Tuesday, February 19, 2013

Using SSL with SVN

Now that the installation from the previous article, Installing SVN, is done,
the next step is to add SSL.

■Install "openssl" and "mod_ssl" for the SSL setup
# yum install mod_ssl openssl
Loaded plugins: fastestmirror, priorities
Loading mirror speeds from cached hostfile
 * base: ftp.nara.wide.ad.jp
 * centosplus: ftp.nara.wide.ad.jp
 * elrepo: elrepo.org
 * epel: ftp.iij.ad.jp
 * extras: ftp.nara.wide.ad.jp
 * ius: ftp.neowiz.com
 * rpmforge: mirror.fairway.ne.jp
 * updates: ftp.nara.wide.ad.jp
169 packages excluded due to repository priority protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.2.15-15.el6.centos.1 will be installed
---> Package openssl.x86_64 0:1.0.0-20.el6_2.5 will be updated
---> Package openssl.x86_64 0:1.0.0-25.el6_3.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================================================================================================================================================
 Package                                           Arch                                             Version                                                              Repository                                         Size
=================================================================================================================================================================================================================================
Installing:
 mod_ssl                                           x86_64                                           1:2.2.15-15.el6.centos.1                                             base                                               87 k
Updating:
 openssl                                           x86_64                                           1.0.0-25.el6_3.1                                                     updates                                           1.4 M

Transaction Summary
=================================================================================================================================================================================================================================
Install       1 Package(s)
Upgrade       1 Package(s)

Total download size: 1.4 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): mod_ssl-2.2.15-15.el6.centos.1.x86_64.rpm                                                                                                                                                          |  87 kB     00:00
(2/2): openssl-1.0.0-25.el6_3.1.x86_64.rpm                                                                                                                                                                | 1.4 MB     00:00
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                             14 MB/s | 1.4 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : openssl-1.0.0-25.el6_3.1.x86_64                                                                                                                                                                               1/3
  Installing : 1:mod_ssl-2.2.15-15.el6.centos.1.x86_64                                                                                                                                                                       2/3
  Cleanup    : openssl-1.0.0-20.el6_2.5.x86_64                                                                                                                                                                               3/3
  Verifying  : openssl-1.0.0-25.el6_3.1.x86_64                                                                                                                                                                               1/3
  Verifying  : 1:mod_ssl-2.2.15-15.el6.centos.1.x86_64                                                                                                                                                                       2/3
  Verifying  : openssl-1.0.0-20.el6_2.5.x86_64                                                                                                                                                                               3/3

Installed:
  mod_ssl.x86_64 1:2.2.15-15.el6.centos.1

Updated:
  openssl.x86_64 0:1.0.0-25.el6_3.1

Complete!

# yum list installed | grep ssl
mod_ssl.x86_64                    1:2.2.15-15.el6.centos.1             @base
openssl.x86_64                    1.0.0-25.el6_3.1                     @updates
Check what was installed
Check the files installed by mod_ssl
# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
Check the files installed by openssl
# rpm -ql openssl
/etc/pki/CA
/etc/pki/CA/certs
/etc/pki/CA/crl
/etc/pki/CA/newcerts
/etc/pki/CA/private
/etc/pki/tls
/etc/pki/tls/certs
/etc/pki/tls/certs/Makefile
/etc/pki/tls/certs/make-dummy-cert
/etc/pki/tls/misc
/etc/pki/tls/misc/CA
/etc/pki/tls/misc/c_hash
/etc/pki/tls/misc/c_info
/etc/pki/tls/misc/c_issuer
/etc/pki/tls/misc/c_name
/etc/pki/tls/openssl.cnf
/etc/pki/tls/private
/usr/bin/openssl
/usr/lib64/.libcrypto.so.1.0.0.hmac
/usr/lib64/.libcrypto.so.10.hmac
/usr/lib64/.libssl.so.1.0.0.hmac
/usr/lib64/.libssl.so.10.hmac
/usr/lib64/libcrypto.so.1.0.0
/usr/lib64/libcrypto.so.10
/usr/lib64/libssl.so.1.0.0
/usr/lib64/libssl.so.10
/usr/lib64/openssl
/usr/lib64/openssl/engines
/usr/lib64/openssl/engines/lib4758cca.so
/usr/lib64/openssl/engines/libaep.so
/usr/lib64/openssl/engines/libatalla.so
/usr/lib64/openssl/engines/libcapi.so
/usr/lib64/openssl/engines/libchil.so
/usr/lib64/openssl/engines/libcswift.so
/usr/lib64/openssl/engines/libgmp.so
/usr/lib64/openssl/engines/libnuron.so
/usr/lib64/openssl/engines/libpadlock.so
/usr/lib64/openssl/engines/libsureware.so
/usr/lib64/openssl/engines/libubsec.so
/usr/share/doc/openssl-1.0.0
/usr/share/doc/openssl-1.0.0/CHANGES
/usr/share/doc/openssl-1.0.0/FAQ
/usr/share/doc/openssl-1.0.0/INSTALL
/usr/share/doc/openssl-1.0.0/LICENSE
/usr/share/doc/openssl-1.0.0/NEWS
/usr/share/doc/openssl-1.0.0/README
/usr/share/doc/openssl-1.0.0/README.FIPS
/usr/share/doc/openssl-1.0.0/c-indentation.el
/usr/share/doc/openssl-1.0.0/openssl.txt
/usr/share/doc/openssl-1.0.0/openssl_button.gif
/usr/share/doc/openssl-1.0.0/openssl_button.html
/usr/share/doc/openssl-1.0.0/ssleay.txt
/usr/share/man/man1/asn1parse.1ssl.gz
/usr/share/man/man1/ca.1ssl.gz
/usr/share/man/man1/ciphers.1ssl.gz
/usr/share/man/man1/cms.1ssl.gz
/usr/share/man/man1/crl.1ssl.gz
/usr/share/man/man1/crl2pkcs7.1ssl.gz
/usr/share/man/man1/dgst.1ssl.gz
/usr/share/man/man1/dhparam.1ssl.gz
/usr/share/man/man1/dsa.1ssl.gz
/usr/share/man/man1/dsaparam.1ssl.gz
/usr/share/man/man1/ec.1ssl.gz
/usr/share/man/man1/ecparam.1ssl.gz
/usr/share/man/man1/enc.1ssl.gz
/usr/share/man/man1/errstr.1ssl.gz
/usr/share/man/man1/gendsa.1ssl.gz
/usr/share/man/man1/genpkey.1ssl.gz
/usr/share/man/man1/genrsa.1ssl.gz
/usr/share/man/man1/md2.1ssl.gz
/usr/share/man/man1/md4.1ssl.gz
/usr/share/man/man1/md5.1ssl.gz
/usr/share/man/man1/mdc2.1ssl.gz
/usr/share/man/man1/nseq.1ssl.gz
/usr/share/man/man1/ocsp.1ssl.gz
/usr/share/man/man1/openssl.1ssl.gz
/usr/share/man/man1/pkcs12.1ssl.gz
/usr/share/man/man1/pkcs7.1ssl.gz
/usr/share/man/man1/pkcs8.1ssl.gz
/usr/share/man/man1/pkey.1ssl.gz
/usr/share/man/man1/pkeyparam.1ssl.gz
/usr/share/man/man1/pkeyutl.1ssl.gz
/usr/share/man/man1/req.1ssl.gz
/usr/share/man/man1/ripemd160.1ssl.gz
/usr/share/man/man1/rsa.1ssl.gz
/usr/share/man/man1/rsautl.1ssl.gz
/usr/share/man/man1/s_client.1ssl.gz
/usr/share/man/man1/s_server.1ssl.gz
/usr/share/man/man1/s_time.1ssl.gz
/usr/share/man/man1/sess_id.1ssl.gz
/usr/share/man/man1/sha.1ssl.gz
/usr/share/man/man1/sha1.1ssl.gz
/usr/share/man/man1/smime.1ssl.gz
/usr/share/man/man1/speed.1ssl.gz
/usr/share/man/man1/spkac.1ssl.gz
/usr/share/man/man1/sslpasswd.1ssl.gz
/usr/share/man/man1/sslrand.1ssl.gz
/usr/share/man/man1/ts.1ssl.gz
/usr/share/man/man1/tsget.1ssl.gz
/usr/share/man/man1/verify.1ssl.gz
/usr/share/man/man1/version.1ssl.gz
/usr/share/man/man1/x509.1ssl.gz
/usr/share/man/man5/config.5ssl.gz
/usr/share/man/man5/x509v3_config.5ssl.gz
/usr/share/man/man7/des_modes.7ssl.gz
■Generate the RSA private key
Move to /etc/pki/tls/certs/
cd /etc/pki/tls/certs/
Generate the RSA private key
# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
....................................................................++++++
....................++++++
e is 65537 (0x10001)
Check that it was generated
# ls -alt
合計 1228
-rw-r--r-- 1 root root    887  2月 19 13:25 2013 server.key
drwxr-xr-x 2 root root   4096  2月 19 13:25 2013 .
drwxr-xr-x 5 root root   4096  2月 19 13:16 2013 ..
-rw------- 1 root root   1180  2月 19 13:16 2013 localhost.crt
-rw-r--r-- 1 root root   2242  8月 23 14:00 2012 Makefile
-rwxr-xr-x 1 root root    610  8月 23 14:00 2012 make-dummy-cert
-rw-r--r-- 1 root root 571450  4月  8 00:42 2010 ca-bundle.crt
-rw-r--r-- 1 root root 651083  4月  8 00:42 2010 ca-bundle.trust.crt
Check the contents of the RSA key
# openssl rsa -in server.key -text -noout
■Generate the certificate signing request (CSR)
# change to the certs directory
cd /etc/pki/tls/certs/

# generate the CSR
# openssl req -new -key server.key -out server.pem -sha1
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:<enter the server's IP address>
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
For the Common Name, enter the domain name that will be used with SSL.
Otherwise you get the following error:
[Thu Jun 02 17:13:24 2011] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
Check the contents of the generated CSR
# openssl req -in server.pem -text -noout
■Issue the certificate (self-signed)
Issue the σ(゚∀゚ )オレσ(゚∀゚ )オレ ("it's me, it's me") self-signed certificate
# openssl x509 -in server.pem -out server.crt -req -signkey server.key -days 3650 -sha1
Signature ok
subject=/C=JP/ST=Tokyo/L=Default City/O=Default Company Ltd/CN=153.127.246.125
Getting Private key
Set the permissions
chmod 400 server.crt server.key server.pem
■A dedicated directory is provided for the RSA private key, so move it there.
mv /etc/pki/tls/certs/server.key /etc/pki/tls/private/server.key
Check that it was moved
# ls -alt /etc/pki/tls/private/
合計 16
drwxr-xr-x 2 root root 4096  2月 19 13:30 2013 .
-r-------- 1 root root  887  2月 19 13:25 2013 server.key
drwxr-xr-x 5 root root 4096  2月 19 13:16 2013 ..
-rw------- 1 root root  891  2月 19 13:16 2013 localhost.key
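The key, CSR and self-signed certificate steps above, collected into one script as an added example that is not part of the original post. It deliberately differs from the post in three places: 2048-bit RSA and SHA-256 in place of 1024-bit and SHA-1 (current clients reject or flag both of the latter), a subjectAltName carrying the host name (current browsers match the name against SAN, not CN), and a non-interactive -subj in place of the prompts. svn.example.com and the scratch directory are constructed placeholders, openssl is assumed to be in PATH, and the helper names are this example's own. The checks at the end are what to run before restarting httpd: the certificate must match the private key and carry the name clients will use, and its fingerprint is the value to compare against the browser's warning page later instead of clicking through blindly.

```shell
#!/bin/sh
# Added example, not code from the original post. Runs the post's three
# steps (RSA key -> CSR -> self-signed certificate) non-interactively and
# then checks the result before httpd is pointed at it.
# Assumptions: openssl is in PATH; SVN_HOST is a constructed placeholder
# for the name clients will use; OUT is a scratch dir, not /etc/pki/tls.
set -eu

SVN_HOST="${SVN_HOST:-svn.example.com}"
OUT="${OUT:-$(mktemp -d)}"

make_key() {            # $1 = key path
    # 2048-bit instead of the post's 1024-bit; umask 077 creates it 0600
    ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null )
}

make_csr() {            # $1 = key, $2 = csr, $3 = hostname
    # -subj replaces the DN prompts; the CN is the host name, which is the
    # point of the post's warning about CommonName mismatches
    openssl req -new -key "$1" -out "$2" -sha256 -subj "/C=JP/ST=Tokyo/CN=$3"
}

make_selfsigned() {     # $1 = csr, $2 = key, $3 = crt, $4 = hostname
    # current browsers match the host name against subjectAltName, not CN,
    # so the self-signed certificate gets a SAN via -extfile
    printf 'subjectAltName=DNS:%s\n' "$4" > "$3.ext"
    openssl x509 -req -in "$1" -signkey "$2" -out "$3" -days 3650 -sha256 \
        -extfile "$3.ext" 2>/dev/null
}

cert_matches_key() {    # $1 = crt, $2 = key; prints "match" or "mismatch"
    # mod_ssl fails at startup if SSLCertificateFile and
    # SSLCertificateKeyFile disagree; comparing the RSA moduli catches it
    c=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    if [ "$c" = "$k" ]; then echo match; else echo mismatch; fi
}

cert_has_name() {       # $1 = crt, $2 = hostname; prints "yes" or "no"
    if openssl x509 -noout -text -in "$1" | grep -qF "DNS:$2"; then
        echo yes
    else
        echo no
    fi
}

cert_fingerprint() {    # $1 = crt; colon-separated SHA-256 fingerprint
    # compare this with the fingerprint shown on the browser's
    # "certificate not trusted" page before accepting it
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

setup_all() {           # $1 = output dir, $2 = hostname; writes key/csr/crt
    make_key        "$1/server.key"
    make_csr        "$1/server.key" "$1/server.csr" "$2"
    make_selfsigned "$1/server.csr" "$1/server.key" "$1/server.crt" "$2"
}

setup_all "$OUT" "$SVN_HOST"
echo "cert matches key  : $(cert_matches_key "$OUT/server.crt" "$OUT/server.key")"
echo "cert names host   : $(cert_has_name "$OUT/server.crt" "$SVN_HOST")"
echo "sha256 fingerprint: $(cert_fingerprint "$OUT/server.crt")"
```

The post stores the CSR as server.pem; the script calls it server.csr so the three artefacts are told apart by extension. Only server.crt and server.key are referenced by the VirtualHost, and the key is created with mode 0600 from the start rather than relaxed and then chmod'ed later.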
■Edit ssl.conf
The VirtualHost will be configured in subversion.conf, so comment out everything from <VirtualHost> to </VirtualHost>.
vi /etc/httpd/conf.d/ssl.conf
In my environment lines 74 to 221 were the VirtualHost settings, so comment them all out at once
# in vi, comment out lines 74 through 221
:74,221 s/^/#
■Edit the SVN configuration file
Rewrite the configuration so that SSL is used.
vi /etc/httpd/conf.d/subversion.conf

<VirtualHost *:443>
  #sample
  # SSL settings
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLCertificateFile /etc/pki/tls/certs/server.crt
  SSLCertificateKeyFile /etc/pki/tls/private/server.key
  <Location /repos/sample>
     # Required in order to use Subversion
     DAV svn
     # Path to the directory where the repository was created.
     SVNPath /var/www/svn/sample
#     <LimitExcept GET PROPFIND OPTIONS REPORT>
#       # Require SSL connection for password protection.
#       # SSLRequireSSL
#       AuthType Basic
#       AuthName "Authorization Realm"
#       Require valid-user
#     </LimitExcept>
  </Location>
</VirtualHost>

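A reviewer's check over the TLS and access-control directives of the VirtualHost above, added here as an example and not part of the original post. The embedded config is constructed to mirror the block just shown, and audit_conf and count_findings are this example's own helpers, not httpd or Subversion tools. It flags what a reviewer would raise about this configuration: SSLProtocol all -SSLv2 still negotiates SSLv3, the cipher string admits RC4 and LOW suites, and with the LimitExcept block commented out there is no Require directive anywhere, so the repository is readable and writable without credentials.

```shell
#!/bin/sh
# Added example, not from the original post: a reviewer's check over the
# TLS and access-control directives of an httpd VirtualHost such as the
# subversion.conf block above. audit_conf and count_findings are
# hypothetical helpers; the config below is constructed to mirror the post.
set -eu

SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost *:443>
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLCertificateFile /etc/pki/tls/certs/server.crt
  SSLCertificateKeyFile /etc/pki/tls/private/server.key
  <Location /repos/sample>
     DAV svn
     SVNPath /var/www/svn/sample
#     <LimitExcept GET PROPFIND OPTIONS REPORT>
#       AuthType Basic
#       Require valid-user
#     </LimitExcept>
  </Location>
</VirtualHost>
EOF

audit_conf() {          # $1 = conf path; prints one finding per line
    conf=$(sed -e 's/#.*$//' "$1")           # drop comments first
    # 1. "all" minus only SSLv2 still negotiates SSLv3
    proto=$(printf '%s\n' "$conf" | awk '$1=="SSLProtocol"{$1="";print}')
    case "$proto" in
        *all*) case "$proto" in
                   *-SSLv3*) ;;
                   *) echo "SSLProtocol: 'all' without -SSLv3 still allows SSLv3" ;;
               esac ;;
    esac
    # 2. RC4 and LOW suites stay enabled unless excluded with a leading "!"
    ciphers=$(printf '%s\n' "$conf" | awk '$1=="SSLCipherSuite"{print $2}')
    for weak in RC4 LOW; do
        case ":$ciphers:" in
            *:"!$weak":*) ;;
            *"$weak"*) echo "SSLCipherSuite: $weak suites are enabled" ;;
        esac
    done
    # 3. a DAV svn location with no live Require: anonymous read and write
    if printf '%s\n' "$conf" | grep -q 'DAV svn' &&
       ! printf '%s\n' "$conf" | grep -q '^[[:space:]]*Require'; then
        echo "Location: 'DAV svn' without any Require directive (no authentication)"
    fi
}

count_findings() {      # $1 = conf path; prints the number of findings
    audit_conf "$1" | grep -c . || true
}

audit_conf "$SAMPLE_CONF"
echo "findings: $(count_findings "$SAMPLE_CONF")"
```

Run it against a real file with audit_conf /etc/httpd/conf.d/subversion.conf before apachectl restart; a clean result is zero findings. The check is deliberately simple string matching, so a cipher string built from names it does not know about (for example the TLS 1.3 suites) is neither flagged nor cleared by it.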
■Restart apache
Restart it
apachectl restart
■Check that port 443 is enabled
If 443 shows up as LISTEN there is no problem ( ´∀`)bグッ!
# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0      0 153.127.246.125:22          122.208.42.218:61212        ESTABLISHED
tcp        0      0 :::22
※ Even if the port is shown as LISTEN, it will not work if iptables is blocking it, so also check that iptables is not restricting access.
■Try accessing over SSL
https://<server IP address>/repos/sample/

When you access the server, a screen like the following is displayed.

This site's security certificate is not trusted (; ・`д・´) ナ、ナンダッテー!! (`・д´・ ;)
Since it is a σ(゚∀゚ )オレσ(゚∀゚ )オレ self-signed certificate this warning screen appears,
but the connection itself is over SSL, so press "Proceed anyway" without worrying.



Once the repository is displayed, you are done ド━━━━m9(゚∀゚)━━━━ン!!
That's all (`・ω・´)ゞビシッ!!

■The /etc/httpd/conf.d/subversion.conf used this time
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

#
# Example configuration to enable HTTP access for a directory
# containing Subversion repositories, "/var/www/svn".  Each repository
# must be both:
#
#   a) readable and writable by the 'apache' user, and
#
#   b) labelled with the 'httpd_sys_content_t' context if using
#   SELinux
#

#
# To create a new repository "http://localhost/repos/stuff" using
# this configuration, run as root:
#
#   # cd /var/www/svn
#   # svnadmin create stuff
#   # chown -R apache.apache stuff
#   # chcon -R -t httpd_sys_content_t stuff
#

#<Location /repos>
#   DAV svn
#   SVNParentPath /var/www/svn
#
#   # Limit write permission to list of valid users.
#   <LimitExcept GET PROPFIND OPTIONS REPORT>
#      # Require SSL connection for password protection.
#      # SSLRequireSSL
#
#      AuthType Basic
#      AuthName "Authorization Realm"
#      AuthUserFile /path/to/passwdfile
#      Require valid-user
#   </LimitExcept>
#</Location>

<VirtualHost *:443>
  #sample
  # SSL settings
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLCertificateFile /etc/pki/tls/certs/server.crt
  SSLCertificateKeyFile /etc/pki/tls/private/server.key
  <Location /repos/sample>
     # Required in order to use Subversion
     DAV svn
     # Path to the directory where the repository was created.
     SVNPath /var/www/svn/sample
#     <LimitExcept GET PROPFIND OPTIONS REPORT>
#       # Require SSL connection for password protection.
#       # SSLRequireSSL
#       AuthType Basic
#       AuthName "Authorization Realm"
#       Require valid-user
#     </LimitExcept>
  </Location>
</VirtualHost>
■The /etc/httpd/conf.d/ssl.conf used this time
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#

LoadModule ssl_module modules/mod_ssl.so

#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
SSLMutex default

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names.  NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

#<VirtualHost _default_:443>
#
## General setup for the virtual host, inherited from global configuration
##DocumentRoot "/var/www/html"
##ServerName www.example.com:443
#
## Use separate log files for the SSL virtual host; note that LogLevel
## is not inherited from httpd.conf.
#ErrorLog logs/ssl_error_log
#TransferLog logs/ssl_access_log
#LogLevel warn
#
##   SSL Engine Switch:
##   Enable/Disable SSL for this virtual host.
#SSLEngine on
#
##   SSL Protocol support:
## List the enable protocol levels with which clients will be able to
## connect.  Disable SSLv2 access by default:
#SSLProtocol all -SSLv2
#
##   SSL Cipher Suite:
## List the ciphers that the client is permitted to negotiate.
## See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
#
##   Server Certificate:
## Point SSLCertificateFile at a PEM encoded certificate.  If
## the certificate is encrypted, then you will be prompted for a
## pass phrase.  Note that a kill -HUP will prompt again.  A new
## certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
#
##   Server Private Key:
##   If the key is not combined with the certificate, use this
##   directive to point at the key file.  Keep in mind that if
##   you've both a RSA and a DSA private key you can configure
##   both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#
##   Server Certificate Chain:
##   Point SSLCertificateChainFile at a file containing the
##   concatenation of PEM encoded CA certificates which form the
##   certificate chain for the server certificate. Alternatively
##   the referenced file can be the same as SSLCertificateFile
##   when the CA certificates are directly appended to the server
##   certificate for convinience.
##SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#
##   Certificate Authority (CA):
##   Set the CA certificate verification path where to find CA
##   certificates for client authentication or alternatively one
##   huge file containing all of them (file must be PEM encoded)
##SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
#
##   Client Authentication (Type):
##   Client certificate verification type and depth.  Types are
##   none, optional, require and optional_no_ca.  Depth is a
##   number which specifies how deeply to verify the certificate
##   issuer chain before deciding the certificate is not valid.
##SSLVerifyClient require
##SSLVerifyDepth  10
#
##   Access Control:
##   With SSLRequire you can do per-directory access control based
##   on arbitrary complex boolean expressions containing server
##   variable checks and other lookup directives.  The syntax is a
##   mixture between C and Perl.  See the mod_ssl documentation
##   for more details.
##<Location />
##SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
##            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
##            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
##            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
##            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
##           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
##</Location>
#
##   SSL Engine Options:
##   Set various options for the SSL engine.
##   o FakeBasicAuth:
##     Translate the client X.509 into a Basic Authorisation.  This means that
##     the standard Auth/DBMAuth methods can be used for access control.  The
##     user name is the `one line' version of the client's X.509 certificate.
##     Note that no password is obtained from the user. Every entry in the user
##     file needs this password: `xxj31ZMTZzkVA'.
##   o ExportCertData:
##     This exports two additional environment variables: SSL_CLIENT_CERT and
##     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
##     server (always existing) and the client (only existing when client
##     authentication is used). This can be used to import the certificates
##     into CGI scripts.
##   o StdEnvVars:
##     This exports the standard SSL/TLS related `SSL_*' environment variables.
##     Per default this exportation is switched off for performance reasons,
##     because the extraction step is an expensive operation and is usually
##     useless for serving static content. So one usually enables the
##     exportation for CGI and SSI requests only.
##   o StrictRequire:
##     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
##     under a "Satisfy any" situation, i.e. when it applies access is denied
##     and no other module can change it.
##   o OptRenegotiate:
##     This enables optimized SSL connection renegotiation handling when SSL
##     directives are used in per-directory context.
##SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
#<Files ~ "\.(cgi|shtml|phtml|php3?)$">
#    SSLOptions +StdEnvVars
#</Files>
#<Directory "/var/www/cgi-bin">
#    SSLOptions +StdEnvVars
#</Directory>
#
##   SSL Protocol Adjustments:
##   The safe and default but still SSL/TLS standard compliant shutdown
##   approach is that mod_ssl sends the close notify alert but doesn't wait for
##   the close notify alert from client. When you need a different shutdown
##   approach you can use one of the following variables:
##   o ssl-unclean-shutdown:
##     This forces an unclean shutdown when the connection is closed, i.e. no
##     SSL close notify alert is send or allowed to received.  This violates
##     the SSL/TLS standard but is needed for some brain-dead browsers. Use
##     this when you receive I/O errors because of the standard approach where
##     mod_ssl sends the close notify alert.
##   o ssl-accurate-shutdown:
##     This forces an accurate shutdown when the connection is closed, i.e. a
##     SSL close notify alert is send and mod_ssl waits for the close notify
##     alert of the client. This is 100% SSL/TLS standard compliant, but in
##     practice often causes hanging connections with brain-dead browsers. Use
##     this only for browsers where you know that their SSL implementation
##     works correctly.
##   Notice: Most problems of broken clients are also related to the HTTP
##   keep-alive facility, so you usually additionally want to disable
##   keep-alive for those clients, too. Use variable "nokeepalive" for this.
##   Similarly, one has to force some clients to use HTTP/1.0 to workaround
##   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
##   "force-response-1.0" for this.
#SetEnvIf User-Agent ".*MSIE.*" \
#         nokeepalive ssl-unclean-shutdown \
#         downgrade-1.0 force-response-1.0
#
##   Per-Server Logging:
##   The home of a custom SSL log file. Use this when you want a
##   compact non-error SSL logfile on a virtual host basis.
#CustomLog logs/ssl_request_log \
#          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#
#</VirtualHost>
