H Oracle HTTP Server Module Directives
Modules extend the basic functionality of Oracle HTTP Server and support integration between Oracle HTTP Server and other Oracle Fusion Middleware components. Oracle HTTP Server uses both Oracle developed modules or “plug-ins” and Apache and third party-developed modules. Oracle developed modules have a set of directives that Oracle HTTP Server supports.
This appendix describes the directives available in the Oracle-developed modules:
- mod_wl_ohs Module
Themod_wl_ohs
module is a key feature of Oracle HTTP Server that enables requests to be proxied from Oracle HTTP Server to Oracle WebLogic Server. This module is generally referred to as the Oracle WebLogic Server proxy plug-in. - mod_certheaders Module
Themod_certheaders
module enables reverse proxies using two directives namely,AddCertHeader
andSimulateHttps
. - mod_ossl Module
Themod_ossl
module enables strong cryptography for Oracle HTTP Server. It accepts a set of directives such asSSLCARevocationFile
,SSLCipherSuite
,SSLEngine
, and more.
mod_wl_ohs Module
The mod_wl_ohs
module is a key feature of Oracle HTTP Server that enables requests to be proxied from Oracle HTTP Server to Oracle WebLogic Server. This module is generally referred to as the Oracle WebLogic Server proxy plug-in.
The mod_wl_ohs module enhances an Oracle HTTP server installation by allowing Oracle WebLogic Server to handle requests that require dynamic functionality. In other words, you typically use a plug-in where the HTTP server serves static pages such as HTML pages, while Oracle WebLogic Server serves dynamic pages such as HTTP Servlets and Java Server Pages (JSPs). For information on this module's directives, see Parameters for Web Server Plug-Ins in Using Oracle WebLogic Server Proxy Plug-Ins.
Parent topic: Oracle HTTP Server Module Directives
mod_certheaders Module
The mod_certheaders
module enables reverse proxies using two directives namely, AddCertHeader
and SimulateHttps
.
This section describes the mod_certheaders directives:
AddCertHeader Directive
Specify which headers should be translated to CGI environment variables. This can be achieved by using the AddCertHeader
directive. This directive takes a single argument, which is the CGI environment variable that should be populated from a HTTP header on incoming requests. For example, to populate the SSL_CLIENT_CERT CGI environment variable.
Category | Value |
---|---|
Syntax |
|
Example |
|
Default |
None |
Parent topic: mod_certheaders Module
SimulateHttps Directive
You can use mod_certheaders to instruct Oracle HTTP Server to treat certain requests as if they were received through HTTPS even though they were received through HTTP. This is useful when Oracle HTTP Server is front-ended by a reverse proxy or load balancer, which acts as a termination point for SSL requests, and forwards the requests to Oracle HTTP Server through HTTPS.
Category | Value |
---|---|
Syntax |
|
Example |
|
Default |
|
Parent topic: mod_certheaders Module
mod_ossl Module
The mod_ossl
module enables strong cryptography for Oracle HTTP Server. It accepts a set of directives such as SSLCARevocationFile
, SSLCipherSuite
, SSLEngine
, and more.
To configure SSL for your Oracle HTTP Server, enter the mod_ossl
module directives you want to use in the ssl.conf
file.
The following sections describe these mod_ossl
directives:
- SSLCARevocationFile Directive
- SSLCARevocationPath Directive
- SSLCipherSuite Directive
Specifies the SSL cipher suite that the client can use during the SSL handshake. This directive uses either a comma-separated or colon-separated cipher specification string to identify the cipher suite. - SSLEngine Directive
- SSLFIPS Directive
- SSLHonorCipherOrder Directive
- SSLInsecureRenegotiation Directive
- SSLOptions Directive
- SSLProtocol Directive
- SSLProxyCipherSuite Directive
- SSLProxyEngine Directive
- SSLProxyProtocol Directive
- SSLProxyWallet Directive
- SSLRequire Directive
- SSLRequireSSL Directive
- SSLSessionCache Directive
- SSLProxySessionCache Directive
- SSLSessionCacheTimeout Directive
- SSLTraceLogLevel Directive
- SSLVerifyClient Directive
- SSLWallet Directive
Parent topic: Oracle HTTP Server Module Directives
SSLCARevocationFile Directive
Specifies the file where you can assemble the Certificate Revocation Lists (CRLs) from CAs (Certificate Authorities) that you accept certificates from. These are used for client authentication. Such a file is the concatenation of various PEM-encoded CRL files in order of preference. This directive can be used alternatively or additionally to SSLCARevocationPath
.
