SSL/TLS Strong Encryption: Compatibility

SSL/TLS Strong Encryption: Compatibility

This page covers backwards compatibility between mod_ssl and other SSL solutions. mod_ssl is not the only SSL solution for Apache; four additional products are (or were) also available: Ben Laurie's freely available Apache-SSL (from where mod_ssl were originally derived in 1998), Red Hat's commercial Secure Web Server (which was based on mod_ssl), Covalent's commercial Raven SSL Module (also based on mod_ssl) and finally C2Net's (now Red Hat's) commercial product Stronghold (based on a different evolution branch, named Sioux up to Stronghold 2.x, and based on mod_ssl since Stronghold 3.x).

mod_ssl mostly provides a superset of the functionality of all the other solutions, so it's simple to migrate from one of the older modules to mod_ssl. The configuration directives and environment variable names used by the older SSL solutions vary from those used in mod_ssl; mapping tables are included here to give the equivalents used by mod_ssl.

Configuration Directives

The mapping between configuration directives used by Apache-SSL 1.x and mod_ssl 2.0.x is given in Table 1. The mapping from Sioux 1.x and Stronghold 2.x is only partial because of special functionality in these interfaces which mod_ssl doesn't provide.

Table 1: Configuration Directive Mapping

Old Directive mod_ssl Directive Comment
Apache-SSL 1.x & mod_ssl 2.0.x compatibility:
SSLEnable
SSLEngine on
compactified
SSLDisable
SSLEngine off
compactified
SSLLogFile file Use per-module LogLevel setting instead.
SSLRequiredCiphers spec SSLCipherSuite spec renamed
SSLRequireCipher c1 ... SSLRequire %{SSL_CIPHER} in {"c1", ...} generalized
SSLBanCipher c1 ... SSLRequire not (%{SSL_CIPHER} in {"c1", ...}) generalized
SSLFakeBasicAuth
SSLOptions +FakeBasicAuth
merged
SSLCacheServerPath dir - functionality removed
SSLCacheServerPort integer - functionality removed
Apache-SSL 1.x compatibility:
SSLExportClientCertificates
SSLOptions +ExportCertData
merged
SSLCacheServerRunDir dir - functionality not supported
Sioux 1.x compatibility:
SSL_CertFile file SSLCertificateFile file renamed
SSL_KeyFile file SSLCertificateKeyFile file renamed
SSL_CipherSuite arg SSLCipherSuite arg renamed
SSL_X509VerifyDir arg SSLCACertificatePath arg renamed
SSL_Log file - Use per-module LogLevel setting instead.
SSL_Connect flag SSLEngine flag renamed
SSL_ClientAuth arg SSLVerifyClient arg renamed
SSL_X509VerifyDepth arg SSLVerifyDepth arg renamed
SSL_FetchKeyPhraseFrom arg - not directly mappable; use SSLPassPhraseDialog
SSL_SessionDir dir - not directly mappable; use SSLSessionCache
SSL_Require expr - not directly mappable; use SSLRequire
SSL_CertFileType arg - functionality not supported
SSL_KeyFileType arg - functionality not supported
SSL_X509VerifyPolicy arg - functionality not supported
SSL_LogX509Attributes arg - functionality not supported
Stronghold 2.x compatibility:
StrongholdAccelerator engine SSLCryptoDevice engine renamed
StrongholdKey dir - functionality not needed
StrongholdLicenseFile dir - functionality not needed
SSLFlag flag SSLEngine flag renamed
SSLSessionLockFile file SSLMutex file renamed
SSLCipherList spec SSLCipherSuite spec renamed
RequireSSL SSLRequireSSL renamed
SSLErrorFile file - functionality not supported
SSLRoot dir - functionality not supported
SSL_CertificateLogDir dir - functionality not supported
AuthCertDir dir - functionality not supported
SSL_Group name - functionality not supported
SSLProxyMachineCertPath dir SSLProxyMachineCertificatePath dir renamed
SSLProxyMachineCertFile file SSLProxyMachineCertificateFile file renamed
SSLProxyCipherList spec SSLProxyCipherSpec spec renamed

Environment Variables

The mapping between environment variable names used by the older SSL solutions and the names used by mod_ssl is given in Table 2.

