SSL/TLS Strong Encryption: Compatibility

This page covers backwards compatibility between mod_ssl and other SSL solutions. mod_ssl is not the only SSL solution for Apache; four additional products are (or were) also available: Ben Laurie's freely available Apache-SSL (from where mod_ssl were originally derived in 1998), Red Hat's commercial Secure Web Server (which was based on mod_ssl), Covalent's commercial Raven SSL Module (also based on mod_ssl) and finally C2Net's (now Red Hat's) commercial product Stronghold (based on a different evolution branch, named Sioux up to Stronghold 2.x, and based on mod_ssl since Stronghold 3.x).

mod_ssl mostly provides a superset of the functionality of all the other solutions, so it's simple to migrate from one of the older modules to mod_ssl. The configuration directives and environment variable names used by the older SSL solutions vary from those used in mod_ssl; mapping tables are included here to give the equivalents used by mod_ssl.

Configuration Directives

The mapping between configuration directives used by Apache-SSL 1.x and mod_ssl 2.0.x is given in Table 1. The mapping from Sioux 1.x and Stronghold 2.x is only partial because of special functionality in these interfaces which mod_ssl doesn't provide.

Table 1: Configuration Directive Mapping

Old Directive	mod_ssl Directive	Comment
Apache-SSL 1.x & mod_ssl 2.0.x compatibility:
`SSLEnable`	SSLEngine on	compactified
`SSLDisable`	SSLEngine off	compactified
`SSLLogFile` file		Use per-module `LogLevel` setting instead.
`SSLRequiredCiphers` spec	`SSLCipherSuite` spec	renamed
`SSLRequireCipher` c1 ...	`SSLRequire %{SSL_CIPHER} in {"`c1`", ...}`	generalized
`SSLBanCipher` c1 ...	`SSLRequire not (%{SSL_CIPHER} in {"`c1`", ...})`	generalized
`SSLFakeBasicAuth`	SSLOptions +FakeBasicAuth	merged
`SSLCacheServerPath` dir	-	functionality removed
`SSLCacheServerPort` integer	-	functionality removed
Apache-SSL 1.x compatibility:
`SSLExportClientCertificates`	SSLOptions +ExportCertData	merged
`SSLCacheServerRunDir` dir	-	functionality not supported
Sioux 1.x compatibility:
`SSL_CertFile` file	`SSLCertificateFile` file	renamed
`SSL_KeyFile` file	`SSLCertificateKeyFile` file	renamed
`SSL_CipherSuite` arg	`SSLCipherSuite` arg	renamed
`SSL_X509VerifyDir` arg	`SSLCACertificatePath` arg	renamed
`SSL_Log` file	`-`	Use per-module `LogLevel` setting instead.
`SSL_Connect` flag	`SSLEngine` flag	renamed
`SSL_ClientAuth` arg	`SSLVerifyClient` arg	renamed
`SSL_X509VerifyDepth` arg	`SSLVerifyDepth` arg	renamed
`SSL_FetchKeyPhraseFrom` arg	-	not directly mappable; use SSLPassPhraseDialog
`SSL_SessionDir` dir	-	not directly mappable; use SSLSessionCache
`SSL_Require` expr	-	not directly mappable; use SSLRequire
`SSL_CertFileType` arg	-	functionality not supported
`SSL_KeyFileType` arg	-	functionality not supported
`SSL_X509VerifyPolicy` arg	-	functionality not supported
`SSL_LogX509Attributes` arg	-	functionality not supported
Stronghold 2.x compatibility:
`StrongholdAccelerator` engine	`SSLCryptoDevice` engine	renamed
`StrongholdKey` dir	-	functionality not needed
`StrongholdLicenseFile` dir	-	functionality not needed
`SSLFlag` flag	`SSLEngine` flag	renamed
`SSLSessionLockFile` file	`SSLMutex` file	renamed
`SSLCipherList` spec	`SSLCipherSuite` spec	renamed
`RequireSSL`	`SSLRequireSSL`	renamed
`SSLErrorFile` file	-	functionality not supported
`SSLRoot` dir	-	functionality not supported
`SSL_CertificateLogDir` dir	-	functionality not supported
`AuthCertDir` dir	-	functionality not supported
`SSL_Group` name	-	functionality not supported
`SSLProxyMachineCertPath` dir	`SSLProxyMachineCertificatePath` dir	renamed
`SSLProxyMachineCertFile` file	`SSLProxyMachineCertificateFile` file	renamed
`SSLProxyCipherList` spec	`SSLProxyCipherSpec` spec	renamed