Category | Value |
---|---|
Syntax |
|
Example |
SSLCARevocationFile ${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/crl/ca_bundle.cr |
Default |
None |
Parent topic: mod_ossl Module
SSLCARevocationPath Directive
Specifies the directory where PEM-encoded Certificate Revocation Lists (CRLs) are stored. These CRLs come from the CAs (Certificate Authorities) that you accept certificates from. If a client attempts to authenticate itself with a certificate that is on one of these CRLs, then the certificate is revoked and the client cannot authenticate itself with your server.
This directive must point to a directory that contains the hash value of the CRL. To see the commands that allow you to create the hashes, see orapki in Administering Oracle Fusion Middleware.
Category | Value |
---|---|
Syntax |
|
Example |
SSLCARevocationPath ${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/crl |
Default |
None |
Parent topic: mod_ossl Module
SSLCipherSuite Directive
Specifies the SSL cipher suite that the client can use during the SSL handshake. This directive uses either a comma-separated or colon-separated cipher specification string to identify the cipher suite.
SSLCipherSuite accepts the following prefixes:
-
none: Adds the cipher to the list
-
+ : Adds the cipher to the list and places it in the correct location in the list
-
- : Removes the cipher from the list (can be added later)
-
! : Removes the cipher from the list permanently
Tags are joined with prefixes to form a cipher specification string. Cipher suite tags are listed in Table H-1.
Note:
Cipher suites that use Rivest Cipher 4 (RC4) and Triple Data Encryption Standard (3DES) algorithms are deprecated from Oracle HTTP Server version 12.2.1.3 onwards due to known security vulnerabilities. These ciphers are removed from the SSLCipherSuite configuration of the default SSL port of Oracle HTTP Server. These ciphers are also removed from all supported cipher aliases except RC4 and 3DES aliases. If Oracle HTTP Server is managed through Enterprise Manager or WebLogic Scripting Tool, you cannot configure these cipher suites through these tools as these tools do not recognize the insecure RC4 and 3DES ciphers.
To provide backward compatibility, Oracle HTTP Server enables the RC4 and 3DES ciphers, if you explicitly add them to the cipher suite configuration. To use these insecure ciphers, edit the SSLCipherSuite directive in your .conf files using a file editor, and then add them to the end of the cipher list.
Table 11–2 shows the tags you can use in the string to describe the cipher suite you want.
Category | Value |
---|---|
Example |
In this example, all ciphers are specified except MD5 strength ciphers. |
Syntax |
|
Default |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA |
Table H-1 SSLCipher Suite Tags
Function | Tag | Meaning |
---|---|---|
Key exchange |
|
|
Key exchange |
|
Elliptic curve Diffie–Hellman Exchange key exchange |
Authentication |
|
|
Encryption |
|
Triple |
Encryption |
|
|
Data Integrity |
|
|
Data Integrity |
|
SHA256 hash function |
Data Integrity |
|
SHA384 hash function |
Aliases |
|
All TLS version 1 ciphers |
Aliases |
|
All TLS version 1.1 ciphers |
Aliases |
|
All TLS version 1.2 ciphers |
Aliases |
|
All ciphers with 128-bit encryption |
Aliases |
|
All ciphers with encryption key size greater than 128 bits |
Aliases |
|
All ciphers using AES encryption |
Aliases |
|
All ciphers using RSA for both authentication and key exchange |
Aliases |
|
All ciphers using Elliptic Curve Digital Signature Algorithm for authentication |
Aliases |
|
All ciphers using Elliptic curve Diffie–Hellman Exchange for key exchange |
Aliases |
|
All ciphers that use Advanced Encryption Standard in Galois/Counter Mode (GCM) for encryption. |
Table H-2 lists the Cipher Suites supported in Oracle Advanced Security 12c (12.2.1).
Note:
When using mod_ossl
on a Solaris Sparc platform, the underlying cryptographic libraries detect the Sparc T4 processor, and makes use of the on-core cryptography algorithms that accelerate cryptographic operations. No configuration is required to enable this feature. The following cryptographic algorithms are supported by the Oracle Sparc Enterprise T-series processors: RSA, 3DES, AES-CBC, AES-GCM, SHA1, SHA256, and SHA38.
