httpd-cvs mailing list archives

From humbed...@apache.org
Subject svn commit: r1331289 - /httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en
Date Fri, 27 Apr 2012 08:15:15 GMT
Author: humbedooh
Date: Fri Apr 27 08:15:15 2012
New Revision: 1331289

URL: http://svn.apache.org/viewvc?rev=1331289&view=rev
Log:
Rebuild mod_ssl doc

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en?rev=1331289&r1=1331288&r2=1331289&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en Fri Apr 27 08:15:15 2012
@@ -240,8 +240,10 @@ For backward compatibility there is addi
 ``<code>%{</code><em>name</em><code>}c</code>'' cryptography
format function
 provided. Information about this function is provided in the <a href="../ssl/ssl_compat.html">Compatibility</a>
chapter.</p>
 <div class="example"><h3>Example</h3><p><code>
-CustomLog logs/ssl_request_log \
-          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+<pre class="prettyprint lang-config"> 
+CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+</pre>
+
 </code></p></div>
 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif"
/></a></div>
 <div class="section">
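Review bot: The new `<pre class="prettyprint lang-config">` is opened inside the existing `<p><code>` wrapper and closed before `</code></p>`, and `<pre>` is a block element that is not valid content for either `<p>` or `<code>`. The same nesting recurs in most of the later hunks of this commit. Since the log says this is a rebuild, the generator should emit the `<pre>` as a direct child of `<div class="example">` and drop the `<p><code>` pair around it. Also note that the two-line `CustomLog` with its `\` continuation has become one long line, which will overflow a narrow example box now that whitespace is preserved.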
@@ -285,9 +287,10 @@ string in <code class="module"><a href="
        encrypted with SSL. This is similar to the
        <code class="directive">SSLRequireSSL</code> directive.</p>
 
-    <div class="example"><p><code>
+    <pre class="prettyprint lang-config">
       Require ssl
-    </code></p></div>
+    </pre>
+
 
   
 
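Review bot: Replacing `<div class="example"><p><code>` with a bare `<pre>` here drops the `example` wrapper that every other example in this commit keeps, so this block loses whatever styling hangs off `div.example`. The six spaces in front of `Require ssl` are also rendered literally now that the line sits in a `<pre>`; either keep the wrapper and put the `<pre>` inside it, or at least remove the leading indentation.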
@@ -300,10 +303,11 @@ string in <code class="module"><a href="
     <p>The following example grants access if the user is authenticated
        either with a client certificate or by username and password.</p>
 
-    <div class="example"><p><code>
+    <pre class="prettyprint lang-config">
       Require ssl-verify-client<br />
       Require valid-user
-    </code></p></div>
+    </pre>
+
 
   
 
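Review bot: The unchanged line `Require ssl-verify-client<br />` is now inside a `<pre>`, where the newline already breaks the line, so the leftover `<br />` produces an extra blank line between the two `Require` directives. The other hunks in this commit strip `<br />` when converting to `<pre>`; this one should do the same. As in the previous hunk, the `<div class="example">` wrapper is dropped and the leading indentation is preserved verbatim.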
@@ -326,7 +330,10 @@ concatenation of the various PEM-encoded
 preference. This can be used alternatively and/or additionally to
 <code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code>.</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt
+</pre>
+
 </code></p></div>
 
 </div>
@@ -351,7 +358,10 @@ there: you also have to create symbolic 
 <em>hash-value</em><code>.N</code>. And you should always make sure
this directory
 contains the appropriate symbolic links.</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLCACertificatePath /usr/local/apache2/conf/ssl.crt/
+</pre>
+
 </code></p></div>
 
 </div>
@@ -390,7 +400,10 @@ specify an <em>all-in-one</em> file cont
 PEM-encoded CA certificates.</p>
 
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLCADNRequestFile /usr/local/apache2/conf/ca-names.crt
+</pre>
+
 </code></p></div>
 
 </div>
@@ -416,7 +429,10 @@ Certificate files there: you also have t
 <em>hash-value</em><code>.N</code>. And you should always make sure
 this directory contains the appropriate symbolic links.</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLCADNRequestPath /usr/local/apache2/conf/ca-names.crt/
+</pre>
+
 </code></p></div>
 
 </div>
@@ -453,7 +469,10 @@ to succeed - otherwise it will fail with
 </p>
 </div>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLCARevocationCheck chain
+</pre>
+
 </code></p></div>
 
 </div>
@@ -475,7 +494,10 @@ for Client Authentication.  Such a file 
 the various PEM-encoded CRL files, in order of preference. This can be
 used alternatively and/or additionally to <code class="directive"><a href="#sslcarevocationpath">SSLCARevocationPath</a></code>.</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-client.crl
+</pre>
+
 </code></p></div>
 
 </div>
@@ -500,7 +522,10 @@ Additionally you have to create symbolic
 <em>hash-value</em><code>.rN</code>. And you should always make sure
this directory
 contains the appropriate symbolic links.</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLCARevocationPath /usr/local/apache2/conf/ssl.crl/
+</pre>
+
 </code></p></div>
 
 </div>
@@ -537,7 +562,10 @@ using a coupled RSA+DSA certificate pair
 certificates use the <em>same</em> certificate chain. Else the browsers will
be
 confused in this situation.</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt
+</pre>
+
 </code></p></div>
 
 </div>
@@ -558,7 +586,10 @@ Pass Phrase dialog is forced at startup 
 two times (referencing different filenames) when both a RSA and a DSA based
 server certificate is used in parallel.</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
+</pre>
+
 </code></p></div>
 
 </div>
@@ -585,7 +616,10 @@ at startup time. This directive can be u
 (referencing different filenames) when both a RSA and a DSA based
 private key is used in parallel.</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
+</pre>
+
 </code></p></div>
 
 </div>
@@ -710,7 +744,10 @@ KRB5-RC4-SHA            SSLv3 Kx=KRB5   
 </pre></div>
 <p>The complete list of particular RSA &amp; DH ciphers for SSL is given in <a
href="#table2">Table 2</a>.</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW
+</pre>
+
 </code></p></div>
 <table class="bordered">
 
@@ -770,8 +807,11 @@ separate "-engine" releases of OpenSSL 0
 "<code>openssl engine</code>".</p>
 
 <div class="example"><h3>Example</h3><p><code>
-# For a Broadcom accelerator:<br />
+<pre class="prettyprint lang-config">
+# For a Broadcom accelerator:
 SSLCryptoDevice ubsec
+</pre>
+
 </code></p></div>
 
 </div>
@@ -791,10 +831,13 @@ is should be used inside a <code class="
 that virtual host. By default the SSL/TLS Protocol Engine is
 disabled for both the main server and all configured virtual hosts.</p>
 <div class="example"><h3>Example</h3><p><code>
-&lt;VirtualHost _default_:443&gt;<br />
-SSLEngine on<br />
-...<br />
+<pre class="prettyprint lang-config">
+&lt;VirtualHost _default_:443&gt;
+SSLEngine on
+#...
 &lt;/VirtualHost&gt;
+</pre>
+
 </code></p></div>
 <p>In Apache 2.1 and later, <code class="directive">SSLEngine</code> can
be set to
 <code>optional</code>. This enables support for
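Review bot: Inside the new `<pre>`, `SSLEngine on` and `#...` are flush left within `<VirtualHost _default_:443>`, while the matching `SSLProxyEngine` example later in this same commit indents its body by four spaces. Whitespace is significant in `<pre>`, so pick one convention for container bodies and apply it to both examples. Turning `...` into `#...` is a good change, since the block is now tagged `lang-config` and a bare `...` is not a valid directive.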
@@ -844,7 +887,10 @@ by the applicable Security Policy.
 the client's preference is used.  If this directive is enabled, the
 server's preference will be used instead.</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLHonorCipherOrder on
+</pre>
+
 </code></p></div>
 
 </div>
@@ -881,7 +927,10 @@ in <a href="http://cve.mitre.org/cgi-bin
 </div>
 
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLInsecureRenegotiation on
+</pre>
+
 </code></p></div>
 
 <p>The <code>SSL_SECURE_RENEG</code> environment variable can be used
@@ -927,10 +976,13 @@ itself, or derived by configuration; see
 directives.</p>
 
 <div class="example"><h3>Example</h3><p><code>
-SSLVerifyClient on<br />
-SSLOCSPEnable on<br />
-SSLOCSPDefaultResponder http://responder.example.com:8888/responder<br />
+<pre class="prettyprint lang-config">
+SSLVerifyClient on
+SSLOCSPEnable on
+SSLOCSPDefaultResponder http://responder.example.com:8888/responder
 SSLOCSPOverrideResponder on
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1096,10 +1148,13 @@ The available <em>option</em>s are:</p>
 </li>
 </ul>
 <div class="example"><h3>Example</h3><p><code>
-SSLOptions +FakeBasicAuth -StrictRequire<br />
-&lt;Files ~ "\.(cgi|shtml)$"&gt;<br />
-    SSLOptions +StdEnvVars -ExportCertData<br />
+<pre class="prettyprint lang-config">
+SSLOptions +FakeBasicAuth -StrictRequire
+&lt;Files ~ "\.(cgi|shtml)$"&gt;
+    SSLOptions +StdEnvVars -ExportCertData
 &lt;Files&gt;
+</pre>
+
 </code></p></div>
 
 </div>
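Review bot: The last line of the example, `&lt;Files&gt;`, opens a second `<Files>` container instead of closing the one started by `&lt;Files ~ "\.(cgi|shtml)$"&gt;`; it should read `&lt;/Files&gt;`. The line is unchanged context, but the block is now presented as highlighted, copyable configuration, and a reader who pastes it gets an unterminated section. Fix it in the source document before the next rebuild.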
@@ -1177,7 +1232,10 @@ query can be done in two ways which can 
     program is called only once per unique Pass Phrase.</p></li>
 </ul>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLPassPhraseDialog exec:/usr/local/apache/sbin/pp-filter
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1227,7 +1285,10 @@ The available (case-insensitive) <em>pro
     ``<code>+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>, respectively.</p></li>
 </ul>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLProtocol TLSv1
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1249,7 +1310,10 @@ concatenation of the various PEM-encoded
 preference. This can be used alternatively and/or additionally to
 <code class="directive"><a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></code>.</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLProxyCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-remote-server.crt
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1274,7 +1338,10 @@ there: you also have to create symbolic 
 <em>hash-value</em><code>.N</code>. And you should always make sure
this directory
 contains the appropriate symbolic links.</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLProxyCACertificatePath /usr/local/apache2/conf/ssl.crt/
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1312,7 +1379,10 @@ to succeed - otherwise it will fail with
 </p>
 </div>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLProxyCARevocationCheck chain
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1334,7 +1404,10 @@ for Remote Server Authentication.  Such 
 the various PEM-encoded CRL files, in order of preference. This can be
 used alternatively and/or additionally to <code class="directive"><a href="#sslproxycarevocationpath">SSLProxyCARevocationPath</a></code>.</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLProxyCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle-remote-server.crl
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1359,7 +1432,10 @@ Additionally you have to create symbolic
 <em>hash-value</em><code>.rN</code>. And you should always make sure
this directory
 contains the appropriate symbolic links.</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLProxyCARevocationPath /usr/local/apache2/conf/ssl.crl/
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1380,7 +1456,10 @@ compared against the hostname of the req
 a 502 status code (Bad Gateway) is sent.
 </p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLProxyCheckPeerCN on
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1401,7 +1480,10 @@ is expired or not. If the check fails a 
 sent.
 </p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLProxyCheckPeerExpire on
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1438,10 +1520,13 @@ is usually used inside a <code class="di
 usage in a particular virtual host. By default the SSL/TLS Protocol Engine is
 disabled for proxy image both for the main server and all configured virtual hosts.</p>
 <div class="example"><h3>Example</h3><p><code>
-&lt;VirtualHost _default_:443&gt;<br />
-SSLProxyEngine on<br />
-...<br />
+<pre class="prettyprint lang-config">
+&lt;VirtualHost _default_:443&gt;
+    SSLProxyEngine on
+    #...
 &lt;/VirtualHost&gt;
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1472,7 +1557,10 @@ trusted as if they were also in <code cl
 SSLProxyCACertificateFile</a></code>.</p>
 </div>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLProxyMachineCertificateChainFile /usr/local/apache2/conf/ssl.crt/proxyCA.pem
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1499,7 +1587,10 @@ or additionally to <code>SSLProxyMachine
 <p>Currently there is no support for encrypted private keys</p>
 </div>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLProxyMachineCertificateFile /usr/local/apache2/conf/ssl.crt/proxy.pem
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1525,7 +1616,10 @@ directory contains the appropriate symbo
 <p>Currently there is no support for encrypted private keys</p>
 </div>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLProxyMachineCertificatePath /usr/local/apache2/conf/proxy.crt/
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1583,7 +1677,10 @@ The following levels are available for <
 <strong>optional_no_ca</strong> is actually against the idea of
 authentication (but can be used to establish SSL test pages, etc.)</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLProxyVerify require
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1610,7 +1707,10 @@ the remote server certificate can be sel
 which is directly known to the server (i.e. the CA's certificate is under
 <code class="directive"><a href="#sslproxycacertificatepath">SSLProxyCACertificatePath</a></code>),
etc.</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLProxyVerifyDepth 10
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1690,13 +1790,16 @@ The following <em>source</em> variants a
     on your platform.</p></li>
 </ul>
 <div class="example"><h3>Example</h3><p><code>
-SSLRandomSeed startup builtin<br />
-SSLRandomSeed startup file:/dev/random<br />
-SSLRandomSeed startup file:/dev/urandom 1024<br />
-SSLRandomSeed startup exec:/usr/local/bin/truerand 16<br />
-SSLRandomSeed connect builtin<br />
-SSLRandomSeed connect file:/dev/random<br />
-SSLRandomSeed connect file:/dev/urandom 1024<br />
+<pre class="prettyprint lang-config">
+SSLRandomSeed startup builtin
+SSLRandomSeed startup file:/dev/random
+SSLRandomSeed startup file:/dev/urandom 1024
+SSLRandomSeed startup exec:/usr/local/bin/truerand 16
+SSLRandomSeed connect builtin
+SSLRandomSeed connect file:/dev/random
+SSLRandomSeed connect file:/dev/urandom 1024
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1726,7 +1829,10 @@ memory must be considered when changing 
 </p></div>
 
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLRenegBufferSize 262144
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1815,12 +1921,17 @@ during request processing.  In .htaccess
 both parsed and executed each time the .htaccess file is encountered during 
 request processing.</p>
 
-<div class="example"><h3>Example</h3><pre>SSLRequire (    %{SSL_CIPHER}
!~ m/^(EXP|NULL)-/                \
+<div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
+SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/                \
             and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd."        \
             and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}  \
             and %{TIME_WDAY} &gt;= 1 and %{TIME_WDAY} &lt;= 5          \
             and %{TIME_HOUR} &gt;= 8 and %{TIME_HOUR} &lt;= 20       ) \
-           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/</pre></div>
+           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+</pre>
+
+</code></p></div>
 
 <p>The <code>PeerExtList(<em>object-ID</em>)</code> function
expects
 to find zero or more instances of the X.509 certificate extension
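Review bot: Before this change the `SSLRequire` example was a `<pre>` sitting directly inside `<div class="example">`, which was valid; the new version wraps it in `<p><code>` and closes with `</code></p>`, which turns correct markup into the invalid `<pre>`-inside-`<p>` nesting used elsewhere in this commit. This block depends on column alignment of the trailing `\` continuations, so it is the one most likely to render badly if a browser re-parents the `<pre>`. Keep the `<pre>` as a direct child of the `div` and only add the `prettyprint lang-config` class.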
@@ -1831,7 +1942,10 @@ exactly against the value of an extensio
 extension must match).</p>
 
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6")
+</pre>
+
 </code></p></div>
 
 <div class="note"><h3>Notes on the PeerExtList function</h3>
@@ -1882,7 +1996,10 @@ host or directories for defending agains
 stuff that should be protected. When this directive is present all requests
 are denied which are not using SSL.</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLRequireSSL
+</pre>
+
 </code></p></div>
 
 </div>
@@ -1953,8 +2070,11 @@ The following five storage <em>type</em>
 </ul>
 
 <div class="example"><h3>Examples</h3><p><code>
-SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data<br />
+<pre class="prettyprint lang-config">
+SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data
 SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)
+</pre>
+
 </code></p></div>
 
 <p>The <code>ssl-cache</code> mutex is used to serialize access to
@@ -1979,7 +2099,10 @@ global/inter-process SSL Session Cache a
 It can be set as low as 15 for testing, but should be set to higher
 values like 300 in real life.</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLSessionCacheTimeout 600
+</pre>
+
 </code></p></div>
 
 </div>
@@ -2202,7 +2325,10 @@ version of OpenSSL.
 </p></div>
 
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLStrictSNIVHostCheck on
+</pre>
+
 </code></p></div>
 
 </div>
@@ -2228,7 +2354,10 @@ any of the <a href="#envvars">SSL enviro
 <code>FakeBasicAuth</code> option is used (see <a href="#ssloptions">SSLOptions</a>).</p>
 
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLUserName SSL_CLIENT_S_DN_CN
+</pre>
+
 </code></p></div>
 
 </div>
@@ -2299,7 +2428,10 @@ The following levels are available for <
 <strong>optional_no_ca</strong> is actually against the idea of
 authentication (but can be used to establish SSL test pages, etc.)</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLVerifyClient require
+</pre>
+
 </code></p></div>
 
 </div>
@@ -2332,7 +2464,10 @@ certificate can be self-signed or has to
 known to the server (i.e. the CA's certificate is under
 <code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code>),
etc.</p>
 <div class="example"><h3>Example</h3><p><code>
+<pre class="prettyprint lang-config">
 SSLVerifyDepth 10
+</pre>
+
 </code></p></div>
 
 </div>


