summaryrefslogtreecommitdiffstats
path: root/docs/manual/mod/mod_tls.html.en
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:01:30 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:01:30 +0000
commit6beeb1b708550be0d4a53b272283e17e5e35fe17 (patch)
tree1ce8673d4aaa948e5554000101f46536a1e4cc29 /docs/manual/mod/mod_tls.html.en
parentInitial commit. (diff)
downloadapache2-6beeb1b708550be0d4a53b272283e17e5e35fe17.tar.xz
apache2-6beeb1b708550be0d4a53b272283e17e5e35fe17.zip
Adding upstream version 2.4.57.upstream/2.4.57
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'docs/manual/mod/mod_tls.html.en')
-rw-r--r--docs/manual/mod/mod_tls.html.en663
1 files changed, 663 insertions, 0 deletions
diff --git a/docs/manual/mod/mod_tls.html.en b/docs/manual/mod/mod_tls.html.en
new file mode 100644
index 0000000..9b7ccc4
--- /dev/null
+++ b/docs/manual/mod/mod_tls.html.en
@@ -0,0 +1,663 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
+<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" />
+<!--
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ This file is generated from xml source: DO NOT EDIT
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ -->
+<title>mod_tls - Apache HTTP Server Version 2.4</title>
+<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
+<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
+<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
+<script src="../style/scripts/prettify.min.js" type="text/javascript">
+</script>
+
+<link href="../images/favicon.ico" rel="shortcut icon" /></head>
+<body>
+<div id="page-header">
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
+<p class="apache">Apache HTTP Server Version 2.4</p>
+<img alt="" src="../images/feather.png" /></div>
+<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
+<div id="path">
+<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.4</a> &gt; <a href="./">Modules</a></div>
+<div id="page-content">
+<div id="preamble"><h1>Apache Module mod_tls</h1>
+<div class="toplang">
+<p><span>Available Languages: </span><a href="../en/mod/mod_tls.html" title="English">&nbsp;en&nbsp;</a></p>
+</div>
+<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>TLS v1.2 and v1.3 implemented in memory-safe Rust via
+ the rustls library
+ </td></tr>
+<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
+<tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>tls_module</td></tr>
+<tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_tls.c</td></tr>
+<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in version 2.4.52 and later</td></tr></table>
+<h3>Summary</h3>
+
+ <p>
+ mod_tls is an alternative to <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> for providing https to a server.
+ It's feature set is a subset, described in more detail below. It can
+ be used as a companion to <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>, e.g. both modules can be loaded at
+ the same time.
+ </p><p>
+ mod_tls, being written in C, used the Rust implementation of TLS named
+ <a href="https://github.com/rustls/rustls">rustls</a> via its C interface
+ <a href="https://github.com/rustls/rustls-ffi">rustls-ffi</a>. This gives
+ <em>memory safe</em> cryptography and protocol handling at comparable
+ performance.
+ </p><p>
+ It can be configured for frontend and backend connections. The configuration
+ directive have been kept mostly similar to <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> ones.
