeton. +Actuellement, seuls les <a href="https://tools.ietf.org/html/rfc7512">PKCS#11 +URIs</a> sont reconnus comme identifiants de clés privées et peuvent être +utilisés en conjonction avec le moteur OpenSSL <code>pkcs11</code>.</p> + +<div class="example"><h3>Exemple</h3><pre class="prettyprint lang-config"># Pour utiliser une clé privée stockée dans fichier encodé PEM : +SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/server.key" +# Pour utiliser une clé privée à partir d'un jeton PKCS#11 : +SSLCertificateKeyFile "pkcs11:token=My%20Token%20Name;id=45"</pre> </div> </div> 
@@ -1225,7 +1251,7 @@ sécurisée est supportée pour une connexion SSL donnée.</p> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Définit l'URI du répondeur par défaut pour la validation OCSP</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLOCSDefaultResponder <em>uri</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLOCSPDefaultResponder <em>uri</em></code></td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> @@ -1269,8 +1295,8 @@ SSLOCSPOverrideResponder on</pre> <div class="directive-section"><h2><a name="sslocspnoverify" id="sslocspnoverify">Directive</a> <a name="SSLOCSPNoverify" id="SSLOCSPNoverify">SSLOCSPNoverify</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Evite la vérification des certificats des répondeurs OCSP</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLOCSPNoverify <em>On/Off</em></code></td></tr> -<tr><th><a href="directive-dict.html#Default">Défaut:</a></th><td><code>SSLOCSPNoverify Off</code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLOCSPNoverify on|off</code></td></tr> +<tr><th><a href="directive-dict.html#Default">Défaut:</a></th><td><code>SSLOCSPNoverify off</code></td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> 
@@ -1444,7 +1470,7 @@ SSLOpenSSLConfCmd SignatureAlgorithms RSA+SHA384:ECDSA+SHA256</pre> <p> Cette directive permet de contrôler différentes options d'exécution du moteur SSL dans un contexte de répertoire. Normalement, si plusieurs -<code>SSLOptions</code> peuvent s'appliquer à un répertoire, c'est la +<code class="directive">SSLOptions</code> peuvent s'appliquer à un répertoire, c'est la plus spécifique qui est véritablement prise en compte ; les options ne se combinent pas entre elles. Elles se combinent cependant entre elles si elles sont <em>toutes</em> précédées par un symbole plus @@ -1506,7 +1532,7 @@ Les <em>option</em>s disponibles sont :</p> <li><code>StrictRequire</code> <p> Cette option <em>force</em> l'interdiction d'accès lorsque - <code>SSLRequireSSL</code> ou <code>SSLRequire</code> a décidé que + <code class="directive"><a href="#sslrequiressl">SSLRequireSSL</a></code> ou <code class="directive"><a href="#sslrequire">SSLRequire</a></code> a décidé que l'accès devait être interdit. Par défaut, dans le cas où une directive ``<code>Satisfy any</code>'' est utilisée, et si d'autres restrictions d'accès ont été franchies, on passe en général 
@@ -1710,6 +1736,34 @@ casse) :</p> </ul> <div class="example"><h3>Exemple</h3><pre class="prettyprint lang-config">SSLProtocol TLSv1</pre> </div> +<div class="note"> +<h3>La directive <code class="directive">SSLProtocol</code> et les serveurs virtuels +basés sur le nom</h3> +<p> +Avant OpenSSL 1.1.1, et même si l'indication du nom de serveur (Server Name +Indication ou SNI) permettait de déterminer le serveur virtuel cible assez tôt +au cours de la négociation TLS, il était impossible de changer de version de +protocole TLS à ce point, si bien que le <code class="directive">SSLProtocol</code> +négocié se basait toujours sur celui du <em>serveur virtuel de base</em> (le +premier serveur virtuel déclaré avec le couple <code>IP:port</code> de la +connexion). +</p> +<p> +A partir de la version 2.4.42, si le serveur HTTP Apache est compilé avec une +version 1.1.1. ou supérieure d'OpenSSL, et si le client fournit la SNI dans la +négociation TLS, le <code class="directive">SSLProtocol</code> de chaque serveur virtuel +(basé sur le nom) pourra être pris en compte et le sera. +</p> +<p> +A des fins de compatibilité avec les versions précédentes, si un serveur virtuel +basé sur le nom n'a aucune directive <code class="directive">SSLProtocol</code> définie, +c'est le protocole du serveur virtuel de base qui s'appliquera, <strong>à +moins</strong> qu'une directive <code class="directive">SSLProtocol</code> ne soit +configurée au niveau global, auquel cas c'est le protocole défini par cette +directive qui s'appliquera (ce dernier cas relève cependant plus d'un +comportement logique que d'un souci de compatibilité). +</p> +</div> </div> <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 
@@ -1717,10 +1771,12 @@ casse) :</p> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Fichier contenant la concaténation des certificats de CA codés en PEM pour l'authentification des serveurs distants</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLProxyCACertificateFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLProxyCACertificateFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel, section proxy</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>Le contexte d'une section proxy est supporté à partir de la +version 2.4.30 du serveur HTTP Apache</td></tr> </table> <p> Cette directive permet de définir le fichier <em>tout-en-un</em> où sont @@ -1744,6 +1800,8 @@ l'authentification des serveurs distants</td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel, section proxy</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>Le contexte d'une section proxy est supporté à partir de la +version 2.4.30 du serveur HTTP Apache</td></tr> </table> <p> Cette directive permet de spécifier le répertoire où sont stockés les 
@@ -1772,6 +1830,8 @@ pour l'authentification du serveur distant</td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel, section proxy</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>Le contexte d'une section proxy est supporté à partir de la +version 2.4.30 du serveur HTTP Apache</td></tr> </table> <p> Active la vérification des révocations basée sur les Listes de @@ -1805,10 +1865,12 @@ erreur <code>"CRL introuvable"</code>. <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Fichier contenant la concaténation des CRLs de CA codés en PEM pour l'authentification des serveurs distants</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLProxyCARevocationFile <em>chemin-fichier</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLProxyCARevocationFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel, section proxy</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>Le contexte d'une section proxy est supporté à partir de la +version 2.4.30 du serveur HTTP Apache</td></tr> </table> <p> Cette directive permet de définir le fichier <em>tout-en-un</em> où sont 
@@ -1833,6 +1895,8 @@ l'authentification des serveurs distants</td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel, section proxy</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>Le contexte d'une section proxy est supporté à partir de la +version 2.4.30 du serveur HTTP Apache</td></tr> </table> <p> Cette directive permet de définir le répertoire où sont stockées les @@ -1862,6 +1926,8 @@ du serveur distant <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel, section proxy</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>Le contexte d'une section proxy est supporté à partir de la +version 2.4.30 du serveur HTTP Apache</td></tr> </table> <p> Cette directive permet de définir si le champ CN du certificat du serveur @@ -1904,6 +1970,8 @@ certificat du serveur distant <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel, section proxy</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>Le contexte d'une section proxy est supporté à partir de la +version 2.4.30 du serveur HTTP Apache</td></tr> </table> <p> Cette directive permet de définir si l'expiration du certificat du 
@@ -1926,7 +1994,9 @@ certificats serveur distants <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> <tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>Disponible à partir de la version 2.4.5 du serveur HTTP -Apache</td></tr> +Apache<br /> +Le contexte d'une section proxy est supporté à partir de la +version 2.4.30 du serveur HTTP Apache</td></tr> </table> <p> Cette directive permet de configurer la vérification du nom d'hôte pour @@ -1967,6 +2037,8 @@ lors de l'initialisation d'une connexion SSL de mandataire</td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel, section proxy</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>Le contexte d'une section proxy est supporté à partir de la +version 2.4.30 du serveur HTTP Apache</td></tr> </table> <p>Cette directive est équivalente à la directive <code class="directive"><a href="#sslciphersuite">SSLCipherSuite</a></code>, mais s'applique à une connexion de mandataire. Veuillez vous reporter à la directive <code class="directive"><a href="#sslciphersuite">SSLCipherSuite</a></code> pour plus d'informations.</p> 
@@ -1982,6 +2054,8 @@ SSL</td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel, section proxy</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>Le contexte d'une section proxy est supporté à partir de la +version 2.4.30 du serveur HTTP Apache</td></tr> </table> <p> Cette directive permet d'activer/désactiver l'utilisation du moteur de @@ -2015,6 +2089,8 @@ mandataire de choisir un certificat</td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel, section proxy</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>Le contexte d'une section proxy est supporté à partir de la +version 2.4.30 du serveur HTTP Apache</td></tr> </table> <p> Cette directive permet de définir le fichier global où est enregistrée 
@@ -2048,6 +2124,10 @@ clients codés en PEM que le mandataire doit utiliser</td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel, section proxy</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>Le contexte d'une section proxy est pris en charge à partir de la +version 2.4.30 du serveur HTTP Apache<br /> +L'inclusion de certificats non-feuilles (CA) est prise en charge à partir de la +version 2.4.59.</td></tr> </table> <p> Cette directive permet de définir le fichier tout-en-un où sont stockés 
@@ -2055,14 +2135,46 @@ les clés et certificats permettant au serveur mandataire de s'authentifier auprès des serveurs distants. </p> <p> -Le fichier spécifié est la simple concaténation des différents fichiers -de certificats codés en PEM, classés par ordre de préférence. Cette -directive s'utilise à la place ou en complément de la directive -<code>SSLProxyMachineCertificatePath</code>. +Le fichier spécifié est la simple concaténation des différents fichiers de +certificats codés en PEM. Cette directive s'utilise à la place ou en complément +de la directive <code>SSLProxyMachineCertificatePath</code>. Le fichier spécifié +peut contenir un nombre quelconque de paires certificat client/clé privée +associée, et chaque paire peut être spécifiée selon l'ordre (certificat, clé) ou +(clé, certificat). Des certificats non-feuilles (CA) peuvent aussi être inclus +dans le fichier et sont traités comme s'ils avaient été définis à l'aide de la +directive <code class="directive"><a href="#sslproxymachinecertificatechainfile">SSLProxyMachineCertificateChainFile</a></code>. </p> + +<p>Lorsqu'un serveur distant sollicite le serveur pour obtenir un certificat +client, ce dernier doit fournir une liste de <em>noms d'autorités de +certification acceptables</em> au cours de la négociation. Si cette liste n'est +<em>pas</em> fournie, <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> utilisera la première paire certificat/clé +client définie. Si par contre cette liste <em>est</em> fournie, +<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> va la parcourir afin de trouver un certificat client +défini qui a été fourni soit directement par l'autorité de certification +considérée, soit indirectement via un nombre quelconque de certificats d'autorités de +certification intermédiaires. 
La chaîne de certificats d'autorités de +certification intermédiaires peut être construite à partir de ceux qui sont +inclus dans le fichier ou configurés +à l'aide de la directive <code class="directive"><a href="#sslproxymachinecertificatechainfile">SSLProxyMachineCertificateChainFile</a></code>. Le premier +certificat défini correspondant sera alors fourni comme réponse au cours de la +négociation</p> + +<p>Si la liste de noms de CA <em>est</em> fournie au serveur distant, et si +<em>aucun</em> certificat client correspondant n'est trouvé, aucun certificat +client ne sera fourni par <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>, ce qui fera probablement +échouer la négociation SSL/TLS (en fonction de la configuration du serveur +distant).</p> + <div class="warning"> <p>Actuellement, les clés privées chiffrées ne sont pas supportées.</p> </div> +<div class="warning"> +<p>Seules les clés au format PKCS1 RSA, DSA ou EC sont supportées. Les clés +au format PKCS8, autrement dit celles commençant par "<code>-----BEGIN +PRIVATE KEY-----</code>", doivent être converties via une commande du style +"<code>openssl rsa -in private-pkcs8.pem -outform pem</code>".</p> +</div> <div class="example"><h3>Exemple</h3><pre class="prettyprint lang-config">SSLProxyMachineCertificateFile "/usr/local/apache2/conf/ssl.crt/proxy.pem"</pre> </div> 
@@ -2077,20 +2189,27 @@ le mandataire doit utiliser</td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel, section proxy</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>Le contexte d'une section proxy est supporté à partir de la +version 2.4.30 du serveur HTTP Apache</td></tr> </table> <p> Cette directive permet de définir le répertoire où sont stockés les clés -et certificats permettant au serveur mandataire de s'authentifier auprès +et certificats clients permettant au serveur mandataire de s'authentifier auprès des serveurs distants. </p> -<p>Les fichiers de ce répertoire doivent être codés en PEM et ils sont -accédés via des noms de fichier sous forme de condensés ou hash. Vous -devez donc aussi créer des liens symboliques nommés -<em>valeur-de-hashage</em><code>.N</code>, et vous devez toujours vous -assurer que ce répertoire contient les liens symboliques appropriés.</p> +<p>mod_ssl va essayer de charger tous les fichiers contenus dans le répertoire +spécifié, comme si ces derniers étaient définis individuellement via la +directive <code class="directive"><a href="#sslproxymachinecertificatefile">SSLProxyMachineCertificateFile</a></code>.</p> + <div class="warning"> <p>Actuellement, les clés privées chiffrées ne sont pas supportées.</p> </div> +<div class="warning"> +<p>Seules les clés au format PKCS1 RSA, DSA ou EC sont supportées. 
Les clés +au format PKCS8, autrement dit celles commençant par "<code>-----BEGIN +PRIVATE KEY-----</code>", doivent être converties via une commande du style +"<code>openssl rsa -in private-pkcs8.pem -outform pem</code>".</p> +</div> <div class="example"><h3>Exemple</h3><pre class="prettyprint lang-config">SSLProxyMachineCertificatePath "/usr/local/apache2/conf/proxy.crt/"</pre> </div> @@ -2105,6 +2224,8 @@ mandataire</td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel, section proxy</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>Le contexte d'une section proxy est supporté à partir de la +version 2.4.30 du serveur HTTP Apache</td></tr> </table> <p> @@ -2126,6 +2247,8 @@ distant</td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel, section proxy</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>Le contexte d'une section proxy est supporté à partir de la +version 2.4.30 du serveur HTTP Apache</td></tr> </table> <p>Lorsqu'un mandataire est configuré pour faire suivre les requêtes 
@@ -2166,6 +2289,8 @@ lors de la vérification du certificat du serveur distant</td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel, section proxy</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> +<tr><th><a href="directive-dict.html#Compatibility">Compatibilité:</a></th><td>Le contexte d'une section proxy est supporté à partir de la +version 2.4.30 du serveur HTTP Apache</td></tr> </table> <p> Cette directive permet de définir le niveau de profondeur maximum @@ -2583,7 +2708,7 @@ valeur très supérieure comme 300 en production.</p> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Clé de chiffrement/déchiffrement permanente pour les tickets de session TLS</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLSessionTicketKeyFile <em>chemin-fichier</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLSessionTicketKeyFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> 
@@ -2672,7 +2797,7 @@ SSLSRPUnknownUserSeed "secret" <div class="directive-section"><h2><a name="sslsrpverifierfile" id="sslsrpverifierfile">Directive</a> <a name="SSLSRPVerifierFile" id="SSLSRPVerifierFile">SSLSRPVerifierFile</a></h2> <table class="directive"> <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Chemin du fichier de vérification SRP</td></tr> -<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLSRPVerifierFile <em>file-path</em></code></td></tr> +<tr><th><a href="directive-dict.html#Syntax">Syntaxe:</a></th><td><code>SSLSRPVerifierFile <var>file-path</var></code></td></tr> <tr><th><a href="directive-dict.html#Context">Contexte:</a></th><td>configuration globale, serveur virtuel</td></tr> <tr><th><a href="directive-dict.html#Status">Statut:</a></th><td>Extension</td></tr> <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> 
@@ -3048,7 +3173,7 @@ certificat de la CA doit être référencé par la directive <code class="direct <div class="bottomlang"> <p><span>Langues Disponibles: </span><a href="../en/mod/mod_ssl.html" hreflang="en" rel="alternate" title="English"> en </a> | <a href="../fr/mod/mod_ssl.html" title="Français"> fr </a></p> -</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Commentaires</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div> +</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Commentaires</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our <a href="https://httpd.apache.org/lists.html">mailing lists</a>.</div> <script type="text/javascript"><!--//--><![CDATA[//><!-- var comments_shortname = 'httpd'; var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_ssl.html'; 
@@ -3066,7 +3191,7 @@ var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_ssl.html'; } })(window, document); //--><!]]></script></div><div id="footer"> -<p class="apache">Copyright 2019 The Apache Software Foundation.<br />Autorisé sous <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> +<p class="apache">Copyright 2024 The Apache Software Foundation.<br />Autorisé sous <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossaire</a> | <a href="../sitemap.html">Plan du site</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!-- if (typeof(prettyPrint) !== 'undefined') { prettyPrint(); |
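Review bot: In the SSLCertificateFile table hunk (@@ -693,17 +692,20 @@) the Syntax row replaces the translated placeholder `<em>chemin-fichier</em>` with the English `<var>file-path</var>|<var>certid</var>`, while the Description cell and body text stay in French; the same switch appears in the SSLCertificateKeyFile, SSLProxyCACertificateFile, SSLProxyCARevocationFile, SSLSessionTicketKeyFile and SSLSRPVerifierFile hunks. If the intent is to mirror the English source, say so in the commit, but the body text then uses "identificateur" for `certid` here and "identifiant" for `keyid` in the SSLCertificateKeyFile hunks for the same concept; one term should be chosen.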
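Review bot: The "avant" to "après" inversion in the SSLCertificateFile body hunk (@@ -736,13 +738,21 @@) is the right correction: the text now agrees with the SSLCertificateKeyFile section, which already said that certificate files carrying an embedded private key must be declared after those that use a separate key file, and replacing "En effet" with "Dans ce cas" removes the false causal link to the "fortement déconseillée" sentence.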
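Review bot: Grammar in the added comment of the SSLCertificateFile example hunk (@@ -790,7 +800,11 @@): "d'un certificat et d'une clé privés issus d'un jeton" should read "d'un certificat et d'une clé privée issus d'un jeton", since "privée" qualifies only the key, not the certificate.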
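Review bot: Typo in the added comment of the SSLCertificateKeyFile example hunk (@@ -817,13 +834,22 @@): "stockée dans fichier encodé PEM" is missing its article and should read "stockée dans un fichier encodé PEM". In the preceding table hunk (@@ -799,15 +813,18 @@), "via un jeton cryptographique défini" has a dangling "défini"; "via un jeton cryptographique" reads cleanly.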
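Review bot: In the SSLProtocol note hunk (@@ -1710,6 +1736,34 @@), "version 1.1.1. ou supérieure" has a stray period after 1.1.1, and "pourra être pris en compte et le sera" says the same thing twice; "sera pris en compte" is enough. The operational consequence the note describes deserves one explicit sentence: on a build against OpenSSL older than 1.1.1, an SSLProtocol set on a name-based virtual host is not applied and the base virtual host's protocol list governs the connection, so an administrator who restricts protocol versions only on the name-based host does not actually get that restriction.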
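Review bot: Wording in the SSLProxyMachineCertificateFile table hunk (@@ -2048,6 +2124,10 @@) differs from the other proxy-context Compatibility rows added in this patch: "pris en charge" here versus "supporté" everywhere else, and "version 2.4.59." drops the "du serveur HTTP Apache" that the line above it keeps. Pick one phrasing and one terminator; the rows added for the SSLProxyCA* directives end without a period, while the SSLCertificateFile row ends with one.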
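Review bot: The PKCS#8 warning added in the SSLProxyMachineCertificateFile body hunk (@@ -2055,14 +2135,46 @@) lists RSA, DSA and EC keys but offers only `openssl rsa -in private-pkcs8.pem -outform pem`, which handles RSA keys alone; EC and DSA keys need `openssl ec` and `openssl dsa`, and since the command has no `-out`, the converted private key is written to stdout, so suggest adding `-out private.pem` so the key does not end up in a terminal scrollback. Two smaller points in the same hunk: the sentence ending "au cours de la négociation</p>" lacks its period, and `<code>SSLProxyMachineCertificatePath</code>` is plain `<code>` while SSLProxyMachineCertificateChainFile two lines below gets the `<code class="directive">` link.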
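Review bot: In the SSLProxyMachineCertificatePath hunk (@@ -2077,20 +2189,27 @@), "mod_ssl va essayer" is bare text where the previous section uses `<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>`; use the same markup. The duplicated PKCS#8 warning repeats the RSA-only `openssl rsa` command from the SSLProxyMachineCertificateFile warning, so whatever correction lands there must be mirrored here, or the warning should be kept in one shared fragment in the XML source.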
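Review bot: The footer hunk (@@ -3066,7 +3191,7 @@) updates the copyright year but keeps `http://www.apache.org/licenses/LICENSE-2.0`, while the preceding comments-section hunk moves the mailing-list link to https; use https for the license link as well so the page does not mix schemes.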