Environment Variables

The mapping between environment variable names used by the older SSL solutions and the names used by mod_ssl is given in Table 2.

Table 2: Environment Variable Derivation

Old Variable	mod_ssl Variable	Comment
`SSL_PROTOCOL_VERSION`	`SSL_PROTOCOL`	renamed
`SSLEAY_VERSION`	`SSL_VERSION_LIBRARY`	renamed
`HTTPS_SECRETKEYSIZE`	`SSL_CIPHER_USEKEYSIZE`	renamed
`HTTPS_KEYSIZE`	`SSL_CIPHER_ALGKEYSIZE`	renamed
`HTTPS_CIPHER`	`SSL_CIPHER`	renamed
`HTTPS_EXPORT`	`SSL_CIPHER_EXPORT`	renamed
`SSL_SERVER_KEY_SIZE`	`SSL_CIPHER_ALGKEYSIZE`	renamed
`SSL_SERVER_CERTIFICATE`	`SSL_SERVER_CERT`	renamed
`SSL_SERVER_CERT_START`	`SSL_SERVER_V_START`	renamed
`SSL_SERVER_CERT_END`	`SSL_SERVER_V_END`	renamed
`SSL_SERVER_CERT_SERIAL`	`SSL_SERVER_M_SERIAL`	renamed
`SSL_SERVER_SIGNATURE_ALGORITHM`	`SSL_SERVER_A_SIG`	renamed
`SSL_SERVER_DN`	`SSL_SERVER_S_DN`	renamed
`SSL_SERVER_CN`	`SSL_SERVER_S_DN_CN`	renamed
`SSL_SERVER_EMAIL`	`SSL_SERVER_S_DN_Email`	renamed
`SSL_SERVER_O`	`SSL_SERVER_S_DN_O`	renamed
`SSL_SERVER_OU`	`SSL_SERVER_S_DN_OU`	renamed
`SSL_SERVER_C`	`SSL_SERVER_S_DN_C`	renamed
`SSL_SERVER_SP`	`SSL_SERVER_S_DN_SP`	renamed
`SSL_SERVER_L`	`SSL_SERVER_S_DN_L`	renamed
`SSL_SERVER_IDN`	`SSL_SERVER_I_DN`	renamed
`SSL_SERVER_ICN`	`SSL_SERVER_I_DN_CN`	renamed
`SSL_SERVER_IEMAIL`	`SSL_SERVER_I_DN_Email`	renamed
`SSL_SERVER_IO`	`SSL_SERVER_I_DN_O`	renamed
`SSL_SERVER_IOU`	`SSL_SERVER_I_DN_OU`	renamed
`SSL_SERVER_IC`	`SSL_SERVER_I_DN_C`	renamed
`SSL_SERVER_ISP`	`SSL_SERVER_I_DN_SP`	renamed
`SSL_SERVER_IL`	`SSL_SERVER_I_DN_L`	renamed
`SSL_CLIENT_CERTIFICATE`	`SSL_CLIENT_CERT`	renamed
`SSL_CLIENT_CERT_START`	`SSL_CLIENT_V_START`	renamed
`SSL_CLIENT_CERT_END`	`SSL_CLIENT_V_END`	renamed
`SSL_CLIENT_CERT_SERIAL`	`SSL_CLIENT_M_SERIAL`	renamed
`SSL_CLIENT_SIGNATURE_ALGORITHM`	`SSL_CLIENT_A_SIG`	renamed
`SSL_CLIENT_DN`	`SSL_CLIENT_S_DN`	renamed
`SSL_CLIENT_CN`	`SSL_CLIENT_S_DN_CN`	renamed
`SSL_CLIENT_EMAIL`	`SSL_CLIENT_S_DN_Email`	renamed
`SSL_CLIENT_O`	`SSL_CLIENT_S_DN_O`	renamed
`SSL_CLIENT_OU`	`SSL_CLIENT_S_DN_OU`	renamed
`SSL_CLIENT_C`	`SSL_CLIENT_S_DN_C`	renamed
`SSL_CLIENT_SP`	`SSL_CLIENT_S_DN_SP`	renamed
