This appendix describes the directives available in the Oracle-developed modules supported by OHS. It contains these sections:
In addition to the modules and directives described in this appendix, Oracle HTTP Server also ships with the mod_wl_ohs module, generally referred to as the Oracle WebLogic Server Proxy Plug-In. For information on this module's directives, see "Parameters for Web Server Plug-Ins" in Using Oracle WebLogic Server Proxy Plug-Ins 12.2.1.
The mod_certheaders module accepts the following directives:
Specify which headers should be translated to CGI environment variables. This can be achieved by using the AddCertHeader directive. This directive takes a single argument, which is the CGI environment variable that should be populated from a HTTP header on incoming requests. For example, to populate the SSL_CLIENT_CERT CGI environment variable.
| Category | Value |
|---|---|
| Syntax | AddCertHeader environment_variable |
| Example | AddCertHeader SSL_CLIENT_CERT |
| Default | None |
You can use mod_certheaders to instruct Oracle HTTP Server to treat certain requests as if they were received through HTTPS even though they were received through HTTP. This is useful when Oracle HTTP Server is front-ended by a reverse proxy or load balancer, which acts as a termination point for SSL requests, and forwards the requests to Oracle HTTP Server through HTTPS.
| Category | Value |
|---|---|
| Syntax | SimulateHttps on|off |
| Example | SimulateHttps on |
| Default | off |
To configure SSL for your Oracle HTTP Server, enter the mod_ossl module directives you want to use in the ssl.conf file.
The following sections describe these mod_ossl directives:
Specifies the file where you can assemble the Certificate Revocation Lists (CRLs) from CAs (Certificate Authorities) that you accept certificates from. These are used for client authentication. Such a file is the concatenation of various PEM-encoded CRL files in order of preference. This directive can be used alternatively or additionally to SSLCARevocationPath.
| Category | Value |
|---|---|
| Syntax | SSLCARevocationFile file_name |
| Example |
SSLCARevocationFile ${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/crl/ca_bundle.cr
|
| Default | None |
Specifies the directory where PEM-encoded Certificate Revocation Lists (CRLs) are stored. These CRLs come from the CAs (Certificate Authorities) that you accept certificates from. If a client attempts to authenticate itself with a certificate that is on one of these CRLs, then the certificate is revoked and the client cannot authenticate itself with your server.
This directive must point to a directory that contains the hash value of the CRL To see the commands that allow you to create the hashes, see "orapki" in Administering Oracle Fusion Middleware.
| Category | Value |
|---|---|
| Syntax | SSLCARevocationPath path/to/CRL_directory/ |
| Example |
SSLCARevocationPath ${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/crl
|
| Default | None |
Specifies the SSL cipher suite that the client can use during the SSL handshake. This directive uses either a comma-separated or colon-separated cipher specification string to identify the cipher suite. Table 11–2 shows the tags you can use in the string to describe the cipher suite you want. SSLCipherSuite accepts the following prefixes:
none: Adds the cipher to the list
+ : Adds the cipher to the list and places it in the correct location in the list
- : Removes the cipher from the list (can be added later)
! : Removes the cipher from the list permanently
Tags are joined with prefixes to form a cipher specification string. Cipher suite tags are listed in Table G-1.
| Category | Value |
|---|---|
| Example | SSLCipherSuite ALL:!MD5
In this example, all ciphers are specified except MD5 strength ciphers. |
| Syntax | SSLCipherSuite cipher-spec |
| Default |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA |
Table G-1 SSLCipher Suite Tags
| Function | Tag | Meaning |
|---|---|---|
|
Key exchange |
|
|
|
Key exchange |
|
Elliptic curve Diffie–Hellman Exchange key exchange |
|
Authentication |
|
|
|
Encryption |
|
Triple |
|
Encryption |
|
|
|
Data Integrity |
|
|
|
Data Integrity |
|
SHA256 hash function |
|
Data Integrity |
|
SHA384 hash function |
|
Aliases |
|
All TLS version 1 ciphers |
|
Aliases |
|
All TLS version 1.1 ciphers |
|
Aliases |
|
All TLS version 1.2 ciphers |
|
Aliases |
|
All ciphers with 128-bit encryption |
|
Aliases |
|
All ciphers with encryption key size greater than 128 bits |
|
Aliases |
|
All ciphers using AES encryption |
|
Aliases |
|
All ciphers using RSA for both authentication and key exchange |
|
Aliases |
|
All ciphers using Elliptic Curve Digital Signature Algorithm for authentication |
|
Aliases |
|
All ciphers using Elliptic curve Diffie–Hellman Exchange for key exchange |
|
Aliases |
|
All ciphers that use Advanced Encryption Standard in Galois/Counter Mode (GCM) for encryption. |
Table G-2 lists the Cipher Suites supported in Oracle Advanced Security 12c (12.2.1).
