When the responder does not use nonces e. This directive can be used to control various run-time options on a per-directory basis.
Normally, if multiple SSLOptions could apply to a directory, then the most specific one is taken completely; the options are not merged. This is disabled by default for performance reasons, because the information extraction step is a rather expensive operation. These contain the PEM-encoded X. Additionally, all other certificates of the client certificate chain are provided, too. This bloats up the environment a little, which is why you have to use this option to enable it on demand.
This means that the standard Apache authentication methods can be used for access control. The user name is just the Subject of the Client's X Certificate and can be determined by running OpenSSL's openssl x command: openssl x -noout -subject -in certificate.
Note that no password is obtained from the user. By default a strict scheme is enabled where every per-directory reconfiguration of SSL parameters causes a full SSL renegotiation handshake. Nevertheless, these granular checks sometimes may not be what the user expects, so please enable this on a per-directory basis only. Since version 2. This uses commas as delimiters between the attributes, allows the use of non-ASCII characters (which are converted to UTF8), escapes various special characters with backslashes, and sorts the attributes with the "C" attribute last.
This query can be done in two ways, which can be configured by type: This is the default, where an interactive terminal dialog occurs at startup time just before Apache detaches from the terminal. Here the administrator has to manually enter the Pass Phrase for each encrypted Private Key file. Because a lot of SSL-enabled virtual hosts can be configured, the following reuse-scheme is used to minimize the dialog: When a Private Key file is encrypted, all known Pass Phrases (at the beginning there are none, of course) are tried.
If one of those known Pass Phrases succeeds no dialog pops up for this particular Private Key file. If none succeeded, another Pass Phrase is queried on the terminal and remembered for the next round where it perhaps can be reused.
This mode allows an external program to be used which acts as a pipe to a particular input device; the program is sent the standard prompt text used for the builtin mode on stdin, and is expected to write password strings on stdout.
If several passwords are needed (or an incorrect password is entered), additional prompt text will be written subsequent to the first password being returned, and more passwords must then be written back. Here an external program is configured which is called at startup for each encrypted Private Key file. In versions 2. The intent is that this external program first runs security checks to make sure that the system is not compromised by an attacker, and only when these checks have passed successfully does it provide the Pass Phrase.
Both these security checks, and the way the Pass Phrase is determined, can be as complex as you like. Nothing more or less! So, if you're really paranoid about security, here is your interface.
Anything else has to be left as an exercise to the administrator, because local security requirements are so different. The reuse-algorithm above is used here, too. In other words: The external program is called only once per unique Pass Phrase. It is supported by nearly every client.
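The reuse scheme just described, as an added simulation that is not mod_ssl's own code: the key files, their pass phrases and the terminal dialog are all constructed stand-ins, and the example counts how many prompts are needed so that the "once per unique Pass Phrase" behaviour is visible.

```python
# Simulation of the pass-phrase reuse scheme described above (added example,
# not mod_ssl code). The key files and their pass phrases are constructed.
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for "does this pass phrase decrypt this key file?"
SIMULATED_KEYS: Dict[str, str] = {
    "/etc/ssl/private/vhost1.key": "alpha",
    "/etc/ssl/private/vhost2.key": "alpha",   # shares a pass phrase
    "/etc/ssl/private/vhost3.key": "bravo",
}

def try_passphrase(key_file: str, passphrase: str) -> bool:
    """Return True when the pass phrase unlocks the (simulated) key file."""
    return SIMULATED_KEYS.get(key_file) == passphrase

def unlock_keys(key_files: List[str],
                ask: Callable[[str], Optional[str]],
                max_attempts: int = 3) -> Tuple[Dict[str, str], int]:
    """Unlock every key file, prompting only when no known pass phrase fits.

    `ask` plays the role of the terminal dialog (or the exec program): it is
    given the key file name and returns a pass phrase, or None to give up.
    Returns the file->pass-phrase mapping and how many prompts were needed.
    """
    known: List[str] = []          # at the beginning there are none
    unlocked: Dict[str, str] = {}
    prompts = 0
    for key_file in key_files:
        # Round 1: silently try every pass phrase learned so far.
        hit = next((pp for pp in known if try_passphrase(key_file, pp)), None)
        if hit is None:
            # Round 2: query a new one and remember it for later key files.
            for _ in range(max_attempts):
                prompts += 1
                candidate = ask(key_file)
                if candidate is not None and try_passphrase(key_file, candidate):
                    hit = candidate
                    known.append(candidate)
                    break
            else:
                raise RuntimeError(f"no valid pass phrase for {key_file}")
        unlocked[key_file] = hit
    return unlocked, prompts

def demo() -> int:
    """Run the scheme over the constructed keys; returns the prompt count."""
    answers = iter(["wrong", "alpha", "bravo"])      # first attempt is a typo
    result, prompts = unlock_keys(list(SIMULATED_KEYS), lambda _: next(answers))
    assert result == SIMULATED_KEYS
    return prompts
```

Three key files, two distinct pass phrases and one mistyped answer give three prompts in total; the second file is unlocked silently from the remembered pass phrase.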
A revision of the TLS 1. Before OpenSSL 1. For compatibility with previous versions, if no SSLProtocol is configured in a name-based virtual host, the one from the base virtual host still applies, unless SSLProtocol is configured globally, in which case the global value applies (this latter exception is more sensible than compatible, though).
This directive sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose remote servers you deal with. These are used for Remote Server Authentication. This directive sets the directory where you keep the Certificates of Certification Authorities (CAs) whose remote servers you deal with.
These are used to verify the remote server certificate on Remote Server Authentication. Enables certificate revocation list (CRL) checking for the remote servers you deal with. With the introduction of this directive, the behavior has been changed: when checking is enabled, CRLs must be present for the validation to succeed; otherwise it will fail with an "unable to get certificate CRL" error.
These are used to revoke the remote server certificate on Remote Server Authentication. This directive sets whether the remote server certificate's CN field is compared against the hostname of the request URL. If both are not equal, a status code Bad Gateway is sent. In all releases 2. In these releases, both directives must be set to off to completely avoid remote server certificate name validation.
Many users reported this to be very confusing. As of release 2. Only the following configuration will trigger the legacy certificate CN comparison in 2. This directive sets whether it is checked if the remote server certificate is expired or not.
If the check fails, a status code Bad Gateway is sent. The check will succeed if the host name from the request URI matches one of the CN attribute(s) of the certificate's subject, or matches the subjectAltName extension. This feature was introduced in 2. This directive sets the all-in-one file where you keep the certificate chain for all of the client certs in use. This directive will be needed if the remote server presents a list of CA certificates that are not direct signers of one of the configured client certificates.
This referenced file is simply the concatenation of the various PEM-encoded certificate files. Upon startup, each client certificate configured will be examined and a chain of trust will be constructed. This directive sets the all-in-one file where you keep the certificates and keys used for authentication of the proxy server to remote servers. The referenced file can contain any number of pairs of client certificate and associated private key.
Each pair can be specified in either certificate, key or key, certificate order. If the file includes any non-leaf certificate, or any unmatched key and certificate pair, a configuration error will be issued at startup. When challenged to provide a client certificate by a remote server, the server should provide a list of acceptable certificate authority names in the challenge. The first configured matching certificate will then be supplied in response to the challenge.
Keys encoded in PKCS8 format, ie. This directive sets the directory where you keep the client certificates and keys used for authentication of the proxy server to remote servers. It will only connect to servers using one of the provided protocols. Please refer to SSLProtocol for additional information. When a proxy is configured to forward requests to a remote SSL server, this directive can be used to configure certificate verification of the remote server.
The depth actually is the maximum number of intermediate certificate issuers, i. A depth of 0 means that self-signed remote server certificates are accepted only, the default depth of 1 means the remote server certificate can be self-signed or has to be signed by a CA which is directly known to the server i. This directive can only be used in the global server context because the PRNG is a global facility.
This is the always available builtin seeding source. Its usage consumes minimal CPU cycles at runtime and hence can always be used without drawbacks. The source used for seeding the PRNG consists of the current time, the current process id and a randomly chosen extract of bytes from the stack.
The drawback is that this is not really a strong source, and at startup time, when the scoreboard is still not available, this source just produces a few bytes of entropy.
So you should always, at least for the startup, use an additional seeding source. The drawback is just that the quality of the received data may not be the best. When bytes is specified, only the first bytes bytes of its stdout contents form the entropy.
When bytes is not specified, the entirety of the data produced on stdout forms the entropy. Using this in the connection context slows down the server too dramatically, of course. So usually you should avoid using external programs in that context.
Use this if no random device exists on your platform. This directive can be used to set the amount of memory that will be used for this buffer. Note that in many configurations, the client sending the request body will be untrusted so a denial of service attack by consumption of memory must be considered when changing this configuration setting.
November kotoroshinoto wrote: I cannot use the newest version in windows 7 because when it tries to start apache, it trips up on some windows security setting or something and fails to run, there is no popup error message, but event viewer reports: "The Apache2. Last month I bought a new laptop with Windows-7 in bits mode. In the file 'httpd. Scache "' into , where after there is NOT made any error.
Who can help me with that problem? December DeVrije wrote: I tried to start Apache and MySql, but they do not go in the running!? December I am using Windows 7 Home Premium 64 bits! Help, who can help me? What to do now? December One issue that I painfully learned is that Xampp conflicts with Skype. Export that certificate from the browser to a file named rootcacert.
Output should be similar to the following: If you do not get any session cache statistics on the server-status page then your SSL configuration is not correctly set. To enable server-status, the following construct can be used in your Apache configuration file: Example
Problems on bit Microsoft Windows
The following error may be encountered in the error. The following topics guide you through the necessary steps: Generate the Certification Request; Modify httpd. The following is an example of a certification request: Please enter the following 'extra' attributes to be sent with your certification request: Be sure to take note of the following: These commands create two files: key.
Remember the password you enter. Send the Certification Request. In the CSR area, paste the certification request from csr. When you receive the certificate, paste it into a file named portalcert.