Table H-2 Cipher Suites Supported in Oracle Advanced Security 12.2.1
Cipher Suite | Key Exchange | Authentication | Encryption | Data Integrity | TLS v1 | TLS v1.1 | TLS v1.2 |
---|---|---|---|---|---|---|---|
|
RSA |
|
|
|
Yes |
Yes |
Yes |
|
RSA |
|
|
|
Yes |
Yes |
Yes |
|
RSA |
|
|
|
Yes |
Yes |
Yes |
|
RSA |
|
|
|
Yes |
Yes |
Yes |
|
RSA |
|
|
|
No |
No |
Yes |
|
RSA |
|
|
|
No |
No |
Yes |
|
RSA |
|
|
|
No |
No |
Yes |
|
RSA |
|
|
|
No |
No |
Yes |
|
ECDHE |
|
|
|
Yes |
Yes |
Yes |
|
ECDHE |
|
|
|
Yes |
Yes |
Yes |
|
ECDHE |
|
|
|
No |
No |
Yes |
|
ECDHE |
|
|
|
No |
No |
Yes |
|
ECDHE |
|
|
|
No |
No |
Yes |
|
ECDHE |
|
|
|
No |
No |
Yes |
|
Ephemeral |
|
|
|
Yes |
Yes |
Yes |
|
Ephemeral |
|
|
|
Yes |
Yes |
Yes |
|
Ephemeral |
|
|
|
Yes |
Yes |
Yes |
|
Ephemeral |
|
|
|
Yes |
Yes |
Yes |
|
Ephemeral |
|
|
|
Yes |
Yes |
Yes |
|
Ephemeral |
|
|
|
Yes |
Yes |
Yes |
|
Ephemeral ECDH with RSA signatures |
RSA |
|
|
No |
No |
Yes |
|
Ephemeral |
RSA |
|
|
No |
No |
Yes |
|
Ephemeral |
RSA |
|
|
No |
No |
Yes |
|
Ephemeral |
RSA |
|
|
No |
No |
Yes |
Parent topic: mod_ossl Module
SSLEngine Directive
Toggles the usage of the SSL Protocol Engine. This is usually used inside a <VirtualHost>
section to enable SSL for a particular virtual host. By default, the SSL Protocol Engine is disabled for both the main server and all configured virtual hosts.
Category | Value |
---|---|
Syntax |
|
Example |
|
Default |
|
Parent topic: mod_ossl Module
SSLFIPS Directive
This directive toggles the usage of the SSL library FIPS_mode flag. It must be set in the global server context and should not be configured with conflicting settings (SSLFIPS on
followed by SSLFIPS off
or similar). The mode applies to all SSL library operations.
Category | Value |
---|---|
Syntax |
SSLFIPS ON | OFF |
Example |
SSLFIPS ON |
Default |
|
Configuring an SSLFIPS change requires that the SSLFIPS on
/off
directive be set globally in ssl.conf. Virtual level configuration is disabled in SSLFIPS directive. Hence, setting SSLFIPS to virtual directive results in an error.
Note:
Note the following restriction on SSLFIPS:
-
Enabling SSLFIPS mode in Oracle HTTP Server requires a wallet created with AES encrypted (compat_v12) headers. To create a new wallet or to convert an existing wallet with AES encryption, see these sections in orapki in Administering Oracle Fusion Middleware:
Creating and Viewing Oracle Wallets with orapki
The following tables describe the cipher suites that work in SSLFIPS mode with various protocols. For instructions on how to implement these cipher suites, see SSLCipherSuite Directive.
Table H-3 lists the cipher suites which work in TLS 1.0, TLS1.1, and TLS 1.2 protocols in SSLFIPS mode.
Table H-3 Ciphers Which Work in All TLS Protocols in SSLFIPS Mode
Cipher Name | Cipher Works in These Protocols: |
---|---|
SSL_RSA_WITH_3DES_EDE_CBC_SHA |
TLS 1.0, TLS1.1, and TLS 1.2 |
SSL_RSA_WITH_AES_128_CBC_SHA |
TLS 1.0, TLS1.1, and TLS 1.2 |
SSL_RSA_WITH_AES_256_CBC_SHA |
TLS 1.0, TLS1.1, and TLS 1.2 |
Table H-4 lists the cipher suites and protocols that can be used in SSLFIPS mode.
