HP Secure Web Server Documentation
SSL User Guide
Chapter 4: Using mod_ssl Directives
The mod_ssl directives are your means for configuring OpenSSL to function in exactly the way you want for your SSL-enabled HP Secure Web Server. All mod_ssl directives can be applied to the main server configuration file (HTTPD.CONF) by inclusion in the MOD_SSL.CONF include file.
Topics
- How to apply mod_ssl directives
- Entering directives in MOD_SSL.CONF
- Using access files
- Mapping mod_ssl contexts
- Summary of mod_ssl directives
How to apply mod_ssl directives
There are three classes of mod_ssl directives used by HP Secure Web Server:
- Global directives: Although you can put these anywhere in the HTTPD.CONF file, you should use the MOD_SSL.CONF include file, outside any sectioning commands such as <VirtualHost>.
- Per-server directives: You can put these in HTTPD.CONF (using the MOD_SSL.CONF include file), either outside sections (for the main/default server) or inside <VirtualHost> sections.
- Per-directory directives: You can put these in HTTPD.CONF (using the MOD_SSL.CONF include file) and in the per-directory .HTACCESS files.
The three classes of directives are hierarchical: per-directory directives can also be used in the per-server and global contexts, and per-server directives can also be used in the global context.
Entering directives in the server configuration file
Directives in the MOD_SSL.CONF file are included in the HTTPD.CONF server configuration file. As with any change to HTTPD.CONF, a change to MOD_SSL.CONF has no effect until you shut down and restart the server.
Because MOD_SSL.CONF is an include file, changes to it are not affected by disabling SSL. When you re-enable SSL, the same file is included in HTTPD.CONF again.
Note: Although mod_ssl permits many directives to be entered in other configuration files, you should not add mod_ssl directives directly to HTTPD.CONF or to other configuration files (including SRM.CONF and ACCESS.CONF).
To edit the MOD_SSL.CONF file, use one of these commands:
EDIT APACHE$COMMON:[CONF]MOD_SSL.CONF
if you are using common configuration files across a cluster, or
EDIT APACHE$ROOT:[CONF]MOD_SSL.CONF
if you are using system-specific configuration files.
Warning: Editing MOD_SSL.CONF or HTTPD.CONF can affect or prevent your server from running. If necessary, copies of these files exist at:
APACHE$COMMON:[APACHE.SRC.OS.OPENVMS]MOD_SSL.CONF
APACHE$COMMON:[APACHE.SRC.OS.OPENVMS]HTTPD.CONF-DIST-OPENVMS-SSL
Using access files
Using access files (by default .HTACCESS files) is more flexible, but puts a greater burden on performance and security. Remember also that the default setting in HTTPD.CONF is AllowOverride None, meaning that directives in .HTACCESS files are ignored. Overrides are activated by the AllowOverride directive, and apply to a particular scope (such as a directory) and all its descendants, unless further modified by other AllowOverride directives at lower levels.
Here are some usage guidelines:
- HP Secure Web Server automatically looks for the access files in each document directory.
- You do not have to restart the server after changing an access file's contents.
- You can redefine the name of the access files (.HTACCESS by default) with the AccessFileName directive in HTTPD.CONF (using the MOD_SSL.CONF include file).
- The contents of the access files are treated as if they were in the <Directory> section of MOD_SSL.CONF. Therefore, you should not use the <Directory> sectioning command inside the access files.
Mapping mod_ssl contexts
The www.modssl.org documentation refers to contexts such as "server config" and "virtual host". Different directives may be applied in different contexts, and the context determines the scope of a directive's effect. These contexts should be understood as follows:
server config
This context means that you can use the directive in HTTPD.CONF (using the MOD_SSL.CONF include file) but not within any <VirtualHost> or <Directory> containers. It is not allowed in .HTACCESS files at all.
virtual host
This context means that you can use the directive in HTTPD.CONF (using the MOD_SSL.CONF include file) but only inside <VirtualHost> sections.
directory
The <Directory> section of MOD_SSL.CONF should specify the same path as the DocumentRoot does. By default:
<Directory "/apache$common/htdocs">
Each directory to which CSWS has access can be separately configured with respect to which services and features are allowed and/or disabled in that directory (and its subdirectories).
location
By default, all requests are taken from the DocumentRoot directory, but you can use symbolic links and aliases to point to other locations. For example:
<Location /server-info>
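The following is an added example, not part of the HP documentation, showing how the three classes of directives from "How to apply mod_ssl directives", the access-file rules from "Using access files", and the contexts just described map onto a MOD_SSL.CONF fragment and a .HTACCESS file. The certificate, key, log and cache paths and the _default_:443 address are assumptions chosen for illustration, not HP's shipped values.

```apache
# Added example (not HP's shipped MOD_SSL.CONF). Paths and the
# _default_:443 address are assumed placeholders.

# ---- MOD_SSL.CONF (included from HTTPD.CONF; restart needed) ----

# Global context ("server config"): outside every <VirtualHost> and
# <Directory>. These directives are not allowed in .HTACCESS at all.
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/apache$common/logs/ssl_scache
SSLSessionCacheTimeout 300

# Per-server context: the main server or a <VirtualHost>.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /apache$common/conf/ssl_crt/server.crt
    SSLCertificateKeyFile /apache$common/conf/ssl_key/server.key
    SSLLog      /apache$common/logs/ssl_engine_log
    SSLLogLevel warn

    # Per-directory context. The path matches DocumentRoot, as the
    # "directory" context above requires.
    <Directory "/apache$common/htdocs">
        SSLRequireSSL
        # HTTPD.CONF defaults to AllowOverride None, which silently
        # ignores every .HTACCESS file. AuthConfig is the override
        # class listed for SSLRequireSSL and SSLVerifyDepth.
        AllowOverride AuthConfig
    </Directory>
</VirtualHost>

# ---- .HTACCESS in /apache$common/htdocs/private (no restart) ----
# Read as if it sat inside the <Directory> section above, so no
# <Directory> container is written here.
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 1
```

The .HTACCESS part takes effect on the next request without a restart, but only because the enclosing <Directory> grants AllowOverride AuthConfig; with the HTTPD.CONF default of AllowOverride None the file is read and ignored, which is easy to mistake for a working restriction.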
Summary of mod_ssl directives
Note: In the following summary listing, HTTPD.CONF (using the MOD_SSL.CONF include file) is used where "server config" appears in the official mod_ssl documentation.
Use these directives to determine how the SSL Engine will operate:
SSLEngine
  Description: Switches the SSL Engine on or off.
  Syntax: SSLEngine on|off
  Default: SSLEngine on
  Context: HTTPD.CONF, virtual host
SSLProtocol
  Description: Configures usable SSL protocol flavors.
  Syntax: SSLProtocol [+-]protocol ..., where protocol can be SSLv2, SSLv3, TLSv1, or All.
  Default: SSLProtocol all
  Context: HTTPD.CONF, virtual host
  Override: Options
SSLLog
  Description: Specifies where to write the dedicated SSL engine logfile.
  Syntax: SSLLog filename
  Default: None
  Context: HTTPD.CONF, virtual host
SSLLogLevel
  Description: Sets the logging level for the dedicated SSL engine logfile.
  Syntax: SSLLogLevel level, where level can be none, error, warn, info, trace, or debug.
  Default: SSLLogLevel none
  Context: HTTPD.CONF, virtual host
Use these directives to set server startup and administration:
SSLPassPhraseDialog
  Description: Determines the type of pass-phrase dialog for decrypting private keys at startup time. The default requires manual entry of pass phrases.
  Syntax: SSLPassPhraseDialog type, where type is builtin or exec:/path/to/program
  Default: SSLPassPhraseDialog builtin
  Context: HTTPD.CONF
  OpenVMS note: Do not use an encoded pass phrase with the builtin option.
SSLMutex
  Description: Provides a method for mutual exclusion of internal operations.
  Syntax: SSLMutex type, where type is none, file:/path/to/mutex, sem, or csem
  Default: SSLMutex none
  Context: HTTPD.CONF
  OpenVMS note: OpenVMS uses a semaphore-caching mutex, because it is faster than file locking.
SSLRandomSeed
  Description: Configures one or more sources for seeding the Pseudo Random Number Generator (PRNG) in OpenSSL at startup time.
  Syntax: SSLRandomSeed context source [bytes], where source is builtin, file:/path/to/source, or exec:/path/to/program
  Default: None
  Context: HTTPD.CONF
Use these directives to determine how a secure connection should be established and maintained with the client:
SSLCipherSuite
  Description: Specifies the cipher suite for negotiation in the SSL handshake.
  Syntax: SSLCipherSuite cipher-spec
  Default: SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  Context: HTTPD.CONF, virtual host, directory, .HTACCESS
  Override: AuthConfig
SSLSessionCache
  Description: Configures the storage type of the global/interprocess SSL Session Cache.
  Syntax: SSLSessionCache type, where type is none, dbm:/path/to/datafile, SHM, or CSHM
  Context: HTTPD.CONF
  OpenVMS note: OpenVMS uses a file-based session cache. (OpenVMS does not support a shared-memory session cache at this time.)
SSLSessionCacheTimeout
  Description: Sets the number of seconds before an SSL session expires in the Session Cache.
  Syntax: SSLSessionCacheTimeout seconds
  Default: SSLSessionCacheTimeout 300
  Context: HTTPD.CONF, virtual host
Use these directives to specify the file or directory locations of certificate, key, chain, and revocation files:
SSLCertificateFile
  Description: Specifies the server PEM-encoded X.509 Certificate file.
  Syntax: SSLCertificateFile filename
  Default: None
  Context: HTTPD.CONF, virtual host
SSLCertificateKeyFile
  Description: Specifies the server PEM-encoded Private Key file.
  Syntax: SSLCertificateKeyFile filename
  Default: None
  Context: HTTPD.CONF, virtual host
SSLCertificateChainFile
  Description: Specifies a file with concatenated PEM-encoded server CA certificates.
  Syntax: SSLCertificateChainFile filename
  Default: None
  Context: HTTPD.CONF, virtual host
SSLCACertificatePath
  Description: Specifies the directory of PEM-encoded CA certificates for client authorization.
  Syntax: SSLCACertificatePath directory
  Default: None
  Context: HTTPD.CONF, virtual host
SSLCACertificateFile
  Description: Specifies a file of concatenated PEM-encoded CA certificates for client authorization.
  Syntax: SSLCACertificateFile filename
  Default: None
  Context: HTTPD.CONF, virtual host
SSLCARevocationPath
  Description: Specifies the directory of PEM-encoded CA client revocation lists for client authorization.
  Syntax: SSLCARevocationPath directory
  Default: None
  Context: HTTPD.CONF, virtual host
SSLCARevocationFile
  Description: Specifies a file of concatenated PEM-encoded CA client revocation lists for client authorization.
  Syntax: SSLCARevocationFile filename
  Default: None
  Context: HTTPD.CONF, virtual host
Use these directives to enforce secure connections according to the level of server and client authentication you want:
SSLVerifyClient
  Description: Specifies the type of Client Certificate verification.
  Syntax: SSLVerifyClient level
  Default: SSLVerifyClient none
  Context: HTTPD.CONF, virtual host, directory, .HTACCESS
SSLVerifyDepth
  Description: Sets the maximum depth of CA certificates in client certificate verification.
  Syntax: SSLVerifyDepth number
  Default: SSLVerifyDepth 1
  Context: HTTPD.CONF, virtual host, directory, .HTACCESS
  Override: AuthConfig
SSLRequireSSL
  Description: Denies client access when not using an https request.
  Syntax: SSLRequireSSL
  Default: None
  Context: directory, .HTACCESS
  Override: AuthConfig
SSLRequire
  Description: Allows client access only when a custom Boolean expression is True.
  Syntax: SSLRequire expression
  Default: None
  Context: directory, .HTACCESS
  Override: AuthConfig
SSLOptions
  Description: Configures various SSL engine run-time options.
  Syntax: SSLOptions [+-]option ..., where option can be StdEnvVars, CompatEnvVars, ExportCertData, FakeBasicAuth, StrictRequire, or OptRenegotiate.
  Default: None
  Context: HTTPD.CONF, virtual host, directory, .HTACCESS
  Override: Options
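As an added example, not taken from the HP documentation, the fragment below places the weaker defaults from this summary beside hardened replacements built only from the directives listed above. File paths and the _default_:443 address are assumptions; SSL_CIPHER_USEKEYSIZE is a standard mod_ssl variable available in SSLRequire expressions.

```apache
# Added example (not HP's MOD_SSL.CONF). Paths and the _default_:443
# address are assumed placeholders. Each commented-out line is the
# weaker setting that the line after it replaces.
<VirtualHost _default_:443>
    SSLEngine on

    # Weak: the default "all" admits SSLv2, a protocol version with
    # known design flaws; disable it with the [-] prefix.
    #SSLProtocol all
    SSLProtocol all -SSLv2

    # Weak: the default leaves export (EXP), LOW and SSLv2-only suites
    # negotiable, so a downgraded client is still accepted.
    #SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCipherSuite ALL:!ADH:!EXP:!LOW:!SSLv2:+HIGH:+MEDIUM

    SSLCertificateFile      /apache$common/conf/ssl_crt/server.crt
    SSLCertificateKeyFile   /apache$common/conf/ssl_key/server.key
    SSLCertificateChainFile /apache$common/conf/ssl_crt/ca_chain.crt

    # Weak: the default log level records nothing, so failed
    # handshakes and bad client certificates leave no trace.
    #SSLLogLevel none
    SSLLog      /apache$common/logs/ssl_engine_log
    SSLLogLevel warn

    # Client authentication for a protected tree: the issuing CA and
    # its revocation list are per-server directives ...
    SSLCACertificateFile /apache$common/conf/ssl_crt/client_ca.crt
    SSLCARevocationFile  /apache$common/conf/ssl_crl/client_ca.crl

    # ... while the verification policy is per-directory.
    <Directory "/apache$common/htdocs/private">
        # Weak: plain http requests and anonymous clients reach the tree.
        #SSLVerifyClient none
        SSLRequireSSL
        SSLVerifyClient require
        # Depth 1 accepts only certificates issued directly by the CA
        # above; raise it only for a genuine multi-level chain.
        SSLVerifyDepth 1
        # Also demand a 128-bit or longer session key, and make the
        # SSLRequire/SSLRequireSSL denial absolute (StrictRequire).
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
        SSLOptions +StrictRequire
    </Directory>
</VirtualHost>
```

After editing, restart the server and confirm in the SSLLog file that the expected protocol and cipher are negotiated; a cipher-spec typo in SSLCipherSuite shows up there as a handshake failure rather than at startup.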