+ </p>
+ </div>
+<div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><h3>Topics</h3>
+<ul id="topics">
+<li><img alt="" src="../images/down.gif" /> <a href="#vhost_context">TLS in a VirtualHost context</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#comparison">Feature Comparison with mod_ssl</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#protocols">TLS Protocols</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#ciphers">TLS Ciphers</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#vhosts">Virtual Hosts</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#ACME">ACME Certificates</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#OCSP">OCSP Stapling</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#variables">TLS Variables</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#certificates">Client Certificates</a></li>
+</ul><h3 class="directives">Directives</h3>
+<ul id="toc">
+<li><img alt="" src="../images/down.gif" /> <a href="#tlscertificate">TLSCertificate</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#tlsciphersprefer">TLSCiphersPrefer</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#tlscipherssuppress">TLSCiphersSuppress</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#tlsengine">TLSEngine</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#tlshonorclientorder">TLSHonorClientOrder</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#tlsoptions">TLSOptions</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#tlsprotocol">TLSProtocol</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#tlsproxyca">TLSProxyCA</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#tlsproxyciphersprefer">TLSProxyCiphersPrefer</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#tlsproxycipherssuppress">TLSProxyCiphersSuppress</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#tlsproxyengine">TLSProxyEngine</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#tlsproxymachinecertificate">TLSProxyMachineCertificate</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#tlsproxyprotocol">TLSProxyProtocol</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#tlssessioncache">TLSSessionCache</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#tlsstrictsni">TLSStrictSNI</a></li>
+</ul>
+<h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&amp;list_id=144532&amp;product=Apache%20httpd-2&amp;query_format=specific&amp;order=changeddate%20DESC%2Cpriority%2Cbug_severity&amp;component=mod_tls">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&amp;component=mod_tls">Report a bug</a></li></ul><h3>See also</h3>
+<ul class="seealso">
+<li><a href="#comments_section">Comments</a></li></ul></div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="vhost_context" id="vhost_context">TLS in a VirtualHost context</a></h2>
+
+ <pre class="prettyprint lang-config">Listen 443
+TLSEngine 443
+
+&lt;VirtualHost *:443&gt;
+ ServerName example.net
+ TLSCertificate file_with_certificate.pem file_with_key.pem
+ ...
+&lt;/VirtualHost&gt;</pre>
+
+ <p>
+ The above is a minimal configuration. Instead of enabling mod_tls
+ in every virtual host, the port for incoming TLS connections is
+ specified.
+ </p><p>
+ You cannot mix virtual hosts with <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> and mod_tls on the same
+ port. It's either or. SNI and ALPN are supported. You may use several
+ virtual hosts on the same port and a mix of protocols like http/1.1
+ and h2.
+ </p>
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="comparison" id="comparison">Feature Comparison with mod_ssl</a></h2>
+ <p>
+ The table below gives a comparison of feature between
+ <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> and mod_tls. If a feature of <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> is no listed here,
+ it is not supported by mod_tls. The one difference, probably most relevant
+ is the lack for client certificate support in the current version of
+ mod_tls.
+ </p>
+ <table>
+ <tr><th>Feature</th><th>mod_ssl</th><th>mod_tls</th><th>Comment</th></tr>
+<tr><td>Frontend TLS</td><td>yes</td><td>yes</td><td /></tr>
+<tr><td>Backend TLS</td><td>yes</td><td>yes</td><td /></tr>
+<tr><td>TLS v1.3</td><td>yes*</td><td>yes</td><td>*)with recent OpenSSL</td></tr>
+<tr><td>TLS v1.2</td><td>yes</td><td>yes</td><td /></tr>
+<tr><td>TLS v1.0</td><td>yes*</td><td>no</td><td>*)if enabled in OpenSSL</td></tr>
+<tr><td>SNI Virtual Hosts</td><td>yes</td><td>yes</td><td /></tr>
+<tr><td>Client Certificates</td><td>yes</td><td>no</td><td /></tr>
+<tr><td>Machine Certificates for Backend</td><td>yes</td><td>yes</td><td /></tr>
+<tr><td>OCSP Stapling</td><td>yes</td><td>yes*</td><td>*)via <code class="module"><a href="../mod/mod_md.html">mod_md</a></code></td></tr>
+<tr><td>Backend OCSP check</td><td>yes</td><td>no*</td><td>*)stapling will be verified</td></tr>
+<tr><td>TLS version to allow</td><td>min-max</td><td>min</td><td /></tr>
+<tr><td>TLS ciphers</td><td>exclusive list</td><td>preferred/suppressed</td><td /></tr>
+<tr><td>TLS cipher ordering</td><td>client/server</td><td>client/server</td><td /></tr>
+<tr><td>TLS sessions</td><td>yes</td><td>yes</td><td /></tr>
+<tr><td>SNI strictness</td><td>default no</td><td>default yes</td><td /></tr>
+<tr><td>Option EnvVars</td><td>exhaustive</td><td>limited*</td><td>*)see var list</td></tr>
+<tr><td>Option ExportCertData</td><td>client+server</td><td>server</td><td /></tr>
+<tr><td>Backend CA</td><td>file/dir</td><td>file</td><td /></tr>
+<tr><td>Revocation CRLs</td><td>yes</td><td>no</td><td /></tr>
+<tr><td>TLS Renegotiation</td><td>yes*</td><td>no</td><td>*)in TLS v1.2</td></tr>
+<tr><td>Encrypted Cert Keys</td><td>yes</td><td>no</td><td /></tr>
+ </table>
+ <p>
+ </p>
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="protocols" id="protocols">TLS Protocols</a></h2>
+ <p>
+ mod_tls supports TLS protocol version 1.2 and 1.3. Should there ever be
+ a version 1.4 and <code>rustls</code> supports it, it will be available as well.
