SSL/TLS 强加密:兼容性
本页涵盖了 mod_ssl 与其他 SSL 解决方案之间的向后兼容性。 mod_ssl 并不是 Apache 唯一的 SSL 解决方案;还有(或曾经提供)另外四个产品:Ben Laurie 的免费提供的Apache-SSL(最初是 mod_ssl 的来源,1998 年从那里获得),Red Hat 的商业 Secure Web Server(基于 mod_ssl),Covalent 的商业 Raven SSL 模块(也基于 mod_ssl),最后是 C2Net(现在是 Red Hat)的商业产品Stronghold(基于一个不同的演进分支,从 Stronghold 2.x 开始命名为 Sioux,从 Stronghold 3.x 开始基于 mod_ssl)。
mod_ssl 主要提供所有其他解决方案功能的超集,因此很容易从较旧的模块之一迁移到 mod_ssl。较早的 SSL 解决方案使用的配置指令和环境变量名称与 mod_ssl 中使用的配置指令和环境变量名称不同;此处包含 Map 表,以提供 mod_ssl 使用的等效表。
Configuration Directives
Table 1给出了 Apache-SSL 1.x 和 mod_ssl 2.0.x 使用的配置指令之间的 Map。由于这些接口中的特殊功能(mod_ssl 不提供),因此 Sioux 1.x 和 Stronghold 2.x 的 Map 仅是部分的。
表 1:配置指令 Map
| Old Directive | mod_ssl Directive | Comment |
|---|---|---|
| Apache-SSL 1.x 和 mod_ssl 2.0.x 兼容性: | ||
SSLEnable | SSLEngine on | compactified |
SSLDisable | SSLEngine off | compactified |
SSLLogFile 文件 | `` | 而是使用按模块的LogLevel设置。 |
SSLRequiredCiphers 规格 | SSLCipherSuite 规格 | renamed |
SSLRequireCipher * c1 * ... | SSLRequire %{SSL_CIPHER} in {" * c1 * ", ...} | generalized |
SSLBanCipher * c1 * ... | SSLRequire not (%{SSL_CIPHER} in {" * c1 * ", ...}) | generalized |
SSLFakeBasicAuth | SSLOptions +FakeBasicAuth | merged |
SSLCacheServerPath * dir * | - | functionality removed |
SSLCacheServerPort 整数 | - | functionality removed |
| Apache-SSL 1.x 兼容性: | ||
SSLExportClientCertificates | SSLOptions +ExportCertData | merged |
SSLCacheServerRunDir * dir * | - | 不支持的功能 |
| Sioux 1.x 兼容性: | ||
SSL_CertFile 文件 | SSLCertificateFile 文件 | renamed |
SSL_KeyFile 文件 | SSLCertificateKeyFile 文件 | renamed |
SSL_CipherSuite * arg * | SSLCipherSuite * arg * | renamed |
SSL_X509VerifyDir * arg * | SSLCACertificatePath * arg * | renamed |
SSL_Log 文件 | - | 而是使用按模块的LogLevel设置。 |
SSL_Connect 标志 | SSLEngine 标志 | renamed |
SSL_ClientAuth * arg * | SSLVerifyClient * arg * | renamed |
SSL_X509VerifyDepth * arg * | SSLVerifyDepth * arg * | renamed |
SSL_FetchKeyPhraseFrom * arg * | - | 不可直接 Map;使用 SSLPassPhraseDialog |
SSL_SessionDir * dir * | - | 不可直接 Map;使用 SSLSessionCache |
SSL_Require * expr * | - | 不可直接 Map;使用 SSLRequire |
SSL_CertFileType * arg * | - | 不支持的功能 |
SSL_KeyFileType * arg * | - | 不支持的功能 |
SSL_X509VerifyPolicy * arg * | - | 不支持的功能 |