Table 2: Environment Variable Derivation

Old Variable mod_ssl Variable Comment
SSL_PROTOCOL_VERSION SSL_PROTOCOL renamed
SSLEAY_VERSION SSL_VERSION_LIBRARY renamed
HTTPS_SECRETKEYSIZE SSL_CIPHER_USEKEYSIZE renamed
HTTPS_KEYSIZE SSL_CIPHER_ALGKEYSIZE renamed
HTTPS_CIPHER SSL_CIPHER renamed
HTTPS_EXPORT SSL_CIPHER_EXPORT renamed
SSL_SERVER_KEY_SIZE SSL_CIPHER_ALGKEYSIZE renamed
SSL_SERVER_CERTIFICATE SSL_SERVER_CERT renamed
SSL_SERVER_CERT_START SSL_SERVER_V_START renamed
SSL_SERVER_CERT_END SSL_SERVER_V_END renamed
SSL_SERVER_CERT_SERIAL SSL_SERVER_M_SERIAL renamed
SSL_SERVER_SIGNATURE_ALGORITHM SSL_SERVER_A_SIG renamed
SSL_SERVER_DN SSL_SERVER_S_DN renamed
SSL_SERVER_CN SSL_SERVER_S_DN_CN renamed
SSL_SERVER_EMAIL SSL_SERVER_S_DN_Email renamed
SSL_SERVER_O SSL_SERVER_S_DN_O renamed
SSL_SERVER_OU SSL_SERVER_S_DN_OU renamed
SSL_SERVER_C SSL_SERVER_S_DN_C renamed
SSL_SERVER_SP SSL_SERVER_S_DN_SP renamed
SSL_SERVER_L SSL_SERVER_S_DN_L renamed
SSL_SERVER_IDN SSL_SERVER_I_DN renamed
SSL_SERVER_ICN SSL_SERVER_I_DN_CN renamed
SSL_SERVER_IEMAIL SSL_SERVER_I_DN_Email renamed
SSL_SERVER_IO SSL_SERVER_I_DN_O renamed
SSL_SERVER_IOU SSL_SERVER_I_DN_OU renamed
SSL_SERVER_IC SSL_SERVER_I_DN_C renamed
SSL_SERVER_ISP SSL_SERVER_I_DN_SP renamed
SSL_SERVER_IL SSL_SERVER_I_DN_L renamed
SSL_CLIENT_CERTIFICATE SSL_CLIENT_CERT renamed
SSL_CLIENT_CERT_START SSL_CLIENT_V_START renamed
SSL_CLIENT_CERT_END SSL_CLIENT_V_END renamed
SSL_CLIENT_CERT_SERIAL SSL_CLIENT_M_SERIAL renamed
SSL_CLIENT_SIGNATURE_ALGORITHM SSL_CLIENT_A_SIG renamed
SSL_CLIENT_DN SSL_CLIENT_S_DN renamed
SSL_CLIENT_CN SSL_CLIENT_S_DN_CN renamed
SSL_CLIENT_EMAIL SSL_CLIENT_S_DN_Email renamed
SSL_CLIENT_O SSL_CLIENT_S_DN_O renamed
SSL_CLIENT_OU SSL_CLIENT_S_DN_OU renamed
SSL_CLIENT_C SSL_CLIENT_S_DN_C renamed
SSL_CLIENT_SP SSL_CLIENT_S_DN_SP renamed
SSL_CLIENT_L SSL_CLIENT_S_DN_L renamed
SSL_CLIENT_IDN SSL_CLIENT_I_DN renamed
SSL_CLIENT_ICN SSL_CLIENT_I_DN_CN renamed
SSL_CLIENT_IEMAIL SSL_CLIENT_I_DN_Email renamed
SSL_CLIENT_IO SSL_CLIENT_I_DN_O renamed
SSL_CLIENT_IOU SSL_CLIENT_I_DN_OU renamed
SSL_CLIENT_IC SSL_CLIENT_I_DN_C renamed
SSL_CLIENT_ISP SSL_CLIENT_I_DN_SP renamed
SSL_CLIENT_IL SSL_CLIENT_I_DN_L renamed
SSL_EXPORT SSL_CIPHER_EXPORT renamed
SSL_KEYSIZE SSL_CIPHER_ALGKEYSIZE renamed
SSL_SECKEYSIZE SSL_CIPHER_USEKEYSIZE renamed
SSL_SSLEAY_VERSION SSL_VERSION_LIBRARY renamed
SSL_STRONG_CRYPTO - Not supported by mod_ssl
SSL_SERVER_KEY_EXP - Not supported by mod_ssl
SSL_SERVER_KEY_ALGORITHM - Not supported by mod_ssl
SSL_SERVER_KEY_SIZE - Not supported by mod_ssl
SSL_SERVER_SESSIONDIR - Not supported by mod_ssl
SSL_SERVER_CERTIFICATELOGDIR - Not supported by mod_ssl
SSL_SERVER_CERTFILE - Not supported by mod_ssl
SSL_SERVER_KEYFILE - Not supported by mod_ssl
SSL_SERVER_KEYFILETYPE - Not supported by mod_ssl
SSL_CLIENT_KEY_EXP - Not supported by mod_ssl
SSL_CLIENT_KEY_ALGORITHM - Not supported by mod_ssl
SSL_CLIENT_KEY_SIZE - Not supported by mod_ssl

Custom Log Functions

When mod_ssl is enabled, additional functions exist for the Custom Log Format of mod_log_config as documented in the Reference Chapter. Beside the ``%{varname}x'' eXtension format function which can be used to expand any variables provided by any module, an additional Cryptography ``%{name}c'' cryptography format function exists for backward compatibility. The currently implemented function calls are listed in Table 3.

Table 3: Custom Log Cryptography Function

Function Call Description
%...{version}c SSL protocol version
%...{cipher}c SSL cipher
%...{subjectdn}c Client Certificate Subject Distinguished Name
%...{issuerdn}c Client Certificate Issuer Distinguished Name
%...{errcode}c Certificate Verification Error (numerical)
%...{errstr}c Certificate Verification Error (string)
doc_apache_http_server
2017-02-05 05:04:34
Comments
Leave a Comment

Please login to continue.