+ </p>
+ <p>
+ In mod_tls, you configure the <em>minimum</em> version to use, never the maximum:
+ </p>
+ <pre class="prettyprint lang-config">TLSProtocol TLSv1.3+</pre>
+
+ <p>
+ This allows only version 1.3 and whatever may be its successor one day when talking
+ to your server or to a particular virtual host.
+ </p>
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="ciphers" id="ciphers">TLS Ciphers</a></h2>
+ <p>
+ The list of TLS ciphers supported in the <code>rustls</code> library,
+ can be found <a href="https://docs.rs/rustls/">here</a>. All TLS v1.3
+ ciphers are supported. For TLS v1.2, only ciphers that rustls considers
+ secure are available.
+ </p><p>
+ mod_tls supports the following names for TLS ciphers:
+ </p>
+ <ol>
+ <li>
+ The <a href="https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4">IANA assigned name</a>
+ which uses `_` to separate parts. Example: <code>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</code>
+ </li>
+ <li>
+ The OpenSSL name, using `-` as separator (for 1.2). Example: <code>ECDHE-ECDSA-AES256-SHA384</code>.
+ Such names often appear in documentation. `mod_tls` defines them for all TLS v1.2 ciphers.
+ For TLS v1.3 ciphers, names starting with <code>TLS13_</code> are also supported.
+ </li>
+ <li>
+ The <a href="https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4">IANA assigned identifier</a>,
+ which is a 16-bit numeric value. Example: <code>0xc024</code>.
+ You can use this in configurations as <code>TLS_CIPHER_0xc024</code>.
+ </li>
+ </ol>
+ <p>
+ You can configure a preference for ciphers, which means they will be used
+ for clients that support them. If you do not configure a preference, <code>rustls</code>
+ will use the one that it considers best. This is recommended.
+ </p>
+ <p>
+ Should you nevertheless have the need to prefer one cipher over another, you
+ may configure it like this:
+ </p>
+ <pre class="prettyprint lang-config">TLSCiphersPrefer ECDHE-ECDSA-AES256-SHA384
+# or several
+TLSCiphersPrefer ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305</pre>
+
+ <p>
+ If you name a cipher that is unknown, the configuration will fail.
+ If you name a cipher is not supported by <code>rustls</code> (or no
+ longer supported in an updated version of <code>rustls</code> for security
+ reasons), mod_tls will log a <code>WARNING</code>, but continue to work.
+ </p>
+ <p>
+ A similar mechanism exists, if you want to disable a particular cipher:
+ </p>
+ <pre class="prettyprint lang-config">TLSCipherSuppress ECDHE-ECDSA-AES256-SHA384</pre>
+
+ <p>
+ A suppressed cipher will not longer be used.
+ If you name a cipher that is unknown, the configuration will fail.
+ If you name a cipher is not supported by <code>rustls</code> (or no
+ longer supported in an updated version of <code>rustls</code> for security
+ reasons), mod_tls will log a <code>WARNING</code>, but continue to work.
