Posted to cvs@httpd.apache.org by rj...@apache.org on 2015/06/01 17:00:13 UTC

svn commit: r1682923 - in /httpd/httpd/trunk/docs/manual: mod/mod_ssl.xml ssl/ssl_faq.xml

Author: rjung
Date: Mon Jun  1 15:00:13 2015
New Revision: 1682923

URL: http://svn.apache.org/r1682923
Log:
Try to clarify extended uses of SSLCertificateFile.

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
    httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1682923&r1=1682922&r2=1682923&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Mon Jun  1 15:00:13 2015
@@ -817,35 +817,44 @@ SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MED
 <p>
 This directive points to a file with certificate data in PEM format.
 At a minimum, the file must include an end-entity (leaf) certificate.
-Beginning with version 2.4.8, it may also include intermediate CA
-certificates, sorted from leaf to root, and obsoletes
-<directive module="mod_ssl">SSLCertificateChainFile</directive>.
+The directive can be used multiple times (referencing different filenames)
+to support multiple algorithms for server authentication - typically
+RSA, DSA, and ECC. The number of supported algorithms depends on the
+OpenSSL version being used for mod_ssl: with version 1.0.0 or later,
+<code>openssl list-public-key-algorithms</code> will output a list
+of supported algorithms.
 </p>
 
 <p>
-Additional optional elements are DH parameters and/or an EC curve name
-for ephemeral keys, as generated by <code>openssl dhparam</code> and
-<code>openssl ecparam</code>, respectively (supported in version 2.4.7
-or later) and finally, the end-entity certificate's private key.
-If the private key is encrypted, the pass phrase dialog is forced
-at startup time.</p>
+The files may also include intermediate CA certificates, sorted from
+leaf to root. This is supported with version 2.4.8 and later,
+and obsoletes <directive module="mod_ssl">SSLCertificateChainFile</directive>.
+When running with OpenSSL 1.0.2 or later, this allows
+to configure the intermediate CA chain on a per-certificate basis.
+</p>
 
 <p>
-This directive can be used multiple times (referencing different filenames)
-to support multiple algorithms for server authentication - typically
-RSA, DSA, and ECC. The number of supported algorithms depends on the
-OpenSSL version being used for mod_ssl: with version 1.0.0 or later,
-<code>openssl list-public-key-algorithms</code> will output a list
-of supported algorithms.</p>
+Custom DH parameters and an EC curve name for ephemeral keys,
+can also be added to end of the first file configured using
+<directive module="mod_ssl">SSLCertificateChainFile</directive>.
+This is supported in version 2.4.7 or later.
+Such parameters can be generated using the commands
+<code>openssl dhparam</code> and <code>openssl ecparam</code>.
+The parameters can be added as-is to the end of the first
+certificate file. Only the first file can be used for custom
+parameters, as they are applied independently of the authentication
+algorithm type.
+</p>
 
 <p>
-When running with OpenSSL 1.0.2 or later, this directive allows
-to configure the intermediate CA chain on a per-certificate basis,
-which removes a limitation of the (now obsolete)
-<directive module="mod_ssl">SSLCertificateChainFile</directive> directive.
-DH and ECDH parameters, however, are only read from the first
-<directive>SSLCertificateFile</directive> directive, as they
-are applied independently of the authentication algorithm type.</p>
+Finally the the end-entity certificate's private key can also be
+added to the certificate file instead of using a separate
+<directive module="mod_ssl">SSLCertificateKeyFile</directive>
+directive. This practice is highly discouraged. If it is used,
+the certificate files using such an embedded key must be configured
+after the certificates using a separate key file. If the private
+key is encrypted, the pass phrase dialog is forced at startup time.
+</p>
 
 <note>
 <title>DH parameter interoperability with primes > 1024 bit</title>
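Review bot: The new "Custom DH parameters" paragraph names the wrong directive: it says the parameters are appended to the first file configured with SSLCertificateChainFile, but the paragraph just above declares that directive obsolete, and the ssl_faq.xml change in this same commit tells readers to append them to the first SSLCertificateFile. Change `<directive module="mod_ssl">SSLCertificateChainFile</directive>` in that sentence to `<directive module="mod_ssl">SSLCertificateFile</directive>`. The same paragraph also says twice that the parameters go at the end of the first file ("can also be added to end of the first file configured" and "The parameters can be added as-is to the end of the first certificate file"); keep one of the two and fix "added to end of" to "added to the end of". Two smaller wording issues: "Finally the the end-entity certificate's private key" has a doubled "the", and "this allows to configure the intermediate CA chain" in the intermediate-CA paragraph reads better as "this allows the intermediate CA chain to be configured".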
@@ -881,9 +890,7 @@ SSLCertificateFile /usr/local/apache2/co
 <usage>
 <p>
 This directive points to the PEM-encoded private key file for the
-server (the private key may also be combined with the certificate in the
-<directive module="mod_ssl">SSLCertificateFile</directive>, but this practice
-is discouraged). If the contained private key is encrypted, the pass phrase
+server. If the contained private key is encrypted, the pass phrase
 dialog is forced at startup time.</p>
 
 <p>
@@ -893,6 +900,13 @@ to support multiple algorithms for serve
 directive, there must be a matching <directive>SSLCertificateFile</directive>
 directive.</p>
 
+<p>
+The private key may also be combined with the certificate in the file given by
+<directive module="mod_ssl">SSLCertificateFile</directive>, but this practice
+is highly discouraged. If it is used, the certificate files using such
+an embedded key must be configured after the certificates using a separate
+key file.</p>
+
 <example><title>Example</title>
 <highlight language="config">
 SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
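Review bot: The new paragraph states the ordering rule ("must be configured after the certificates using a separate key file") without saying what goes wrong when it is violated, and calls the embedded-key practice "highly discouraged" without giving the reason; one sentence on each would let an administrator judge the rule instead of following it blindly. The paragraph is also a near-verbatim copy of the sentence added to the SSLCertificateFile description in the previous hunk; consider keeping the full explanation in one place and having the other location cross-reference it with a <directive> link, so the two do not drift apart in later edits.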

Modified: httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml?rev=1682923&r1=1682922&r2=1682923&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml (original)
+++ httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml Mon Jun  1 15:00:13 2015
@@ -757,20 +757,22 @@ SetEnvIf User-Agent "MSIE [2-5]" \
     or higher), you can either rearrange mod_ssl's cipher list with
     <directive module="mod_ssl">SSLCipherSuite</directive>
     (possibly in conjunction with <directive module="mod_ssl">SSLHonorCipherOrder</directive>),
-    or you can use the <directive module="mod_ssl">SSLCertificateFile</directive>
-    directive to configure custom DH parameters with a 1024-bit prime, which
+    or you can use custom DH parameters with a 1024-bit prime, which
     will always have precedence over any of the built-in DH parameters.</p>
 
-    <p>To generate custom DH parameters, use the <code>openssl dhparam</code>
-    command. Alternatively, you can append the following standard 1024-bit DH
+    <p>To generate custom DH parameters, use the <code>openssl dhparam 1024</code>
+    command. Alternatively, you can use the following standard 1024-bit DH
     parameters from <a href="http://www.ietf.org/rfc/rfc2409.txt">RFC 2409</a>,
-    section 6.2 to the respective
-    <directive module="mod_ssl">SSLCertificateFile</directive> file:</p>
+    section 6.2:</p>
     <example><pre>-----BEGIN DH PARAMETERS-----
 MIGHAoGBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJR
 Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL
 /1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC
 -----END DH PARAMETERS-----</pre></example>
+    <p>Add the custom parameters including the "BEGIN DH PARAMETERS" and
+    "END DH PARAMETERS" lines to the end of the first certificate file
+    you have configured using the
+    <directive module="mod_ssl">SSLCertificateFile</directive> directive.</p>
 </section>
 
 </section>
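Review bot: The new closing paragraph correctly sends readers to the first SSLCertificateFile, but the FAQ entry still does not say that the custom 1024-bit parameters affect every client, not only the old ones being accommodated: since the text states they "will always have precedence over any of the built-in DH parameters", the workaround lowers the DH key-exchange strength for all DHE connections to that server, and the entry should say so and point readers to the SSLCipherSuite / SSLHonorCipherOrder alternative offered in the same paragraph as the preferable option where it suffices. Minor: `openssl dhparam 1024` writes the parameters to standard output; mention redirecting the output or using the -out option so readers know how to capture the block they are then told to append to the certificate file.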