Quick Nav
- ListenSecure
- SSLCipherSuite
- SSLCertificateFile
- SSLCertificateKeyFile
- SSLCACertificateFile
- SSLVerifyClient
- SSLVerifyIssuer
See Also
SSL Directives
ListenSecure
| Description | IP address and port on which to listing for incoming SSL/TLS requests. |
| Synopsis | ListenSecure [IP address:]portNumber |
| Context | Default server, Virtual Host, Route |
| Examples | Listen 80 ListenSecure 205.162.77.64:7777 ListenSecure [::] |
| Notes |
The ListenSecure directive specifies the IP endpoints on which Appweb will listen for incoming SSL/TLS HTTP requests. If you specify only the port number and omit the IP address, Appweb will listen on all network interfaces including the loop-back adaptor. Multiple Listen directives may be given and Appweb will listen on all the specified endpoints for SSL/TLS. In Appweb 4 and later, you do not need to use a Virtual Host to use SSL/TLS. For IPv6 endpoints, enclose the IP address in square brackets. For example: Listen [2001:05c0:9168:0000:0000:0000:0000:0001] |
SSLProtocol
| Description | Restrict the SSL protocols for OpenSSL. |
|---|---|
| Synopsis | SSLProtocol [+ | -] protocol ... |
| Context | OpenSSL only. Default Server, Virtual Host, Route |
| Example | SSLProtocol all -SSLV2 |
| Notes |
The SSLProtocol directive defines which SSL protocol variants to enable for use. The following protocol options are available: SSLv2This is the original Secure Sockets Layer (SSL) protocol defined by Netscape. It has several flaws and should not be used if SSLv3 or TLSv1 are available. SSLv3This is the Secure Sockets Layer (SSL) protocol version 3. TLSv1This is the Transport Layer Security (TLS) protocol version 1. It is the most current SSL standard defined by the IETF and should be used if available. TLSv1.1, TLSv1.2Available when using OpenSSL 1.0.1 or later. ALLEnables all SSL protocol variants. If unspecified, the default is: TLSv1, TLSv1.1 or TLSv1.2. |
| Security |
You should not use SSLv2 if possible. |
SSLCipherSuite
| Description | Defines the permissible SSL Cipher suites. |
|---|---|
| Synopsis | SSLCipherSuite cipher-spec |
| Context | Default Server, Virtual Host, Route (with EST and OpenSSL stacks only) |
| Example |
# # For EST # CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA CipherSuite TLS_RSA_WITH_RC4_128_SHA # # For OpenSSL # CipherSuite HIGH:RC4+SHA |
| Notes |
The SSLCipherSuite directive specifies the permissible set of cipher algorithms to use when communicating with the client. If unspecified, the cipher suite is defined by the SSL protocol stack and negotiated with the client. You may use this directive multiple times or may specify multiple ciphers separated by commas. This directive is only supported with the EST and OpenSSL stacks. The format of this directive varies depending on the SSL protocol stack. The EST, stack use the standard IANA Cipher Suite Registry names. The OpenSSL stack uses its own proprietary cipher naming. If using OpenSSL, please consult the OpenSSL documentation for how to format the cipher suite argument. |
SSLCertificateFile
| Description | Defines the location of the X.509 file containing the server certificate |
|---|---|
| Synopsis | SSLCertificateFile path |
| Context | Default Server, Virtual Host, Route |
| Example | SSLCertificateFile /var/appweb/server.crt |
| Notes |
The SSLCertificateFile directive defines the file containing the PEM encoded X.509 certificate for the server. The file may also contain the private key for the server in which case you do not need to use the SSLCertificateKeyFile directive. The path may be an absolute path or it may be relative to the Home directory. |
SSLCertificateKeyFile
| Description | Defines the location of the server's private key |
|---|---|
| Synopsis | SSLCertificateKeyFile |
| Context | Default Server, Virtual Host, Route |
| Example | SSLCertificateKeyFile /var/appweb/server.key.pem |
| Notes |
The SSLCertificateKeyFile directive defines the file containing the PEM encoded private key file for the server. This directive is not required if the server's private key is combined with the certificate file. If the private key is encrypted, you will be prompted to enter the pass-phrase to decrypt the private key on system reboot. |
| Security | There is a dilemma here. If you use an encrypted private key, the server will pause until you enter the pass-phrase which makes headless operation impossible. If you do not encrypt the private key, your private key is more vulnerable should the server be compromised. Which option you choose depends on whether headless operation is essential or not. |
SSLCACertificateFile
| Description | Defines the location of the certificate file for client authentication |
|---|---|
| Synopsis | SSLCACertificateFile path |
| Context | Default Server, Virtual Host, Route |
| Example | SSLCACertificateFile /var/appweb/ca.crt |
| Notes |
The SSLCACertificateFile directive defines the file containing the certificates to use when authenticating client certificates. This directive is only necessary if you wish to verify client certificates. If so, you must specify the "SSLVerifyClient on" directive. The certificate file contains the concatenated certificates to use in preference order. The path may be an absolute path or it may be relative to the Home directory. If using the OpenSSL stack, You may alternatively use SSLCACertificatePath if you have separate certificates. |
SSLCACertificatePath
| Description | Defines a directory of client authentication certificates. |
|---|---|
| Synopsis | SSLCACertificatePath |
| Context | OpenSSL only. Default Server, Virtual Host, Route |
| Example | SSLCACertificatePath /var/appweb/certs |
| Notes |
The SSLCACertificatePath directive is an OpenSSL directive that defines the directory containing the certificates to use when authenticating client certificates. This directive is only necessary if you wish to verify client certificates. If so, you must specify the "SSLVerifyClient on" directive. The path may be an absolute path or it may be relative to the Home directory. This directive is only supported for OpenSSL. If using another SSL stack, you may use SSLCACertificateFile if you have a bundle of certificates concatenated together. |
SSLVerifyClient
| Description | Defines the type of client certificate verification. |
|---|---|
| Synopsis | SSLVerifyClient [off | on] |
| Context | Default Server, Virtual Host, Route |
| Example | SSLVerifyClient on |
| Notes |
This directive controls whether the client must provide a client certificate for the server to verify the identity of the client. If set to off, no certificate is required. If one is supplied, it will be ignored. The certificate and the certificate's issuer will be verified. Use the SSLVerifyIssuer directive to turn off verification of the issuer if you need to use a self-signed test certificate. If the directive is set to on, the client must provide a valid certificate. |
SSLVerifyIssuer
| Description | Defines whether the issuer of the client certificate is verified. |
|---|---|
| Synopsis | SSLVerifyIssuer [off | on] |
| Context | Default Server, Virtual Host, Route |
| Example | SSLVerifyIssuer on |
| Notes |
This directive controls whether the issuer of the client certificate will be verified. If set to off, the certificate issuer will not be verified. This is useful to accept self-signed test certificates. |