+ </p>
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="vhosts" id="vhosts">Virtual Hosts</a></h2>
+ <p>
+ mod_tls uses the SNI (Server Name Indicator) to select one of the
+ configured virtual hosts that match the port being served. Should
+ the client not provide an SNI, the <em>first</em> configured
+ virtual host will be selected. If the client <em>does</em> provide
+ an SNI (as all today's clients do), it <em>must</em> match one
+ virtual host (<code class="directive"><a href="../mod/core.html#servername">ServerName</a></code> or
+ <code class="directive"><a href="../mod/core.html#serveralias">ServerAlias</a></code>)
+ or the connection will fail.
+ </p>
+ <p>
+ As with <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>, you may specify ciphers and protocol
+ versions for the base server (global) and/or individual virtual hosts
+ that are selected via SNI by the client.
+ </p>
+ <pre class="prettyprint lang-config">Listen 443
+TLSEngine 443
+
+&lt;VirtualHost *:443&gt;
+ ServerName example1.net
+ TLSCertificate example1-cert.pem
+ ...
+&lt;/VirtualHost&gt;
+
+&lt;VirtualHost *:443&gt;
+ ServerName example2.net
+ TLSCertificate example2-cert.pem
+ ...
+ TLSProtocol v1.3+
+&lt;/VirtualHost&gt;</pre>
+
+ <p>
+ The example above show different TLS settings for virtual hosts on the
+ same port. This is supported. <code>example1</code> can be contacted via
+ all TLS versions and <code>example2</code> only allows v1.3 or later.
+ </p>
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="ACME" id="ACME">ACME Certificates</a></h2>
+ <p>
+ ACME certificates via <code class="module"><a href="../mod/mod_md.html">mod_md</a></code> are supported, just as
+ for <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>. A minimal configuration:
+ </p>
+ <pre class="prettyprint lang-config">Listen 443
+TLSEngine 443
+MDomain example.net
+
+&lt;VirtualHost *:443&gt;
+ ServerName example.net
+ ...
+&lt;/VirtualHost&gt;</pre>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="OCSP" id="OCSP">OCSP Stapling</a></h2>
+ <p>
+ mod_tls has no own implementation to retrieve OCSP information for
+ a certificate. However, it will use such for Stapling if it is provided
+ by <code class="module"><a href="../mod/mod_md.html">mod_md</a></code>. See <code class="module"><a href="../mod/mod_md.html">mod_md</a></code>'s documentation
+ on how to enable this.
+ </p>
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="variables" id="variables">TLS Variables</a></h2>
+ <p>
+ Via the directive <code class="directive"><a href="#tlsoptions">TLSOptions</a></code>, several variables
+ are placed into the environment of requests and can be inspected, for
+ example in a CGI script.
+ </p>
+ <p>
+ The variable names are given by <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>. Note that these
+ are only a subset of the many variables that <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> exposes.
+ </p>
+ <table>
+ <tr><th>Variable</th><th>TLSOption</th><th>Description</th></tr>
+ <tr><td>SSL_TLS_SNI</td><td>*</td><td>the server name indicator (SNI) send by the client</td></tr>
+ <tr><td>SSL_PROTOCOL</td><td>*</td><td>the TLS protocol negotiated</td></tr>
+ <tr><td>SSL_CIPHER</td><td>*</td><td>the name of the TLS cipher negotiated</td></tr>
+ <tr><td>SSL_VERSION_INTERFACE</td><td>StdEnvVars</td><td>the module version</td></tr>
+ <tr><td>SSL_VERSION_LIBRARY</td><td>StdEnvVars</td><td>the rustls-ffi version</td></tr>
+ <tr><td>SSL_SECURE_RENEG</td><td>StdEnvVars</td><td>always `false`</td></tr>
+ <tr><td>SSL_COMPRESS_METHOD</td><td>StdEnvVars</td><td>always `false`</td></tr>
+ <tr><td>SSL_CIPHER_EXPORT</td><td>StdEnvVars</td><td>always `false`</td></tr>
+ <tr><td>SSL_CLIENT_VERIFY</td><td>StdEnvVars</td><td>always `false`</td></tr>
+ <tr><td>SSL_SESSION_RESUMED</td><td>StdEnvVars</td><td>either `Resumed` if a known TLS session id was presented by the client or `Initial` otherwise</td></tr>
+ <tr><td>SSL_SERVER_CERT</td><td>ExportCertData</td><td>the selected server certificate in PEM format</td></tr>
+ </table>
+ <p>
+ The variable <code>SSL_SESSION_ID</code> is intentionally not supported as
+ it contains sensitive information.