Table G-2 Cipher Suites Supported in Oracle Advanced Security 12.2.1
| Cipher Suite | Key Exchange |
Authentication | Encryption | Data Integrity |
TLS v1 |
TLS v1.1 |
TLS v1.2 |
|---|---|---|---|---|---|---|---|
|
|
RSA |
|
|
|
Yes |
Yes |
Yes |
|
|
RSA |
|
|
|
Yes |
Yes |
Yes |
|
|
RSA |
|
|
|
Yes |
Yes |
Yes |
|
|
RSA |
|
|
|
Yes |
Yes |
Yes |
|
|
RSA |
|
|
|
No |
No |
Yes |
|
|
RSA |
|
|
|
No |
No |
Yes |
|
|
RSA |
|
|
|
No |
No |
Yes |
|
|
RSA |
|
|
|
No |
No |
Yes |
|
|
ECDHE |
|
|
|
Yes |
Yes |
Yes |
|
|
ECDHE |
|
|
|
Yes |
Yes |
Yes |
|
|
ECDHE |
|
|
|
No |
No |
Yes |
|
|
ECDHE |
|
|
|
No |
No |
Yes |
|
|
ECDHE |
|
|
|
No |
No |
Yes |
|
|
ECDHE |
|
|
|
No |
No |
Yes |
|
|
Ephemeral |
|
|
|
Yes |
Yes |
Yes |
|
|
Ephemeral |
|
|
|
Yes |
Yes |
Yes |
|
|
Ephemeral |
|
|
|
Yes |
Yes |
Yes |
|
|
Ephemeral |
|
|
|
Yes |
Yes |
Yes |
|
|
Ephemeral |
|
|
|
Yes |
Yes |
Yes |
|
|
Ephemeral |
|
|
|
Yes |
Yes |
Yes |
|
|
Ephemeral ECDH with RSA signatures |
RSA |
|
|
No |
No |
Yes |
|
|
Ephemeral |
RSA |
|
|
No |
No |
Yes |
|
|
Ephemeral |
RSA |
|
|
No |
No |
Yes |
|
|
Ephemeral |
RSA |
|
|
No |
No |
Yes |
Toggles the usage of the SSL Protocol Engine. This is usually used inside a <VirtualHost> section to enable SSL for a particular virtual host. By default, the SSL Protocol Engine is disabled for both the main server and all configured virtual hosts.
| Category | Value |
|---|---|
| Syntax | SSLEngine on|off |
| Example | SSLEngine on |
| Default | Off |
This directive toggles the usage of the SSL library FIPS_mode flag. It must be set in the global server context and should not be configured with conflicting settings (SSLFIPS on followed by SSLFIPS off or similar). The mode applies to all SSL library operations.
| Category | Value |
|---|---|
| Syntax |
SSLFIPS ON | OFF |
| Example |
SSLFIPS ON |
| Default | Off |
Configuring an SSLFIPS change requires that the SSLFIPS on/off directive be set globally in ssl.conf. Virtual level configuration is disabled in SSLFIPS directive. Hence, setting SSLFIPS to virtual directive will result in an error.
