
Apache HTTP Server Version 2.4


SSL/TLS Strong Encryption: Compatibility


This page covers backwards compatibility between mod_ssl and other SSL solutions. mod_ssl is not the only SSL solution for Apache; four additional products are (or were) also available: Ben Laurie's freely available Apache-SSL (from which mod_ssl was originally derived in 1998), Red Hat's commercial Secure Web Server (which was based on mod_ssl), Covalent's commercial Raven SSL Module (also based on mod_ssl) and finally C2Net's (now Red Hat's) commercial product Stronghold (based on a different evolution branch, named Sioux up to Stronghold 2.x, and based on mod_ssl since Stronghold 3.x).

mod_ssl mostly provides a superset of the functionality of all the other solutions, so it's simple to migrate from one of the older modules to mod_ssl. The configuration directives and environment variable names used by the older SSL solutions vary from those used in mod_ssl; mapping tables are included here to give the equivalents used by mod_ssl.


Configuration Directives

The mapping between configuration directives used by Apache-SSL 1.x and mod_ssl 2.0.x is given in Table 1. The mapping from Sioux 1.x and Stronghold 2.x is only partial because of special functionality in these interfaces which mod_ssl doesn't provide.

Table 1: Configuration Directive Mapping

| Old Directive | mod_ssl Directive | Comment |
|---|---|---|
| Apache-SSL 1.x & mod_ssl 2.0.x compatibility: | | |
| SSLEnable | SSLEngine on | compactified |
| SSLDisable | SSLEngine off | compactified |
| SSLLogFile file | | Use per-module LogLevel setting instead. |
| SSLRequiredCiphers spec | SSLCipherSuite spec | renamed |
| SSLRequireCipher c1 ... | SSLRequire %{SSL_CIPHER} in {"c1", ...} | generalized |
| SSLBanCipher c1 ... | SSLRequire not (%{SSL_CIPHER} in {"c1", ...}) | generalized |
| SSLFakeBasicAuth | SSLOptions +FakeBasicAuth | merged |
| SSLCacheServerPath dir | - | functionality removed |
| SSLCacheServerPort integer | - | functionality removed |
| Apache-SSL 1.x compatibility: | | |
| SSLExportClientCertificates | SSLOptions +ExportCertData | merged |
| SSLCacheServerRunDir dir | - | functionality not supported |
| Sioux 1.x compatibility: | | |
| SSL_CertFile file | SSLCertificateFile file | renamed |
| SSL_KeyFile file | SSLCertificateKeyFile file | renamed |
| SSL_CipherSuite arg | SSLCipherSuite arg | renamed |
| SSL_X509VerifyDir arg | SSLCACertificatePath arg | renamed |
| SSL_Logfile | - | Use per-module LogLevel setting instead. |
| SSL_Connect flag | SSLEngine flag | renamed |
| SSL_ClientAuth arg | SSLVerifyClient arg | renamed |
| SSL_X509VerifyDepth arg | SSLVerifyDepth arg | renamed |
| SSL_FetchKeyPhraseFrom arg | - | not directly mappable; use SSLPassPhraseDialog |
| SSL_SessionDir dir | - | not directly mappable; use SSLSessionCache |
| SSL_Require expr | - | not directly mappable; use SSLRequire |
| SSL_CertFileType arg | - | functionality not supported |
| SSL_KeyFileType arg | - | functionality not supported |
| SSL_X509VerifyPolicy arg | - | functionality not supported |
| SSL_LogX509Attributes arg | - | functionality not supported |
| Stronghold 2.x compatibility: | | |
| StrongholdAccelerator engine | SSLCryptoDevice engine | renamed |
| StrongholdKey dir | - | functionality not needed |
| StrongholdLicenseFile dir | - | functionality not needed |
| SSLFlag flag | SSLEngine flag | renamed |
| SSLSessionLockFile file | SSLMutex file | renamed |
| SSLCipherList spec | SSLCipherSuite spec | renamed |
| RequireSSL | SSLRequireSSL | renamed |
| SSLErrorFile file | - | functionality not supported |
| SSLRoot dir | - | functionality not supported |
| SSL_CertificateLogDir dir | - | functionality not supported |
| AuthCertDir dir | - | functionality not supported |
| SSL_Group name | - | functionality not supported |
| SSLProxyMachineCertPath dir | SSLProxyMachineCertificatePath dir | renamed |
| SSLProxyMachineCertFile file | SSLProxyMachineCertificateFile file | renamed |
| SSLProxyCipherList spec | SSLProxyCipherSpec spec | renamed |
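
An added example (not part of the Apache documentation or mod_ssl) that applies a subset of Table 1 to a legacy configuration: the hypothetical `migrate` function rewrites renamed, merged and generalized directives and flags those with no direct mapping for manual review. The sample configuration is constructed, and directive names are matched case-sensitively.

```python
import re

# Subset of Table 1. Old name -> mod_ssl name; the argument is carried over.
RENAMED = {
    "SSLRequiredCiphers": "SSLCipherSuite", "SSLCipherList": "SSLCipherSuite",
    "SSL_CipherSuite": "SSLCipherSuite", "SSL_CertFile": "SSLCertificateFile",
    "SSL_KeyFile": "SSLCertificateKeyFile", "SSL_Connect": "SSLEngine",
    "SSLFlag": "SSLEngine", "SSL_ClientAuth": "SSLVerifyClient",
    "SSL_X509VerifyDir": "SSLCACertificatePath", "RequireSSL": "SSLRequireSSL",
}
# "compactified" and "merged" rows: old directive -> complete mod_ssl line.
FIXED = {"SSLEnable": "SSLEngine on", "SSLDisable": "SSLEngine off",
         "SSLFakeBasicAuth": "SSLOptions +FakeBasicAuth",
         "SSLExportClientCertificates": "SSLOptions +ExportCertData"}
# Rows with "-" in the mod_ssl column: no rewrite possible, review by hand.
UNMAPPED = {"SSLCacheServerPath", "SSLCacheServerPort", "SSLCacheServerRunDir",
            "SSL_FetchKeyPhraseFrom", "SSL_SessionDir", "SSL_Require",
            "SSL_CertFileType", "SSL_KeyFileType", "SSL_X509VerifyPolicy"}
# "generalized" rows: a cipher list becomes an SSLRequire expression.
CIPHER_EXPR = {"SSLRequireCipher": "SSLRequire %{{SSL_CIPHER}} in {{{0}}}",
               "SSLBanCipher": "SSLRequire not (%{{SSL_CIPHER}} in {{{0}}})"}
# Constructed sample input: a legacy Apache-SSL style virtual host.
SAMPLE = """<VirtualHost _default_:443>
    SSLEnable
    SSLRequiredCiphers HIGH:!aNULL
    SSLBanCipher NULL-MD5 EXP-RC4-MD5
    SSLCacheServerPort 1234
</VirtualHost>"""

def migrate(config_text):
    """Rewrite legacy SSL directives; return (new_text, warnings)."""
    out, warnings = [], []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"(\s*)(\w+)\s*(.*?)\s*$", line)
        if m:  # comments, <Section> tags and blank lines do not match
            indent, name, args = m.groups()
            if name in RENAMED:
                line = f"{indent}{RENAMED[name]} {args}".rstrip()
            elif name in FIXED:
                line = indent + FIXED[name]
            elif name in CIPHER_EXPR:
                quoted = ", ".join(f'"{c}"' for c in args.split())
                line = indent + CIPHER_EXPR[name].format(quoted)
            elif name in UNMAPPED:
                warnings.append(f"line {lineno}: {name} has no direct mapping")
                line = f"{indent}# REVIEW: {name} {args}".rstrip()
        out.append(line)
    return "\n".join(out), warnings
```

Calling `migrate(SAMPLE)` returns the rewritten configuration text together with the list of warnings; unmapped directives are commented out rather than silently dropped, so a dropped session-cache or key-handling setting is visible in review.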

Environment Variables

The mapping between environment variable names used by the older SSL solutions and the names used by mod_ssl is given in Table 2.

Table 2: Environment Variable Derivation

| Old Variable | mod_ssl Variable | Comment |
|---|---|---|
| SSL_PROTOCOL_VERSION | SSL_PROTOCOL | renamed |
| SSLEAY_VERSION | SSL_VERSION_LIBRARY | renamed |
| HTTPS_SECRETKEYSIZE | SSL_CIPHER_USEKEYSIZE | renamed |
| HTTPS_KEYSIZE | SSL_CIPHER_ALGKEYSIZE | renamed |
| HTTPS_CIPHER | SSL_CIPHER | renamed |
| HTTPS_EXPORT | SSL_CIPHER_EXPORT | renamed |
| SSL_SERVER_KEY_SIZE | SSL_CIPHER_ALGKEYSIZE | renamed |
| SSL_SERVER_CERTIFICATE | SSL_SERVER_CERT | renamed |
| SSL_SERVER_CERT_START | SSL_SERVER_V_START | renamed |
| SSL_SERVER_CERT_END | SSL_SERVER_V_END | renamed |
| SSL_SERVER_CERT_SERIAL | SSL_SERVER_M_SERIAL | renamed |
| SSL_SERVER_SIGNATURE_ALGORITHM | SSL_SERVER_A_SIG | renamed |
| SSL_SERVER_DN | SSL_SERVER_S_DN | renamed |
| SSL_SERVER_CN | SSL_SERVER_S_DN_CN | renamed |
| SSL_SERVER_EMAIL | SSL_SERVER_S_DN_Email | renamed |
| SSL_SERVER_O | SSL_SERVER_S_DN_O | renamed |
| SSL_SERVER_OU | SSL_SERVER_S_DN_OU | renamed |
| SSL_SERVER_C | SSL_SERVER_S_DN_C | renamed |
| SSL_SERVER_SP | SSL_SERVER_S_DN_SP | renamed |
| SSL_SERVER_L | SSL_SERVER_S_DN_L | renamed |
| SSL_SERVER_IDN | SSL_SERVER_I_DN | renamed |
| SSL_SERVER_ICN | SSL_SERVER_I_DN_CN | renamed |
| SSL_SERVER_IEMAIL | SSL_SERVER_I_DN_Email | renamed |
| SSL_SERVER_IO | SSL_SERVER_I_DN_O | renamed |
| SSL_SERVER_IOU | SSL_SERVER_I_DN_OU | renamed |
| SSL_SERVER_IC | SSL_SERVER_I_DN_C | renamed |
| SSL_SERVER_ISP | SSL_SERVER_I_DN_SP | renamed |
| SSL_SERVER_IL | SSL_SERVER_I_DN_L | renamed |
| SSL_CLIENT_CERTIFICATE | SSL_CLIENT_CERT | renamed |
| SSL_CLIENT_CERT_START | SSL_CLIENT_V_START | renamed |
| SSL_CLIENT_CERT_END | SSL_CLIENT_V_END | renamed |
| SSL_CLIENT_CERT_SERIAL | SSL_CLIENT_M_SERIAL | renamed |
| SSL_CLIENT_SIGNATURE_ALGORITHM | SSL_CLIENT_A_SIG | renamed |
| SSL_CLIENT_DN | SSL_CLIENT_S_DN | renamed |
| SSL_CLIENT_CN | SSL_CLIENT_S_DN_CN | renamed |
| SSL_CLIENT_EMAIL | SSL_CLIENT_S_DN_Email | renamed |
| SSL_CLIENT_O | SSL_CLIENT_S_DN_O | renamed |
| SSL_CLIENT_OU | SSL_CLIENT_S_DN_OU | renamed |
| SSL_CLIENT_C | SSL_CLIENT_S_DN_C | renamed |
| SSL_CLIENT_SP | SSL_CLIENT_S_DN_SP | renamed |
| SSL_CLIENT_L | SSL_CLIENT_S_DN_L | renamed |
| SSL_CLIENT_IDN | SSL_CLIENT_I_DN | renamed |
| SSL_CLIENT_ICN | SSL_CLIENT_I_DN_CN | renamed |
| SSL_CLIENT_IEMAIL | SSL_CLIENT_I_DN_Email | renamed |
| SSL_CLIENT_IO | SSL_CLIENT_I_DN_O | renamed |
| SSL_CLIENT_IOU | SSL_CLIENT_I_DN_OU | renamed |
| SSL_CLIENT_IC | SSL_CLIENT_I_DN_C | renamed |
| SSL_CLIENT_ISP | SSL_CLIENT_I_DN_SP | renamed |
| SSL_CLIENT_IL | SSL_CLIENT_I_DN_L | renamed |
| SSL_EXPORT | SSL_CIPHER_EXPORT | renamed |
| SSL_KEYSIZE | SSL_CIPHER_ALGKEYSIZE | renamed |
| SSL_SECKEYSIZE | SSL_CIPHER_USEKEYSIZE | renamed |
| SSL_SSLEAY_VERSION | SSL_VERSION_LIBRARY | renamed |
| SSL_STRONG_CRYPTO | - | Not supported by mod_ssl |
| SSL_SERVER_KEY_EXP | - | Not supported by mod_ssl |
| SSL_SERVER_KEY_ALGORITHM | - | Not supported by mod_ssl |
| SSL_SERVER_KEY_SIZE | - | Not supported by mod_ssl |
| SSL_SERVER_SESSIONDIR | - | Not supported by mod_ssl |
| SSL_SERVER_CERTIFICATELOGDIR | - | Not supported by mod_ssl |
| SSL_SERVER_CERTFILE | - | Not supported by mod_ssl |
| SSL_SERVER_KEYFILE | - | Not supported by mod_ssl |
| SSL_SERVER_KEYFILETYPE | - | Not supported by mod_ssl |
| SSL_CLIENT_KEY_EXP | - | Not supported by mod_ssl |
| SSL_CLIENT_KEY_ALGORITHM | - | Not supported by mod_ssl |
| SSL_CLIENT_KEY_SIZE | - | Not supported by mod_ssl |

Custom Log Functions

When mod_ssl is enabled, additional functions exist for the Custom Log Format of mod_log_config as documented in the Reference Chapter. Besides the ``%{varname}x'' eXtension format function, which can be used to expand any variables provided by any module, an additional ``%{name}c'' cryptography format function exists for backward compatibility. The currently implemented function calls are listed in Table 3.

Table 3: Custom Log Cryptography Function

| Function Call | Description |
|---|---|
| %...{version}c | SSL protocol version |
| %...{cipher}c | SSL cipher |
| %...{subjectdn}c | Client Certificate Subject Distinguished Name |
| %...{issuerdn}c | Client Certificate Issuer Distinguished Name |
| %...{errcode}c | Certificate Verification Error (numerical) |
| %...{errstr}c | Certificate Verification Error (string) |


Copyright 2025 The Apache Software Foundation.
Licensed under the Apache License, Version 2.0.