+ </p>
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="certificates" id="certificates">Client Certificates</a></h2>
+ <p>
+ While <code>rustls</code> supports client certificates in principle, parts
+ of the infrastructure to make <em>use</em> of these in a server are not
+ offered.
+ </p>
+ <p>
+ Among these features are: revocation lists, inspection of certificate
+ extensions and the matched issuer chain for OCSP validation. Without these,
+ revocation of client certificates is not possible. Offering authentication
+ without revocation is not considered an option.
+ </p>
+ <p>
+ Work will continue on this and client certificate support may become
+ available in a future release.
+ </p>
+ </div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="TLSCertificate" id="TLSCertificate">TLSCertificate</a> <a name="tlscertificate" id="tlscertificate">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>adds a certificate and key (PEM encoded) to a server/virtual host.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>TLSCertificate <em>cert_file</em> [<em>key_file</em>]</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_tls</td></tr>
+</table>
+ <p>
+ If you do not specify a separate key file, the key is assumed to also be
+ found in the first file. You may add more than one certificate to a
+ server/virtual host. The first certificate suitable for a client is then chosen.
+ </p><p>
+ The path can be specified relative to the server root.
+ </p>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="TLSCiphersPrefer" id="TLSCiphersPrefer">TLSCiphersPrefer</a> <a name="tlsciphersprefer" id="tlsciphersprefer">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>defines ciphers that are preferred.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>TLSCiphersPrefer <em>cipher(-list)</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_tls</td></tr>
+</table>
+ <p>
+ This will not disable any ciphers supported by `rustls`. If you
+ specify a cipher that is completely unknown, the configuration will
+ fail. If you specify a cipher that is known but not supported by `rustls`,
+ a warning will be logged but the server will continue.
+ </p><p>
+ </p>
+ <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">TLSCiphersPrefer ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305</pre>
+</div>
+ <p>
+ The example gives 2 ciphers preference over others, in the
+ order they are mentioned.
+ </p>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="TLSCiphersSuppress" id="TLSCiphersSuppress">TLSCiphersSuppress</a> <a name="tlscipherssuppress" id="tlscipherssuppress">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>defines ciphers that are not to be used.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>TLSCiphersSuppress <em>cipher(-list)</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_tls</td></tr>
+</table>
+ <p>
+ This will not disable any unmentioned ciphers supported by `rustls`.
+ If you specify a cipher that is completely unknown, the configuration will fail.
+ If you specify a cipher that is known but not supported by `rustls`,
+ a warning will be logged but the server will continue.
+ </p><p>
+ </p>
+ <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">TLSCiphersSuppress ECDHE-ECDSA-CHACHA20-POLY1305</pre>
+</div>
+ <p>
+ The example removes a cipher for use in connections.
+ </p>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="TLSEngine" id="TLSEngine">TLSEngine</a> <a name="tlsengine" id="tlsengine">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>defines on which address+port the module shall handle incoming connections.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>TLSEngine [<em>address</em>:]<em>port</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_tls</td></tr>
+</table>
+ <p>
+ This is set on a global level, not in individual <code class="directive"><a href="../mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code>s.
+ It will affect all <code class="directive"><a href="../mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code>
+ that match the specified address/port.
+ You can use <code class="directive">TLSEngine</code> several times to use more than one address/port.
+ </p><p>
+ </p>
+ <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">TLSEngine 443</pre>
+</div>
+ <p>
+ The example tells mod_tls to handle incoming connection on port 443 for
+ all listeners.
+ </p>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="TLSHonorClientOrder" id="TLSHonorClientOrder">TLSHonorClientOrder</a> <a name="tlshonorclientorder" id="tlshonorclientorder">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>determines if the order of ciphers supported by the client is honored</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>TLSHonorClientOrder on|off</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>TLSHonorClientOrder on</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_tls</td></tr>
+</table>
+ <p>
+ <code class="directive">TLSHonorClientOrder</code> determines if the order of ciphers
+ supported by the client is honored.
