
SSLProtocol

In document Oracle9i Application Server (Page 137-143)

Description: SSL protocol(s) for mod_ossl to use when establishing the server environment. Clients can only connect with one of the specified protocols.

Valid Values:

■ SSLv3 - SSL version 3.0

■ All - SSL version 3.0 and any other version supported by Oracle products

Example: To specify only SSL version 3.0, set this directive to the following:

SSLProtocol +SSLv3

Syntax: SSLProtocol [+-] protocol

Default: SSLProtocol +SSLv3

Using Secure Sockets Layer (SSL) to Authenticate Users

SSLCipherSuite

Description: Specifies the SSL cipher suite that the client can use during the SSL handshake. This directive uses a colon-separated cipher specification string to identify the cipher suite. Table 4–4 shows the tags you can use in the string to describe the cipher suite you want. The tags are joined together with prefixes to form the cipher specification string.

Valid Values:

■ none - Adds the cipher to the list

■ + - Adds the cipher to the list and places it in the correct location in the list

■ - - Removes the cipher from the list (it can be added later)

■ ! - Removes the cipher from the list permanently

Example: SSLCipherSuite ALL:!LOW:!DH

In this example, all ciphers are specified except low strength ciphers and those using the Diffie-Hellman key negotiation algorithm.

Syntax: SSLCipherSuite cipher-spec

Default: None

Context: server configuration, virtual host, directory

Table 4–4 SSL Cipher Suite Tags

Function         Tag     Meaning
Key exchange     kRSA    RSA key exchange
Key exchange     kDHr    Diffie-Hellman key exchange with RSA key
Authentication   aNULL   No authentication
Authentication   aRSA    RSA authentication
Authentication   aDH     Diffie-Hellman authentication
Encryption       eNULL   No encryption
Encryption       DES     DES encoding
Encryption       3DES    Triple DES encoding
Encryption       RC4     RC4 encoding
Data Integrity   MD5     MD5 hash function
Data Integrity   SHA     SHA hash function
Aliases          SSLv3   All SSL version 3.0 ciphers
Aliases          EXP     All export ciphers
Aliases          EXP40   All 40-bit export ciphers only
Aliases          EXP56   All 56-bit export ciphers only
Aliases          LOW     All low strength ciphers (export and single DES)
Aliases          MEDIUM  All ciphers with 128-bit encryption
Aliases          HIGH    All ciphers using triple DES
Aliases          RSA     All ciphers using RSA key exchange
Aliases          DH      All ciphers using Diffie-Hellman key exchange

Note:

■ Not all of the ciphers described by the tags listed in Table 4–4 are supported by Oracle Advanced Security. Table 4–5 lists those supported as of version 9i.

■ There are restrictions if export versions of browsers are used. The Oracle module, mod_ossl, supports RC4-40 encryption only when the server uses 512-bit key size wallets.


Table 4–5 Cipher Suites Supported in Oracle Advanced Security 9i

Cipher Suite                            Authentication  Encryption    Data Integrity
SSL_RSA_WITH_3DES_EDE_CBC_SHA           RSA             3DES EDE CBC  SHA
SSL_RSA_WITH_RC4_128_SHA                RSA             RC4 128       SHA
SSL_RSA_WITH_RC4_128_MD5                RSA             RC4 128       MD5
SSL_RSA_WITH_DES_CBC_SHA                RSA             DES CBC       SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA       DH anon         3DES EDE CBC  SHA
SSL_DH_anon_WITH_RC4_128_MD5            DH anon         RC4 128       MD5
SSL_DH_anon_WITH_DES_CBC_SHA            DH anon         DES CBC       SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5          RSA             RC4 40        MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA       RSA             DES40 CBC     SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5      DH anon         RC4 40        MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA   DH anon         DES40 CBC     SHA
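The SSLCipherSuite prefix rules (none, +, -, !) worked through against the Table 4–5 suite list, so the effect of a string such as ALL:!LOW:!DH can be checked before it goes into a configuration. This is an added example, not code from the Oracle9iAS manual or from mod_ossl; the labelling of each suite with Table 4–4 tags, the treatment of ALL as the whole table, and the reading of + as "add and move to the current position" are assumptions drawn from the descriptions above.

```python
# Added example (not from the Oracle9iAS manual or mod_ossl): resolve an
# SSLCipherSuite specification against the Table 4-5 suite list using the
# prefix semantics (none / + / - / !) given for the directive.

# Constructed mapping: each Table 4-5 suite labelled with the Table 4-4 tags
# that describe it; anon DH suites get the DH alias and aNULL (assumption).
SUITES = {
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA":         {"kRSA", "aRSA", "RSA", "3DES", "SHA", "HIGH", "SSLv3"},
    "SSL_RSA_WITH_RC4_128_SHA":              {"kRSA", "aRSA", "RSA", "RC4", "SHA", "MEDIUM", "SSLv3"},
    "SSL_RSA_WITH_RC4_128_MD5":              {"kRSA", "aRSA", "RSA", "RC4", "MD5", "MEDIUM", "SSLv3"},
    "SSL_RSA_WITH_DES_CBC_SHA":              {"kRSA", "aRSA", "RSA", "DES", "SHA", "LOW", "SSLv3"},
    "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA":     {"DH", "aNULL", "3DES", "SHA", "HIGH", "SSLv3"},
    "SSL_DH_anon_WITH_RC4_128_MD5":          {"DH", "aNULL", "RC4", "MD5", "MEDIUM", "SSLv3"},
    "SSL_DH_anon_WITH_DES_CBC_SHA":          {"DH", "aNULL", "DES", "SHA", "LOW", "SSLv3"},
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5":        {"kRSA", "aRSA", "RSA", "RC4", "MD5", "EXP", "EXP40", "LOW", "SSLv3"},
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA":     {"kRSA", "aRSA", "RSA", "DES", "SHA", "EXP", "EXP40", "LOW", "SSLv3"},
    "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5":    {"DH", "aNULL", "RC4", "MD5", "EXP", "EXP40", "LOW", "SSLv3"},
    "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA": {"DH", "aNULL", "DES", "SHA", "EXP", "EXP40", "LOW", "SSLv3"},
}


def matching(tag):
    """Suites (in table order) carrying the tag; ALL, as in the manual's example, is the whole table."""
    if tag == "ALL":
        return list(SUITES)
    return [name for name, tags in SUITES.items() if tag in tags]


def evaluate(cipher_spec):
    """Return the ordered suite list selected by a colon-separated cipher spec."""
    selected, killed = [], set()
    for item in filter(None, cipher_spec.split(":")):
        prefix, tag = (item[0], item[1:]) if item[0] in "+-!" else ("", item)
        hits = [s for s in matching(tag) if s not in killed]
        if prefix == "!":       # remove permanently: no later tag can re-add
            killed.update(matching(tag))
            selected = [s for s in selected if s not in killed]
        elif prefix == "-":     # remove now, but a later tag may add it back
            selected = [s for s in selected if s not in hits]
        elif prefix == "+":     # add, and move to the current position
            selected = [s for s in selected if s not in hits] + hits
        else:                   # no prefix: append anything not already listed
            selected += [s for s in hits if s not in selected]
    return selected


def weak_suites(cipher_spec):
    """Selected suites with no authentication, no encryption, or low/export strength."""
    return [s for s in evaluate(cipher_spec) if SUITES[s] & {"aNULL", "eNULL", "LOW"}]
```

Running evaluate("ALL:!LOW:!DH") leaves only the three RSA-authenticated 3DES and RC4-128 suites, while "ALL:!LOW" still admits the two anonymous DH suites, which weak_suites reports; comparing "ALL:-LOW:LOW" with "ALL:!LOW:LOW" shows why ! rather than - is the prefix to use when a suite must stay excluded.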


SSLVerifyClient

Description: Specifies whether or not a client must present a certificate when connecting.

Valid Values:

■ none - No client certificate is required

■ optional - Client may present a valid certificate

■ require - Client must present a valid certificate

Syntax: SSLVerifyClient level

Default: None

Context: server configuration, virtual host

Note: The level optional_no_ca included with mod_ssl (in which the client can present a valid certificate, but it need not be verifiable) is not supported in mod_ossl.

SSLLog

Description: Specifies where the SSL engine log file will be written. (Error messages will also be duplicated to the standard HTTP server log file specified by the ErrorLog directive.)

Place this file at a location where only root can write, so that it cannot be used for symlink attacks. If the filename does not begin with a slash ('/'), it is assumed to be relative to the ServerRoot. If the filename begins with a bar ('|'), then the string following the bar is expected to be a path to an executable program to which a reliable pipe can be established.

This directive should occur only once per virtual server configuration.

Syntax: SSLLog path/to/filename


SSLLogLevel

Description: Specifies the verbosity degree of the SSL engine log file.

Valid Values: The levels are (in ascending order, where each level is included in the levels above it):

■ none - No dedicated SSL logging is done. Messages of type 'error' are duplicated to the standard HTTP server log file specified by the ErrorLog directive.

■ error - Only messages of the type 'error' (conditions that stop processing) are logged.

■ warn - Messages that notify of non-fatal problems (conditions that do not stop processing) are logged.

■ info - Messages that summarize major processing actions are logged.

■ trace - Messages that summarize minor processing actions are logged.

■ debug - Messages that summarize development and low-level I/O operations are logged.

Syntax: SSLLogLevel level

Default: None
