Apache HTTP Server Version 2.0

Apache Module mod_ssl
Strong cryptography using the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols
Status: Extension
Module Identifier: ssl_module
Source File: mod_ssl.c
Summary
This module provides SSL v2/v3 and TLS v1 support for the Apache HTTP Server.
It was contributed by Ralf S. Engelschall based on his mod_ssl project and
originally derived from work by Ben Laurie.
# Note: this module provides SSL v2/v3 and TLS v1 support.
This module relies on OpenSSL to provide the cryptography engine.
# Note: this module requires the OpenSSL software, which provides the cryptography engine.
Further details, discussion, and examples are provided in the SSL documentation.
Directives
SSLProxyMachineCertificateFile
SSLProxyMachineCertificatePath
Environment Variables
This module provides a lot of SSL information as additional environment
variables to the SSI and CGI namespace. The generated variables are listed in
the table below. For backward compatibility the information can be made
available under different names, too. Look in the Compatibility chapter for
details on the compatibility variables.
# Note: this module exposes a lot of SSL information, for example as environment variables. The relevant environment variables are listed below.
Variable Name            Value Type  Description
HTTPS                    flag        HTTPS is being used.
SSL_PROTOCOL             string      The SSL protocol version (SSLv2, SSLv3, TLSv1)
SSL_SESSION_ID           string      The hex-encoded SSL session id
SSL_CIPHER               string      The cipher specification name
SSL_CIPHER_EXPORT        string      true if cipher is an export cipher
SSL_CIPHER_USEKEYSIZE    number      Number of cipher bits (actually used)
SSL_CIPHER_ALGKEYSIZE    number      Number of cipher bits (possible)
SSL_VERSION_INTERFACE    string      The mod_ssl program version
SSL_VERSION_LIBRARY      string      The OpenSSL program version
SSL_CLIENT_M_VERSION     string      The version of the client certificate
SSL_CLIENT_M_SERIAL      string      The serial of the client certificate
SSL_CLIENT_S_DN          string      Subject DN in client's certificate
SSL_CLIENT_S_DN_x509     string      Component of client's Subject DN
SSL_CLIENT_I_DN          string      Issuer DN of client's certificate
SSL_CLIENT_I_DN_x509     string      Component of client's Issuer DN
SSL_CLIENT_V_START       string      Validity of client's certificate (start time)
SSL_CLIENT_V_END         string      Validity of client's certificate (end time)
SSL_CLIENT_A_SIG         string      Algorithm used for the signature of client's certificate
SSL_CLIENT_A_KEY         string      Algorithm used for the public key of client's certificate
SSL_CLIENT_CERT          string      PEM-encoded client certificate
SSL_CLIENT_CERT_CHAINn   string      PEM-encoded certificates in client certificate chain
SSL_CLIENT_VERIFY        string      NONE, SUCCESS, GENEROUS or FAILED:reason
SSL_SERVER_M_VERSION     string      The version of the server certificate
SSL_SERVER_M_SERIAL      string      The serial of the server certificate
SSL_SERVER_S_DN          string      Subject DN in server's certificate
SSL_SERVER_S_DN_x509     string      Component of server's Subject DN
SSL_SERVER_I_DN          string      Issuer DN of server's certificate
SSL_SERVER_I_DN_x509     string      Component of server's Issuer DN
SSL_SERVER_V_START       string      Validity of server's certificate (start time)
SSL_SERVER_V_END         string      Validity of server's certificate (end time)
SSL_SERVER_A_SIG         string      Algorithm used for the signature of server's certificate
SSL_SERVER_A_KEY         string      Algorithm used for the public key of server's certificate
SSL_SERVER_CERT          string      PEM-encoded server certificate
[ where x509 is a component of a X.509 DN: C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email ]
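As an added example, not from the Apache documentation, a CGI script in Python that reads the mod_ssl variables above from its environment and decides whether to serve the request; the SAMPLE_ENV values, the required organisation name and the minimum key size are constructed assumptions.

```python
import os

# Constructed sample of the environment mod_ssl hands to a CGI script (not a real request).
SAMPLE_ENV = {
    "HTTPS": "on",
    "SSL_PROTOCOL": "TLSv1",
    "SSL_CIPHER": "DHE-RSA-AES256-SHA",
    "SSL_CIPHER_EXPORT": "false",
    "SSL_CIPHER_USEKEYSIZE": "256",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=US/O=Example Corp/OU=Ops/CN=alice",
    "SSL_CLIENT_S_DN_O": "Example Corp",   # SSL_CLIENT_S_DN_x509 component, x509 = O
    "SSL_CLIENT_S_DN_CN": "alice",         # x509 = CN
}

def check_ssl_env(env, required_org="Example Corp", min_key_bits=128):
    """Return (allowed, reason) for a request, judged from the mod_ssl variables."""
    if env.get("HTTPS") != "on":
        return False, "not an HTTPS request"
    if env.get("SSL_PROTOCOL") == "SSLv2":
        return False, "SSLv2 negotiated"
    if env.get("SSL_CIPHER_EXPORT") == "true":
        return False, "export-grade cipher"
    try:
        bits = int(env.get("SSL_CIPHER_USEKEYSIZE", "0"))   # bits actually used
    except ValueError:
        bits = 0
    if bits < min_key_bits:
        return False, "cipher key size %d below %d" % (bits, min_key_bits)
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    if verify.startswith("FAILED:"):
        return False, "client cert verification failed: " + verify[len("FAILED:"):]
    if verify != "SUCCESS":   # NONE or GENEROUS: no certificate that chains to a trusted CA
        return False, "no verified client certificate (%s)" % verify
    if env.get("SSL_CLIENT_S_DN_O") != required_org:
        return False, "client cert organisation not permitted"
    return True, "client %s from %s" % (env.get("SSL_CLIENT_S_DN_CN"), required_org)

if __name__ == "__main__":
    # Use the real CGI environment when running under Apache, the sample otherwise.
    env = os.environ if "SSL_PROTOCOL" in os.environ else SAMPLE_ENV
    allowed, why = check_ssl_env(env)
    print("Content-Type: text/plain\n")
    print(("ALLOW: " if allowed else "DENY: ") + why)
```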
Custom Log Formats
When mod_ssl is built into Apache or at least loaded (under DSO situation)
additional functions exist for the Custom Log Format of mod_log_config. First
there is an additional ``%{varname}x'' eXtension format function which can be
used to expand any variables provided by any module, especially those provided
by mod_ssl which you can find in the above table.
# Note: mod_ssl request logs can reference the environment variables above using the %{var}x format.
For backward compatibility there is additionally a special ``%{name}c''
cryptography format function provided. Information about this function is
provided in the Compatibility chapter.
Example:
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
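As an added example (not part of the Apache documentation), a Python audit script that parses lines written by the CustomLog format above and reports connections that negotiated SSLv2/SSLv3 or an export or otherwise weak cipher; the log lines are constructed samples, and the weak-cipher patterns are an assumption, not a mod_ssl list.

```python
import re
from collections import Counter

# Matches the CustomLog format above: %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<bytes>\S+)$'
)

# Constructed sample lines in that format (not real traffic).
SAMPLE_LOG = """\
[10/Oct/2000:13:55:36 -0700] 192.0.2.10 TLSv1 DHE-RSA-AES256-SHA "GET /index.html HTTP/1.1" 2326
[10/Oct/2000:13:55:40 -0700] 192.0.2.11 SSLv2 EXP-RC4-MD5 "GET /login HTTP/1.0" 512
[10/Oct/2000:13:55:41 -0700] 198.51.100.5 SSLv3 DES-CBC3-SHA "GET /report HTTP/1.0" -
"""

def parse_line(line):
    """Return a dict of the logged fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b logs '-' for no bytes
    return rec

def weak_reasons(rec):
    """List why a record is weak: obsolete protocol and/or export or weak cipher."""
    reasons = []
    if rec["proto"] in ("SSLv2", "SSLv3"):
        reasons.append("protocol " + rec["proto"])
    cipher = rec["cipher"]
    if cipher.startswith("EXP"):            # export-grade suite (SSL_CIPHER_EXPORT would be true)
        reasons.append("export cipher")
    if "NULL" in cipher or "RC4" in cipher or cipher.endswith("MD5"):
        reasons.append("weak cipher " + cipher)
    return reasons

def audit(log_text):
    """Return ({host: [reasons]}, Counter of protocols seen) over all parseable lines."""
    findings, protos = {}, Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:           # lines in another format are skipped, not counted
            continue
        protos[rec["proto"]] += 1
        reasons = weak_reasons(rec)
        if reasons:
            findings.setdefault(rec["host"], []).extend(reasons)
    return findings, protos
```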
SSLCACertificateFile Directive
Description: File of concatenated PEM-encoded CA Certificates for Client Auth
Syntax: SSLCACertificateFile file-path
Context: server config, virtual host
Status: Extension
Module: mod_ssl
This directive sets the all-in-one file where you can assemble the
Certificates of Certification Authorities (CA) whose clients you deal
with. These are used for Client Authentication. Such a file is simply the
concatenation of the various PEM-encoded Certificate files, in order of
preference. This can be used alternatively and/or additionally to
SSLCACertificatePath.
# Note: SSLCACertificateFile specifies a CA certificate file, which is used to verify other certificates signed by that CA.
# This file must be PEM-encoded (base64) and contains multiple certificates.
Example
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt
SSLCACertificatePath Directive
Description: Directory of PEM-encoded CA Certificates for Client Auth
Syntax: SSLCACertificatePath directory-path
Context: server config, virtual host
Status: Extension
Module: mod_ssl
This directive sets the directory where you keep the Certificates of
Certification Authorities (CAs) whose clients you deal with. These are used to
verify the client certificate on Client Authentication.
# Note: the SSLCACertificatePath directive sets the directory where you keep CA certificates. These certificates are used to verify client certificates.
The files in this directory have to be PEM-encoded and are accessed through
hash filenames. So usually you can't just place the Certificate files there: you
also have to create symbolic links named hash-value.N. And
you should always make sure this directory contains the appropriate symbolic
links.
Example
SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/
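An added helper, not part of mod_ssl or Apache, that creates the hash-value.N symbolic links a SSLCACertificatePath directory needs, written in Python. It assumes the openssl command-line tool is on the PATH and that the certificate files end in .crt or .pem; OpenSSL 1.0.0 changed the subject-name hash, so for a mod_ssl linked against an older OpenSSL pass hash_flag="-subject_hash_old" (that flag exists in OpenSSL 1.0.0 and later).

```python
import os
import subprocess

def cert_hash(pem_path, hash_flag="-hash"):
    """Subject-name hash of a PEM certificate, as printed by `openssl x509`.
    Use hash_flag="-subject_hash_old" when mod_ssl is linked against an
    OpenSSL older than 1.0.0, which used a different hash."""
    out = subprocess.run(["openssl", "x509", "-noout", hash_flag, "-in", pem_path],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()

def next_link_name(hash_value, existing_names):
    """Return hash_value.N with the lowest N not already present in the directory.
    Several CA certificates can share one subject hash (e.g. a re-keyed CA with
    the same name), so each needs its own suffix instead of replacing the first."""
    n = 0
    while "%s.%d" % (hash_value, n) in existing_names:
        n += 1
    return "%s.%d" % (hash_value, n)

def build_hash_links(cert_dir, hash_flag="-hash"):
    """Create the hash-value.N symlinks for every .crt/.pem file in cert_dir.
    Returns [(link_name, target_name)]. Certificates that already have a link are
    skipped, so the function can be re-run after a new CA certificate is added."""
    existing = set(os.listdir(cert_dir))
    linked_to = {os.readlink(os.path.join(cert_dir, e))
                 for e in existing if os.path.islink(os.path.join(cert_dir, e))}
    created = []
    for name in sorted(existing):
        if not name.endswith((".crt", ".pem")) or name in linked_to:
            continue
        link = next_link_name(cert_hash(os.path.join(cert_dir, name), hash_flag), existing)
        os.symlink(name, os.path.join(cert_dir, link))  # relative target: survives moving the dir
        existing.add(link)
        created.append((link, name))
    return created

if __name__ == "__main__":
    import sys
    for link, target in build_hash_links(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(link, "->", target)
```

Restart Apache after creating the links, since mod_ssl reads the directory at startup.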
SSLCARevocationFile Directive
Description: File of concatenated PEM-encoded CA CRLs for Client Auth
Syntax: SSLCARevocationFile file-path
Context: server config, virtual host
Status: Extension
Module: mod_ssl
This directive sets the all-in-one file where you can assemble the
Certificate Revocation Lists (CRL) of Certification Authorities (CA) whose
clients you deal with. These are used for Client Authentication. Such a
file is simply the concatenation of the various PEM-encoded CRL files, in order
of preference. This can be used alternatively and/or additionally to
SSLCARevocationPath.
# Note: SSLCARevocationFile specifies a CRL file. The file may contain multiple certificates.
Example
SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-client.crl
SSLCARevocationPath Directive
Description: Directory of PEM-encoded CA CRLs for Client Auth
Syntax: SSLCARevocationPath directory-path
Context: server config, virtual host
Status: Extension
Module: mod_ssl
This directive sets the directory where you keep the Certificate Revocation
Lists (CRL) of Certification Authorities (CAs) whose clients you