Table H-4 Ciphers Which Work in FIPS Mode
Cipher Name | Cipher Works in These Protocols: |
---|---|
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA |
TLS 1.0 and later |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
TLS 1.0 and later |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
TLS 1.0 and later |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
TLS1.2 and later |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
TLS1.2 and later |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
TLS1.2 and later |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
TLS1.2 and later |
TLS_RSA_WITH_AES_128_CBC_SHA256 |
TLS1.2 and later |
TLS_RSA_WITH_AES_256_CBC_SHA256 |
TLS1.2 and later |
TLS_RSA_WITH_AES_128_GCM_SHA256 |
TLS1.2 and later |
TLS_RSA_WITH_AES_256_GCM_SHA384 |
TLS1.2 and later |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
TLS1.2 and later |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
TLS1.2 and later |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
TLS1.2 and later |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
TLS1.2 and later |
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA |
TLS 1.0 and later |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
TLS 1.0 and later |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
TLS 1.0 and later |
Note:
-
If SSLFIPS is set to ON, and a cipher that does not support FIPS is used at the server, then client requests that use that cipher fail.
-
To use the TLS_ECDHE_ECDSA cipher suite, Oracle HTTP Server requires a wallet created with an ECC user certificate. The TLS_ECDHE_ECDSA cipher suite does not work with RSA certificates.
-
To use the SSL_RSA/TLS_RSA/TLS_ECDHE_RSA cipher suite, Oracle HTTP Server requires a wallet created with an RSA user certificate. The SSL_RSA/TLS_RSA/TLS_ECDHE_RSA cipher suite does not work with ECC certificates.
For more information about how to configure ECC/RSA certificates in a wallet, see Creating and Viewing Oracle Wallets with orapki in Administering Oracle Fusion Middleware.
For instructions about how to implement these cipher suites and corresponding protocols, see SSL Cipher Suite Directive and SSL Protocol.
Table H-5 lists the cipher suites that do not work in SSPFIPS mode.
Table H-5 Ciphers That Do Not Work in SSLFIPS Mode
Cipher Name | Description |
---|---|
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA |
Does not work in SSLFIPS mode in any protocol |
SSL_RSA_WITH_RC4_128_SHA |
Does not work in SSLFIPS mode in any protocol |
TLS_ECDHE_RSA_WITH_RC4_128_SHA |
Does not work in SSLFIPS mode in any protocol |
Parent topic: mod_ossl Module
SSLHonorCipherOrder Directive
When choosing a cipher during a handshake, normally the client's preference is used. If this directive is enabled, then the server's preference will be used instead.
Category | Value |
---|---|
Syntax |
|
Example |
SSLHonorCipherOrder ON |
Default |
|
The server's preference order can be configured using the SSLCipherSuite directive. When SSLHonorCipherOrder is set to ON, the value of SSLCipherSuite is treated as an ordered list of cipher values.
Cipher values that appear first in this list are preferred by the server over ciphers that appear later in the list.
Example:
SSLCipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 SSLHonorCipherOrder ON
In this case, the server will prefer TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
over all of the other ciphers configured in SSLCipherSuite directive as it appears first in the list and chooses this cipher for the SSL connection, if the client supports it.
Parent topic: mod_ossl Module
SSLInsecureRenegotiation Directive
As originally specified, all versions of the SSL and TLS protocols (up to and including TLS/1.2) were vulnerable to a Man-in-the-Middle attack (CVE-2009-3555) during a renegotiation. This vulnerability allowed an attacker to "prefix" a chosen plaintext to the HTTP request as seen by the web server. A protocol extension was developed which fixed this vulnerability if supported by both client and server.
For more information on Man-in-the-Middle attack (CVE-2009-3555), see:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555
The accepted values for this directive are:
- Default mode: When the directive SSLInsecureRenegotion is not specified in the configuration, Oracle HTTP Server does not allow client-initiated renegotiation. This is the most secure mode of operation.
SSLInsecureRenegotiation ON
: This option allows vulnerable peers that do not have RI/SCSV to perform renegotiation. Hence, this option must be used with caution, as it leaves the server vulnerable to the renegotiation attack described in CVE-2009-3555.SSLInsecureRenegotiation OFF
: This option can be used if support for client-initiated renegotiation is desired. When SSLInsecureRenegotiation directive is present in the configuration and set to OFF, Oracle HTTP Server allows client-initiated renegotiation. However, only peers that support RI/SCSV will be allowed to negotiate and renegotiate a session.
