Apache HTTP Server Version 2.4
Description: | Strong cryptography using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols |
---|---|
Status: | Extension |
Module Identifier: | ssl_module |
Source File: | mod_ssl.c |
This module provides SSL v3 and TLS v1.x support for the Apache HTTP Server. SSL v2 is no longer supported.
This module relies on OpenSSL to provide the cryptography engine.
Further details, discussion, and examples are provided in the SSL documentation.
This module can be configured to provide several items of SSL information
as additional environment variables to the SSI and CGI namespace. This
information is not provided by default for performance reasons. (See
SSLOptions
StdEnvVars, below.) The generated variables
are listed in the table below. For backward compatibility the information can
be made available under different names, too. Look in the Compatibility chapter for details on the
compatibility variables.
Variable Name: | Value Type: | Description: |
---|---|---|
HTTPS | flag | HTTPS is being used. |
SSL_PROTOCOL | string | The SSL protocol version (SSLv3, TLSv1, TLSv1.1, TLSv1.2) |
SSL_SESSION_ID | string | The hex-encoded SSL session id |
SSL_SESSION_RESUMED | string | Initial or Resumed SSL Session. Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use |
SSL_SECURE_RENEG | string | true if secure renegotiation is supported, else false |
SSL_CIPHER | string | The cipher specification name |
SSL_CIPHER_EXPORT | string | true if cipher is an export cipher |
SSL_CIPHER_USEKEYSIZE | number | Number of cipher bits (actually used) |
SSL_CIPHER_ALGKEYSIZE | number | Number of cipher bits (possible) |
SSL_COMPRESS_METHOD | string | SSL compression method negotiated |
SSL_VERSION_INTERFACE | string | The mod_ssl program version |
SSL_VERSION_LIBRARY | string | The OpenSSL program version |
SSL_CLIENT_M_VERSION | string | The version of the client certificate |
SSL_CLIENT_M_SERIAL | string | The serial of the client certificate |
SSL_CLIENT_S_DN | string | Subject DN in client's certificate |
SSL_CLIENT_S_DN_ x509 | string | Component of client's Subject DN |
SSL_CLIENT_SAN_Email_ n | string | Client certificate's subjectAltName extension entries of type rfc822Name |
SSL_CLIENT_SAN_DNS_ n | string | Client certificate's subjectAltName extension entries of type dNSName |
SSL_CLIENT_SAN_OTHER_msUPN_ n | string | Client certificate's subjectAltName extension entries of type otherName, Microsoft User Principal Name form (OID 1.3.6.1.4.1.311.20.2.3) |
SSL_CLIENT_I_DN | string | Issuer DN of client's certificate |
SSL_CLIENT_I_DN_ x509 | string | Component of client's Issuer DN |
SSL_CLIENT_V_START | string | Validity of client's certificate (start time) |
SSL_CLIENT_V_END | string | Validity of client's certificate (end time) |
SSL_CLIENT_V_REMAIN | string | Number of days until client's certificate expires |
SSL_CLIENT_A_SIG | string | Algorithm used for the signature of client's certificate |
SSL_CLIENT_A_KEY | string | Algorithm used for the public key of client's certificate |
SSL_CLIENT_CERT | string | PEM-encoded client certificate |
SSL_CLIENT_CERT_CHAIN_ n | string | PEM-encoded certificates in client certificate chain |
SSL_CLIENT_CERT_RFC4523_CEA | string | Serial number and issuer of the certificate. The format matches that of the CertificateExactAssertion in RFC4523 |
SSL_CLIENT_VERIFY | string | NONE , SUCCESS , GENEROUS or FAILED: reason |
SSL_SERVER_M_VERSION | string | The version of the server certificate |
SSL_SERVER_M_SERIAL | string | The serial of the server certificate |
SSL_SERVER_S_DN | string | Subject DN in server's certificate |
SSL_SERVER_SAN_Email_ n | string | Server certificate's subjectAltName extension entries of type rfc822Name |
SSL_SERVER_SAN_DNS_ n | string | Server certificate's subjectAltName extension entries of type dNSName |
SSL_SERVER_SAN_OTHER_dnsSRV_ n | string | Server certificate's subjectAltName extension entries of type otherName, SRVName form (OID 1.3.6.1.5.5.7.8.7, RFC 4985) |
SSL_SERVER_S_DN_ x509 | string | Component of server's Subject DN |
SSL_SERVER_I_DN | string | Issuer DN of server's certificate |
SSL_SERVER_I_DN_ x509 | string | Component of server's Issuer DN |
SSL_SERVER_V_START | string | Validity of server's certificate (start time) |
SSL_SERVER_V_END | string | Validity of server's certificate (end time) |
SSL_SERVER_A_SIG | string | Algorithm used for the signature of server's certificate |
SSL_SERVER_A_KEY | string | Algorithm used for the public key of server's certificate |
SSL_SERVER_CERT | string | PEM-encoded server certificate |
SSL_SRP_USER | string | SRP username |
SSL_SRP_USERINFO | string | SRP user info |
SSL_TLS_SNI | string | Contents of the SNI TLS extension (if supplied with ClientHello) |
x509 specifies a component of an X.509 DN; one of
C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email
. In httpd 2.2.0 and
later, x509 may also include a numeric _n
suffix. If the DN in question contains multiple attributes of the
same name, this suffix is used as a zero-based index to select a
particular attribute. For example, where the server certificate
subject DN included two OU attributes, SSL_SERVER_S_DN_OU_0
and
SSL_SERVER_S_DN_OU_1
could be used to reference each. A
variable name without a _n
suffix is equivalent to that
name with a _0
suffix; the first (or only) attribute.
When the environment table is populated using
the StdEnvVars
option of
the SSLOptions
directive, the
first (or only) attribute of any DN is added only under a non-suffixed
name; i.e. no _0
suffixed entries are added.
In httpd 2.4.32 and later, an optional _RAW suffix may be
added to x509 in a DN component, to suppress conversion of
the attribute value to UTF-8. This must be placed after the index
suffix (if any). For example, SSL_SERVER_S_DN_OU_RAW
or
SSL_SERVER_S_DN_OU_0_RAW
could be used.
The format of the *_DN variables has changed in Apache HTTPD
2.3.11. See the LegacyDNStringFormat
option for
SSLOptions
for details.
SSL_CLIENT_V_REMAIN
is only available in version 2.1
and later.
A number of additional environment variables can also be used
in SSLRequire
expressions, or in custom log
formats:
HTTP_USER_AGENT PATH_INFO AUTH_TYPE HTTP_REFERER QUERY_STRING SERVER_SOFTWARE HTTP_COOKIE REMOTE_HOST API_VERSION HTTP_FORWARDED REMOTE_IDENT TIME_YEAR HTTP_HOST IS_SUBREQ TIME_MON HTTP_PROXY_CONNECTION DOCUMENT_ROOT TIME_DAY HTTP_ACCEPT SERVER_ADMIN TIME_HOUR THE_REQUEST SERVER_NAME TIME_MIN REQUEST_FILENAME SERVER_PORT TIME_SEC REQUEST_METHOD SERVER_PROTOCOL TIME_WDAY REQUEST_SCHEME REMOTE_ADDR TIME REQUEST_URI REMOTE_USER
In these contexts, two special formats can also be used: