C O N T E N T S

HP Secure Web Server Documentation

SSL User Guide

SSL Setup Information

Introduction to SSL

An SSL Primer

  • Using mod_ssl Directives

    Understanding Certificates

    Using the Certificate Tool

    Using Certificates

    Glossary

    		•  Chapter 4:

    Using mod_ssl Directives

    The mod_ssl directives are your means for configuring OpenSSL to function in exactly the way you want for your SSL-enabled HP Secure Web Server. All mod_ssl directives can be applied to the main server configuration file (HTTPD.CONF) by inclusion in the MOD_SSL.CONF include file.

    __Topics_____________________________

    How to apply mod_ssl directives

    Entering directives in MOD_SSL.CONF

    Using access files

    Mapping mod_ssl contexts

    Summary of mod_ssl directives

    How to apply mod_ssl directives

    There are three classes of mod_ssl directives used by HP Secure Web Server:

    • Global Directives Although you can put these anywhere in the HTTPD.CONF file, you should use the MOD_SSL.CONF include file outside any sectioning commands like <VirtualHost>.

    • Per Server Directives You can put these in the HTTPD.CONF (using the MOD_SSL.CONF include file), either outside sections (for the main/default server) or inside <VirtualHost> sections.

    • Per Directory Directives You can put these in the HTTPD.CONF (using the MOD_SSL.CONF include file) file and in the per-directory .HTACCESS files.

    The three classes of directives are hierarchical: per directory directives can also be used in the per server and global context. Per Server directives can also be used in the global context.

    Entering directives in the server configuration file

    Directives in the MOD_SSL.CONF file are included in the HTTPD.CONF server configuration file. Like any change to HTTPD.CONF, it has no effect until shutting down and restarting the server.

    Since MOD_SSL.CONF is an include file, changes to it are not affected by disabling SSL. When you reenable it, the same file is included in HTTPD.CONF again.

    Note: Although mod_ssl permits many directives to be entered in other configuration files, you should not add mod_ssl directives directly to HTTPD.CONF or to other configuration files (including SRM.CONF and ACCESS.CONF).

    To edit the MOD_SSL.CONF file, use this command:

    EDIT APACHE$COMMON:[CONF]MOD_SSL.CONF

    if you are using common configuration files across a cluster

    or

    EDIT APACHE$ROOT:[CONF]MOD_SSL.CONF

    if you are using system-specific configuration files

    Warning: Editing MOD_SSL.CONF or HTTPD.CONF can effect or prevent your server from running. If necessary, copies of these file exist:

    APACHE$COMMON:[APACHE.SRC.OS.OPENVMS]MOD_SSL.CONF APACHE$COMMON:[APACHE.SRC.OS.OPENVMS]HTTPD.CONF-DIST-OPENVMS-SSL

    Using access files

    Using access files (by default .HTACCESS files) is more flexible, but puts a greater burden on performance and security. Remember also that the default setting in HTTPD.CONF is AllowOverride None, meaning directives in .HTACCESS files are ignored. Overrides are activated by the AllowOverride directive, and apply to a particular scope (such as a directory) and all descendants, unless further modified by other AllowOverride directives at lower levels.

    Here are some usage guidelines:

    • HP Secure Web Server automatically looks for the access files in each document directory.
    • You do not have to restart the server after changing an access file's contents.
    • You can redefine the name of the access files (.HTACCESS by default) with the AccessFileName directive in HTTPD.CONF (using the MOD_SSL include file).
    • The contents of the access files are treated as if they are in the <Directory> section of MOD_SSL.CONF. Therefore, you should not use the <Directory> sectioning command inside the access files.
    Mapping mod_ssl contexts

    The www.modssl.org documentation refers to contexts such as server config and virtual host. Different directives may be applied in different contexts, and these determine the scope of their effect. These contexts should be understood as follows:

    server config
    This context means that you can use the directive in HTTPD.CONF (using the MOD_SSL.CONF include file) but not within any <VirtualHost> or <Directory> containers. It is not allowed in .HTACCESS files at all.

    virtual host
    This context means that you can use the directive in HTTPD.CONF (using the MOD_SSL.CONF include file) but only inside <VirtualHost> sections of HTTPD.CONF.

    directory
    The <Directory> section of MOD_SSL.CONF should specify the same path as the DocumentRoot does. By default:

    <Directory "/apache$common/htdocs">

    Each directory to which CSWS has access can be separately configured with respect to which services and features are allowed and/or disabled in that directory (and its subdirectories).

    location

    By default, all requests are taken from the DocumentRoot directory, but you can use symbolic links and aliases to point to other locations. For example:

    <Location /server-info>

    Summary of mod_ssl directives

    For official mod_ssl documentation on each directive, click the symbols.

    For more information about directives, click the symbols.

    Note: In the following summary listing, HTTPD.CONF (using the MOD_SSL.CONF include file) is used where "server config" appears in the mod_ssl official documentation.

    Use these directives to determine how the SSL Engine will operate:

    SSLEngine
    Description: Switches the SSL Engine on or off.
    Syntax: SSLEngine on|off
    Default: SSLEngine on
    Context: HTTPD.CONF, virtual host

     

    SSLProtocol
    Description: Configures usable SSL protocol flavors.
    Syntax: SSLProtocol [+-]protocol

    where [+-]protocol can be SSLv2, SSLv3, TLSv1, or All.