Note:
Note the following restriction on SSLFIPS:Enabling SSLFIPS mode in Oracle HTTP Server requires a wallet created with AES encrypted (compat_v12) headers. To create a new wallet or to convert an existing wallet with AES encryption, see these sections in "orapki" in Administering Oracle Fusion Middleware:
"Creating and Viewing Oracle Wallets with orapki"
The following tables describe the cipher suites that work in SSLFIPS mode with various protocols. For instructions on how to implement these cipher suites, see Section G.3.3, "SSLCipherSuite Directive".
Table G-3 lists the cipher suites which work in TLS 1.0, TLS1.1, and TLS 1.2 protocols in SSLFIPS mode.
Table G-3 Ciphers Which Work in All TLS Protocols in SSLFIPS Mode
| Cipher Name | Cipher Works in These Protocols: |
|---|---|
|
SSL_RSA_WITH_3DES_EDE_CBC_SHA |
TLS 1.0, TLS1.1, and TLS 1.2 |
|
SSL_RSA_WITH_AES_128_CBC_SHA |
TLS 1.0, TLS1.1, and TLS 1.2 |
|
SSL_RSA_WITH_AES_256_CBC_SHA |
TLS 1.0, TLS1.1, and TLS 1.2 |
Table G-4 lists the cipher suites and protocols that can be used in SSLFIPS mode.
Table G-4 Ciphers Which Work in FIPS Mode
| Cipher Name | Cipher Works in These Protocols: |
|---|---|
|
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA |
TLS 1.0 and later |
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
TLS 1.0 and later |
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
TLS 1.0 and later |
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
TLS1.2 and later |
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
TLS1.2 and later |
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
TLS1.2 and later |
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
TLS1.2 and later |
|
TLS_RSA_WITH_AES_128_CBC_SHA256 |
TLS1.2 and later |
|
TLS_RSA_WITH_AES_256_CBC_SHA256 |
TLS1.2 and later |
|
TLS_RSA_WITH_AES_128_GCM_SHA256 |
TLS1.2 and later |
|
TLS_RSA_WITH_AES_256_GCM_SHA384 |
TLS1.2 and later |
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
TLS1.2 and later |
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
TLS1.2 and later |
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
TLS1.2 and later |
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
TLS1.2 and later |
|
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA |
TLS 1.0 and later |
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
TLS 1.0 and later |
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
TLS 1.0 and later |
Note:
If SSLFIPS is set to ON, and a cipher that does not support FIPS is used at the server, then client requests that use that cipher will fail.
If SSLFIPS is set to ON, and a cipher that supports FIPS is used at the server, then client requests that use that cipher will succeed.
Table G-5 lists the cipher suites that do not work in SSPFIPS mode.
Table G-5 Ciphers That Do Not Work in SSLFIPS Mode
| Cipher Name | Description |
|---|---|
|
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA |
Does not work in SSLFIPS mode in any protocol |
|
SSL_RSA_WITH_RC4_128_SHA |
Does not work in SSLFIPS mode in any protocol |
|
TLS_ECDHE_RSA_WITH_RC4_128_SHA |
Does not work in SSLFIPS mode in any protocol |
When choosing a cipher during a handshake, normally the client's preference is used. If this directive is enabled, then the server's preference will be used instead.
| Category | Value |
|---|---|
| Syntax | SSLHonorCipherOrder ON | OFF |
| Example |
SSLHonorCipherOrder ON |
| Default | OFF |
The server's preference order can be configured using the SSLCipherSuite directive. When SSLHonorCipherOrder is set to ON, the value of SSLCipherSuite is treated as an ordered list of cipher values.
Cipher values that appear first in this list are preferred by the server over ciphers that appear later in the list.
SSLCipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 SSLHonorCipherOrder ON
In this case, the server will prefer TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 over all of the other ciphers configured in SSLCipherSuite directive as it appears first in the list and chooses this cipher for the SSL connection, if the client supports it.
As originally specified, all versions of the SSL and TLS protocols (up to and including TLS/1.2) were vulnerable to a Man-in-the-Middle attack (CVE-2009-3555) during a renegotiation. This vulnerability allowed an attacker to "prefix" a chosen plaintext to the HTTP request as seen by the web server. A protocol extension was developed which fixed this vulnerability if supported by both client and server.