`SSL_CLIENT_L`	`SSL_CLIENT_S_DN_L`	renamed
`SSL_CLIENT_IDN`	`SSL_CLIENT_I_DN`	renamed
`SSL_CLIENT_ICN`	`SSL_CLIENT_I_DN_CN`	renamed
`SSL_CLIENT_IEMAIL`	`SSL_CLIENT_I_DN_Email`	renamed
`SSL_CLIENT_IO`	`SSL_CLIENT_I_DN_O`	renamed
`SSL_CLIENT_IOU`	`SSL_CLIENT_I_DN_OU`	renamed
`SSL_CLIENT_IC`	`SSL_CLIENT_I_DN_C`	renamed
`SSL_CLIENT_ISP`	`SSL_CLIENT_I_DN_SP`	renamed
`SSL_CLIENT_IL`	`SSL_CLIENT_I_DN_L`	renamed
`SSL_EXPORT`	`SSL_CIPHER_EXPORT`	renamed
`SSL_KEYSIZE`	`SSL_CIPHER_ALGKEYSIZE`	renamed
`SSL_SECKEYSIZE`	`SSL_CIPHER_USEKEYSIZE`	renamed
`SSL_SSLEAY_VERSION`	`SSL_VERSION_LIBRARY`	renamed
`SSL_STRONG_CRYPTO`	`-`	Not supported by mod_ssl
`SSL_SERVER_KEY_EXP`	`-`	Not supported by mod_ssl
`SSL_SERVER_KEY_ALGORITHM`	`-`	Not supported by mod_ssl
`SSL_SERVER_KEY_SIZE`	`-`	Not supported by mod_ssl
`SSL_SERVER_SESSIONDIR`	`-`	Not supported by mod_ssl
`SSL_SERVER_CERTIFICATELOGDIR`	`-`	Not supported by mod_ssl
`SSL_SERVER_CERTFILE`	`-`	Not supported by mod_ssl
`SSL_SERVER_KEYFILE`	`-`	Not supported by mod_ssl
`SSL_SERVER_KEYFILETYPE`	`-`	Not supported by mod_ssl
`SSL_CLIENT_KEY_EXP`	`-`	Not supported by mod_ssl
`SSL_CLIENT_KEY_ALGORITHM`	`-`	Not supported by mod_ssl
`SSL_CLIENT_KEY_SIZE`	`-`	Not supported by mod_ssl

Custom Log Functions

When mod_ssl is enabled, additional functions exist for the Custom Log Format of mod_log_config as documented in the Reference Chapter. Beside the ``%{varname}x'' eXtension format function which can be used to expand any variables provided by any module, an additional Cryptography ``%{name}c'' cryptography format function exists for backward compatibility. The currently implemented function calls are listed in Table 3.

Table 3: Custom Log Cryptography Function

Function Call	Description
`%...{version}c`	SSL protocol version
`%...{cipher}c`	SSL cipher
`%...{subjectdn}c`	Client Certificate Subject Distinguished Name
`%...{issuerdn}c`	Client Certificate Issuer Distinguished Name
`%...{errcode}c`	Certificate Verification Error (numerical)
`%...{errstr}c`	Certificate Verification Error (string)

Links:

https://httpd.apache.org/docs/2.4/en/ssl/ssl_compat.html

doc_apache_http_server

2017-02-05 05:04:34

Comments