Category | Value |
---|---|
Syntax |
SSLInsecureRenegotiation ON | OFF |
Example |
SSLInsecureRenegotiation ON |
Default |
The default value is neither |
To configure SSLInsecureRenegotiation, edit the ssl.conf
file and set SSLInsecureRenegotiation
ON/OFF to enable or disable insecure renegotiation. This directive may be configured either in the server config context or in the virtual host context.
Parent topic: mod_ossl Module
SSLOptions Directive
Controls various runtime options on a per-directory basis. In general, if multiple options apply to a directory, the most comprehensive option is applied (options are not merged). However, if all of the options in an SSLOptions
directive are preceded by a plus ('+') or minus ('-') symbol, then the options are merged. Options preceded by a plus are added to the options currently in force, and options preceded by a minus are removed from the options currently in force.
Accepted values are:
-
StdEnvVars
: Creates the standard set of CGI/SSI environment variables that are related to SSL. This is disabled by default because the extraction operation uses a lot of CPU time and usually has no application when serving static content. Typically, you only enable this for CGI/SSI requests. -
ExportCertData
: Enables the following additional CGI/SSI variables:SSL_SERVER_CERT
SSL_CLIENT_CERT
SSL_CLIENT_CERT_CHAIN_n
(where n= 0, 1, 2...)These variables contain the Privacy Enhanced Mail (PEM)-encoded X.509 certificates for the server and the client for the current HTTPS connection, and can be used by CGI scripts for deeper certificate checking. All other certificates of the client certificate chain are provided. This option is "Off" by default because there is a performance cost associated with using it.
SSL_CLIENT_CERT_CHAIN_n
variables are in the following order:SSL_CLIENT_CERT_CHAIN_0
is the intermediate CA who signsSSL_CLIENT_CERT
.SSL_CLIENT_CERT_CHAIN_1
is the intermediate CA who signsSSL_CLIENT_CERT_CHAIN_0
, and so forth, withSSL_CLIENT_ROOT_CERT
as the root CA. -
FakeBasicAuth
: Translates the subject distinguished name of the client X.509 certificate into an HTTP basic authorization user name. This means that the standard HTTP server authentication methods can be used for access control. No password is obtained from the user; the string 'password' is substituted. -
StrictRequire
: Denies access when, according to SSLRequireSSL Directive or directives, access should be forbidden. WithoutStrictRequire
, it is possible for a 'Satisfy any'
directive setting to override theSSLRequire
orSSLRequireSSL
directive, allowing access if the client passes the host restriction or supplies a valid user name and password.Thus, the combination of
SSLRequireSSL
orSSLRequire
withSSLOptions +StrictRequire
givesmod_ossl
the ability to override a'Satisfy any'
directive in all cases. -
CompatEnvVars
: Exports obsolete environment variables for backward compatibility to Apache SSL 1.x,mod_ssl
2.0.x, Sioux 1.0, and Stronghold 2.x. Use this to provide compatibility to existing CGI scripts. -
OptRenegotiate
: This enables optimized SSL connection renegotiation handling when SSL directives are used in a per-directory context.
Category | Value |
---|---|
Syntax |
|
Example |
|
Default |
None |
Parent topic: mod_ossl Module
SSLProtocol Directive
Specifies SSL protocol(s) for mod_ossl
to use when establishing the server environment. Clients can only connect with one of the specified protocols. Accepted values are:
-
TLSv1
-
TLSv1.1
-
TLSv1.2
-
All
You can specify multiple values as a space-delimited list. In the syntax, the "-" and "+" symbols have the following meaning:
-
+ : Adds the protocol to the list
-
- : Removes the protocol from the list
In the current release All
is defined as +TLSv1.2
.
Category | Value |
---|---|
Syntax |
|
Example |
|
Default |
|
Parent topic: mod_ossl Module
SSLProxyCipherSuite Directive
Specifies the SSL cipher suite that the proxy can use during the SSL handshake. This directive uses a colon-separated cipher specification string to identify the cipher suite. Table H-1 shows the tags to use in the string to describe the cipher suite you want. SSLProxyCipherSuite accepts the following values:
-
none: Adds the cipher to the list
-
+ : Adds the cipher to the list and places it in the correct location in the list
-
- : Removes the cipher from the list (which can be added later)
-
! : Removes the cipher from the list permanently
Tags are joined with prefixes to form a cipher specification string. Tags are joined together with prefixes to form a cipher specification string. The SSLProxyCipherSuite directive uses the same tags as the SSLCipherSuite directive. For a list of supported suite tags, see Table H-1.
