SSL/TLS Strong Encryption: Compatibility
This page covers backwards compatibility between mod_ssl and other SSL solutions. mod_ssl is not the only SSL solution for Apache; four additional products are (or were) also available: Ben Laurie's freely available Apache-SSL (from which mod_ssl was originally derived in 1998), Red Hat's commercial Secure Web Server (based on mod_ssl), Covalent's commercial Raven SSL Module (also based on mod_ssl), and finally C2Net's (now Red Hat's) commercial product Stronghold (based on a different evolutionary branch, named Sioux up to Stronghold 2.x and based on mod_ssl since Stronghold 3.x).
mod_ssl mostly provides a superset of the functionality of all the other solutions, so it is simple to migrate from one of the older modules to mod_ssl. The configuration directives and environment variable names used by the older SSL solutions differ from those used in mod_ssl; mapping tables are included here to give the equivalents used by mod_ssl.
Configuration Directives
The mapping between the configuration directives used by Apache-SSL 1.x and mod_ssl 2.0.x is given in Table 1. The mapping from Sioux 1.x and Stronghold 2.x is only partial because of special functionality in those interfaces which mod_ssl does not provide.
Table 1: Configuration Directive Mapping
Old Directive | mod_ssl Directive | Comment |
---|---|---|
Apache-SSL 1.x & mod_ssl 2.0.x compatibility: | | |
SSLEnable | SSLEngine on | compactified |
SSLDisable | SSLEngine off | compactified |
SSLLogFile *file* | - | Use the per-module LogLevel setting instead. |
SSLRequiredCiphers *spec* | SSLCipherSuite *spec* | renamed |
SSLRequireCipher *c1* ... | SSLRequire %{SSL_CIPHER} in {"*c1*", ...} | generalized |
SSLBanCipher *c1* ... | SSLRequire not (%{SSL_CIPHER} in {"*c1*", ...}) | generalized |
SSLFakeBasicAuth | SSLOptions +FakeBasicAuth | merged |
SSLCacheServerPath *dir* | - | functionality removed |
SSLCacheServerPort *integer* | - | functionality removed |
Apache-SSL 1.x compatibility: | | |
SSLExportClientCertificates | SSLOptions +ExportCertData | merged |
SSLCacheServerRunDir *dir* | - | functionality not supported |
Sioux 1.x compatibility: | | |
SSL_CertFile *file* | SSLCertificateFile *file* | renamed |
SSL_KeyFile *file* | SSLCertificateKeyFile *file* | renamed |
SSL_CipherSuite *arg* | SSLCipherSuite *arg* | renamed |
SSL_X509VerifyDir *arg* | SSLCACertificatePath *arg* | renamed |
SSL_Log *file* | - | Use the per-module LogLevel setting instead. |
SSL_Connect *flag* | SSLEngine *flag* | renamed |
SSL_ClientAuth *arg* | SSLVerifyClient *arg* | renamed |
SSL_X509VerifyDepth *arg* | SSLVerifyDepth *arg* | renamed |
SSL_FetchKeyPhraseFrom *arg* | - | not directly mappable; use SSLPassPhraseDialog |
SSL_SessionDir *dir* | - | not directly mappable; use SSLSessionCache |
SSL_Require *expr* | - | not directly mappable; use SSLRequire |
SSL_CertFileType *arg* | - | functionality not supported |
SSL_KeyFileType *arg* | - | functionality not supported |
SSL_X509VerifyPolicy *arg* | - | functionality not supported |
SSL_LogX509Attributes *arg* | - | functionality not supported |
Stronghold 2.x compatibility: | | |
StrongholdAccelerator *engine* | SSLCryptoDevice *engine* | renamed |
StrongholdKey *dir* | - | functionality not needed |
StrongholdLicenseFile *dir* | - | functionality not needed |
SSLFlag *flag* | SSLEngine *flag* | renamed |
SSLSessionLockFile *file* | SSLMutex *file* | renamed |
SSLCipherList *spec* | SSLCipherSuite *spec* | renamed |
RequireSSL | SSLRequireSSL | renamed |
SSLErrorFile *file* | - | functionality not supported |
SSLRoot *dir* | - | functionality not supported |
SSL_CertificateLogDir *dir* | - | functionality not supported |
AuthCertDir *dir* | - | functionality not supported |
SSL_Group *name* | - | functionality not supported |
SSLProxyMachineCertPath *dir* | SSLProxyMachineCertificatePath *dir* | renamed |
SSLProxyMachineCertFile *file* | SSLProxyMachineCertificateFile *file* | renamed |
SSLProxyCipherList *spec* | SSLProxyCipherSpec *spec* | renamed |
Environment Variables
The mapping between the environment variable names used by the older SSL solutions and the names used by mod_ssl is given in Table 2.
Table 2: Environment Variable Derivation
Old Variable | mod_ssl Variable | Comment |
---|---|---|
SSL_PROTOCOL_VERSION | SSL_PROTOCOL | renamed |
SSLEAY_VERSION | SSL_VERSION_LIBRARY | renamed |
HTTPS_SECRETKEYSIZE | SSL_CIPHER_USEKEYSIZE | renamed |
HTTPS_KEYSIZE | SSL_CIPHER_ALGKEYSIZE | renamed |
HTTPS_CIPHER | SSL_CIPHER | renamed |
HTTPS_EXPORT | SSL_CIPHER_EXPORT | renamed |
SSL_SERVER_KEY_SIZE | SSL_CIPHER_ALGKEYSIZE | renamed |
SSL_SERVER_CERTIFICATE | SSL_SERVER_CERT | renamed |
SSL_SERVER_CERT_START | SSL_SERVER_V_START | renamed |
SSL_SERVER_CERT_END | SSL_SERVER_V_END | renamed |
SSL_SERVER_CERT_SERIAL | SSL_SERVER_M_SERIAL | renamed |
SSL_SERVER_SIGNATURE_ALGORITHM | SSL_SERVER_A_SIG | renamed |
SSL_SERVER_DN | SSL_SERVER_S_DN | renamed |
SSL_SERVER_CN | SSL_SERVER_S_DN_CN | renamed |
SSL_SERVER_EMAIL | SSL_SERVER_S_DN_Email | renamed |
SSL_SERVER_O | SSL_SERVER_S_DN_O | renamed |
SSL_SERVER_OU | SSL_SERVER_S_DN_OU | renamed |
SSL_SERVER_C | SSL_SERVER_S_DN_C | renamed |
SSL_SERVER_SP | SSL_SERVER_S_DN_SP | renamed |
SSL_SERVER_L | SSL_SERVER_S_DN_L | renamed |
SSL_SERVER_IDN | SSL_SERVER_I_DN | renamed |
SSL_SERVER_ICN | SSL_SERVER_I_DN_CN | renamed |
SSL_SERVER_IEMAIL | SSL_SERVER_I_DN_Email | renamed |
SSL_SERVER_IO | SSL_SERVER_I_DN_O | renamed |
SSL_SERVER_IOU | SSL_SERVER_I_DN_OU | renamed |
SSL_SERVER_IC | SSL_SERVER_I_DN_C | renamed |
SSL_SERVER_ISP | SSL_SERVER_I_DN_SP | renamed |
SSL_SERVER_IL | SSL_SERVER_I_DN_L | renamed |
SSL_CLIENT_CERTIFICATE | SSL_CLIENT_CERT | renamed |
SSL_CLIENT_CERT_START | SSL_CLIENT_V_START | renamed |
SSL_CLIENT_CERT_END | SSL_CLIENT_V_END | renamed |
SSL_CLIENT_CERT_SERIAL | SSL_CLIENT_M_SERIAL | renamed |
SSL_CLIENT_SIGNATURE_ALGORITHM | SSL_CLIENT_A_SIG | renamed |
SSL_CLIENT_DN | SSL_CLIENT_S_DN | renamed |
SSL_CLIENT_CN | SSL_CLIENT_S_DN_CN | renamed |
SSL_CLIENT_EMAIL | SSL_CLIENT_S_DN_Email | renamed |
SSL_CLIENT_O | SSL_CLIENT_S_DN_O | renamed |
SSL_CLIENT_OU | SSL_CLIENT_S_DN_OU | renamed |
SSL_CLIENT_C | SSL_CLIENT_S_DN_C | renamed |
SSL_CLIENT_SP | SSL_CLIENT_S_DN_SP | renamed |
SSL_CLIENT_L | SSL_CLIENT_S_DN_L | renamed |
SSL_CLIENT_IDN | SSL_CLIENT_I_DN | renamed |
SSL_CLIENT_ICN | SSL_CLIENT_I_DN_CN | renamed |
SSL_CLIENT_IEMAIL | SSL_CLIENT_I_DN_Email | renamed |
SSL_CLIENT_IO | SSL_CLIENT_I_DN_O | renamed |
SSL_CLIENT_IOU | SSL_CLIENT_I_DN_OU | renamed |
SSL_CLIENT_IC | SSL_CLIENT_I_DN_C | renamed |
SSL_CLIENT_ISP | SSL_CLIENT_I_DN_SP | renamed |
SSL_CLIENT_IL | SSL_CLIENT_I_DN_L | renamed |
SSL_EXPORT | SSL_CIPHER_EXPORT | renamed |
SSL_KEYSIZE | SSL_CIPHER_ALGKEYSIZE | renamed |
SSL_SECKEYSIZE | SSL_CIPHER_USEKEYSIZE | renamed |
SSL_SSLEAY_VERSION | SSL_VERSION_LIBRARY | renamed |
SSL_STRONG_CRYPTO | - | Not supported by mod_ssl |
SSL_SERVER_KEY_EXP | - | Not supported by mod_ssl |
SSL_SERVER_KEY_ALGORITHM | - | Not supported by mod_ssl |
SSL_SERVER_KEY_SIZE | - | Not supported by mod_ssl |
SSL_SERVER_SESSIONDIR | - | Not supported by mod_ssl |
SSL_SERVER_CERTIFICATELOGDIR | - | Not supported by mod_ssl |
SSL_SERVER_CERTFILE | - | Not supported by mod_ssl |
SSL_SERVER_KEYFILE | - | Not supported by mod_ssl |
SSL_SERVER_KEYFILETYPE | - | Not supported by mod_ssl |
SSL_CLIENT_KEY_EXP | - | Not supported by mod_ssl |
SSL_CLIENT_KEY_ALGORITHM | - | Not supported by mod_ssl |
SSL_CLIENT_KEY_SIZE | - | Not supported by mod_ssl |
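CGI scripts and SSI pages written against the old names in Table 2 keep running under mod_ssl if something derives those names from the mod_ssl variables. The module below is an added example for this page, not code from mod_ssl or any of the older products: it builds the legacy view of a request environment from Table 2, refuses to invent a value for the variables the table marks as not supported (SSL_STRONG_CRYPTO and the KEY_* group), and shows an access check in the style those scripts used, driven by HTTPS_SECRETKEYSIZE and HTTPS_EXPORT. The table lists SSL_SERVER_KEY_SIZE both as renamed and as unsupported; the example follows the rename row. MODSSL_ENV is a constructed environment standing in for os.environ under Apache; the DN and cipher values in it are illustrative.

```python
"""Legacy-name view of a mod_ssl request environment, derived from Table 2.

Added example, not part of the mod_ssl documentation. MODSSL_ENV is a
constructed environment; under Apache the real source would be os.environ."""

# Names mod_ssl cannot provide. They are deliberately absent from the derived
# environment so a script that gates on them fails closed instead of reading a guess.
UNSUPPORTED = {
    "SSL_STRONG_CRYPTO", "SSL_SERVER_KEY_EXP", "SSL_SERVER_KEY_ALGORITHM",
    "SSL_SERVER_SESSIONDIR", "SSL_SERVER_CERTIFICATELOGDIR", "SSL_SERVER_CERTFILE",
    "SSL_SERVER_KEYFILE", "SSL_SERVER_KEYFILETYPE", "SSL_CLIENT_KEY_EXP",
    "SSL_CLIENT_KEY_ALGORITHM", "SSL_CLIENT_KEY_SIZE",
}

# Connection-level renames (legacy name -> mod_ssl name).
LEGACY_TO_MODSSL = {
    "SSL_PROTOCOL_VERSION": "SSL_PROTOCOL",
    "SSLEAY_VERSION": "SSL_VERSION_LIBRARY",
    "SSL_SSLEAY_VERSION": "SSL_VERSION_LIBRARY",
    "HTTPS_SECRETKEYSIZE": "SSL_CIPHER_USEKEYSIZE",
    "SSL_SECKEYSIZE": "SSL_CIPHER_USEKEYSIZE",
    "HTTPS_KEYSIZE": "SSL_CIPHER_ALGKEYSIZE",
    "SSL_KEYSIZE": "SSL_CIPHER_ALGKEYSIZE",
    "SSL_SERVER_KEY_SIZE": "SSL_CIPHER_ALGKEYSIZE",
    "HTTPS_CIPHER": "SSL_CIPHER",
    "HTTPS_EXPORT": "SSL_CIPHER_EXPORT",
    "SSL_EXPORT": "SSL_CIPHER_EXPORT",
}

# Per-certificate renames follow one pattern for SERVER and CLIENT, so they are
# generated: subject fields become S_DN_*, issuer fields (old "I" prefix) I_DN_*.
_PER_CERT = {
    "CERTIFICATE": "CERT", "CERT_START": "V_START", "CERT_END": "V_END",
    "CERT_SERIAL": "M_SERIAL", "SIGNATURE_ALGORITHM": "A_SIG",
    "DN": "S_DN", "IDN": "I_DN",
}
for _part in ("CN", "EMAIL", "O", "OU", "C", "SP", "L"):
    _new = "Email" if _part == "EMAIL" else _part
    _PER_CERT[_part] = "S_DN_" + _new
    _PER_CERT["I" + _part] = "I_DN_" + _new
for _side in ("SERVER", "CLIENT"):
    for _old, _new in _PER_CERT.items():
        LEGACY_TO_MODSSL[f"SSL_{_side}_{_old}"] = f"SSL_{_side}_{_new}"


def legacy_lookup(environ, name):
    """Resolve a legacy (or current) variable name against a mod_ssl environment.
    Raises KeyError for unsupported names or values mod_ssl did not set."""
    if name in UNSUPPORTED:
        raise KeyError(f"{name} has no mod_ssl equivalent")
    return environ[LEGACY_TO_MODSSL.get(name, name)]


def legacy_environ(environ):
    """Return environ extended with every legacy name that can be derived from it."""
    out = dict(environ)
    for old, new in LEGACY_TO_MODSSL.items():
        if new in environ and old not in out:
            out[old] = environ[new]
    return out


def strong_cipher_in_use(environ, min_bits=128):
    """The check legacy scripts made with HTTPS_EXPORT / HTTPS_SECRETKEYSIZE,
    evaluated against the mod_ssl names through the same lookup."""
    if legacy_lookup(environ, "HTTPS_EXPORT") == "true":
        return False
    return int(legacy_lookup(environ, "HTTPS_SECRETKEYSIZE")) >= min_bits


# Constructed mod_ssl environment for one client-authenticated request.
MODSSL_ENV = {
    "SSL_PROTOCOL": "TLSv1.2",
    "SSL_VERSION_LIBRARY": "OpenSSL/1.1.1",
    "SSL_CIPHER": "ECDHE-RSA-AES256-GCM-SHA384",
    "SSL_CIPHER_EXPORT": "false",
    "SSL_CIPHER_USEKEYSIZE": "256",
    "SSL_CIPHER_ALGKEYSIZE": "256",
    "SSL_CLIENT_S_DN": "/C=US/O=Example Corp/CN=alice",
    "SSL_CLIENT_S_DN_CN": "alice",
    "SSL_CLIENT_I_DN_CN": "Example Corp Issuing CA",
    "SSL_CLIENT_V_END": "Dec 31 23:59:59 2025 GMT",
}

if __name__ == "__main__":
    for k, v in sorted(legacy_environ(MODSSL_ENV).items()):
        print(f"{k}={v}")
    print("strong cipher:", strong_cipher_in_use(MODSSL_ENV))
```

legacy_environ is what a wrapper around an old CGI would call before handing over control; legacy_lookup is the stricter form for code you can edit. Keeping the unsupported names out of the derived environment is the point of the example: an old script that tested SSL_STRONG_CRYPTO would otherwise see either nothing or a fabricated value, and neither is a safe basis for an authorization decision.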
Custom Log Functions
When mod_ssl is enabled, additional functions exist for the Custom Log Format of mod_log_config, as documented in the Reference Chapter. Besides the ``%{varname}x'' extension format function, which can be used to expand any variable provided by any module, an additional ``%{name}c'' cryptography format function exists for backward compatibility. The currently implemented function calls are listed in Table 3.
Table 3: Custom Log Cryptography Functions
Function Call | Description |
---|---|
%...{version}c | SSL protocol version |
%...{cipher}c | SSL cipher |
%...{subjectdn}c | Client certificate subject Distinguished Name |
%...{issuerdn}c | Client certificate issuer Distinguished Name |
%...{errcode}c | Certificate verification error (numerical) |
%...{errstr}c | Certificate verification error (string) |
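Logs written with the functions in Table 3 are useful beyond compatibility: errcode and errstr record client-certificate verification failures per request, and version and cipher record what each client negotiated. The parser below is an added example for this page, not part of mod_ssl or mod_log_config. It assumes a constructed LogFormat (hypothetical nickname sslcompat, shown in the comment) that places the six Table 3 fields after the usual host, time, request and status fields, and it treats "-" the way mod_log_config uses it, as "no value". The log lines in SAMPLE_LOG are constructed; their hosts, DNs and error text are illustrative.

```python
"""Parse access-log lines written with the %{...}c cryptography format
functions of Table 3 and report failed client-certificate verifications
and clients still negotiating legacy protocol versions.

Added example, not part of the mod_ssl documentation. The LogFormat in the
comment below and the lines in SAMPLE_LOG are constructed for illustration."""
import re

# Constructed LogFormat this parser expects (hypothetical nickname "sslcompat"):
#   LogFormat "%h %t \"%r\" %>s %{version}c %{cipher}c \"%{subjectdn}c\" \
#              %{errcode}c \"%{errstr}c\"" sslcompat
LOG_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<version>\S+) (?P<cipher>\S+) "(?P<subjectdn>[^"]*)" '
    r'(?P<errcode>\S+) "(?P<errstr>[^"]*)"$'
)

# Protocol versions a practitioner would want to see retired; general knowledge,
# not a list taken from this page.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample lines in the format above.
SAMPLE_LOG = [
    '192.0.2.10 [10/Oct/2023:13:55:36 +0000] "GET /secure/ HTTP/1.1" 200 '
    'TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "/CN=alice" - "-"',
    '192.0.2.11 [10/Oct/2023:13:56:01 +0000] "GET /secure/ HTTP/1.1" 403 '
    'TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "/CN=mallory" 10 "certificate has expired"',
    '192.0.2.12 [10/Oct/2023:13:57:12 +0000] "GET / HTTP/1.1" 200 '
    'TLSv1 AES128-SHA "-" - "-"',
    "not a log line at all",
]


def parse_line(line):
    """Return the line's fields as a dict, with "-" mapped to None; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key, value in rec.items():
        if value == "-":
            rec[key] = None
    return rec


def verification_failures(lines):
    """(host, subject DN, error string) for every request whose client
    certificate failed verification, i.e. errstr carries a value."""
    failures = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["errstr"] is not None:
            failures.append((rec["host"], rec["subjectdn"], rec["errstr"]))
    return failures


def legacy_protocol_clients(lines):
    """Sorted hosts that negotiated a protocol version in LEGACY_PROTOCOLS."""
    hosts = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["version"] in LEGACY_PROTOCOLS:
            hosts.add(rec["host"])
    return sorted(hosts)


if __name__ == "__main__":
    for host, dn, err in verification_failures(SAMPLE_LOG):
        print(f"verification failed: host={host} subject={dn} error={err}")
    print("legacy protocol clients:", legacy_protocol_clients(SAMPLE_LOG))
```

Unparseable lines are skipped rather than aborting the run, so the report still covers the lines that do match when a log mixes formats. The two report functions are the pieces worth wiring into a scheduled check: a burst of verification failures from one host, or a client that keeps appearing in the legacy-protocol list after a cipher or protocol policy change, are both things an operator wants surfaced.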