<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 This file is generated from xml source: DO NOT EDIT
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 -->
<title>SSL/TLS Strong Encryption: How-To - Apache HTTP Server</title>
<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" />
<script src="/style/scripts/prettify.min.js" type="text/javascript">
</script>

<link href="/images/favicon.ico" rel="shortcut icon" /></head>
<body id="manual-page"><div id="page-header">
<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.4</p>
<img alt="" src="/images/feather.gif" /></div>
<div id="page-content"><div id="preamble"><h1>SSL/TLS Strong Encryption: How-To</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="/en/ssl/ssl_howto.html" title="English"> en </a> |
<a href="/fr/ssl/ssl_howto.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p>
</div>

<p>This document is intended to get you started, and get a few things working. You are strongly encouraged to read the rest of the SSL documentation, and arrive at a deeper understanding of the material, before progressing to the advanced techniques.</p>
</div>
<div id="quickview"><ul id="toc"><li><img alt="" src="/images/down.gif" /> <a href="#configexample">Basic Configuration Example</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#ciphersuites">Cipher Suites and Enforcing Strong Security</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#accesscontrol">Client Authentication and Access Control</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#logging">Logging</a></li>
</ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="configexample" id="configexample">Basic Configuration Example</a></h2>

<p>Your SSL configuration will need to contain, at minimum, the following directives.</p>

<pre class="prettyprint lang-config">LoadModule ssl_module modules/mod_ssl.so

Listen 443
&lt;VirtualHost *:443&gt;
 ServerName www.example.com
 SSLEngine on
 SSLCertificateFile /path/to/www.example.com.cert
 SSLCertificateKeyFile /path/to/www.example.com.key
&lt;/VirtualHost&gt;</pre>

</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="ciphersuites" id="ciphersuites">Cipher Suites and Enforcing Strong Security</a></h2>

<ul>
<li><a href="#onlystrong">How can I create an SSL server which accepts strong encryption only?</a></li>
<li><a href="#strongurl">How can I create an SSL server which accepts all types of ciphers in general, but requires a strong cipher for access to a particular URL?</a></li>
</ul>

<h3><a name="onlystrong" id="onlystrong">How can I create an SSL server which accepts strong encryption only?</a></h3>

 <p>The following enables only the strongest ciphers:</p>
 <pre class="prettyprint lang-config">SSLCipherSuite HIGH:!aNULL:!MD5</pre>

 <p>With the following configuration you instead specify a preference for specific speed-optimized ciphers (which will be selected by mod_ssl, provided that they are supported by the client):</p>

 <pre class="prettyprint lang-config">SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on</pre>

<h3><a name="strongurl" id="strongurl">How can I create an SSL server which accepts all types of ciphers in general, but requires strong ciphers for access to a particular URL?</a></h3>

 <p>Obviously, a server-wide <code class="directive"><a href="/mod/mod_ssl.html#sslciphersuite">SSLCipherSuite</a></code> which restricts ciphers to the strong variants isn't the answer here. However, <code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> can be reconfigured within <code>Location</code> blocks, to give a per-directory solution, and can automatically force a renegotiation of the SSL parameters to meet the new configuration.
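</p>
<p>Added example (not part of the Apache documentation): a small Python audit of <code>SSLCipherSuite</code> strings such as the ones above. It tokenises the value, reports the weak cipher classes that remain selectable unless they are killed with <code>!</code>, and notes whether the fragment turns <code>SSLHonorCipherOrder</code> on, since a preference list such as <code>RC4-SHA:AES128-SHA:HIGH</code> only takes effect when the server enforces its own order. The list of weak selectors, the function names and the sample configuration (a copy of the liberal per-URL fragment that follows) are this example's own assumptions; the audit does not expand classes into concrete suites, which needs <code>openssl ciphers -v</code>. Note that it flags <code>RC4</code>: RFC 7465 has since prohibited RC4 cipher suites in TLS, so the speed-optimized list above is no longer one to copy.</p>

```python
"""Static audit of Apache SSLCipherSuite strings (added example, not Apache's own code).

The tokeniser follows OpenSSL cipher-list syntax only as far as the audit needs:
':' separates items; a leading '!' kills a class permanently; a leading '-' removes it
but it may be re-added later, so it is still treated as reachable; a leading '+' only
moves matching suites to the end; 'A+B' without a sign is the intersection of A and B.
Classes are not expanded into concrete suites (that needs 'openssl ciphers -v'), so the
result is a conservative list of weak selectors that are still selectable.
"""

# Selectors a defender wants killed with '!'; this example's own policy, not Apache's.
WEAK_SELECTORS = {"aNULL", "eNULL", "EXP", "EXPORT", "LOW", "MD5", "RC4", "DES", "3DES"}
# Selectors that admit (almost) every suite OpenSSL knows, so every weak class that is
# not explicitly killed is assumed reachable through them.
BROAD_SELECTORS = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "COMPLEMENTOFALL"}


def parse_cipher_string(value):
    """Return (reachable, killed): the selector/suite components that can still be
    selected, and the selectors removed with '!'."""
    reachable, killed = set(), set()
    for item in value.split(":"):
        item = item.strip()
        if not item or item.startswith("@"):      # '@STRENGTH'-style sort keywords
            continue
        if item.startswith("!"):
            killed.add(item[1:])
            continue
        if item[0] in "+-":
            item = item[1:]
        # 'RC4+RSA' is an intersection and 'EXP-DES-CBC-SHA' is a suite name; in both
        # cases each component tells us which class the entry belongs to.
        reachable.update(part for part in item.replace("+", "-").split("-") if part)
    return reachable, killed


def weak_reachable(value):
    """Sorted list of weak selectors that the cipher string leaves selectable."""
    reachable, killed = parse_cipher_string(value)
    broad = bool(reachable & BROAD_SELECTORS)
    weak = {w for w in WEAK_SELECTORS if w not in killed and (w in reachable or broad)}
    # HIGH, MEDIUM and friends also contain anonymous-DH suites: without !aNULL the
    # server will negotiate a cipher with no server authentication at all.
    if "aNULL" not in killed:
        weak.add("aNULL")
    return sorted(weak)


def audit_config(text):
    """Audit every SSLCipherSuite value in a config fragment and report whether the
    server enforces its own cipher order. Blocks (Location, VirtualHost) are not
    tracked, so the honor-order result is for the fragment as a whole."""
    findings, honor_order = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        words = line.split(None, 1)
        name, arg = words[0].lower(), (words[1].strip() if len(words) > 1 else "")
        if name == "sslciphersuite":
            findings[arg] = weak_reachable(arg)
        elif name == "sslhonorcipherorder" and arg.lower() == "on":
            honor_order = True
    return findings, honor_order


# Constructed sample: the per-URL fragment from this section of the documentation.
SAMPLE_CONFIG = """\
# be liberal in general
SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL

<Location /strong/area>
SSLCipherSuite HIGH:!aNULL:!MD5
</Location>
"""

if __name__ == "__main__":
    findings, honor_order = audit_config(SAMPLE_CONFIG)
    for value, weak in findings.items():
        print(f"{value}\n  weak selectors still reachable: {weak or 'none'}")
    print("SSLHonorCipherOrder on:", honor_order)
```

<p>Run on the sample, the audit lists <code>eNULL</code>, <code>EXP</code>, <code>LOW</code> and the rest of the weak classes for the liberal server-wide string and nothing for <code>HIGH:!aNULL:!MD5</code>, and reports that the fragment does not enforce its own cipher order. A bare <code>HIGH</code> is reported for <code>aNULL</code>, which is why the documentation always pairs it with <code>!aNULL</code>.</p>
<p>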
 The per-<code>Location</code> reconfiguration is done as follows:</p>
 <pre class="prettyprint lang-config"># be liberal in general
SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL

&lt;Location /strong/area&gt;
# but https://hostname/strong/area/ and below
# requires strong ciphers
SSLCipherSuite HIGH:!aNULL:!MD5
&lt;/Location&gt;</pre>

</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="accesscontrol" id="accesscontrol">Client Authentication and Access Control</a></h2>

<ul>
<li><a href="#allclients">How can I force clients to authenticate using certificates?</a></li>
<li><a href="#arbitraryclients">How can I force clients to authenticate using certificates for a particular URL, but still allow arbitrary clients to access the rest of the server?</a></li>
<li><a href="#certauthenticate">How can I allow only clients who have certificates to access a particular URL, but allow all clients to access the rest of the server?</a></li>
<li><a href="#intranet">How can I require HTTPS with strong ciphers, and either basic authentication or client certificates, for access to part of the Intranet website, for clients coming from the Internet?</a></li>
</ul>

<h3><a name="allclients" id="allclients">How can I force clients to authenticate using certificates?</a></h3>

 <p>When you know all of your users (e.g., as is often the case on a corporate Intranet), you can require plain certificate authentication. All you need to do is to create client certificates signed by your own CA certificate (<code>ca.crt</code>) and then verify the clients against this certificate.</p>
 <pre class="prettyprint lang-config"># require a client certificate which has to be directly
# signed by our CA certificate in ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile conf/ssl.crt/ca.crt</pre>

<h3><a name="arbitraryclients" id="arbitraryclients">How can I force clients to authenticate using certificates for a particular URL, but still allow arbitrary clients to access the rest of the server?</a></h3>

 <p>To force clients to authenticate using certificates for a particular URL, you can use the per-directory reconfiguration features of <code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code>:</p>

 <pre class="prettyprint lang-config">SSLVerifyClient none
SSLCACertificateFile conf/ssl.crt/ca.crt

&lt;Location /secure/area&gt;
SSLVerifyClient require
SSLVerifyDepth 1
&lt;/Location&gt;</pre>

<h3><a name="certauthenticate" id="certauthenticate">How can I allow only clients who have certificates to access a particular URL, but allow all clients to access the rest of the server?</a></h3>

 <p>The key to doing this is checking that part of the client certificate matches what you expect. Usually this means checking all or part of the Distinguished Name (DN), to see if it contains some known string. There are two ways to do this, using either <code class="module"><a href="/mod/mod_auth_basic.html">mod_auth_basic</a></code> or <code class="directive"><a href="/mod/mod_ssl.html#sslrequire">SSLRequire</a></code>.</p>

 <p>The <code class="module"><a href="/mod/mod_auth_basic.html">mod_auth_basic</a></code> method is generally required when the certificates are completely arbitrary, or when their DNs have no common fields (usually the organisation, etc.). In this case, you should establish a password database containing <em>all</em> clients allowed, as follows:</p>

 <pre class="prettyprint lang-config">SSLVerifyClient none
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt

&lt;Directory /usr/local/apache2/htdocs/secure/area&gt;
 SSLVerifyClient require
 SSLVerifyDepth 5
 SSLOptions +FakeBasicAuth
 SSLRequireSSL
 AuthName "Snake Oil Authentication"
 AuthType Basic
 AuthBasicProvider file
 AuthUserFile /usr/local/apache2/conf/httpd.passwd
 Require valid-user
&lt;/Directory&gt;</pre>

 <p>The password used in this example is the DES-encrypted string "password".
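</p>
<p>Added example (not the documentation's own code): a Python model of the two checks this section describes, <code>FakeBasicAuth</code> with <code>Require valid-user</code> against the <code>httpd.passwd</code> file, and the <code>SSLRequire</code> expression on the subject DN that the section gives further down. It parses the one-line DN form mod_ssl uses for <code>SSL_CLIENT_S_DN</code> and evaluates both checks for a few constructed subjects, which makes the difference visible: the password file admits exactly the DNs listed, while the <code>SSLRequire</code> predicate admits every certificate the CA issues with a matching <code>O</code> and <code>OU</code>. The subjects, the parser and the helper names are assumptions of this example.</p>

```python
"""Added example, not Apache's own code: the two client-certificate access checks of
this section, modelled over the one-line DN format mod_ssl uses for SSL_CLIENT_S_DN.

  FakeBasicAuth + AuthUserFile: the subject DN becomes the Basic-auth user name, so
  exactly the DNs listed in the password file are accepted.
  SSLRequire: a predicate over DN components, so every certificate from the CA whose
  O and OU match is accepted, whether or not anyone listed it.
"""
import re

# Constructed copy of the httpd.passwd file from this section ("DN:crypt of 'password'").
HTTPD_PASSWD = """\
/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA
"""

# A component boundary is '/' followed by an attribute type and '='; values may
# contain ',' and ' ' (as in "Snake Oil, Ltd.") but not this pattern.
_COMPONENT = re.compile(r"/([A-Za-z]+)=")


def parse_dn(dn):
    """'/C=DE/O=Snake Oil, Ltd./OU=Staff/CN=Foo' -> [('C', 'DE'), ('O', 'Snake Oil, Ltd.'), ...]"""
    parts = _COMPONENT.split(dn)          # ['', 'C', 'DE', 'O', 'Snake Oil, Ltd.', ...]
    if not dn.startswith("/") or len(parts) < 3 or parts[0] != "":
        raise ValueError(f"not a one-line DN: {dn!r}")
    return list(zip(parts[1::2], parts[2::2]))


def dn_attr(dn, attr_type):
    """Value of the first component of that type, i.e. SSL_CLIENT_S_DN_<type>; '' if absent."""
    return next((value for kind, value in parse_dn(dn) if kind == attr_type), "")


def load_passwd(text):
    """user -> hash. Split on the LAST ':' because a DN may itself contain ':'."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _, pw_hash = line.rpartition(":")
            users[user] = pw_hash
    return users


def fake_basic_auth_allows(client_dn, passwd_text=HTTPD_PASSWD):
    """'Require valid-user' with 'SSLOptions +FakeBasicAuth': access iff the subject DN
    is a user in AuthUserFile. mod_ssl supplies the fixed password "password", so the
    hash column only ever has to verify that constant and is not consulted here."""
    return client_dn in load_passwd(passwd_text)


def sslrequire_allows(client_dn):
    # SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd."
    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
    return (dn_attr(client_dn, "O") == "Snake Oil, Ltd."
            and dn_attr(client_dn, "OU") in {"Staff", "CA", "Dev"})


def compare(client_dn, passwd_text=HTTPD_PASSWD):
    """Decision of each method for one verified client-certificate subject."""
    return {"fake_basic_auth": fake_basic_auth_allows(client_dn, passwd_text),
            "sslrequire": sslrequire_allows(client_dn)}


if __name__ == "__main__":
    # Constructed subjects: one listed, one new staff member, one from another company.
    for subject in ("/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo",
                    "/C=DE/L=Berlin/O=Snake Oil, Ltd./OU=Staff/CN=Newbie",
                    "/C=DE/L=Berlin/O=Other Corp/OU=Staff/CN=Mallory"):
        print(subject, compare(subject))
```

<p>The practical consequence: with the password-file method, removing a line revokes access; with <code>SSLRequire</code>, a certificate keeps matching until it expires or is revoked at the CA, so the predicate should be as narrow as the hierarchy allows.</p>
<p>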
 See the <code class="directive"><a href="/mod/mod_ssl.html#ssloptions">SSLOptions</a></code> documentation for more information.</p>

 <div class="example"><h3>httpd.passwd</h3><pre>/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA</pre></div>

 <p>When your clients are all part of a common hierarchy, which is encoded into the DN, you can match them more easily using <code class="directive"><a href="/mod/mod_ssl.html#sslrequire">SSLRequire</a></code>, as follows:</p>

 <pre class="prettyprint lang-config">SSLVerifyClient none
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCACertificatePath conf/ssl.crt

&lt;Directory /usr/local/apache2/htdocs/secure/area&gt;
 SSLVerifyClient require
 SSLVerifyDepth 5
 SSLOptions +FakeBasicAuth
 SSLRequireSSL
 SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
 and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
&lt;/Directory&gt;</pre>

<h3><a name="intranet" id="intranet">How can I require HTTPS with strong ciphers, and either basic authentication or client certificates, for access to part of the Intranet website, for clients coming from the Internet? I still want to allow plain HTTP access for clients on the Intranet.</a></h3>

 <p>These examples presume that clients on the Intranet have IPs in the range 192.168.1.0/24, and that the part of the Intranet website you want to allow Internet access to is <code>/usr/local/apache2/htdocs/subarea</code>.
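</p>
<p>Added example (not the documentation's own code): a Python model of the access decision that the Apache configuration for <code>/subarea</code> shown after this example expresses, written so the interaction of <code>RewriteRule ... [F]</code>, <code>SSLRequire</code> with <code>+StrictRequire</code>, <code>Satisfy any</code>, <code>Require ip</code> and Basic authentication via <code>FakeBasicAuth</code> can be traced request by request. The request fields, the constructed <code>protected.passwd</code> user set and the function names are assumptions of the example; cipher strength is represented by the symmetric key size mod_ssl exposes as <code>SSL_CIPHER_USEKEYSIZE</code>, and password and certificate verification results are supplied by the caller.</p>

```python
"""Added example, not Apache's own code: the access decision that the Directory block
for /subarea in this section expresses, so the interplay of RewriteRule [F],
SSLRequire with +StrictRequire, 'Satisfy any', 'Require ip' and Basic authentication
(with FakeBasicAuth) can be traced for a given request.

Simplifications: cipher strength is the key size mod_ssl exposes as
SSL_CIPHER_USEKEYSIZE; password checking and certificate verification are reported
by the caller as booleans; the order of checks follows httpd's request phases
(rewrite, then mod_ssl access control, then authentication/authorization).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTRANET = ip_network("192.168.1.0/24")        # as presumed by this section

# Constructed stand-in for conf/protected.passwd: one human account and one DN that
# FakeBasicAuth maps to a user name (the hash column is not modelled).
PROTECTED_PASSWD_USERS = {
    "alice",
    "/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo",
}


@dataclass
class Request:
    remote_addr: str
    https: bool = False
    cipher_usekeysize: int = 0          # SSL_CIPHER_USEKEYSIZE; 0 when not HTTPS
    auth_user: Optional[str] = None     # user name from the Authorization header
    auth_password_ok: bool = False      # AuthUserFile hash matched
    client_dn: Optional[str] = None     # subject DN of a certificate that verified
                                        # against company-ca.crt (SSLVerifyClient optional)


def decide(req, users=PROTECTED_PASSWD_USERS):
    """Return (status, reason) for a request to /subarea."""
    intranet = ip_address(req.remote_addr) in INTRANET

    # 1. RewriteRule . - [F]: an Internet client that is not on HTTPS is refused.
    if not intranet and not req.https:
        return 403, "Internet client must use HTTPS (RewriteRule [F])"

    # 2. SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 applies to every HTTPS request,
    #    and +StrictRequire makes a failure final even though 'Satisfy any' would
    #    otherwise let 'Require ip' rescue an intranet client.
    if req.https and req.cipher_usekeysize < 128:
        return 403, "cipher too weak for SSLRequire (+StrictRequire)"

    # 3. Satisfy any: 'Require ip' OR 'Require valid-user'.
    if intranet:
        return 200, "intranet address (Require ip)"

    # FakeBasicAuth: a verified client certificate supplies the Basic-auth user name
    # (the subject DN) together with the fixed password "password".
    if req.client_dn is not None:
        user, password_ok = req.client_dn, True
    else:
        user, password_ok = req.auth_user, req.auth_password_ok

    if user is not None and password_ok and user in users:
        method = "client certificate" if req.client_dn else "Basic auth"
        return 200, f"HTTPS + strong cipher + {method} (Require valid-user)"
    return 401, "authentication required"


if __name__ == "__main__":
    samples = [
        Request("192.168.1.10"),
        Request("203.0.113.5"),
        Request("203.0.113.5", https=True, cipher_usekeysize=40),
        Request("192.168.1.10", https=True, cipher_usekeysize=40),
        Request("203.0.113.5", https=True, cipher_usekeysize=256),
        Request("203.0.113.5", https=True, cipher_usekeysize=256,
                auth_user="alice", auth_password_ok=True),
        Request("203.0.113.5", https=True, cipher_usekeysize=256,
                client_dn="/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo"),
    ]
    for req in samples:
        print(req.remote_addr, "https" if req.https else "http",
              req.cipher_usekeysize, "->", decide(req))
```

<p>Two outcomes are worth noticing: an Intranet client that does use HTTPS with a weak cipher is refused, because <code>+StrictRequire</code> makes the <code>SSLRequire</code> failure final even though <code>Satisfy any</code> would otherwise let <code>Require ip</code> grant access; and a verified client certificate only helps if its subject DN is listed in <code>protected.passwd</code>, since <code>FakeBasicAuth</code> merely turns the DN into a Basic-auth user name.</p>
<p>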
 The configuration below should remain outside of your HTTPS virtual host, so that it applies to both HTTPS and HTTP.</p>

 <pre class="prettyprint lang-config">SSLCACertificateFile conf/ssl.crt/company-ca.crt

&lt;Directory /usr/local/apache2/htdocs&gt;
 # Outside the subarea only Intranet access is granted
 Require ip 192.168.1.0/24
&lt;/Directory&gt;

&lt;Directory /usr/local/apache2/htdocs/subarea&gt;
 # Inside the subarea any Intranet access is allowed
 # but from the Internet only HTTPS + Strong-Cipher + Password
 # or the alternative HTTPS + Strong-Cipher + Client-Certificate

 # If HTTPS is used, make sure a strong cipher is used.
 # Additionally allow client certs as alternative to basic auth.
 SSLVerifyClient optional
 SSLVerifyDepth 1
 SSLOptions +FakeBasicAuth +StrictRequire
 SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

 # Force clients from the Internet to use HTTPS
 RewriteEngine on
 RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
 RewriteCond %{HTTPS} !=on
 RewriteRule . - [F]

 # Allow Network Access and/or Basic Auth
 Satisfy any

 # Network Access Control
 Require ip 192.168.1.0/24

 # HTTP Basic Authentication
 AuthType basic
 AuthName "Protected Intranet Area"
 AuthBasicProvider file
 AuthUserFile conf/protected.passwd
 Require valid-user
&lt;/Directory&gt;</pre>

</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="logging" id="logging">Logging</a></h2>

 <p><code class="module"><a href="/mod/mod_ssl.html">mod_ssl</a></code> can log extremely verbose debugging information to the error log, when its <code class="directive"><a href="/mod/core.html#loglevel">LogLevel</a></code> is set to the higher trace levels. On the other hand, on a very busy server, level <code>info</code> may already be too much. Remember that you can configure the <code class="directive"><a href="/mod/core.html#loglevel">LogLevel</a></code> per module to suit your needs.</p>
</div></div>
<div id="footer">
<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
</div><script type="text/javascript"><!--//--><![CDATA[//><!--
if (typeof(prettyPrint) !== 'undefined') {
 prettyPrint();
}
//--><!]]></script>
</body></html>