Category | Value |
---|---|
Example |
In this example, all ciphers are specified except MD5 strength ciphers. |
Syntax |
|
Default |
ALL:!ADH:+HIGH:+MEDIUM |
The SSLProxyCipherSuite directive uses the same cipher suites as the SSLCipherSuite directive. For a list of the Cipher Suites supported in Oracle Advanced Security 12.2.1, see Table H-2.
Parent topic: mod_ossl Module
SSLProxyEngine Directive
Enables or disables the SSL/TLS protocol engine for proxy. SSLProxyEngine is usually used inside a <VirtualHost>
section to enable SSL/TLS for proxy usage in a particular virtual host. By default, the SSL/TLS protocol engine is disabled for proxy both for the main server and all configured virtual hosts.
SSLProxyEngine should not be included in a virtual host that will be acting as a forward proxy (by using Proxy
or ProxyRequest
directives). SSLProxyEngine is not required to enable a forward proxy server to proxy SSL/TLS requests.
Category | Value |
---|---|
Syntax |
SSLProxyEngine ON | OFF |
Example |
SSLProxyEngine on |
Default |
|
Parent topic: mod_ossl Module
SSLProxyProtocol Directive
Specifies SSL protocol(s) for mod_ossl
to use when establishing a proxy connection in the server environment. Proxies can only connect with one of the specified protocols. Accepted values are:
-
TLSv1
-
TLSv1.1
-
TLSv1.2
-
All
You can specify multiple values as a space-delimited list. In the syntax, the "-" and "+" symbols have the following meaning:
-
+ : Adds the protocol to the list
-
- : Removes the protocol from the list
In the current release All
is defined as +TLSv1
+TLSv1.1
+TLSv1.2
.
Category | Value |
---|---|
Syntax |
|
Example |
|
Default |
|
Parent topic: mod_ossl Module
SSLProxyWallet Directive
Specifies the location of the wallet with its WRL, specified as a filepath, that a proxy connection needs to use.
Category | Value |
---|---|
Syntax |
|
Example |
SSLProxyWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/proxy" |
Default |
None |
Parent topic: mod_ossl Module
SSLRequire Directive
Note:
SSLRequire is deprecated and must be replaced with Require expression.Denies access unless an arbitrarily complex boolean expression is true.
Category | Value |
---|---|
Syntax |
|
Example |
|
Default |
None |
Understanding the Expression Variable
The expression variable must match the following syntax (given as a BNF grammar notation):
expr ::= "true" | "false" "!" expr expr "&&" expr expr "||" expr "(" expr ")" comp ::=word "==" word | word "eq" word word "!=" word |word "ne" word word "<" word |word "lt" word word "<=" word |word "le" word word ">" word |word "gt" word word ">=" word |word "ge" word word "=~" regex word "!~" regex wordlist ::= word wordlist "," word word ::= digit cstring variable function digit ::= [0-9]+ cstring ::= "..." variable ::= "%{varname}"
Table H-6 and Table H-7 list standard and SSL variables. These are valid values for varname
.
function ::= funcname "(" funcargs ")"
For funcname
, the following function is available:
file(filename)
The file function takes one string argument, the filename, and expands to the contents of the file. This is useful for evaluating the file's contents against a regular expression.
Table H-6 lists the standard variables for SSLRequire Directive varname
.
Table H-6 Standard Variables for SSLRequire Varname
Standard Variables | Standard Variables | Standard Variables |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table H-7 lists the SSL variables for SSLRequire Directive varname.
Table H-7 SSL Variables for SSLRequire Varname
SSL Variables | SSL Variables | SSL Variables |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Parent topic: mod_ossl Module
SSLRequireSSL Directive
Denies access to clients not using SSL. This is a useful directive for absolute protection of a SSL-enabled virtual host or directories in which configuration errors could create security vulnerabilities.
Category | Value |
---|---|
Syntax |
|
Example |
|
Default |
None |
Parent topic: mod_ossl Module
SSLSessionCache Directive
Specifies the global/interprocess session cache storage type. The cache provides an optional way to speed up parallel request processing. The accepted values are:
-
none
: disables the global/interprocess session cache. Produces no impact on functionality, but makes a major difference in performance. -
shmcb:
/path/to/datafile[bytes]: Uses a high-performance Shared Memory Cyclic Buffer (SHMCB) session cache to synchronize the local SSL memory caches of the server processes. Note: in this shm setting, no log files are created under /path/to/datafile on local disk.