For more information on Man-in-the-Middle attack (CVE-2009-3555), see:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
Default mode
When the directive SSLInsecureRenegotion is not specified in the configuration, Oracle HTTP Server operates in compatibility mode.
In this mode, vulnerable peers that do not have Renegotiation Info/Signaling Cipher Suite Value (RI/SCSV) support are allowed to connect, but renegotiation is allowed only with those peers that have RI/SCSV support.
SSLInsecureRenegotiation ON
This option allows vulnerable peers that do not have RI/SCSV to perform renegotiation. Hence, this option must be used with caution, as it leaves the server vulnerable to the renegotiation attack described in CVE-2009-3555.
SSLInsecureRenegotiation OFF
If this option is used, only peers that support RI/SCSV will be allowed to negotiate and renegotiate a session. This is the most secure and recommended mode.
| Category | Value |
|---|---|
| Syntax |
SSLInsecureRenegotiation ON | OFF |
| Example |
SSLInsecureRenegotiation ON |
| Default | The default value is neither ON nor OFF. By default, Oracle HTTP Server operates in compatibility mode, as described under the heading Default mode. |
To configure SSLInsecureRenegotiation, edit the ssl.conf file and set SSLInsecureRenegotiation ON/OFF globally or virtually to enable or disable insecure renegotiation.
Controls various runtime options on a per-directory basis. In general, if multiple options apply to a directory, the most comprehensive option is applied (options are not merged). However, if all of the options in an SSLOptions directive are preceded by a plus ('+') or minus ('-') symbol, then the options are merged. Options preceded by a plus are added to the options currently in force, and options preceded by a minus are removed from the options currently in force.
Accepted values are:
StdEnvVars: Creates the standard set of CGI/SSI environment variables that are related to SSL. This is disabled by default because the extraction operation uses a lot of CPU time and usually has no application when serving static content. Typically, you only enable this for CGI/SSI requests.
ExportCertData: Enables the following additional CGI/SSI variables:
SSL_SERVER_CERT
SSL_CLIENT_CERT
SSL_CLIENT_CERT_CHAIN_n (where n= 0, 1, 2...)
These variables contain the Privacy Enhanced Mail (PEM)-encoded X.509 certificates for the server and the client for the current HTTPS connection, and can be used by CGI scripts for deeper certificate checking. All other certificates of the client certificate chain are provided. This option is "Off" by default because there is a performance cost associated with using it.
SSL_CLIENT_CERT_CHAIN_n variables are in the following order: SSL_CLIENT_CERT_CHAIN_0 is the intermediate CA who signs SSL_CLIENT_CERT. SSL_CLIENT_CERT_CHAIN_1 is the intermediate CA who signs SSL_CLIENT_CERT_CHAIN_0, and so forth, with SSL_CLIENT_ROOT_CERT as the root CA.
FakeBasicAuth: Translates the subject distinguished name of the client X.509 certificate into an HTTP basic authorization user name. This means that the standard HTTP server authentication methods can be used for access control. No password is obtained from the user; the string 'password' is substituted.
StrictRequire: Denies access when, according to SSLRequireSSL Directive or directives, access should be forbidden. Without StrictRequire, it is possible for a 'Satisfy any' directive setting to override the SSLRequire or SSLRequireSSL directive, allowing access if the client passes the host restriction or supplies a valid user name and password.
Thus, the combination of SSLRequireSSL or SSLRequire with SSLOptions +StrictRequire gives mod_ossl the ability to override a 'Satisfy any' directive in all cases.
CompatEnvVars: Exports obsolete environment variables for backward compatibility to Apache SSL 1.x, mod_ssl 2.0.x, Sioux 1.0, and Stronghold 2.x. Use this to provide compatibility to existing CGI scripts.