SSL_LogX509Attributes * arg * | - | 不支持的功能 |
| 要塞 2.x 兼容性: | ||
StrongholdAccelerator 引擎 | SSLCryptoDevice 引擎 | renamed |
StrongholdKey * dir * | - | 不需要功能 |
StrongholdLicenseFile * dir * | - | 不需要功能 |
SSLFlag 标志 | SSLEngine 标志 | renamed |
SSLSessionLockFile 文件 | SSLMutex 文件 | renamed |
SSLCipherList 规格 | SSLCipherSuite 规格 | renamed |
RequireSSL | SSLRequireSSL | renamed |
SSLErrorFile 文件 | - | 不支持的功能 |
SSLRoot * dir * | - | 不支持的功能 |
SSL_CertificateLogDir * dir * | - | 不支持的功能 |
AuthCertDir * dir * | - | 不支持的功能 |
SSL_Group 名称 | - | 不支持的功能 |
SSLProxyMachineCertPath * dir * | SSLProxyMachineCertificatePath * dir * | renamed |
SSLProxyMachineCertFile 文件 | SSLProxyMachineCertificateFile 文件 | renamed |
SSLProxyCipherList 规格 | SSLProxyCipherSpec 规格 | renamed |
Environment Variables
较旧的 SSL 解决方案使用的环境变量名称与 mod_ssl 使用的名称之间的 Map 在Table 2中给出。
表 2:环境变量推导
| Old Variable | mod_ssl Variable | Comment |
|---|---|---|
SSL_PROTOCOL_VERSION | SSL_PROTOCOL | renamed |
SSLEAY_VERSION | SSL_VERSION_LIBRARY | renamed |
HTTPS_SECRETKEYSIZE | SSL_CIPHER_USEKEYSIZE | renamed |
HTTPS_KEYSIZE | SSL_CIPHER_ALGKEYSIZE | renamed |
HTTPS_CIPHER | SSL_CIPHER | renamed |
HTTPS_EXPORT | SSL_CIPHER_EXPORT | renamed |
SSL_SERVER_KEY_SIZE | SSL_CIPHER_ALGKEYSIZE | renamed |
SSL_SERVER_CERTIFICATE | SSL_SERVER_CERT | renamed |
SSL_SERVER_CERT_START | SSL_SERVER_V_START | renamed |
SSL_SERVER_CERT_END | SSL_SERVER_V_END | renamed |
SSL_SERVER_CERT_SERIAL | SSL_SERVER_M_SERIAL | renamed |
SSL_SERVER_SIGNATURE_ALGORITHM | SSL_SERVER_A_SIG | renamed |
SSL_SERVER_DN | SSL_SERVER_S_DN | renamed |
SSL_SERVER_CN | SSL_SERVER_S_DN_CN | renamed |
SSL_SERVER_EMAIL | SSL_SERVER_S_DN_Email | renamed |
SSL_SERVER_O | SSL_SERVER_S_DN_O | renamed |
SSL_SERVER_OU | SSL_SERVER_S_DN_OU | renamed |
SSL_SERVER_C | SSL_SERVER_S_DN_C | renamed |
SSL_SERVER_SP | SSL_SERVER_S_DN_SP | renamed |
SSL_SERVER_L | SSL_SERVER_S_DN_L | renamed |
SSL_SERVER_IDN | SSL_SERVER_I_DN | renamed |
SSL_SERVER_ICN | SSL_SERVER_I_DN_CN | renamed |
SSL_SERVER_IEMAIL | SSL_SERVER_I_DN_Email | renamed |
SSL_SERVER_IO | SSL_SERVER_I_DN_O | renamed |
SSL_SERVER_IOU | SSL_SERVER_I_DN_OU | renamed |
SSL_SERVER_IC | SSL_SERVER_I_DN_C | renamed |