+ </p><p>
+ </p>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="TLSOptions" id="TLSOptions">TLSOptions</a> <a name="tlsoptions" id="tlsoptions">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>enables SSL variables for requests.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>TLSOptions [+|-]<em>option</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_tls</td></tr>
+</table>
+ <p>
+ <code class="directive">TLSOptions</code> is analog to <code class="directive"><a href="../mod/mod_ssl.html#ssloptions">SSLOptions</a></code> in <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.
+ It can be set per directory/location and `option` can be:
+ </p>
+ <ul>
+ <li>`StdEnvVars`: adds more variables to the requests environment,
+ as forwarded for example to CGI processing and other applications.
+ </li>
+ <li>`ExportCertData`: adds certificate related variables to the request environment.
+ </li>
+ <li>`Defaults`: resets all options to their default values.</li>
+ </ul>
+ <p>
+ Adding variables to a request environment adds overhead, especially
+ when certificates need to be inspected and fields extracted.
+ Therefore most variables are not set by default.
+ </p>
+ <p>
+ You can configure <code class="directive">TLSOptions</code> per location or generally on a
+ server/virtual host. Prefixing an option with `-` disables this
+ option while leaving others unchanged.
+ A `+` prefix is the same as writing the option without one.
+ </p>
+ <p>
+ The `Defaults` value can be used to reset any options that are
+ inherited from other locations or the virtual host/server.
+ </p>
+ <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">&lt;Location /myplace/app&gt;
+ TLSOptions Defaults StdEnvVars
+ ...
+&lt;/Location&gt;</pre>
+</div>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="TLSProtocol" id="TLSProtocol">TLSProtocol</a> <a name="tlsprotocol" id="tlsprotocol">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>specifies the minimum version of the TLS protocol to use.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>TLSProtocol <em>version</em>+</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>TLSProtocol v1.2+</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_tls</td></tr>
+</table>
+ <p>
+ The default is `v1.2+`. Settings this to `v1.3+` would disable TLSv1.2.
+ </p>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="TLSProxyCA" id="TLSProxyCA">TLSProxyCA</a> <a name="tlsproxyca" id="tlsproxyca">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>sets the root certificates to validate the backend server with.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>TLSProxyCA <em>file.pem</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_tls</td></tr>
+</table>
+ <p>
+
+ </p>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="TLSProxyCiphersPrefer" id="TLSProxyCiphersPrefer">TLSProxyCiphersPrefer</a> <a name="tlsproxyciphersprefer" id="tlsproxyciphersprefer">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>defines ciphers that are preferred for a proxy connection.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>TLSProxyCiphersPrefer <em>cipher(-list)</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_tls</td></tr>
+</table>
+ <p>
+ This will not disable any ciphers supported by `rustls`.
+ If you specify a cipher that is completely unknown, the configuration will fail.
+ If you specify a cipher that is known but not supported by `rustls`,
+ a warning will be logged but the server will continue.
+ </p>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="TLSProxyCiphersSuppress" id="TLSProxyCiphersSuppress">TLSProxyCiphersSuppress</a> <a name="tlsproxycipherssuppress" id="tlsproxycipherssuppress">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>defines ciphers that are not to be used for a proxy connection.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>TLSProxyCiphersSuppress <em>cipher(-list)</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_tls</td></tr>
+</table>
+ <p>
+ This will not disable any unmentioned ciphers supported by `rustls`.
+ If you specify a cipher that is completely unknown, the configuration will fail.
+ If you specify a cipher that is known but not supported by `rustls`,
+ a warning will be logged but the server will continue.
+ </p>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="TLSProxyEngine" id="TLSProxyEngine">TLSProxyEngine</a> <a name="tlsproxyengine" id="tlsproxyengine">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>enables TLS for backend connections.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>TLSProxyEngine on|off</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_tls</td></tr>
+</table>
+ <p>
+ <code class="directive">TLSProxyEngine</code> is analog to <code class="directive"><a href="../mod/mod_ssl.html#sslproxyengine">SSLProxyEngine</a></code> in <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.