Category | Value |
---|---|
Syntax |
|
Examples |
|
Default |
|
Parent topic: mod_ossl Module
SSLProxySessionCache Directive
This directive toggles the usage of a global or interprocess session cache to cache SSL session information when OHS is configured to behave as a proxy through the use of the mod_proxy
module. The type of global or interprocess SSL session cache that is used to store the SSL session information is controlled by the SSLSessionCache directive.
The number of seconds before an SSL session expires in the session cache is controlled by the SSLSessionCacheTimeout directive. The ssl-cache mutex is used to serialize access to the session cache to prevent corruption.
The accepted values for SSLProxySessionCache directive are:
-
On
: Enables the SSL session cache when OHS is configured to behave as a proxy through the use of themod_proxy
module. When this directive is set toOn
, it is necessary to choose the type of SSL session cache by configuring the SSLSessionCache directive appropriately.SSLSessionCache cannot be set to a value of
none
, as it would be a conflicting setting to turn on SSL session cache for the proxy and not specify the type of cache to use. -
Off
: Disables SSL session caching when OHS is configured to behave as a proxy through the use of the mod_proxy module. This is not a recommended setting. The performance costs of full handshakes must be considered before choosing this option.
Category | Value |
---|---|
Syntax |
|
Context |
Server Config |
Default |
|
Module Identifier |
|
The following examples illustrate how to use the SSLSessionCache and SSLProxySessionCache directives to control the SSL session caching behaviour of OHS.
Example 1
LoadModule proxy_module "${PRODUCT_HOME}/modules/mod_proxy.so"
LoadModule proxy_balancer_module
"${PRODUCT_HOME}/modules/mod_proxy_balancer.so"
SSLSessionCache none
SSLProxySessionCache on
<VirtualHost _default_:443>
SSLEngine on
<Proxy "balancer://mybalancer">
SSLProxyEngine On
#..
</Proxy>
#...
</VirtualHost>
This is not an allowed configuration. SSLProxySessionCache cannot be turned on when SSLSessionCache is set to None
.
Example 2
LoadModule proxy_module "${PRODUCT_HOME}/modules/mod_proxy.so"
LoadModule proxy_balancer_module
"${PRODUCT_HOME}/modules/mod_proxy_balancer.so"
SSLSessionCache none
SSLProxySessionCache off
<VirtualHost _default_:443>
SSLEngine on
<Proxy "balancer://mybalancer">
SSLProxyEngine On
#..
</Proxy>
#...
</VirtualHost>
This example
- Turns off SSL session caching for the SSL enabled virtual host defined within the OHS configuration.
- Turns off SSL client session caching for requests handled by the proxy
mybalancer
.
Example 3
LoadModule proxy_module "${PRODUCT_HOME}/modules/mod_proxy.so"
LoadModule proxy_balancer_module
"${PRODUCT_HOME}/modules/mod_proxy_balancer.so"
SSLSessionCache
"shmcb:${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/ssl_scache(512000)"
SSLProxySessionCache off
<VirtualHost _default_:443>
SSLEngine on
<Proxy "balancer://mybalancer">
SSLProxyEngine On
#..
</Proxy>
#...
</VirtualHost>
This example
- Turns on SSL session caching for the SSL enabled virtual host defined within the OHS configuration.
- Turns off SSL client session caching for requests handled by the proxy
mybalancer
.
Example 4
LoadModule proxy_module "${PRODUCT_HOME}/modules/mod_proxy.so"
SSLSessionCache
"shmcb:${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/ssl_scache(512000)"
SSLProxySessionCache off
<VirtualHost _default_:443>
SSLEngine on
SSLProxyEngine on
ProxyPass / https://<backend_host_name>:<backend_port>/
ProxyPassReverse / https://<backend_host_name>:<backend_port>/
</VirtualHost>
This example
- Turns on SSL session caching for the SSL enabled virtual host defined within the OHS configuration.
- Turns off SSL client session caching for the requests handled by the reverse proxy defined within the virtual host (
_default_:443
).