SSL_SERVER_ISP | SSL_SERVER_I_DN_SP | renamed |
SSL_SERVER_IL | SSL_SERVER_I_DN_L | renamed |
SSL_CLIENT_CERTIFICATE | SSL_CLIENT_CERT | renamed |
SSL_CLIENT_CERT_START | SSL_CLIENT_V_START | renamed |
SSL_CLIENT_CERT_END | SSL_CLIENT_V_END | renamed |
SSL_CLIENT_CERT_SERIAL | SSL_CLIENT_M_SERIAL | renamed |
SSL_CLIENT_SIGNATURE_ALGORITHM | SSL_CLIENT_A_SIG | renamed |
SSL_CLIENT_DN | SSL_CLIENT_S_DN | renamed |
SSL_CLIENT_CN | SSL_CLIENT_S_DN_CN | renamed |
SSL_CLIENT_EMAIL | SSL_CLIENT_S_DN_Email | renamed |
SSL_CLIENT_O | SSL_CLIENT_S_DN_O | renamed |
SSL_CLIENT_OU | SSL_CLIENT_S_DN_OU | renamed |
SSL_CLIENT_C | SSL_CLIENT_S_DN_C | renamed |
SSL_CLIENT_SP | SSL_CLIENT_S_DN_SP | renamed |
SSL_CLIENT_L | SSL_CLIENT_S_DN_L | renamed |
SSL_CLIENT_IDN | SSL_CLIENT_I_DN | renamed |
SSL_CLIENT_ICN | SSL_CLIENT_I_DN_CN | renamed |
SSL_CLIENT_IEMAIL | SSL_CLIENT_I_DN_Email | renamed |
SSL_CLIENT_IO | SSL_CLIENT_I_DN_O | renamed |
SSL_CLIENT_IOU | SSL_CLIENT_I_DN_OU | renamed |
SSL_CLIENT_IC | SSL_CLIENT_I_DN_C | renamed |
SSL_CLIENT_ISP | SSL_CLIENT_I_DN_SP | renamed |
SSL_CLIENT_IL | SSL_CLIENT_I_DN_L | renamed |
SSL_EXPORT | SSL_CIPHER_EXPORT | renamed |
SSL_KEYSIZE | SSL_CIPHER_ALGKEYSIZE | renamed |
SSL_SECKEYSIZE | SSL_CIPHER_USEKEYSIZE | renamed |
SSL_SSLEAY_VERSION | SSL_VERSION_LIBRARY | renamed |
SSL_STRONG_CRYPTO | - | mod_ssl 不支持 |
SSL_SERVER_KEY_EXP | - | mod_ssl 不支持 |
SSL_SERVER_KEY_ALGORITHM | - | mod_ssl 不支持 |
SSL_SERVER_KEY_SIZE | - | mod_ssl 不支持 |
SSL_SERVER_SESSIONDIR | - | mod_ssl 不支持 |
SSL_SERVER_CERTIFICATELOGDIR | - | mod_ssl 不支持 |
SSL_SERVER_CERTFILE | - | mod_ssl 不支持 |
SSL_SERVER_KEYFILE | - | mod_ssl 不支持 |
SSL_SERVER_KEYFILETYPE | - | mod_ssl 不支持 |
SSL_CLIENT_KEY_EXP | - | mod_ssl 不支持 |
SSL_CLIENT_KEY_ALGORITHM | - | mod_ssl 不支持 |
SSL_CLIENT_KEY_SIZE | - | mod_ssl 不支持 |
自定义日志功能
启用 mod_ssl 时,如参考章节中所述,mod_log_config的自定义日志格式存在附加功能。除了可以用于扩展任何模块提供的任何变量的``````+215+``+216+`''加密格式功能,用于向后兼容。当前实现的函数调用在Table 3中列出。
表 3:自定义日志密码功能
| Function Call | Description |
|---|---|
%...{version}c | SSL 协议版本 |
%...{cipher}c | SSL cipher |
%...{subjectdn}c | Client 证书主题专有名称 |
%...{issuerdn}c | Client 证书颁发者的专有名称 |
%...{errcode}c | 证书验证错误(数字) |
%...{errstr}c | 证书验证错误(字符串) |
