SSL/TLS Strong Encryption: Compatibility
This page covers backwards compatibility between mod_ssl and other SSL solutions. mod_ssl is not the only SSL solution for Apache; four additional products are (or were) also available: Ben Laurie's freely available Apache-SSL (from which mod_ssl was originally derived in 1998), Red Hat's commercial Secure Web Server (which was based on mod_ssl), Covalent's commercial Raven SSL Module (also based on mod_ssl) and finally C2Net's (now Red Hat's) commercial product Stronghold (based on a different evolution branch, named Sioux, up to Stronghold 2.x, and based on mod_ssl since Stronghold 3.x).
mod_ssl mostly provides a superset of the functionality of all the other solutions, so it's simple to migrate from one of the older modules to mod_ssl. The configuration directives and environment variable names used by the older SSL solutions vary from those used in mod_ssl; mapping tables are included here to give the equivalents used by mod_ssl.
Configuration Directives
The mapping between configuration directives used by Apache-SSL 1.x and mod_ssl 2.0.x is given in Table 1. The mapping from Sioux 1.x and Stronghold 2.x is only partial because of special functionality in these interfaces which mod_ssl doesn't provide.
Table 1: Configuration Directive Mapping
Old Directive | mod_ssl Directive | Comment |
---|---|---|
Apache-SSL 1.x & mod_ssl 2.0.x compatibility: | | |
SSLEnable | SSLEngine on | compactified |
SSLDisable | SSLEngine off | compactified |
SSLLogFile file | Use per-module LogLevel setting instead. | |
SSLRequiredCiphers spec | SSLCipherSuite spec | renamed |
SSLRequireCipher c1 ... | SSLRequire %{SSL_CIPHER} in {"c1", ...} | generalized |
SSLBanCipher c1 ... | SSLRequire not (%{SSL_CIPHER} in {"c1", ...}) | generalized |
SSLFakeBasicAuth | SSLOptions +FakeBasicAuth | merged |
SSLCacheServerPath dir | - | functionality removed |
SSLCacheServerPort integer | - | functionality removed |
Apache-SSL 1.x compatibility: | | |
SSLExportClientCertificates | SSLOptions +ExportCertData | merged |
SSLCacheServerRunDir dir | - | functionality not supported |
Sioux 1.x compatibility: | | |
SSL_CertFile file | SSLCertificateFile file | renamed |
SSL_KeyFile file | SSLCertificateKeyFile file | renamed |
SSL_CipherSuite arg | SSLCipherSuite arg | renamed |
SSL_X509VerifyDir arg | SSLCACertificatePath arg | renamed |
SSL_Log file | - | Use per-module LogLevel setting instead. |
SSL_Connect flag | SSLEngine flag | renamed |
SSL_ClientAuth arg | SSLVerifyClient arg | renamed |
SSL_X509VerifyDepth arg | SSLVerifyDepth arg | renamed |
SSL_FetchKeyPhraseFrom arg | - | not directly mappable; use SSLPassPhraseDialog |
SSL_SessionDir dir | - | not directly mappable; use SSLSessionCache |
SSL_Require expr | - | not directly mappable; use SSLRequire |
SSL_CertFileType arg | - | functionality not supported |
SSL_KeyFileType arg | - | functionality not supported |
SSL_X509VerifyPolicy arg | - | functionality not supported |
SSL_LogX509Attributes arg | - | functionality not supported |
Stronghold 2.x compatibility: | | |
StrongholdAccelerator engine | SSLCryptoDevice engine | renamed |
StrongholdKey dir | - | functionality not needed |
StrongholdLicenseFile dir | - | functionality not needed |
SSLFlag flag | SSLEngine flag | renamed |
SSLSessionLockFile file | SSLMutex file | renamed |
SSLCipherList spec | SSLCipherSuite spec | renamed |
RequireSSL | SSLRequireSSL | renamed |
SSLErrorFile file | - | functionality not supported |
SSLRoot dir | - | functionality not supported |
SSL_CertificateLogDir dir | - | functionality not supported |
AuthCertDir dir | - | functionality not supported |
SSL_Group name | - | functionality not supported |
SSLProxyMachineCertPath dir | SSLProxyMachineCertificatePath dir | renamed |
SSLProxyMachineCertFile file | SSLProxyMachineCertificateFile file | renamed |
SSLProxyCipherList spec | SSLProxyCipherSpec spec | renamed |
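As an added example (not part of the Apache documentation), the Python script below applies a subset of the Table 1 rows to a legacy configuration: renamed directives keep their arguments, SSLRequireCipher and SSLBanCipher become SSLRequire expressions, and directives without an equivalent are commented out and reported instead of being silently dropped. The function names, the REVIEW marker and the sample configuration are constructed for illustration.

```python
import re

def _ci(table):  # Apache directive names are case-insensitive
    return {k.lower(): v for k, v in table.items()}

# Subset of Table 1 rows; the remaining rows follow the same three shapes.
RENAMED = _ci({"SSLRequiredCiphers": "SSLCipherSuite", "SSL_CertFile": "SSLCertificateFile",
               "SSL_KeyFile": "SSLCertificateKeyFile", "SSL_ClientAuth": "SSLVerifyClient",
               "SSLCipherList": "SSLCipherSuite", "RequireSSL": "SSLRequireSSL"})
FIXED = _ci({"SSLEnable": "SSLEngine on", "SSLDisable": "SSLEngine off",
             "SSLFakeBasicAuth": "SSLOptions +FakeBasicAuth",
             "SSLExportClientCertificates": "SSLOptions +ExportCertData"})
NO_EQUIVALENT = _ci({"SSLCacheServerPort": "functionality removed",
                     "SSL_SessionDir": "not directly mappable; use SSLSessionCache",
                     "SSL_Require": "not directly mappable; use SSLRequire"})

def migrate_line(line):
    """Return (new_line, note); note is set when a human must review the result."""
    m = re.match(r"^(\s*)([A-Za-z_]\w*)(.*)$", line)
    if not m:                      # blank line, comment, or <Section> tag
        return line, None
    indent, name, rest = m.groups()
    key = name.lower()
    if key in RENAMED:             # arguments carry over unchanged
        return f"{indent}{RENAMED[key]}{rest}", None
    if key in FIXED:
        return f"{indent}{FIXED[key]}", None
    if key in ("sslrequirecipher", "sslbancipher"):   # "generalized" rows
        ciphers = ", ".join(f'"{c}"' for c in rest.split())
        expr = "%{SSL_CIPHER} in {" + ciphers + "}"
        if key == "sslbancipher":
            expr = f"not ({expr})"
        return f"{indent}SSLRequire {expr}", "cipher rule rewritten as SSLRequire"
    if key in NO_EQUIVALENT:       # keep the old line visible instead of dropping it
        return f"{indent}# REVIEW {line.strip()}", NO_EQUIVALENT[key]
    return line, None

def migrate(text):
    out, notes = [], []
    for number, line in enumerate(text.splitlines(), 1):
        new, note = migrate_line(line)
        out.append(new)
        if note:
            notes.append((number, note))
    return "\n".join(out), notes

# Constructed sample of a legacy configuration (not taken from a real server).
LEGACY = ("SSLEnable\nSSL_CertFile /etc/ssl/server.crt\n"
          "SSLBanCipher NULL-MD5 EXP-RC4-MD5\nSSLCacheServerPort 1234\nServerName www.example.com")
```

Calling `migrate(LEGACY)` returns the rewritten text together with a list of `(line_number, note)` pairs for the lines that need manual review.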
Environment Variables
The mapping between environment variable names used by the older SSL solutions and the names used by mod_ssl is given in Table 2.
Table 2: Environment Variable Derivation
Old Variable | mod_ssl Variable | Comment |
---|---|---|
SSL_PROTOCOL_VERSION | SSL_PROTOCOL | renamed |
SSLEAY_VERSION | SSL_VERSION_LIBRARY | renamed |
HTTPS_SECRETKEYSIZE | SSL_CIPHER_USEKEYSIZE | renamed |
HTTPS_KEYSIZE | SSL_CIPHER_ALGKEYSIZE | renamed |
HTTPS_CIPHER | SSL_CIPHER | renamed |
HTTPS_EXPORT | SSL_CIPHER_EXPORT | renamed |
SSL_SERVER_KEY_SIZE | SSL_CIPHER_ALGKEYSIZE | renamed |
SSL_SERVER_CERTIFICATE | SSL_SERVER_CERT | renamed |
SSL_SERVER_CERT_START | SSL_SERVER_V_START | renamed |
SSL_SERVER_CERT_END | SSL_SERVER_V_END | renamed |
SSL_SERVER_CERT_SERIAL | SSL_SERVER_M_SERIAL | renamed |
SSL_SERVER_SIGNATURE_ALGORITHM | SSL_SERVER_A_SIG | renamed |
SSL_SERVER_DN | SSL_SERVER_S_DN | renamed |
SSL_SERVER_CN | SSL_SERVER_S_DN_CN | renamed |
SSL_SERVER_EMAIL | SSL_SERVER_S_DN_Email | renamed |
SSL_SERVER_O | SSL_SERVER_S_DN_O | renamed |
SSL_SERVER_OU | SSL_SERVER_S_DN_OU | renamed |
SSL_SERVER_C | SSL_SERVER_S_DN_C | renamed |
SSL_SERVER_SP | SSL_SERVER_S_DN_SP | renamed |
SSL_SERVER_L | SSL_SERVER_S_DN_L | renamed |
SSL_SERVER_IDN | SSL_SERVER_I_DN | renamed |
SSL_SERVER_ICN | SSL_SERVER_I_DN_CN | renamed |
SSL_SERVER_IEMAIL | SSL_SERVER_I_DN_Email | renamed |
SSL_SERVER_IO | SSL_SERVER_I_DN_O | renamed |
SSL_SERVER_IOU | SSL_SERVER_I_DN_OU | renamed |
SSL_SERVER_IC | SSL_SERVER_I_DN_C | renamed |
SSL_SERVER_ISP | SSL_SERVER_I_DN_SP | renamed |
SSL_SERVER_IL | SSL_SERVER_I_DN_L | renamed |
SSL_CLIENT_CERTIFICATE | SSL_CLIENT_CERT | renamed |
SSL_CLIENT_CERT_START | SSL_CLIENT_V_START | renamed |
SSL_CLIENT_CERT_END | SSL_CLIENT_V_END | renamed |
SSL_CLIENT_CERT_SERIAL | SSL_CLIENT_M_SERIAL | renamed |
SSL_CLIENT_SIGNATURE_ALGORITHM | SSL_CLIENT_A_SIG | renamed |
SSL_CLIENT_DN | SSL_CLIENT_S_DN | renamed |
SSL_CLIENT_CN | SSL_CLIENT_S_DN_CN | renamed |
SSL_CLIENT_EMAIL | SSL_CLIENT_S_DN_Email | renamed |
SSL_CLIENT_O | SSL_CLIENT_S_DN_O | renamed |
SSL_CLIENT_OU | SSL_CLIENT_S_DN_OU | renamed |
SSL_CLIENT_C | SSL_CLIENT_S_DN_C | renamed |
SSL_CLIENT_SP | SSL_CLIENT_S_DN_SP | renamed |
SSL_CLIENT_L | SSL_CLIENT_S_DN_L | renamed |
SSL_CLIENT_IDN | SSL_CLIENT_I_DN | renamed |
SSL_CLIENT_ICN | SSL_CLIENT_I_DN_CN | renamed |
SSL_CLIENT_IEMAIL | SSL_CLIENT_I_DN_Email | renamed |
SSL_CLIENT_IO | SSL_CLIENT_I_DN_O | renamed |
SSL_CLIENT_IOU | SSL_CLIENT_I_DN_OU | renamed |
SSL_CLIENT_IC | SSL_CLIENT_I_DN_C | renamed |
SSL_CLIENT_ISP | SSL_CLIENT_I_DN_SP | renamed |
SSL_CLIENT_IL | SSL_CLIENT_I_DN_L | renamed |
SSL_EXPORT | SSL_CIPHER_EXPORT | renamed |
SSL_KEYSIZE | SSL_CIPHER_ALGKEYSIZE | renamed |
SSL_SECKEYSIZE | SSL_CIPHER_USEKEYSIZE | renamed |
SSL_SSLEAY_VERSION | SSL_VERSION_LIBRARY | renamed |
SSL_STRONG_CRYPTO | - | Not supported by mod_ssl |
SSL_SERVER_KEY_EXP | - | Not supported by mod_ssl |
SSL_SERVER_KEY_ALGORITHM | - | Not supported by mod_ssl |
SSL_SERVER_KEY_SIZE | - | Not supported by mod_ssl |
SSL_SERVER_SESSIONDIR | - | Not supported by mod_ssl |
SSL_SERVER_CERTIFICATELOGDIR | - | Not supported by mod_ssl |
SSL_SERVER_CERTFILE | - | Not supported by mod_ssl |
SSL_SERVER_KEYFILE | - | Not supported by mod_ssl |
SSL_SERVER_KEYFILETYPE | - | Not supported by mod_ssl |
SSL_CLIENT_KEY_EXP | - | Not supported by mod_ssl |
SSL_CLIENT_KEY_ALGORITHM | - | Not supported by mod_ssl |
SSL_CLIENT_KEY_SIZE | - | Not supported by mod_ssl |
Custom Log Functions
When mod_ssl is enabled, additional functions exist for the Custom Log Format of mod_log_config, as documented in the Reference Chapter. Besides the ``%{varname}x'' eXtension format function, which can be used to expand any variable provided by any module, an additional ``%{name}c'' cryptography format function exists for backward compatibility. The currently implemented function calls are listed in Table 3.
Table 3: Custom Log Cryptography Function
Function Call | Description |
---|---|
%...{version}c | SSL protocol version |
%...{cipher}c | SSL cipher |
%...{subjectdn}c | Client Certificate Subject Distinguished Name |
%...{issuerdn}c | Client Certificate Issuer Distinguished Name |
%...{errcode}c | Certificate Verification Error (numerical) |
%...{errstr}c | Certificate Verification Error (string) |
© 2018 The Apache Software Foundation
Licensed under the Apache License, Version 2.0.
https://httpd.apache.org/docs/2.4/en/ssl/ssl_compat.html