The directives in this module set the locations of certificate and
key files, specify options for the behavior of the encryption engine,
and set up authorization requirements for access to protected parts
of the server. The module also creates a number of new
SSL_* environment variables, which will be
available to SSI, CGI, and custom logging formats.
SSLCipherSuite cipher_spec
[server config, within <VirtualHost> or <Directory>, or .htaccess]
This directive combines a number of cipher specifications to
configure the Cipher Suite. The Cipher Suite is the set of methods or
algorithms used by the server and client to establish secure
communications. The cipher suite is negotiated during the handshake
phase, just after a client sends an SSL request. The
cipher_spec provided by this directive lists a
set of methods that the server will support for a request. The client
and server negotiate the most common and preferred methods in this
list to use for transactions.
The cipher_spec is a rather complex string that
requires at least one declaration for each of the following: a key
exchange algorithm, an authentication algorithm, a cipher or
encryption algorithm, and a MAC digest algorithm. You can additionally
declare an export cipher. There are many different tags for specific
ciphers that can be combined in the cipher spec. Certain alias tags
have been defined to group ciphers into specific sets that correspond to
particular protocols and levels of security. Table 19-2 lists the alias tags.
Table 19-2. Cipher tag aliases

Tag      | Description
---------|-----------------------------------------------------------
SSLv2    | All SSL 2.0 ciphers
SSLv3    | All SSL 3.0 ciphers
TLSv1    | All TLS 1.0 ciphers
EXP      | All export ciphers
EXPORT40 | 40-bit export ciphers only
EXPORT56 | 56-bit export ciphers only
LOW      | All low strength ciphers (no export, single DES)
MEDIUM   | All ciphers with 128-bit encryption
HIGH     | All Triple-DES ciphers
RSA      | All ciphers that use RSA key exchange
DH       | All ciphers that use Diffie-Hellman key exchange
EDH      | All ciphers that use Ephemeral Diffie-Hellman key exchange
ADH      | All ciphers that use Anonymous Diffie-Hellman key exchange
DSS      | All ciphers that use DSS authentication
NULL     | All ciphers that don't use encryption
The cipher_spec string is composed of a list of cipher tags separated
by colons. Each tag may also have a qualifier placed before it. No
qualifier means that the cipher is added to the list. A + means that
the cipher is added and is pulled to this location in the cipher order.
A - means that the cipher is removed from the list, but can be added
somewhere else. A ! means that the cipher cannot be used at all.
The default value for this directive demonstrates these features:
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
The cipher_spec first includes all ciphers, then
removes the ones it doesn't want
(!ADH) and adjusts the order of preference for the
remaining ciphers. See the Apache and OpenSSL documentation for a
complete list of cipher tags and complete information on using SSL
for secure server communications.
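To make the list-editing rules concrete, here is an added example (not code from the book or from Apache/OpenSSL) that evaluates a cipher_spec against a small constructed cipher table. The table and the suite names are illustrative; the infix + in an item such as RC4+RSA follows OpenSSL's ciphers(1) meaning of "all of these tags", and ALL is taken as OpenSSL defines it, every suite except the NULL-encryption ones.

```python
# Added example: evaluator for the SSLCipherSuite cipher_spec syntax described
# above (colon-separated tags with "", "+", "-" and "!" qualifiers).  The
# cipher table is constructed for illustration; real OpenSSL builds know many
# more suites, but the list-editing rules applied here are the same.

# suite name -> alias tags it belongs to (constructed, following Table 19-2)
CIPHERS = {
    "DES-CBC3-SHA":     {"SSLv3", "RSA", "HIGH"},
    "RC4-SHA":          {"SSLv3", "RSA", "RC4", "MEDIUM"},
    "AES128-SHA":       {"TLSv1", "RSA", "MEDIUM"},
    "DES-CBC-SHA":      {"SSLv3", "RSA", "LOW"},
    "EXP-RC4-MD5":      {"SSLv3", "RSA", "RC4", "EXP", "EXPORT40"},
    "ADH-DES-CBC3-SHA": {"SSLv3", "ADH", "DH", "HIGH"},
    "NULL-SHA":         {"SSLv3", "RSA", "NULL"},
}


def matches(name, item):
    """True when the suite carries every tag of a '+'-joined item.

    ALL is OpenSSL's alias for every suite except the NULL-encryption ones.
    """
    tags = CIPHERS[name]
    if item == "ALL":
        return "NULL" not in tags
    return all(tag in tags for tag in item.split("+"))


def resolve(cipher_spec):
    """Return the ordered list of suites the spec leaves enabled."""
    order, killed = [], set()
    for item in filter(None, cipher_spec.split(":")):
        qualifier = item[0] if item[0] in "+-!" else ""
        hits = [c for c in CIPHERS if matches(c, item[len(qualifier):])]
        if qualifier == "!":      # removed for good: later items cannot re-add
            killed.update(hits)
            order = [c for c in order if c not in hits]
        elif qualifier == "-":    # removed, but a later item may add it back
            order = [c for c in order if c not in hits]
        elif qualifier == "+":    # listed hits move to the end of the list built
            moved = [c for c in order if c in hits]   # so far, so the sequence
            order = [c for c in order if c not in hits] + moved  # sets preference
        else:                     # plain tag: append suites not yet listed
            order += [c for c in hits if c not in order and c not in killed]
    return order


if __name__ == "__main__":
    print(resolve("ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"))
```

Running the default spec through it yields HIGH, then MEDIUM, LOW and EXP suites in that order, with the ADH suite gone; comparing `!ADH:HIGH` with `-ADH:HIGH` shows why `!` rather than `-` is the qualifier to use when a suite must never come back.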