OptRenegotiate: This enables optimized SSL connection renegotiation handling when SSL directives are used in a per-directory context.
| Category | Value |
|---|---|
| Syntax | SSLOptions [+-] StdEnvVars | ExportCertData | FakeBasicAuth | StrictRequire | CompatEnvVars | OptRenegotiate |
| Example | SSLOptions -StdEnvVars |
| Default | None |
Specifies SSL protocol(s) for mod_ossl to use when establishing the server environment. Clients can only connect with one of the specified protocols. Accepted values are:
TLSv1
TLSv1.1
TLSv1.2
All
Note:
SSLv3 is disabled in Release 12.2.1.You can specify multiple values as a space-delimited list. In the syntax, the "-" and "+" symbols have the following meaning:
+ : Adds the protocol to the list
- : Removes the protocol from the list
In the current release All is defined as +TLSv1 +TLSv1.1 +TLSv1.2.
| Category | Value |
|---|---|
| Syntax | SSLProtocol [+-] TLSv1 | TLSv1.1 | TLSv1.2 | All |
| Example | SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2 |
| Default | ALL |
Specifies the SSL cipher suite that the proxy can use during the SSL handshake. This directive uses a colon-separated cipher specification string to identify the cipher suite. Table G-1 shows the tags to use in the string to describe the cipher suite you want. SSLProxyCipherSuite accepts the following values:
none: Adds the cipher to the list
+ : Adds the cipher to the list and places it in the correct location in the list
- : Removes the cipher from the list (which can be added later)
! : Removes the cipher from the list permanently
Tags are joined with prefixes to form a cipher specification string. Tags are joined together with prefixes to form a cipher specification string. The SSLProxyCipherSuite directive uses the same tags as the SSLCipherSuite directive. For a list of supported suite tags, see Table G-1.
| Category | Value |
|---|---|
| Example | SSLProxyCipherSuite ALL:!MD5
In this example, all ciphers are specified except MD5 strength ciphers. |
| Syntax | SSLProxyCipherSuite cipher-spec |
| Default |
ALL:!ADH:+HIGH:+MEDIUM |
The SSLProxyCipherSuite directive uses the same cipher suites as the SSLCipherSuite directive. For a list of the Cipher Suites supported in Oracle Advanced Security 12.2.1, see Table G-2.
Enables or disables the SSL/TLS protocol engine for proxy. SSLProxyEngine is usually used inside a <VirtualHost> section to enable SSL/TLS for proxy usage in a particular virtual host. By default, the SSL/TLS protocol engine is disabled for proxy both for the main server and all configured virtual hosts.
SSLProxyEngine should not be included in a virtual host that will be acting as a forward proxy (by using Proxy or ProxyRequest directives). SSLProxyEngine is not required to enable a forward proxy server to proxy SSL/TLS requests.
| Category | Value |
|---|---|
| Syntax | SSLProxyEngine ON | OFF |
| Example | SSLProxyEngine on |
| Default | Disable |
Specifies SSL protocol(s) for mod_ossl to use when establishing a proxy connection in the server environment. Proxies can only connect with one of the specified protocols. Accepted values are:
TLSv1
TLSv1.1
TLSv1.2
All
You can specify multiple values as a space-delimited list. In the syntax, the "-" and "+" symbols have the following meaning:
+ : Adds the protocol to the list
- : Removes the protocol from the list
In the current release All is defined as +TLSv1 +TLSv1.1 +TLSv1.2.
| Category | Value |
|---|---|
| Syntax | SSLProxyProtocol [+-] TLSv1 | TLSv1.1 | TLSv1.2 | All |
| Example | SSLProxyProtocol +TLSv1 +TLSv1.1 +TLSv1.2 |
| Default | ALL |
Specifies the location of the wallet with its WRL, specified as a filepath, that a proxy connection needs to use.
| Category | Value |
|---|---|
| Syntax | SSLProxyWallet file:path to wallet |
| Example |
SSLProxyWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/proxy"
|
| Default | None |
Denies access unless an arbitrarily complex boolean expression is true.