    Default: SSLProtocol all
    Context: HTTPD.CONF, virtual host
    Override: Options

     

    SSLLog
    Description Specifies where to write the dedicated SSL engine logfile.
    Syntax: SSLLog filename
    Default: None
    Context: HTTPD.CONF, virtual host

     

    SSLLogLevel
    Description: Sets the logging level for the dedicated SSL engine logfile.
    Syntax: SSLLogLevel level

    where level can be none, error, warn, info, trace, and debug
    Default: SSLLogLevel none
    Context: HTTPD.CONF, virtual host

     

    Use these directives to set server startup and administration:

    SSLPassPhraseDialog
    Description: Determines the type of pass-phrase dialog for decrypting private keys at startup time. The default requires manual entry of pass phrases.
    Syntax: SSLPassPhraseDialog type

    where type is builtin or exec:/path/to/program
    Default: SSLPassPhraseDialog builtin
    Context: HTTPD.CONF
    OpenVMS note: Do not use an encoded pass phrase with the builtin option.

     

    SSLMutex
    Description: Provides a method for mutual exclusion of internal operations.
    Syntax: SSLMutex type

    where type is none, file:/path/to/mutex, sem, or csem
    Default: SSLMutex none
    Context: HTTPD.CONF
    OpenVMS note: OpenVMS uses semaphore-caching mutex, because it's faster than file locking.

     

    SSLRandomSeed
    Description: Configures one or more sources for seeding the Pseudo Random Number Generator (PRNG) in OpenSSL at startup time.
    Syntax: SSLRandomSeed context source [bytes]

    where context source is builtin, file:/path/to/source, or exec:/path/to/program.
    Default: none
    Context: HTTPD.CONF

     

    Use these directives to determine how a secure connection should be established and maintained with the client:

    SSLCipherSuite
    Description: Specifies the cipher suite for negotiation in the SSL handshake.
    Syntax: SSLCipherSuite cipher-spec
    Default: SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    Context: HTTPD.CONF, virtual host, directory, .HTACCESS
    Override: AuthConfig

     

    SSLSessionCache
    Description: Configures storage type of the global/interprocess SSL Session Cache.
    Syntax SSLSessionCache type

    where type is none, dbm:/path/to/datafile, SHM or CSHM
    Context: HTTPD.CONF
    OpenVMS note: OpenVMS uses a file-based session cache. (OpenVMS does not support a shared-memory session cache at this time.)

     

    SSLSessionCacheTimeout
    Description: Sets the number of seconds before an SSL session expires in the Session Cache.
    Syntax: SSLSessionCacheTimeout seconds
    Default: SSLSessionCacheTimeout 300
    Context: HTTPD.CONF, virtual host

     

    Use these directives to specify the file or directory locations of certificate, key, chain, and revocation files:

    SSLCertificateFile
    Description: Specifies the server PEM-encoded X.509 Certificate file.
    Syntax: SSLCertificateFile filename
    Default: None
    Context: HTTPD.CONF, virtual host

     

    SSLCertificateKeyFile
    Description: Specifies the server PEM-encoded Private Key file.
    Syntax: SSLCertificateKeyFile filename
    Default: None
    Context: HTTPD.CONF, virtual host

     

    SSLCertificateChainFile
    Description: Specifies a file with concatenated PEM-encoded server CA certificates.
    Syntax: SSLCertificateChainFile filename
    Default: None
    Context: HTTPD.CONF, virtual host

     

    SSLCACertificatePath
    Description: Specifes the directory of PEM-encoded CA certificates for client authorization.
    Syntax: SSLCACertificatePath directory
    Default: None
    Context: HTTPD.CONF, virtual host

     

    SSLCACertificateFile
    Description: File of concatenated PEM-encoded CA certificates for client authorization.
    Syntax: SSLCACertificateFile filename
    Default: None
    Context: HTTPD.CONF, virtual host

     

    SSLCARevocationPath
    Description: Directory of PEM-encoded CA client revocation lists for client
    authorization.
    Syntax: SSLCARevocationPath directory
    Default: None
    Context: HTTPD.CONF, virtual host

     

    SSLCARevocationFile
    Description: File of concatenated PEM-encoded CA client revocation lists for client
    authorization.
    Syntax: SSLCARevocationFile filename
    Default: None
    Context: HTTPD.CONF, virtual host

     

    Use these directives to enforce secure connections according to the level of server and client authentication you want:

    SSLVerifyClient
    Description: Specifies the type of Client Certificate verification.
    Syntax: SSLVerifyClient level
    Default: SSLVerifyClient none
    Context: HTTPD.CONF, virtual host, directory, .HTACCESS

     

    SSLVerifyDepth
    Description: Sets the maximum depth of CA certificates in client certificate
    verification.
    Syntax: SSLVerifyDepth number
    Default: SSLVerifyDepth 1
    Context: HTTPD.CONF, virtual host, directory, .HTACCESS
    Override: AuthConfig

     

    SSLRequireSSL
    Description: Denies client access when not using an https request.
    Syntax: SSLRequireSSL
    Default: None
    Context: directory, .HTACCESS
    Override: AuthConfig

     

    SSLRequire
    Description: Allows client access only when a custom Boolean expression is True.
    Syntax: SSLRequire expression
    Default: None
    Context: directory, .htaccess
    Override: AuthConfig

     

    SSLOptions
    Description: Configures various SSL engine run-time options
    Syntax: SSLOptions [+-]option ...

    where option can be StdEnvVars, CompatEnvVars , ExportCertData, FakeBasicAuth, StrictRequire, and OptRenegotiate.
    Default: None
    Context: HTTPD.CONF, virtual host, directory, .HTACCESS
    Override: Options