SSL - Apache web server settings

The ssl module (mod_ssl) adds SSL/TLS support to Apache. It requires the OpenSSL library. Name-based virtual hosts cannot be used with SSL: at the moment the SSL handshake takes place the Host: header has not yet been received, so every SSL virtual host needs its own IP address (or at least its own port). The letters in front of each directive are the contexts in which it may appear: S - server config, V - virtual host, D - directory, F - files, L - location, A - .htaccess. Directives:
• General settings and parameters:
o SV SSLEngine Off|On (turns SSL/TLS on for the virtual host)
o SV SSLProtocol [+|-]protocol ... (all; accepted protocols: SSLv2, SSLv3, TLSv1, All; SSLv2 and SSLv3 are broken and should be switched off, e.g. "all -SSLv2 -SSLv3")
o SVDFLA SSLCipherSuite cipher-list (list of permitted cipher suites in OpenSSL notation: individual components (key-exchange algorithm, authentication algorithm, encryption algorithm, digest algorithm) or strength classes (MEDIUM, HIGH); "-" removes a group, "!" removes it permanently; e.g. "!EXP:!NULL:+HIGH:+MEDIUM:-LOW" or simply "HIGH:MEDIUM")
o SVDFLA SSLOptions [+|-]option ... (none of the options is enabled by default):
StdEnvVars (export the standard SSL_ environment variables to CGI/SSI - see below; this costs CPU time on every request, so enable it only where scripts need it)
CompatEnvVars (export additional variables for compatibility with older SSL modules)
ExportCertData (additionally export the server and client certificates, in PEM, as environment variables)
FakeBasicAuth (the Subject DN of the client certificate is used as the user name for Basic authentication, so no password is ever sent; every entry in the password file must therefore contain the encrypted form of the word "password" - "xxj31ZMTZzkVA" (crypt) or "$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/" (MD5); the variable used as the user name (REMOTE_USER) can be chosen with SSLUserName, e.g. "SSLUserName SSL_CLIENT_S_DN")
StrictRequire (if SSLRequireSSL or SSLRequire denies access, the denial stands even under "Satisfy any")
OptRenegotiate (optimised renegotiation when the SSL parameters change between directories: renegotiate only when the parameters actually differ)
o S SSLMutex type (none; lock used to serialise access by the server processes to the SSL session cache: none (no locking, unsafe with a shared cache), default - the platform's default mechanism, cf. AcceptMutex; platform-dependent types such as file:path and sem are also available)
o S SSLRandomSeed startup|connect source [bytes] (source of seed data for the pseudo-random number generator, at startup and/or on each new connection: builtin (not recommended for startup, it yields too little entropy), file:filename (e.g. /dev/random 512 (not recommended for connect, because the read blocks when the kernel has not accumulated enough entropy), /dev/urandom 1024), exec:program; egd:socket (egd - Entropy Gathering Daemon))
o S SSLSessionCache type (none; recommended, since a browser opens several parallel connections and without a shared cache each server process repeats the full handshake; types: none, dbm:filename, shm:filename; in the latter case the cache size in bytes is given in parentheses after the file name)
o SV SSLSessionCacheTimeout seconds (300)
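As an added example (not configuration from the original page), here is the general part of an Apache 2.0/2.2 mod_ssl setup: the permissive settings discussed above are shown commented out next to the hardened equivalents. The address 192.0.2.10, the host name www.company.ru and all file paths are assumed for illustration; SSLHonorCipherOrder is a mod_ssl directive not described on this page.

```apacheconf
# Added example, not the page's own configuration.
# Assumed: IP 192.0.2.10, ServerName www.company.ru, files under /etc/apache2/ssl.
# Apache comments must sit on their own lines, never after a directive.

# --- server-wide settings (S context) ---
# seed the PRNG from /dev/urandom; /dev/random could block on every connect
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 512
# shared-memory session cache of 512000 bytes; resumed sessions skip the full handshake
SSLSessionCache shm:/var/run/ssl_scache(512000)
SSLSessionCacheTimeout 300
# serialise cache access between server processes (see AcceptMutex)
SSLMutex default
# ask for an encrypted key's pass phrase on the console at startup
SSLPassPhraseDialog builtin

Listen 443

# --- WEAK (commented out): "all" still includes SSLv2 and SSLv3, and
# "ALL" includes NULL, export-grade and low-strength ciphers ---
#<VirtualHost 192.0.2.10:443>
#    SSLEngine on
#    SSLProtocol all
#    SSLCipherSuite ALL
#</VirtualHost>

# --- HARDENED: one SSL virtual host on its own IP address (see above) ---
<VirtualHost 192.0.2.10:443>
    ServerName www.company.ru
    DocumentRoot /var/www/secure
    SSLEngine on
    # TLS only
    SSLProtocol all -SSLv2 -SSLv3
    # HIGH strength only; drop anonymous, null, export, low and MD5 suites
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5
    # let the server, not the client, choose the suite (not described on this page)
    SSLHonorCipherOrder on
    SSLCertificateFile      /etc/apache2/ssl/www.company.ru.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/www.company.ru.key
    SSLCertificateChainFile /etc/apache2/ssl/ca-chain.crt
</VirtualHost>
```

Check the result from a client with the openssl s_client command given at the end of this page and read the "Protocol" and "Cipher" lines of its output.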
• Server certificate:
o SV SSLCertificateFile filename (server certificate in PEM format; the file may also contain the private key; if the key is encrypted, the pass phrase is requested at startup)
o SV SSLCertificateChainFile filename (chain of CA certificates from the server's issuer up to the root, PEM)
o SV SSLCertificateKeyFile filename (server private key, PEM; if the key is encrypted, the pass phrase is requested at startup)
o S SSLPassPhraseDialog type (builtin, or exec:program, a program that prints the pass phrase on its standard output)
• Client authentication:
o DA SSLRequireSSL (access is allowed only over SSL/TLS)
o DA SSLRequire boolean-expression (may refer to the SSL_ variables listed below as %{...})
o SVDFLA SSLVerifyClient level (none; client certificate verification level):
none (no client certificate is requested)
optional (the client may present a certificate; if it does, it must verify)
require (the client must present a certificate that verifies against the configured CAs)
optional_no_ca (the client may present a certificate, and it need not be verifiable against a known CA; for testing only)
o SVDFLA SSLVerifyDepth number (1; maximum length of the CA chain between the client certificate and a trusted CA)
o SV SSLCACertificateFile filename (certificates of the CAs whose client certificates are accepted, PEM; the file may contain several concatenated certificates)
o SV SSLCACertificatePath directory (directory of CA certificates in PEM format, each file may contain several concatenated certificates; file names must be the hash of the certificate subject, see openssl x509 -hash)
o SV SSLCARevocationFile filename (CRLs of the client CAs, PEM)
o SV SSLCARevocationPath directory (directory of CRLs of the client CAs in PEM format; file names must be hashes)
• Proxy (mod_proxy) settings:
o SV SSLProxyEngine Off|On (turns SSL/TLS on for outgoing proxy connections)
o SSLProxyProtocol, SSLProxyCipherSuite (protocol parameters for proxy connections)
o SSLProxyMachineCertificateFile, SSLProxyMachineCertificatePath (client certificate the proxy presents to remote servers)
o SSLProxyVerify, SSLProxyVerifyDepth (verification of the remote server's certificate; the default is none, i.e. without these directives the remote certificate is not checked at all)
o SSLProxyCACertificateFile, SSLProxyCACertificatePath, SSLProxyCARevocationFile, SSLProxyCARevocationPath (CA certificates and CRLs used to verify remote servers)
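Added example (not from the original page): a reverse proxy to an HTTPS back end that actually verifies the back-end certificate. Because SSLProxyVerify defaults to none, a proxy without the verify directives accepts any certificate the back end presents. The back-end host app.internal.company.ru, the internal CA files and the proxy's own client certificate are assumed; Apache 2.0/2.2 syntax, mod_proxy and mod_proxy_http loaded.

```apacheconf
# Added example, not the page's own configuration.
# Assumed: back end https://app.internal.company.ru, internal CA files under
# /etc/apache2/ssl, proxy client certificate + key concatenated in proxy-client.pem.

# certificate the proxy presents when the back end itself requires client auth
# (server-config context in 2.0/2.2, so it sits outside the virtual host)
SSLProxyMachineCertificateFile /etc/apache2/ssl/proxy-client.pem

<VirtualHost 192.0.2.10:443>
    ServerName www.company.ru
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/www.company.ru.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.company.ru.key

    # TLS for outgoing proxy connections
    SSLProxyEngine on
    # WEAK default, shown for contrast: "SSLProxyVerify none" trusts any back end
    # HARDENED: the back-end certificate must chain to the internal CA
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/apache2/ssl/internal-ca.crt
    SSLProxyCARevocationFile  /etc/apache2/ssl/internal-ca.crl
    # same protocol and cipher restrictions as on the front side
    SSLProxyProtocol all -SSLv2 -SSLv3
    SSLProxyCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5

    # reverse proxy only, never an open forward proxy
    ProxyRequests Off
    ProxyPass        /app/ https://app.internal.company.ru/
    ProxyPassReverse /app/ https://app.internal.company.ru/
</VirtualHost>
```

With SSLProxyVerify require, a back end presenting a self-signed or expired certificate makes the proxied request fail with a 502 instead of silently being served over an unverified channel.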
Environment variables (usable in log formats as "%{SSL_PROTOCOL}x"):
• HTTPS (on when HTTPS is in use)
• SSL_PROTOCOL (SSLv2, SSLv3, TLSv1)
• SSL_SESSION_ID (hex-encoded)
• SSL_CIPHER (name of the cipher suite)
• SSL_CIPHER_EXPORT (true when an export-grade cipher is in use)
• SSL_CIPHER_USEKEYSIZE (number of key bits actually used)
• SSL_CIPHER_ALGKEYSIZE (number of key bits the algorithm supports)
• SSL_VERSION_INTERFACE (mod_ssl version)
• SSL_VERSION_LIBRARY (OpenSSL version)
• SSL_CLIENT_M_VERSION (client certificate version)
• SSL_CLIENT_M_SERIAL (client certificate serial number)
• SSL_CLIENT_S_DN (subject DN of the client certificate; its components are also exported as separate variables, e.g. SSL_CLIENT_S_DN_CN, SSL_CLIENT_S_DN_O)
• SSL_CLIENT_I_DN (issuer DN of the client certificate; its components are also exported as separate variables, e.g. SSL_CLIENT_I_DN_CN)
• SSL_CLIENT_V_START (start of the client certificate's validity)
• SSL_CLIENT_V_END (end of the client certificate's validity)
• SSL_CLIENT_A_SIG (signature algorithm of the client certificate)
• SSL_CLIENT_A_KEY (public key algorithm of the client certificate)
• SSL_CLIENT_CERT (client certificate, PEM)
• the same variables with the SSL_SERVER_ prefix for the server certificate
• SSL_CLIENT_VERIFY (NONE, SUCCESS, GENEROUS, FAILED:reason)
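Added example (not from the original page) covering both the client-authentication directives and the environment variables above: one location demands a client certificate from the company CA, checks its subject and issuer with SSLRequire, maps the subject DN to a Basic-auth user with FakeBasicAuth, exports the SSL_ variables to CGI scripts and writes them to the access log. The CA files, the organisation "Company Ltd", the CA name "Company Client CA", the user file and its sample entry are assumed; Apache 2.0/2.2 syntax with its slash-separated DN format.

```apacheconf
# Added example, not the page's own configuration.
# Assumed: client CA and CRL under /etc/apache2/ssl, organisation "Company Ltd",
# issuer CN "Company Client CA", user file /etc/apache2/ssl/cert-users, log path.

# SSL variables are not request headers, so %{...}x (not %{...}i) reads them
LogFormat "%h %l %u %t \"%r\" %>s %b %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x \"%{SSL_CLIENT_S_DN}x\" %{SSL_CLIENT_VERIFY}x" ssl_log

<VirtualHost 192.0.2.10:443>
    ServerName www.company.ru
    DocumentRoot /var/www/secure
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/www.company.ru.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.company.ru.key
    CustomLog /var/log/apache2/ssl_access.log ssl_log

    # CAs whose client certificates are accepted, plus their CRL;
    # depth 1 = the client certificate must be issued directly by that CA
    SSLCACertificateFile /etc/apache2/ssl/client-ca.crt
    SSLCARevocationFile  /etc/apache2/ssl/client-ca.crl
    SSLVerifyDepth 1

    <Location /secure>
        SSLRequireSSL
        # a verified client certificate is mandatory here (causes a renegotiation)
        SSLVerifyClient require
        # a valid signature is not enough: also pin the organisation and the issuer
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Company Ltd" \
                   and %{SSL_CLIENT_I_DN_CN} eq "Company Client CA"
        # a denial by SSLRequire is final even under "Satisfy any"
        SSLOptions +StrictRequire
    </Location>

    <Location /secure/app>
        # the subject DN becomes the Basic-auth user; no password is transmitted,
        # so every user-file entry carries the fixed crypt hash of "password", e.g.
        #   /C=RU/O=Company Ltd/CN=Ivan Ivanov:xxj31ZMTZzkVA
        SSLOptions +FakeBasicAuth
        AuthType Basic
        AuthName "Client certificate"
        AuthUserFile /etc/apache2/ssl/cert-users
        Require valid-user
    </Location>

    # SSL_* variables reach CGI only with StdEnvVars; it is costly, so limit it
    <FilesMatch "\.(cgi|pl)$">
        SSLOptions +StdEnvVars +ExportCertData
    </FilesMatch>
</VirtualHost>
```

Whoever holds a private key for a DN listed in cert-users can log in and nobody else, so the user file is an allow-list of DNs rather than a password store; revoking access means removing the line or adding the certificate to the CRL.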
Testing (note "Purposes: Client,Sign"):
openssl s_client -connect www.company.ru:443 -CAfile CA-certificate-file \
-cert client-certificate -key private-key