13.7. Apache-SSL's Directives
Apache-SSL's directives follow, with a small section at the end of the chapter concerning CGIs.
SSLDisable Server config, virtual host
Disable SSL. This directive is useful if you wish to run both secure and nonsecure hosts on the same server. Conversely, SSL can be enabled with SSLEnable.
SSLEnable Server config, virtual host
Enable SSL. The default; but if you've used SSLDisable in the main server, you can enable SSL again for virtual hosts using this directive.
SSLRequireSSL Server config, .htaccess, virtual host, directory
Require SSL. This can be used in <Directory> sections (and elsewhere) to protect against inadvertently disabling SSL. If SSL is not in use when this directive applies, access will be refused. This is a useful belt-and-suspenders measure for critical information.
SSLCacheServerPath filename Server config
This directive specifies the path to the global cache server, gcache. It can be absolute or relative to the server root.
SSLCacheServerRunDir directory Server config
Sets the directory in which gcache runs, so that it can produce core dumps during debugging.
SSLCacheServerPort file|port Server config
The cache server can use either TCP/IP or Unix domain sockets. If the file or port argument is a number, then a TCP/IP port at that number is used; otherwise, it is assumed to be the path to use for a Unix domain socket.
SSLSessionCacheTimeout time_in_seconds Server config, virtual host
A session key is generated when a client connects to the server for the first time. This directive sets the length of time in seconds that the session key will be cached locally. Lower values are safer (an attacker then has a limited time to crack the key before a new one will be used) but also slower, because the key will be regenerated at each timeout. If client certificates are being requested by the server, they will also be required to be re-presented at each timeout. For many purposes, timeouts measured in hours are perfectly safe, for example:
SSLCACertificatePath directory Server config, virtual host
This directive specifies the path to the directory where you keep the certificates of the certification authorities whose client certificates you are prepared to accept. They must be PEM encoded.
SSLCACertificateFile filename Server config, virtual host
If you only accept client certificates from a single CA, then you can use this directive instead of SSLCACertificatePath to specify a single PEM-encoded (according to SSLeay) certificate file.
SSLCertificateFile filename Config outside <Directory> or <Location> blocks
This is your PEM-encoded certificate. It is encoded with distinguished encoding rules (DER), and is ASCII-armored so it will go over the Web. If the certificate is encrypted, you are prompted for a passphrase.
SSLCertificateKeyFile filename Config outside <Directory> or <Location> blocks
This is the private key of your PEM-encoded certificate. If the key is not combined with the certificate, use this directive to point at the key file. If the filename starts with "/", it specifies an absolute path; otherwise, it is relative to the default certificate area, which is currently defined by SSLeay to be either /usr/local/ssl/private or <wherever you told ssl to install>/private. Examples:
SSLCertificateKeyFile /usr/local/apache/certs/my.server.key.pem SSLCertificateKeyFile certs/my.server.key.pem
SSLVerifyClient level Default: 0 Server config, virtual host
This directive defines what you require of clients:
SSLVerifyDepth depth Server config, virtual host
In real life, the certificate we are dealing with was issued by a CA, who in turn relied on another CA for validation, and so on, back to a root certificate. This directive specifies how far up or down the chain we are prepared to go before giving up. What happens when we give up is determined by the setting given to SSLVerifyClient. Normally, you only trust certificates signed directly by a CA you've authorized, so this should be set to 1.
SSLFakeBasicAuth Server config, virtual host
This directive makes Apache pretend that the user has been logged in using basic authentication (see Chapter 5, "Authentication"), except that instead of the username you get the one-line X509, a version of the client's certificate. If you switch this on, along with SSLVerifyClient, you should see the results in one of the logs. The code adds a predefined password.
CustomLog nickname Server config, virtual host
CustomLog is a standard Apache directive (see Chapter 11, "What's Going On?" ) to which Apache-SSL adds some extra categories that can be logged:
Copyright © 2001 O'Reilly & Associates. All rights reserved.