+ </p><p>
+ This can be used in a server/virtual host or <code class="directive"><a href="../mod/mod_proxy.html#proxy">&lt;Proxy&gt;</a></code> section to
+ enable the module for outgoing connections using <code class="module"><a href="../mod/mod_proxy.html">mod_proxy</a></code>.
+ </p>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="TLSProxyMachineCertificate" id="TLSProxyMachineCertificate">TLSProxyMachineCertificate</a> <a name="tlsproxymachinecertificate" id="tlsproxymachinecertificate">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>adds a certificate and key file (PEM encoded) to a proxy setup.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>TLSProxyMachineCertificate <em>cert_file</em> [<em>key_file</em>]</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_tls</td></tr>
+</table>
+ <p>
+ The certificate is used to authenticate against a proxied backend server.
+ </p><p>
+ If you do not specify a separate key file, the key is assumed to also be
+ found in the first file. You may add more than one certificate to a proxy
+ setup. The first certificate suitable for a proxy connection to a backend
+ is then chosen by <code>rustls</code>.
+ </p>
+ <p>
+ The path can be specified relative to the server root.
+ </p>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="TLSProxyProtocol" id="TLSProxyProtocol">TLSProxyProtocol</a> <a name="tlsproxyprotocol" id="tlsproxyprotocol">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>specifies the minimum version of the TLS protocol to use in proxy connections.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>TLSProxyProtocol <em>version</em>+</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>TLSProxyProtocol v1.2+</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, proxy section</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_tls</td></tr>
+</table>
+ <p>
+ The default is `v1.2+`. Settings this to `v1.3+` would disable TLSv1.2.
+ </p>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="TLSSessionCache" id="TLSSessionCache">TLSSessionCache</a> <a name="tlssessioncache" id="tlssessioncache">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>specifies the cache for TLS session resumption.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>TLSSessionCache <em>cache-spec</em></code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_tls</td></tr>
+</table>
+ <p>
+ This uses a cache on the server side to allow clients to resume connections.
+ </p><p>
+ You can set this to `none` or define a cache as in the <code class="directive"><a href="../mod/mod_ssl.html#sslsessioncache">SSLSessionCache</a></code>
+ directive of <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>.
+ </p><p>
+ If not configured, `mod_tls` will try to create a shared memory cache on its own,
+ using `shmcb:tls/session-cache` as specification.
+ Should that fail, a warning is logged, but the server continues.
+ </p>
+
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="TLSStrictSNI" id="TLSStrictSNI">TLSStrictSNI</a> <a name="tlsstrictsni" id="tlsstrictsni">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>enforces exact matches of client server indicators (SNI) against host names.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>TLSStrictSNI on|off</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>TLSStrictSNI on</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Experimental</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_tls</td></tr>
+</table>
+ <p>
+ Client connections using SNI will be unsuccessful if no match is found.
+ </p>
+
+</div>
+</div>
+<div class="bottomlang">
+<p><span>Available Languages: </span><a href="../en/mod/mod_tls.html" title="English">&nbsp;en&nbsp;</a></p>
+</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&amp;A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our <a href="https://httpd.apache.org/lists.html">mailing lists</a>.</div>
+<script type="text/javascript"><!--//--><![CDATA[//><!--
+var comments_shortname = 'httpd';
+var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_tls.html';
+(function(w, d) {
+ if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
+ d.write('<div id="comments_thread"><\/div>');
+ var s = d.createElement('script');
+ s.type = 'text/javascript';
+ s.async = true;
+ s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
+ (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
+ }
+ else {
+ d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
+ }
+})(window, document);
+//--><!]]></script></div><div id="footer">
+<p class="apache">Copyright 2023 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
+if (typeof(prettyPrint) !== 'undefined') {
+ prettyPrint();
+}
+//--><!]]></script>
+</body></html> \ No newline at end of file