| Category | Value |
|---|---|
| Syntax | SSLRequire expression (see Understanding the Expression Variable) |
| Example | SSLRequire word ">=" word |word "ge" word |
| Default | None |
Understanding the Expression Variable
The expression variable must match the following syntax (given as a BNF grammar notation):
expr ::= "true" | "false"
"!" expr
expr "&&" expr
expr "||" expr
"(" expr ")"
comp ::=word "==" word | word "eq" word
word "!=" word |word "ne" word
word "<" word |word "lt" word
word "<=" word |word "le" word
word ">" word |word "gt" word
word ">=" word |word "ge" word
word "=~" regex
word "!~" regex
wordlist ::= word
wordlist "," word
word ::= digit
cstring
variable
function
digit ::= [0-9]+
cstring ::= "..."
variable ::= "%{varname}"
Table G-6 and Table G-7 list standard and SSL variables. These are valid values for varname.
function ::= funcname "(" funcargs ")"
For funcname, the following function is available:
file(filename)
The file function takes one string argument, the filename, and expands to the contents of the file. This is useful for evaluating the file's contents against a regular expression.
Table G-6 lists the standard variables for SSLRequire Directive varname.
Table G-6 Standard Variables for SSLRequire Varname
| Standard Variables | Standard Variables | Standard Variables |
|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table G-7 lists the SSL variables for SSLRequire Directive varname.
Table G-7 SSL Variables for SSLRequire Varname
| SSL Variables | SSL Variables | SSL Variables |
|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Denies access to clients not using SSL. This is a useful directive for absolute protection of a SSL-enabled virtual host or directories in which configuration errors could create security vulnerabilities.
| Category | Value |
|---|---|
| Syntax | SSLRequireSSL |
| Example | SSLRequireSSL |
| Default | None |
Specifies the global/interprocess session cache storage type. The cache provides an optional way to speed up parallel request processing. The accepted values are:
none: disables the global/interprocess session cache. Produces no impact on functionality, but makes a major difference in performance.
nonenotnull: This disables any global/inter-process Session Cache.
shmcb:/path/to/datafile[bytes]: Uses a high-performance Shared Memory Cyclic Buffer (SHMCB) session cache to synchronize the local SSL memory caches of the server processes. Note: in this shm setting, no log files are created under /path/to/datafile on local disk.
| Category | Value |
|---|---|
| Syntax | SSLSessionCache none | nonenotnull | shmcb:/path/to/datafile[bytes] |
| Examples | SSLSessionCache "shmcb:${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/ssl_scache(512000)" |
| Default | SSLSessionCache shmcb:/path/to/datafile[bytes] |
Specifies the number of seconds before a SSL session in the session cache expires.
| Category | Value |
|---|---|
| Syntax | SSLSessionCacheTimeout seconds |
| Example | SSLSessionCacheTimeout 120 |
| Default | 300 |
SSLTraceLogLevel adjusts the verbosity of the messages recorded in the Oracle Security library error logs. When a particular level is specified, messages from all other levels of higher significance will be reported as well. For example, when SSLTraceLogLevel ssl is set, messages with log levels of error, warn, user and debug will also be posted.
Note:
This directive can only be set globally in thessl.conf file.SSLTraceLogLevel accepts the following log levels:
none: Oracle Security Trace disable
fatal: Fatal error; system is unusable.
error: Error conditions.
warn: Warning conditions.
user: Normal but significant condition.
debug: Debug-level condition
ssl: SSL level debugging
| Category | Value |
|---|---|
| Syntax |
SSLTraceLogLevel none | fatal | error | warn | user | debug | ssl |
| Example |
SSLTraceLogLevel fatal |
| Default | None |
Specifies whether a client must present a certificate when connecting. The accepted values are:
none: No client certificate is required
optional: Client can present a valid certificate
require: Client must present a valid certificate
| Category | Value |
|---|---|
| Syntax | SSLVerifyClient none | optional | require |
| Example | SSLVerifyClient optional |
| Default | None |
Note:
The leveloptional_no_ca included with mod_ssl (in which the client can present a valid certificate, but it need not be verifiable) is not supported in mod_ossl.Specifies the location of the wallet with its WRL, specified as a filepath.
| Category | Value |
|---|---|
| Syntax | SSLWallet file:path to wallet directory
|
| Example |
SSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/default"
|
| Default | This is the default |