SSLOptions
SSLOptions [+-]option ...
Server config, virtual host, directory, .htaccess
Apache v2 only
This directive can be used to control various runtime options on a per-directory basis. Normally, if multiple SSLOptions could apply to a directory, then the most specific one is taken completely, and the options are not merged. However, if all the options on the SSLOptions directive are preceded by a plus (+) or minus (-) symbol, the options are merged. Any options preceded by a + are added to the options currently in force, and any options preceded by a - are removed from the options currently in force.
The available options are as follows:
StdEnvVars
When this option is enabled, the standard set of SSL-related CGI/SSI environment variables is created. By default, this is disabled for performance reasons, because the information extraction step is an expensive operation, so one usually enables this option for CGI and SSI requests only.
CompatEnvVars
When this option is enabled, additional CGI/SSI environment variables are created for backward compatibility with other Apache SSL solutions. Look in the Compatibility chapter of the Apache documentation (httpd.apache.org/docs-2.0/ssl/ssl_compat.html) for details on the particular variables generated.
ExportCertData
When this option is enabled, additional CGI/SSI environment variables are created: SSL_SERVER_CERT, SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAINn (with n = 0,1,2,...). These contain the PEM-encoded X.509 certificates of server and client for the current HTTPS connection and can be used by CGI scripts for deeper certificate checking. All other certificates of the client certificate chain are provided, too. This bloats the environment somewhat.
FakeBasicAuth
The effect of FakeBasicAuth is to allow the webmaster to treat authorization by encrypted certificates as if it were done by the old Authentication directives. This makes everyone's lives simpler because the standard directives Limit, Require, and Satisfy ... can be used.
When this option is enabled, the Subject Distinguished Name (DN) of the Client X509 Certificate is translated into an HTTP Basic Authorization username. The username is just the Subject of the Client's X509 Certificate (it can be determined by running OpenSSL's openssl x509 command: openssl x509 -noout -subject -in certificate.crt).
The easiest way to find this is to get the user to browse to the web site. The name will then be found in the log.
Since the user has a certificate, we do not need to get a password from her. Every entry in the user file needs the encrypted version of the password “password”. The simple way to build the file is to create the first entry:
htpasswd -c sales bill
All things being equal, htpasswd will use the operating system's favorite encryption method, which is what Apache will use as well. On our system, FreeBSD, this is CRYPT, and this was the result:
bill:$1$RBZaI/..$/n0bgKUfnccGEsg4WQUVx
You can continue with this:
htpasswd sales sam
htpasswd sales sonia
...
typing in the password twice each time, or you can just edit the file sales to get:
bill:$1$RBZaI/..$/n0bgKUfnccGEsg4WQUVx
sam:$1$RBZaI/..$/n0bgKUfnccGEsg4WQUVx
sonia:$1$RBZaI/..$/n0bgKUfnccGEsg4WQUVx
StrictRequire
This forces access to be forbidden when SSLRequireSSL or SSLRequire has decided that access should be forbidden. Usually the default is that in the case where a "Satisfy any" directive is used and other access restrictions are passed, denial of access due to SSLRequireSSL or SSLRequire is overridden (because that's how the Apache Satisfy mechanism works). But for strict access restriction you can use SSLRequireSSL and/or SSLRequire in combination with "SSLOptions +StrictRequire". Then an additional "Satisfy Any" has no chance once mod_ssl has decided to deny access.
OptRenegotiate
This enables optimized SSL connection renegotiation handling when SSL directives are used in per-directory context. By default, a strict scheme is enabled where every per-directory reconfiguration of SSL parameters causes a full SSL renegotiation handshake. When this option is used, mod_ssl tries to avoid unnecessary handshakes by doing more granular (but still safe) parameter checks. Nevertheless these granular checks sometimes may not be what the user expects, so please enable this on a per-directory basis only.
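The merge rule at the top of this entry is easy to get wrong: one SSLOptions value written without a + or - prefix makes the whole directive replace the inherited set, so a parent's +StrictRequire can vanish from a subdirectory without any error. The following resolver, written as an added illustration (it is not mod_ssl code, and the configuration strings it is fed are constructed samples), applies the documented rule across configuration scopes and reports which inherited options an unprefixed directive discarded.

```python
# Added example (not mod_ssl code): models the documented SSLOptions merge
# rule. A directive is merged into the inherited set only when EVERY value
# on it carries a + or - prefix; otherwise the most specific directive
# replaces the inherited set completely. Sample configs are constructed.
from typing import List, Set, Tuple

KNOWN_OPTIONS = {"StdEnvVars", "CompatEnvVars", "ExportCertData",
                 "FakeBasicAuth", "StrictRequire", "OptRenegotiate"}


def parse_ssl_options(args: str) -> Tuple[bool, Set[str], Set[str]]:
    """Return (mergeable, added, removed) for one SSLOptions argument list."""
    added, removed, mergeable = set(), set(), True
    for token in args.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        if name not in KNOWN_OPTIONS:
            raise ValueError(f"unknown SSLOptions value: {token}")
        (removed if sign == "-" else added).add(name)
        mergeable = mergeable and bool(sign)   # one bare value disables merging
    return mergeable, added, removed


def resolve(levels: List[str]) -> Tuple[Set[str], Set[str]]:
    """Walk SSLOptions argument strings from least specific (server config)
    to most specific (directory/.htaccess). Returns (options in force,
    inherited options that an unprefixed directive discarded without naming
    them). Losing StrictRequire this way quietly restores the 'Satisfy any'
    override described above, so the second set is worth auditing."""
    current: Set[str] = set()
    dropped: Set[str] = set()
    for args in levels:
        mergeable, added, removed = parse_ssl_options(args)
        if mergeable:
            current = (current | added) - removed
        else:                       # bare values: inherited set is thrown away
            dropped |= current - added
            current = added
    return current, dropped


if __name__ == "__main__":
    # Constructed sample: StrictRequire set in the virtual host, then a
    # directory that meant to add FakeBasicAuth but forgot the plus sign.
    cfg = ["+StrictRequire +StdEnvVars", "FakeBasicAuth"]
    in_force, lost = resolve(cfg)
    print("in force:", sorted(in_force))   # ['FakeBasicAuth']
    print("dropped :", sorted(lost))       # ['StdEnvVars', 'StrictRequire']
```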