github.com/krum110487/go-htaccess@v0.0.0-20240316004156-60641c8e7598/tests/data/apache_2_2_34/manual/ssl/ssl_howto.html.en

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
<!--
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
              This file is generated from xml source: DO NOT EDIT
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      -->
<title>SSL/TLS Strong Encryption: How-To - Apache HTTP Server Version 2.2</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
<script src="../style/scripts/prettify.min.js" type="text/javascript">
</script>

<link href="../images/favicon.ico" rel="shortcut icon" /><link href="http://httpd.apache.org/docs/current/ssl/ssl_howto.html" rel="canonical" /></head>
<body id="manual-page"><div id="page-header">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.2</p>
<img alt="" src="../images/feather.gif" /></div>
<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.2</a> > <a href="./">SSL/TLS</a></div><div id="page-content"><div class="retired"><h4>Please note</h4>
<p> This document refers to a legacy release (<strong>2.2</strong>) of Apache httpd. The active release (<strong>2.4</strong>) is documented <a href="http://httpd.apache.org/docs/current">here</a>. If you have not already upgraded, please follow <a href="http://httpd.apache.org/docs/current/upgrading.html">this link</a> for more information.</p>
<p>You may follow <a href="http://httpd.apache.org/docs/current/ssl/ssl_howto.html">this link</a> to go to the current version of this document.</p></div><div id="preamble"><h1>SSL/TLS Strong Encryption: How-To</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="../en/ssl/ssl_howto.html" title="English"> en </a></p>
</div>

<blockquote>
<p>The solution to this problem is trivial
and is left as an exercise for the reader.</p>

<p class="cite">-- <cite>Standard textbook cookie</cite></p>
</blockquote>

<p>How to solve particular security problems for an SSL-aware
webserver is not always obvious because of the interactions between SSL,
HTTP and Apache's way of processing requests. This chapter gives
instructions on how to solve some typical situations. Treat it as a first
step towards the final solution, but always try to understand the
configuration before you use it. Nothing is worse than using a security solution
without knowing its restrictions and how it interacts with other systems.</p>
</div>
<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#ciphersuites">Cipher Suites and Enforcing Strong Security</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#accesscontrol">Client Authentication and Access Control</a></li>
</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="ciphersuites" id="ciphersuites">Cipher Suites and Enforcing Strong Security</a></h2>

<ul>
<li><a href="#realssl">How can I create a real SSLv2-only server?</a></li>
<li><a href="#onlystrong">How can I create an SSL server which accepts strong encryption only?</a></li>
<li><a href="#upgradeenc">How can I create an SSL server which accepts strong encryption only, but allows
export browsers to upgrade to stronger encryption?</a></li>
<li><a href="#strongurl">How can I create an SSL server which accepts all types of ciphers in general, but
requires a strong cipher for access to a particular URL?</a></li>
</ul>

<h3><a name="realssl" id="realssl">How can I create a real SSLv2-only server?</a></h3>

<p>The following creates an SSL server which speaks only the SSLv2 protocol and
its ciphers.</p>

<div class="example"><h3>httpd.conf</h3><p><code>
SSLProtocol -all +SSLv2<br />
SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP<br />
</code></p></div>


<h3><a name="onlystrong" id="onlystrong">How can I create an SSL server which accepts strong encryption
only?</a></h3>

<p>The following enables only the seven strongest ciphers:</p>
<div class="example"><h3>httpd.conf</h3><p><code>
SSLProtocol all<br />
SSLCipherSuite HIGH:MEDIUM<br />
</code></p></div>


<h3><a name="upgradeenc" id="upgradeenc">How can I create an SSL server which accepts strong encryption
only, but allows export browsers to upgrade to stronger encryption?</a></h3>

<p>This facility is called Server Gated Cryptography (SGC) and requires
a Global ID server certificate, signed by a special CA certificate
from Verisign. This enables strong encryption in 'export' versions of
browsers, which traditionally could not support it (because of US export
restrictions).</p>
<p>When a browser connects with an export cipher, the server sends its Global
ID certificate. The browser verifies this, and can then upgrade its
cipher suite before any HTTP communication takes place. The problem
lies in allowing browsers to upgrade in this fashion, but still requiring
strong encryption. In other words, we want browsers to either start a
connection with strong encryption, or to start with export ciphers but
upgrade to strong encryption before beginning HTTP communication.</p>
<p>This can be done as follows:</p>
<div class="example"><h3>httpd.conf</h3><p><code>
# allow all ciphers for the initial handshake,<br />
# so export browsers can upgrade via SGC facility<br />
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br />
<br />
<Directory /usr/local/apache2/htdocs><br />
# but finally deny all browsers which haven't upgraded<br />
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128<br />
</Directory>
</code></p></div>


<h3><a name="strongurl" id="strongurl">How can I create an SSL server which accepts all types of ciphers
in general, but requires a strong cipher for access to a particular
URL?</a></h3>

<p>Obviously, a server-wide <code class="directive"><a href="../mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code> which restricts
ciphers to the strong variants isn't the answer here. However,
<code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> can be reconfigured within <code>Location</code>
blocks, to give a per-directory solution, and can automatically force
a renegotiation of the SSL parameters to meet the new configuration.
This can be done as follows:</p>
<div class="example"><p><code>
# be liberal in general<br />
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br />
<br />
<Location /strong/area><br />
# but https://hostname/strong/area/ and below<br />
# requires strong ciphers<br />
SSLCipherSuite HIGH:MEDIUM<br />
</Location>
</code></p></div>

</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="accesscontrol" id="accesscontrol">Client Authentication and Access Control</a></h2>

<ul>
<li><a href="#allclients">How can I force clients to authenticate using certificates?</a></li>
<li><a href="#arbitraryclients">How can I force clients to authenticate using certificates for a
particular URL, but still allow arbitrary clients to access the rest of the server?</a></li>
<li><a href="#certauthenticate">How can I allow only clients who have certificates to access a
particular URL, but allow all clients to access the rest of the server?</a></li>
<li><a href="#intranet">How can I require HTTPS with strong ciphers, and either
basic authentication or client certificates, for access to part of the
Intranet website, for clients coming from the Internet?</a></li>
</ul>

<h3><a name="allclients" id="allclients">How can I force clients to authenticate using certificates?</a></h3>


<p>When you know all of your users (e.g. as is often the case on a corporate
Intranet), you can require plain certificate authentication. All you
need to do is to create client certificates signed by your own CA
certificate (<code>ca.crt</code>) and then verify the clients against this
certificate.</p>
<div class="example"><h3>httpd.conf</h3><p><code>
# require a client certificate which has to be directly<br />
# signed by our CA certificate in ca.crt<br />
SSLVerifyClient require<br />
SSLVerifyDepth 1<br />
SSLCACertificateFile conf/ssl.crt/ca.crt
</code></p></div>


<h3><a name="arbitraryclients" id="arbitraryclients">How can I force clients to authenticate using certificates for a
particular URL, but still allow arbitrary clients to access the rest of the server?</a></h3>


<p>To force clients to authenticate using certificates for a particular URL,
you can use the per-directory reconfiguration features of <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code>:</p>

<div class="example"><h3>httpd.conf</h3><p><code>
SSLVerifyClient none<br />
SSLCACertificateFile conf/ssl.crt/ca.crt<br />
<br />
<Location /secure/area><br />
SSLVerifyClient require<br />
SSLVerifyDepth 1<br />
</Location><br />
</code></p></div>


<h3><a name="certauthenticate" id="certauthenticate">How can I allow only clients who have certificates to access a
particular URL, but allow all clients to access the rest of the server?</a></h3>


<p>The key to doing this is checking that part of the client certificate
matches what you expect. Usually this means checking all or part of the
Distinguished Name (DN), to see if it contains some known string.
There are two ways to do this, using either <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code> or
<code class="directive"><a href="../mod/mod_ssl.html#sslrequire">SSLRequire</a></code>.</p>

<p>The <code class="module"><a href="../mod/mod_auth_basic.html">mod_auth_basic</a></code> method is generally required when
the certificates are completely arbitrary, or when their DNs have
no common fields (usually the organisation, etc.). In this case,
you should establish a password database containing <em>all</em>
clients allowed, as follows:</p>

<div class="example"><h3>httpd.conf</h3><pre>SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt
SSLVerifyClient none

<Directory /usr/local/apache2/htdocs/secure/area>
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +FakeBasicAuth
SSLRequireSSL
AuthName "Snake Oil Authentication"
AuthType Basic
AuthBasicProvider file
AuthUserFile /usr/local/apache2/conf/httpd.passwd
Require valid-user
</Directory></pre></div>

<p>The password used in this example is the DES-encrypted string "password".
See the <code class="directive"><a href="../mod/mod_ssl.html#ssloptions">SSLOptions</a></code> docs for more
information.</p>

<div class="example"><h3>httpd.passwd</h3><pre>/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA</pre></div>

<p>When your clients are all part of a common hierarchy, which is encoded
into the DN, you can match them more easily using <code class="directive"><a href="../mod/mod_ssl.html#sslrequire">SSLRequire</a></code>, as follows:</p>


<div class="example"><h3>httpd.conf</h3><pre>SSLVerifyClient none
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt

<Directory /usr/local/apache2/htdocs/secure/area>
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +FakeBasicAuth
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
</Directory></pre></div>


<h3><a name="intranet" id="intranet">How can I require HTTPS with strong ciphers, and either basic
authentication or client certificates, for access to part of the
Intranet website, for clients coming from the Internet? I still want to allow
plain HTTP access for clients on the Intranet.</a></h3>


<p>These examples presume that clients on the Intranet have IPs in the range
192.168.1.0/24, and that the part of the Intranet website you want to allow
Internet access to is <code>/usr/local/apache2/htdocs/subarea</code>.
This configuration should remain outside of your HTTPS virtual host, so
that it applies to both HTTPS and HTTP.</p>

<div class="example"><h3>httpd.conf</h3><pre>SSLCACertificateFile conf/ssl.crt/company-ca.crt

<Directory /usr/local/apache2/htdocs>
# Outside the subarea only Intranet access is granted
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
</Directory>

<Directory /usr/local/apache2/htdocs/subarea>
# Inside the subarea any Intranet access is allowed
# but from the Internet only HTTPS + Strong-Cipher + Password
# or the alternative HTTPS + Strong-Cipher + Client-Certificate

# If HTTPS is used, make sure a strong cipher is used.
# Additionally allow client certs as alternative to basic auth.
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +FakeBasicAuth +StrictRequire
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

# Force clients from the Internet to use HTTPS
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
RewriteCond %{HTTPS} !=on
RewriteRule .* - [F]

# Allow Network Access and/or Basic Auth
Satisfy any

# Network Access Control (Allow needs the "from" keyword)
Order deny,allow
Deny from all
Allow from 192.168.1.0/24

# HTTP Basic Authentication
AuthType basic
AuthName "Protected Intranet Area"
AuthBasicProvider file
AuthUserFile conf/protected.passwd
Require valid-user
</Directory></pre></div>

</div></div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="../en/ssl/ssl_howto.html" title="English"> en </a></p>
</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
<script type="text/javascript"><!--//--><![CDATA[//><!--
var comments_shortname = 'httpd';
var comments_identifier = 'http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html';
(function(w, d) {
    if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
        d.write('<div id="comments_thread"><\/div>');
        var s = d.createElement('script');
        s.type = 'text/javascript';
        s.async = true;
        s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
        (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
    }
    else {
        d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
    }
})(window, document);
//--><!]]></script></div><div id="footer">
<p class="apache">Copyright 2017 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
if (typeof(prettyPrint) !== 'undefined') {
    prettyPrint();
}
//--><!]]></script>
</body></html>
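The "Cipher Suites and Enforcing Strong Security" section of the listing above takes for granted that the reader knows what a string such as `HIGH:MEDIUM` or `ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` actually selects. The Python below is an added example, not part of the Apache manual or of mod_ssl: it hands a cipher string to the OpenSSL that Python's `ssl` module is linked against (so the result describes that OpenSSL, not the one behind an Apache 2.2 build), lists the suites it selects, flags any whose symmetric key is shorter than the 128 bits that the page's `SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128` enforces per request, and reports tokens that change nothing, because OpenSSL skips names it does not recognise without any error. On a current OpenSSL that silently-ignored group includes the `SSLv2`, `EXP` and `RC4` tokens from the page's examples, and it would equally include a typo. All function names are the example's own.

```python
"""Audit what an OpenSSL-style cipher string (an SSLCipherSuite value) really enables.

Added example, not Apache code: the string is evaluated by the OpenSSL linked
into this Python interpreter.
"""
import ssl


def expand_cipher_string(cipher_string):
    """Return the cipher suites (TLS 1.2 and below) OpenSSL selects for the string.

    Entries are the dicts ssl gives back (name, protocol, strength_bits, ...).
    TLS 1.3 suites are always reported by get_ciphers() and are not governed by
    a 2.2-era SSLCipherSuite, so they are left out.  When nothing at all matches
    (only unknown or disabled tokens) OpenSSL rejects the string; that failure
    is returned as an empty selection instead of an exception.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_ciphers(cipher_string, min_bits=128):
    """Names of selected suites whose symmetric key is shorter than min_bits.

    strength_bits is the quantity SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    tests on every request; an empty result means the cipher string alone
    already guarantees the requirement.
    """
    return [c["name"] for c in expand_cipher_string(cipher_string)
            if c["strength_bits"] < min_bits]


def no_effect_tokens(cipher_string):
    """Tokens whose removal leaves the selection (and its order) unchanged.

    OpenSSL ignores unknown names without an error, so a typo ('MEDUIM') or a
    token for something the library no longer ships ('SSLv2', 'EXP', 'RC4')
    is accepted silently.  Comparing the expansion with and without each token
    is the only way to notice that from outside.
    """
    tokens = cipher_string.split(":")
    full = [c["name"] for c in expand_cipher_string(cipher_string)]
    result = []
    for token in tokens:
        rest = ":".join(t for t in tokens if t != token)
        if rest and [c["name"] for c in expand_cipher_string(rest)] == full:
            result.append(token)
    return result


def audit(cipher_string, min_bits=128):
    """Summarise a candidate SSLCipherSuite value in one dict."""
    return {
        "selected": [c["name"] for c in expand_cipher_string(cipher_string)],
        "weak": weak_ciphers(cipher_string, min_bits),
        "no_effect": no_effect_tokens(cipher_string),
    }


if __name__ == "__main__":
    # The two strings are taken from the manual's examples above.
    for s in ("HIGH:MEDIUM",
              "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"):
        report = audit(s)
        print(s)
        print("  selected :", len(report["selected"]), "suites")
        print("  weak     :", report["weak"] or "none")
        print("  no effect:", report["no_effect"] or "none")
```

Running the audit on a candidate string before it goes into `SSLCipherSuite` turns the per-directory `SSLRequire` on key size into a second line of defence rather than the only one: if the expansion already contains no weak suite, a request can never reach the `SSLRequire` check with a short key. Note that `HIGH` and `MEDIUM` are OpenSSL's own categories and their membership has moved between releases (3DES, for instance, is no longer in `HIGH`), which is another reason to look at the expansion rather than the label.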
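The "certauthenticate" question above offers two ways to admit only certain certificate holders: `+FakeBasicAuth`, where the whole subject DN becomes the Basic-auth user name looked up in `httpd.passwd`, and `SSLRequire`, where individual subject components such as `%{SSL_CLIENT_S_DN_O}` and `%{SSL_CLIENT_S_DN_OU}` are tested. The Python below is an added example that models both checks on the subject strings the page uses; it is not Apache code and does not talk to mod_ssl. It assumes the 2.2-era one-line subject format (`/C=DE/O=.../OU=...`), embeds a constructed copy of the page's `httpd.passwd`, and uses function names of its own (`parse_legacy_dn`, `sslrequire_policy`, `load_fake_basic_auth_users`, `fake_basic_auth_allowed`).

```python
"""Model of the two client-certificate access checks in the manual (added example,
not Apache code).  Subjects are in mod_ssl 2.2's legacy one-line form."""

# Constructed copy of the manual's httpd.passwd: every hash is the traditional
# DES crypt() of the word "password" with salt "xx", as the manual states.
HTTPD_PASSWD = """\
/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA
"""

# The set from the manual's SSLRequire example (hypothetical policy constant).
SSLREQUIRE_OUS = {"Staff", "CA", "Dev"}


def parse_legacy_dn(dn):
    """Split a one-line subject (/C=DE/O=.../OU=...) into {attribute: [values]}.

    The legacy form is ambiguous when a value contains '/', so a '/' that is
    not followed by 'NAME=' is kept as part of the preceding value.  Attributes
    may repeat (two OUs, say), hence the value lists.
    """
    if not dn.startswith("/"):
        raise ValueError("legacy DN must start with '/': %r" % (dn,))
    attrs, key, value = {}, None, []
    for piece in dn[1:].split("/"):
        name, sep, rest = piece.partition("=")
        if sep and name.isalnum():          # start of a new attribute
            if key is not None:
                attrs.setdefault(key, []).append("/".join(value))
            key, value = name, [rest]
        else:                               # continuation of a value with '/'
            if key is None:
                raise ValueError("malformed DN: %r" % (dn,))
            value.append(piece)
    if key is not None:
        attrs.setdefault(key, []).append("/".join(value))
    return attrs


def sslrequire_policy(dn):
    """The manual's expression: %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." and
    %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}.

    A subject with a repeated O or OU is refused here: mod_ssl exposes only one
    of the values in the variable, and deny-by-default is the safer reading.
    """
    attrs = parse_legacy_dn(dn)
    return (attrs.get("O") == ["Snake Oil, Ltd."]
            and len(attrs.get("OU", [])) == 1
            and attrs["OU"][0] in SSLREQUIRE_OUS)


def load_fake_basic_auth_users(passwd_text):
    """Parse an AuthUserFile whose user names are certificate subjects.

    rpartition(':') is used because a subject may itself contain ':' while the
    trailing password hash never does.
    """
    users = {}
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        subject, _, pw_hash = line.rpartition(":")
        users[subject] = pw_hash
    return users


def fake_basic_auth_allowed(dn, users):
    """Require valid-user under +FakeBasicAuth.

    mod_ssl substitutes the verified subject as the user name and the constant
    password "password", so the exact subject string must be listed; a subject
    that differs in any character (case, spacing, attribute order) is refused.
    """
    return dn in users


if __name__ == "__main__":
    users = load_fake_basic_auth_users(HTTPD_PASSWD)
    for subject in list(users) + ["/C=US/O=Snake Oil, Ltd./OU=Sales/CN=Eve"]:
        print("%-55s passwd=%-5s sslrequire=%s" % (
            subject, fake_basic_auth_allowed(subject, users), sslrequire_policy(subject)))
```

Two properties of the page's configuration are visible in the model. First, the `httpd.passwd` route matches the subject as an opaque string, so the file must contain every admitted subject verbatim, exactly as mod_ssl renders it. Second, because `+FakeBasicAuth` always supplies the fixed password "password", the file protects nothing on its own: the actual control is `SSLVerifyClient require` plus `SSLRequireSSL` on the same `<Directory>`, which is why both page examples keep them together.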
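The "intranet" question above combines four mechanisms in one `<Directory>`: a `RewriteRule` that refuses plain HTTP from outside 192.168.1.0/24, an `SSLRequire` on key size made non-negotiable by `+StrictRequire`, a network ACL, and Basic authentication (or a client certificate via `+FakeBasicAuth`) joined by `Satisfy any`. The Python below is an added example, not Apache code: it is a decision oracle that reproduces the order in which those rules apply to a request for `/subarea` and for the rest of the tree, so that the allowed and denied combinations can be tabulated. It assumes the 192.168.1.0/24 range from the page, constructed client addresses (203.0.113.5 is a documentation address), and its own function names.

```python
"""Decision model of the manual's Intranet/Internet httpd.conf fragment
(added example; it reproduces that fragment's rules, it is not Apache code)."""
import ipaddress

INTRANET = ipaddress.ip_network("192.168.1.0/24")   # range used by the manual


def htdocs_access(remote_addr):
    """Everything outside /subarea: Order deny,allow + Allow from 192.168.1.0/24."""
    return 200 if ipaddress.ip_address(remote_addr) in INTRANET else 403


def subarea_access(remote_addr, https, cipher_bits=0, valid_user=False):
    """Status Apache would return for a request inside /subarea.

    remote_addr : client IP as a string
    https       : True for a TLS request
    cipher_bits : SSL_CIPHER_USEKEYSIZE of the negotiated suite (TLS only)
    valid_user  : Basic credentials matching conf/protected.passwd, or, via
                  +FakeBasicAuth, a certificate verified against company-ca.crt
                  whose subject is listed in that file
    """
    internal = ipaddress.ip_address(remote_addr) in INTRANET
    # RewriteCond %{REMOTE_ADDR} !^192\.168\.1\... / RewriteCond %{HTTPS} !=on
    # / RewriteRule .* - [F]: external clients must use HTTPS.
    if not internal and not https:
        return 403
    # SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 with +StrictRequire: a weak
    # cipher is refused even though "Satisfy any" would otherwise let the
    # network ACL or a password win.  Applies to TLS requests only.
    if https and cipher_bits < 128:
        return 403
    # Satisfy any: Allow from 192.168.1.0/24 OR Require valid-user.  Without
    # either, Apache issues the Basic challenge (401), not a 403.
    return 200 if internal or valid_user else 401


def access_table():
    """Tabulate the cases the manual's comments describe, for review."""
    cases = [
        ("intranet, plain HTTP",               ("192.168.1.10", False, 0, False)),
        ("intranet, HTTPS weak cipher",        ("192.168.1.10", True, 56, False)),
        ("internet, plain HTTP with password", ("203.0.113.5", False, 0, True)),
        ("internet, HTTPS weak cipher + pw",   ("203.0.113.5", True, 56, True)),
        ("internet, HTTPS strong, anonymous",  ("203.0.113.5", True, 256, False)),
        ("internet, HTTPS strong + pw/cert",   ("203.0.113.5", True, 256, True)),
    ]
    return [(label, subarea_access(*args)) for label, args in cases]


if __name__ == "__main__":
    for label, status in access_table():
        print("%-38s -> %d" % (label, status))
```

The table makes two consequences of the page's fragment explicit. `+StrictRequire` means even an Intranet client is refused when it connects over HTTPS with a short key, since `Satisfy any` cannot override `SSLRequire` in that mode. And an Internet client that uses HTTPS with a strong cipher but presents neither a password nor a listed certificate receives a 401 challenge rather than a 403, which is the expected path for the Basic-auth alternative the page describes.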