Example 5
LoadModule proxy_module "${PRODUCT_HOME}/modules/mod_proxy.so"
LoadModule proxy_balancer_module
"${PRODUCT_HOME}/modules/mod_proxy_balancer.so"
SSLSessionCache
"shmcb:${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/ssl_scache(512000)"
SSLProxySessionCache on
<VirtualHost _default_:443>
SSLEngine on
<Proxy "balancer://mybalancer">
SSLProxyEngine On
#..
</Proxy>
#...
</VirtualHost>
This example
- Turns on SSL session caching for the SSL enabled virtual host defined within the OHS configuration.
- Turns on SSL client session caching for requests handled by the proxy
mybalancer
.
Example 6
LoadModule proxy_module "${PRODUCT_HOME}/modules/mod_proxy.so"
SSLSessionCache
"shmcb:${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/ssl_scache(512000)"
SSLProxySessionCache on
<VirtualHost _default_:443>
SSLEngine on
SSLProxyEngine on
ProxyPass / https://<backend_host_name>:<backend_port>/
ProxyPassReverse / https://<backend_host_name>:<backend_port>/
</VirtualHost>
This example
- Turns on SSL session caching for the SSL enabled virtual host defined within the OHS configuration.
- Turns on SSL client session caching for the requests handled by the reverse proxy defined within the virtual host (
_default_:443
).
Example 7
LoadModule proxy_module "${PRODUCT_HOME}/modules/mod_proxy.so"
LoadModule proxy_balancer_module
"${PRODUCT_HOME}/modules/mod_proxy_balancer.so"
SSLSessionCache
"shmcb:${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/ssl_scache(512000)"
SSLProxySessionCache on
<VirtualHost _default_:443>
SSLEngine on
<Proxy "balancer://mybalancer">
SSLProxyEngine On
#..
</Proxy>
<Proxy "balancer://mybalancer2">
SSLProxyEngine On
#..
</Proxy>
#...
</VirtualHost>
<VirtualHost _default_:4448>
SSLEngine on
<Proxy "balancer://mybalancer3">
SSLProxyEngine On
#..
</Proxy>
<Proxy "balancer://mybalancer4">
SSLProxyEngine On
#..
</Proxy>
#...
</VirtualHost>
This example
- Turns on SSL session caching for all the SSL enabled virtual hosts defined within the OHS configuration.
- Turns on SSL client session caching for requests handled by the proxy
mybalancer
,mybalancer2
,mybalancer3
, andmybalancer4
.
Parent topic: mod_ossl Module
SSLSessionCacheTimeout Directive
Specifies the number of seconds before a SSL session in the session cache expires.
Category | Value |
---|---|
Syntax |
|
Example |
|
Default |
|
Parent topic: mod_ossl Module
SSLTraceLogLevel Directive
SSLTraceLogLevel
adjusts the verbosity of the messages recorded in the Oracle Security library error logs. When a particular level is specified, messages from all other levels of higher significance will be reported as well. For example, when SSLTraceLogLevel ssl
is set, messages with log levels of error, warn, user and debug will also be posted.
Note:
This directive can only be set globally in the ssl.conf
file.
SSLTraceLogLevel accepts the following log levels:
-
none
: Oracle Security Trace disable -
fatal
: Fatal error; system is unusable. -
error
: Error conditions. -
warn
: Warning conditions. -
user
: Normal but significant condition. -
debug
: Debug-level condition -
ssl
: SSL level debugging
Category | Value |
---|---|
Syntax |
SSLTraceLogLevel none | fatal | error | warn | user | debug | ssl |
Example |
SSLTraceLogLevel fatal |
Default |
None |
Parent topic: mod_ossl Module
SSLVerifyClient Directive
Specifies whether a client must present a certificate when connecting. The accepted values are:
-
none
: No client certificate is required -
optional
: Client can present a valid certificate -
require
: Client must present a valid certificate
Category | Value |
---|---|
Syntax |
|
Example |
|
Default |
None |
Note:
The level optional_no_ca
included with mod_ssl
(in which the client can present a valid certificate, but it need not be verifiable) is not supported in mod_ossl
.
Parent topic: mod_ossl Module
SSLWallet Directive
Specifies the location of the wallet with its WRL, specified as a filepath.
Category | Value |
---|---|
Syntax |
|
Example |
SSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/default" |
Default |
This is the default |
Note:
If the wallet has a certificate/certificate request signed with the MD5 algorithm, Oracle HTTP Server will fail to start.Parent topic: mod_ossl Module