H Oracle HTTP Server Module Directives

Modules extend the basic functionality of Oracle HTTP Server and support integration between Oracle HTTP Server and other Oracle Fusion Middleware components. Oracle HTTP Server uses both Oracle-developed modules (plug-ins) and modules developed by Apache and third parties. The Oracle-developed modules have a set of directives that Oracle HTTP Server supports.

This appendix describes the directives available in the Oracle-developed modules:

mod_wl_ohs Module

The mod_wl_ohs module is a key feature of Oracle HTTP Server that enables requests to be proxied from Oracle HTTP Server to Oracle WebLogic Server. This module is generally referred to as the Oracle WebLogic Server proxy plug-in.

The mod_wl_ohs module enhances an Oracle HTTP server installation by allowing Oracle WebLogic Server to handle requests that require dynamic functionality. In other words, you typically use a plug-in where the HTTP server serves static pages such as HTML pages, while Oracle WebLogic Server serves dynamic pages such as HTTP Servlets and Java Server Pages (JSPs). For information on this module's directives, see Parameters for Web Server Plug-Ins in Using Oracle WebLogic Server Proxy Plug-Ins.

mod_certheaders Module

The mod_certheaders module supports deployments behind a reverse proxy through two directives, AddCertHeader and SimulateHttps.

This section describes the mod_certheaders directives:

AddCertHeader Directive

The AddCertHeader directive specifies which request headers are translated into CGI environment variables. It takes a single argument: the CGI environment variable that should be populated from an HTTP header on incoming requests. For example, AddCertHeader SSL_CLIENT_CERT populates the SSL_CLIENT_CERT CGI environment variable.

Syntax:   AddCertHeader environment_variable
Example:  AddCertHeader SSL_CLIENT_CERT
Default:  None

SimulateHttps Directive

You can use mod_certheaders to instruct Oracle HTTP Server to treat certain requests as if they were received through HTTPS even though they were received through HTTP. This is useful when Oracle HTTP Server is front-ended by a reverse proxy or load balancer that terminates SSL and forwards the requests to Oracle HTTP Server over plain HTTP.

Syntax:   SimulateHttps on|off
Example:  SimulateHttps on
Default:  off

mod_ossl Module

The mod_ossl module enables strong cryptography for Oracle HTTP Server. It accepts a set of directives such as SSLCARevocationFile, SSLCipherSuite, SSLEngine, and more.

To configure SSL for your Oracle HTTP Server, enter the mod_ossl module directives you want to use in the ssl.conf file.

The following sections describe these mod_ossl directives:

SSLCARevocationFile Directive

Specifies the file where you can assemble the Certificate Revocation Lists (CRLs) from CAs (Certificate Authorities) that you accept certificates from. These are used for client authentication. Such a file is the concatenation of various PEM-encoded CRL files in order of preference. This directive can be used alternatively or additionally to SSLCARevocationPath.

Syntax:   SSLCARevocationFile file_name
Example:  SSLCARevocationFile ${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/crl/ca_bundle.cr
Default:  None

SSLCARevocationPath Directive

Specifies the directory where PEM-encoded Certificate Revocation Lists (CRLs) are stored. These CRLs come from the CAs (Certificate Authorities) that you accept certificates from. If a client attempts to authenticate itself with a certificate that is on one of these CRLs, then the certificate is revoked and the client cannot authenticate itself with your server.

This directive must point to a directory in which the CRLs are stored under their hash values. For the commands that create these hashes, see orapki in Administering Oracle Fusion Middleware.

Syntax:   SSLCARevocationPath path/to/CRL_directory/
Example:  SSLCARevocationPath ${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/crl
Default:  None

SSLCipherSuite Directive

Specifies the SSL cipher suites that the client can use during the SSL handshake. This directive takes a cipher specification string, with entries separated by commas or colons, that identifies the cipher suites.

SSLCipherSuite accepts the following prefixes:

  • (no prefix): Adds the cipher to the list

  • + : Adds the cipher to the list and places it in the correct location in the list

  • - : Removes the cipher from the list (it can be added again later in the string)

  • ! : Removes the cipher from the list permanently (it cannot be added again later in the string)

Tags are joined with prefixes to form a cipher specification string. Cipher suite tags are listed in Table H-1.

Note:

Cipher suites that use the Rivest Cipher 4 (RC4) and Triple Data Encryption Standard (3DES) algorithms are deprecated from Oracle HTTP Server version 12.2.1.3 onwards because of known security vulnerabilities. These ciphers are removed from the SSLCipherSuite configuration of the default SSL port of Oracle HTTP Server, and from all supported cipher aliases except the RC4 and 3DES aliases themselves. If Oracle HTTP Server is managed through Enterprise Manager or the WebLogic Scripting Tool, you cannot configure these cipher suites through those tools, because they do not recognize the insecure RC4 and 3DES ciphers.

For backward compatibility, Oracle HTTP Server still enables the RC4 and 3DES ciphers if you explicitly add them to the cipher suite configuration. To use these insecure ciphers, edit the SSLCipherSuite directive in your .conf files with a file editor and add them to the end of the cipher list.

Table H-1 shows the tags you can use in the string to describe the cipher suite you want.

Syntax:   SSLCipherSuite cipher-spec
Example:  SSLCipherSuite ALL:!MD5
          (all ciphers are specified except MD5 strength ciphers)
Default:  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
          TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
          TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
          TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
          TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
          TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
          TLS_RSA_WITH_AES_256_GCM_SHA384,
          TLS_RSA_WITH_AES_128_GCM_SHA256,
          TLS_RSA_WITH_AES_256_CBC_SHA256,
          TLS_RSA_WITH_AES_128_CBC_SHA256,
          SSL_RSA_WITH_AES_256_CBC_SHA,
          SSL_RSA_WITH_AES_128_CBC_SHA

Table H-1 SSLCipherSuite Tags

Function         Tag       Meaning
Key exchange     kRSA      RSA key exchange
Key exchange     kECDHE    Elliptic curve Diffie-Hellman ephemeral (ECDHE) key exchange
Authentication   aRSA      RSA authentication
Encryption       3DES      Triple DES encryption
Encryption       RC4       RC4 encryption
Data integrity   SHA       SHA hash function
Data integrity   SHA256    SHA256 hash function
Data integrity   SHA384    SHA384 hash function
Aliases          TLSv1     All TLS version 1 ciphers
Aliases          TLSv1.1   All TLS version 1.1 ciphers
Aliases          TLSv1.2   All TLS version 1.2 ciphers
Aliases          MEDIUM    All ciphers with 128-bit encryption
Aliases          HIGH      All ciphers with encryption key size greater than 128 bits
Aliases          AES       All ciphers using AES encryption
Aliases          RSA       All ciphers using RSA for both authentication and key exchange
Aliases          ECDSA     All ciphers using the Elliptic Curve Digital Signature Algorithm (ECDSA) for authentication
Aliases          ECDHE     All ciphers using elliptic curve Diffie-Hellman ephemeral key exchange
Aliases          AES-GCM   All ciphers using the Advanced Encryption Standard in Galois/Counter Mode (AES-GCM) for encryption

Table H-2 lists the Cipher Suites supported in Oracle Advanced Security 12c (12.2.1).

Note:

When using mod_ossl on a Solaris SPARC platform, the underlying cryptographic libraries detect the SPARC T4 processor and make use of its on-core cryptographic instructions to accelerate cryptographic operations. No configuration is required to enable this feature. The following cryptographic algorithms are supported by the Oracle SPARC Enterprise T-series processors: RSA, 3DES, AES-CBC, AES-GCM, SHA1, SHA256, and SHA384.

Table H-2 Cipher Suites Supported in Oracle Advanced Security 12.2.1

Cipher Suite                             Key Exchange                          Authentication  Encryption  Data Integrity  TLS v1  TLS v1.1  TLS v1.2
SSL_RSA_WITH_RC4_128_SHA                 RSA                                   RSA             RC4 (128)   SHA             Yes     Yes       Yes
SSL_RSA_WITH_3DES_EDE_CBC_SHA            RSA                                   RSA             3DES (168)  SHA             Yes     Yes       Yes
SSL_RSA_WITH_AES_128_CBC_SHA             RSA                                   RSA             AES (128)   SHA             Yes     Yes       Yes
SSL_RSA_WITH_AES_256_CBC_SHA             RSA                                   RSA             AES (256)   SHA             Yes     Yes       Yes
TLS_RSA_WITH_AES_128_CBC_SHA256          RSA                                   RSA             AES (128)   SHA256          No      No        Yes
TLS_RSA_WITH_AES_256_CBC_SHA256          RSA                                   RSA             AES (256)   SHA256          No      No        Yes
TLS_RSA_WITH_AES_128_GCM_SHA256          RSA                                   RSA             AES (128)   SHA256          No      No        Yes
TLS_RSA_WITH_AES_256_GCM_SHA384          RSA                                   RSA             AES (256)   SHA384          No      No        Yes
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA     ECDHE                                 ECDSA           AES (128)   SHA             Yes     Yes       Yes
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA     ECDHE                                 ECDSA           AES (256)   SHA             Yes     Yes       Yes
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  ECDHE                                 ECDSA           AES (128)   SHA256          No      No        Yes
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  ECDHE                                 ECDSA           AES (256)   SHA384          No      No        Yes
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDHE                                 ECDSA           AES (128)   SHA256          No      No        Yes
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  ECDHE                                 ECDSA           AES (256)   SHA384          No      No        Yes
TLS_ECDHE_RSA_WITH_RC4_128_SHA           Ephemeral ECDH with RSA signatures    RSA             RC4 (128)   SHA             Yes     Yes       Yes
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA      Ephemeral ECDH with RSA signatures    RSA             3DES        SHA             Yes     Yes       Yes
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA       Ephemeral ECDH with RSA signatures    RSA             AES (128)   SHA             Yes     Yes       Yes
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       Ephemeral ECDH with RSA signatures    RSA             AES (256)   SHA             Yes     Yes       Yes
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA         Ephemeral ECDH with ECDSA signatures  ECDSA           RC4 (128)   SHA             Yes     Yes       Yes
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA    Ephemeral ECDH with ECDSA signatures  ECDSA           3DES        SHA             Yes     Yes       Yes
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    Ephemeral ECDH with RSA signatures    RSA             AES (256)   SHA384          No      No        Yes
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    Ephemeral ECDH with RSA signatures    RSA             AES (128)   SHA256          No      No        Yes
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    Ephemeral ECDH with RSA signatures    RSA             AES (256)   SHA384          No      No        Yes
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256    Ephemeral ECDH with RSA signatures    RSA             AES (128)   SHA256          No      No        Yes

SSLEngine Directive

Toggles the usage of the SSL Protocol Engine. This is usually used inside a <VirtualHost> section to enable SSL for a particular virtual host. By default, the SSL Protocol Engine is disabled for both the main server and all configured virtual hosts.

Syntax:   SSLEngine on|off
Example:  SSLEngine on
Default:  Off

SSLFIPS Directive

This directive toggles the usage of the SSL library FIPS_mode flag. It must be set in the global server context and should not be configured with conflicting settings (SSLFIPS on followed by SSLFIPS off or similar). The mode applies to all SSL library operations.

Syntax:   SSLFIPS ON | OFF
Example:  SSLFIPS ON
Default:  Off

SSLFIPS must be set globally in ssl.conf. Per-virtual-host configuration is not supported for this directive: setting SSLFIPS inside a <VirtualHost> section results in an error.

Note:

The following restriction applies to SSLFIPS. The tables below list the cipher suites that work in SSLFIPS mode with the various protocols; for instructions on how to configure these cipher suites, see SSLCipherSuite Directive.

Table H-3 lists the cipher suites that work in the TLS 1.0, TLS 1.1, and TLS 1.2 protocols in SSLFIPS mode.

Table H-3 Ciphers Which Work in All TLS Protocols in SSLFIPS Mode

Cipher Name                      Works in These Protocols
SSL_RSA_WITH_3DES_EDE_CBC_SHA    TLS 1.0, TLS 1.1, and TLS 1.2
SSL_RSA_WITH_AES_128_CBC_SHA     TLS 1.0, TLS 1.1, and TLS 1.2
SSL_RSA_WITH_AES_256_CBC_SHA     TLS 1.0, TLS 1.1, and TLS 1.2

Table H-4 lists the cipher suites and protocols that can be used in SSLFIPS mode.

Table H-4 Ciphers Which Work in FIPS Mode

Cipher Name                                Works in These Protocols
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA      TLS 1.0 and later
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA       TLS 1.0 and later
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA       TLS 1.0 and later
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256    TLS 1.2 and later
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384    TLS 1.2 and later
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256    TLS 1.2 and later
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384    TLS 1.2 and later
TLS_RSA_WITH_AES_128_CBC_SHA256            TLS 1.2 and later
TLS_RSA_WITH_AES_256_CBC_SHA256            TLS 1.2 and later
TLS_RSA_WITH_AES_128_GCM_SHA256            TLS 1.2 and later
TLS_RSA_WITH_AES_256_GCM_SHA384            TLS 1.2 and later
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256      TLS 1.2 and later
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384      TLS 1.2 and later
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256      TLS 1.2 and later
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384      TLS 1.2 and later
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA        TLS 1.0 and later
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA         TLS 1.0 and later
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA         TLS 1.0 and later

Note:

  • If SSLFIPS is set to ON, and a cipher that does not support FIPS is used at the server, then client requests that use that cipher fail.

  • To use the TLS_ECDHE_ECDSA cipher suite, Oracle HTTP Server requires a wallet created with an ECC user certificate. The TLS_ECDHE_ECDSA cipher suite does not work with RSA certificates.

  • To use the SSL_RSA/TLS_RSA/TLS_ECDHE_RSA cipher suite, Oracle HTTP Server requires a wallet created with an RSA user certificate. The SSL_RSA/TLS_RSA/TLS_ECDHE_RSA cipher suite does not work with ECC certificates.

For more information about how to configure ECC/RSA certificates in a wallet, see Creating and Viewing Oracle Wallets with orapki in Administering Oracle Fusion Middleware.

For instructions about how to configure these cipher suites and the corresponding protocols, see SSLCipherSuite Directive and SSLProtocol Directive.

Table H-5 lists the cipher suites that do not work in SSLFIPS mode.

Table H-5 Ciphers That Do Not Work in SSLFIPS Mode

Cipher Name                         Description
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA    Does not work in SSLFIPS mode in any protocol
SSL_RSA_WITH_RC4_128_SHA            Does not work in SSLFIPS mode in any protocol
TLS_ECDHE_RSA_WITH_RC4_128_SHA      Does not work in SSLFIPS mode in any protocol

SSLHonorCipherOrder Directive

When choosing a cipher during a handshake, normally the client's preference is used. If this directive is enabled, then the server's preference will be used instead.

Syntax:   SSLHonorCipherOrder ON | OFF
Example:  SSLHonorCipherOrder ON
Default:  OFF

The server's preference order can be configured using the SSLCipherSuite directive. When SSLHonorCipherOrder is set to ON, the value of SSLCipherSuite is treated as an ordered list of cipher values.

Cipher values that appear first in this list are preferred by the server over ciphers that appear later in the list.

Example:

SSLCipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

SSLHonorCipherOrder ON

In this case, the server prefers TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 over all other ciphers configured in the SSLCipherSuite directive because it appears first in the list, and it selects this cipher for the SSL connection if the client supports it.
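As an added illustration (not from the Oracle documentation), the following Python models how the prefixes described under SSLCipherSuite build an ordered cipher list, and how SSLHonorCipherOrder then decides whose preference wins in the handshake. The suite table is a constructed subset of Table H-2, and the handling of "+" (move already-listed matches to the end of the list) follows OpenSSL's cipher-string rule, which is assumed here rather than confirmed for mod_ossl.

```python
import re

# Subset of Table H-2 as (key exchange, authentication, encryption, key bits, integrity);
# constructed for this demonstration, in the order the server would otherwise list them.
SUITES = {
    "SSL_RSA_WITH_RC4_128_SHA":                ("RSA",   "RSA",   "RC4",     128, "SHA"),
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA":           ("RSA",   "RSA",   "3DES",    168, "SHA"),
    "SSL_RSA_WITH_AES_128_CBC_SHA":            ("RSA",   "RSA",   "AES",     128, "SHA"),
    "TLS_RSA_WITH_AES_256_GCM_SHA384":         ("RSA",   "RSA",   "AES-GCM", 256, "SHA384"),
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": ("ECDHE", "ECDSA", "AES-GCM", 256, "SHA384"),
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": ("ECDHE", "ECDSA", "AES-GCM", 128, "SHA256"),
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": ("ECDHE", "ECDSA", "AES",     256, "SHA384"),
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": ("ECDHE", "ECDSA", "AES",     128, "SHA256"),
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":   ("ECDHE", "RSA",   "AES-GCM", 128, "SHA256"),
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA":          ("ECDHE", "RSA",   "RC4",     128, "SHA"),
}


def tag_matches(tag, suite):
    """Tag semantics from Table H-1; an explicit suite name selects just that suite."""
    kx, auth, enc, bits, mac = SUITES[suite]
    if tag == "ALL":
        return True
    if tag in SUITES:
        return tag == suite
    rules = {
        "kRSA": kx == "RSA", "kECDHE": kx == "ECDHE", "aRSA": auth == "RSA",
        "RSA": kx == "RSA" and auth == "RSA", "ECDHE": kx == "ECDHE", "ECDSA": auth == "ECDSA",
        "AES": enc in ("AES", "AES-GCM"), "AES-GCM": enc == "AES-GCM",
        "RC4": enc == "RC4", "3DES": enc == "3DES",
        "SHA": mac == "SHA", "SHA256": mac == "SHA256", "SHA384": mac == "SHA384", "MD5": mac == "MD5",
        "MEDIUM": bits == 128, "HIGH": bits > 128,
    }
    if tag not in rules:
        raise ValueError(f"unknown cipher tag: {tag!r}")
    return rules[tag]


def cipher_list(spec):
    """Expand an SSLCipherSuite string (comma- or colon-separated) into an ordered suite list."""
    selected, banned = [], set()
    for item in (s.strip() for s in re.split(r"[:,]", spec)):
        if not item:
            continue
        prefix, tag = (item[0], item[1:]) if item[0] in "+-!" else ("", item)
        hits = [s for s in SUITES if tag_matches(tag, s)]
        if prefix == "":        # no prefix: append matches not already present and not banned
            selected += [s for s in hits if s not in selected and s not in banned]
        elif prefix == "+":     # assumption (OpenSSL rule): move listed matches to the end
            selected = [s for s in selected if s not in hits] + [s for s in selected if s in hits]
        elif prefix == "-":     # remove now; a later unprefixed tag may add them back
            selected = [s for s in selected if s not in hits]
        else:                   # "!": remove and refuse any later re-add
            banned.update(hits)
            selected = [s for s in selected if s not in hits]
    return selected


def choose_cipher(server_list, client_offer, honor_cipher_order):
    """Pick the handshake cipher: server order wins with SSLHonorCipherOrder ON, else client order."""
    preferred, other = (server_list, client_offer) if honor_cipher_order else (client_offer, server_list)
    return next((c for c in preferred if c in other), None)


# The SSLHonorCipherOrder example from this section, plus a constructed client offer
# whose own first preference is the 128-bit CBC suite.
PAGE_SPEC = ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
             "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256")
CLIENT_OFFER = ["TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]

if __name__ == "__main__":
    server = cipher_list(PAGE_SPEC)
    print("SSLHonorCipherOrder ON :", choose_cipher(server, CLIENT_OFFER, True))
    print("SSLHonorCipherOrder OFF:", choose_cipher(server, CLIENT_OFFER, False))
    print("ALL:!RC4:!3DES ->", cipher_list("ALL:!RC4:!3DES"))
```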

SSLInsecureRenegotiation Directive

As originally specified, all versions of the SSL and TLS protocols (up to and including TLS/1.2) were vulnerable to a Man-in-the-Middle attack (CVE-2009-3555) during a renegotiation. This vulnerability allowed an attacker to "prefix" a chosen plaintext to the HTTP request as seen by the web server. A protocol extension was developed which fixed this vulnerability if supported by both client and server.

For more information on Man-in-the-Middle attack (CVE-2009-3555), see:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555

The accepted values for this directive are:

  • Default mode: When the SSLInsecureRenegotiation directive is not specified in the configuration, Oracle HTTP Server does not allow client-initiated renegotiation. This is the most secure mode of operation.
  • SSLInsecureRenegotiation ON: This option allows vulnerable peers that do not support RI/SCSV to perform renegotiation. Use this option with caution, as it leaves the server vulnerable to the renegotiation attack described in CVE-2009-3555.
  • SSLInsecureRenegotiation OFF: Use this option if support for client-initiated renegotiation is required. When the SSLInsecureRenegotiation directive is present in the configuration and set to OFF, Oracle HTTP Server allows client-initiated renegotiation, but only peers that support RI/SCSV are allowed to negotiate and renegotiate a session.

Syntax:   SSLInsecureRenegotiation ON | OFF
Example:  SSLInsecureRenegotiation ON
Default:  Neither ON nor OFF; see Default mode above.

To configure SSLInsecureRenegotiation, edit the ssl.conf file and set SSLInsecureRenegotiation ON/OFF to enable or disable insecure renegotiation. This directive may be configured either in the server config context or in the virtual host context.

SSLOptions Directive

Controls various runtime options on a per-directory basis. In general, if multiple options apply to a directory, the most comprehensive option is applied (options are not merged). However, if all of the options in an SSLOptions directive are preceded by a plus ('+') or minus ('-') symbol, then the options are merged. Options preceded by a plus are added to the options currently in force, and options preceded by a minus are removed from the options currently in force.

Accepted values are:

  • StdEnvVars: Creates the standard set of CGI/SSI environment variables that are related to SSL. This is disabled by default because the extraction operation uses a lot of CPU time and usually has no application when serving static content. Typically, you only enable this for CGI/SSI requests.

  • ExportCertData: Enables the following additional CGI/SSI variables:

    SSL_SERVER_CERT

    SSL_CLIENT_CERT

    SSL_CLIENT_CERT_CHAIN_n (where n= 0, 1, 2...)

    These variables contain the Privacy Enhanced Mail (PEM)-encoded X.509 certificates for the server and the client for the current HTTPS connection, and can be used by CGI scripts for deeper certificate checking. All other certificates of the client certificate chain are provided. This option is "Off" by default because there is a performance cost associated with using it.

    SSL_CLIENT_CERT_CHAIN_n variables are in the following order: SSL_CLIENT_CERT_CHAIN_0 is the intermediate CA who signs SSL_CLIENT_CERT. SSL_CLIENT_CERT_CHAIN_1 is the intermediate CA who signs SSL_CLIENT_CERT_CHAIN_0, and so forth, with SSL_CLIENT_ROOT_CERT as the root CA.

  • FakeBasicAuth: Translates the subject distinguished name of the client X.509 certificate into an HTTP basic authorization user name. This means that the standard HTTP server authentication methods can be used for access control. No password is obtained from the user; the string 'password' is substituted.

  • StrictRequire: Denies access when, according to the SSLRequireSSL or SSLRequire directives, access should be forbidden. Without StrictRequire, a 'Satisfy any' directive setting can override the SSLRequire or SSLRequireSSL directive, allowing access if the client passes the host restriction or supplies a valid user name and password.

    Thus, the combination of SSLRequireSSL or SSLRequire with SSLOptions +StrictRequire gives mod_ossl the ability to override a 'Satisfy any' directive in all cases.

  • CompatEnvVars: Exports obsolete environment variables for backward compatibility to Apache SSL 1.x, mod_ssl 2.0.x, Sioux 1.0, and Stronghold 2.x. Use this to provide compatibility to existing CGI scripts.

  • OptRenegotiate: This enables optimized SSL connection renegotiation handling when SSL directives are used in a per-directory context.

Syntax:   SSLOptions [+-] StdEnvVars | ExportCertData | FakeBasicAuth | StrictRequire | CompatEnvVars | OptRenegotiate
Example:  SSLOptions -StdEnvVars
Default:  None
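An added example, not from the Oracle documentation, that applies the merge rule stated above (when every option carries a + or - prefix the line merges with the inherited set; otherwise it replaces it) down a chain of contexts; the treatment of a mixed line as a plain replacement is an assumption:

```python
# The six option names SSLOptions accepts (from the directive's syntax line).
SSL_OPTIONS = ("StdEnvVars", "ExportCertData", "FakeBasicAuth",
               "StrictRequire", "CompatEnvVars", "OptRenegotiate")


def parse_ssloptions(argument):
    """Split the text after 'SSLOptions' into (prefix, name) pairs, rejecting unknown names."""
    items = []
    for token in argument.split():
        prefix, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        if name not in SSL_OPTIONS:
            raise ValueError(f"unknown SSLOptions value: {token!r}")
        items.append((prefix, name))
    if not items:
        raise ValueError("SSLOptions needs at least one option")
    return items


def apply_ssloptions(in_force, argument):
    """Return the option set in force after one SSLOptions line is applied on top of in_force.

    Rule as stated in the directive description: when every option carries a '+' or '-',
    the line is merged into the inherited set; otherwise the line replaces it outright.
    """
    items = parse_ssloptions(argument)
    if all(prefix for prefix, _ in items):
        merged = set(in_force)
        for prefix, name in items:
            if prefix == "+":
                merged.add(name)
            else:
                merged.discard(name)
        return frozenset(merged)
    # Assumption: a line with at least one unprefixed option replaces the inherited set,
    # and any '+'/'-' on its other options is not honoured.
    return frozenset(name for _, name in items)


def options_for_path(directives):
    """Walk a chain of contexts (server, then each enclosing directory, outermost first)
    and return the option set in force after each one, so a surprising result can be traced."""
    in_force, trail = frozenset(), []
    for context, argument in directives:
        in_force = apply_ssloptions(in_force, argument)
        trail.append((context, in_force))
    return trail


if __name__ == "__main__":
    # Constructed chain: the server sets two options, /secure merges in StrictRequire,
    # and /secure/legacy replaces everything because FakeBasicAuth has no prefix.
    for context, active in options_for_path([
        ("server", "StdEnvVars ExportCertData"),
        ("/secure", "+StrictRequire"),
        ("/secure/legacy", "FakeBasicAuth"),
    ]):
        print(f"{context:16} {sorted(active)}")
```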

SSLProtocol Directive

Specifies SSL protocol(s) for mod_ossl to use when establishing the server environment. Clients can only connect with one of the specified protocols. Accepted values are:

  • TLSv1

  • TLSv1.1

  • TLSv1.2

  • All

You can specify multiple values as a space-delimited list. In the syntax, the "-" and "+" symbols have the following meaning:

  • + : Adds the protocol to the list

  • - : Removes the protocol from the list

In the current release, All is defined as +TLSv1.2.

Syntax:   SSLProtocol [+-] TLSv1 | TLSv1.1 | TLSv1.2 | All
Example:  SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
Default:  TLSv1.2

SSLProxyCipherSuite Directive

Specifies the SSL cipher suites that the proxy can use during the SSL handshake. This directive uses a colon-separated cipher specification string to identify the cipher suites. Table H-1 shows the tags to use in the string to describe the cipher suite you want. SSLProxyCipherSuite accepts the following prefixes:

  • (no prefix): Adds the cipher to the list

  • + : Adds the cipher to the list and places it in the correct location in the list

  • - : Removes the cipher from the list (it can be added again later in the string)

  • ! : Removes the cipher from the list permanently

Tags are joined with prefixes to form a cipher specification string. The SSLProxyCipherSuite directive uses the same tags as the SSLCipherSuite directive; for the list of supported tags, see Table H-1.

Syntax:   SSLProxyCipherSuite cipher-spec
Example:  SSLProxyCipherSuite ALL:!MD5
          (all ciphers are specified except MD5 strength ciphers)
Default:  ALL:!ADH:+HIGH:+MEDIUM

The SSLProxyCipherSuite directive uses the same cipher suites as the SSLCipherSuite directive. For a list of the Cipher Suites supported in Oracle Advanced Security 12.2.1, see Table H-2.

SSLProxyEngine Directive

Enables or disables the SSL/TLS protocol engine for proxy. SSLProxyEngine is usually used inside a <VirtualHost> section to enable SSL/TLS for proxy usage in a particular virtual host. By default, the SSL/TLS protocol engine is disabled for proxy both for the main server and all configured virtual hosts.

SSLProxyEngine should not be included in a virtual host that acts as a forward proxy (by using the Proxy or ProxyRequests directives). SSLProxyEngine is not required for a forward proxy server to proxy SSL/TLS requests.

Syntax:   SSLProxyEngine ON | OFF
Example:  SSLProxyEngine on
Default:  Off (disabled)

SSLProxyProtocol Directive

Specifies SSL protocol(s) for mod_ossl to use when establishing a proxy connection in the server environment. Proxies can only connect with one of the specified protocols. Accepted values are:

  • TLSv1

  • TLSv1.1

  • TLSv1.2

  • All

You can specify multiple values as a space-delimited list. In the syntax, the "-" and "+" symbols have the following meaning:

  • + : Adds the protocol to the list

  • - : Removes the protocol from the list

In the current release, All is defined as +TLSv1 +TLSv1.1 +TLSv1.2.

Syntax:   SSLProxyProtocol [+-] TLSv1 | TLSv1.1 | TLSv1.2 | All
Example:  SSLProxyProtocol +TLSv1 +TLSv1.1 +TLSv1.2
Default:  ALL

SSLProxyWallet Directive

Specifies the location of the wallet that a proxy connection uses, given as a Wallet Resource Locator (WRL) in file path form.

Syntax:   SSLProxyWallet file:path_to_wallet
Example:  SSLProxyWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/proxy"
Default:  None

SSLRequire Directive

Denies access unless an arbitrarily complex boolean expression is true.

Syntax:   SSLRequire expression
Example:  SSLRequire word ">=" word | word "ge" word
Default:  None

Understanding the Expression Variable

The expression variable must match the following syntax (given in BNF grammar notation):

expr     ::= "true" | "false"
           | "!" expr
           | expr "&&" expr
           | expr "||" expr
           | "(" expr ")"
           | comp

comp     ::= word "==" word | word "eq" word
           | word "!=" word | word "ne" word
           | word "<"  word | word "lt" word
           | word "<=" word | word "le" word
           | word ">"  word | word "gt" word
           | word ">=" word | word "ge" word
           | word "=~" regex
           | word "!~" regex

wordlist ::= word
           | wordlist "," word

word     ::= digit
           | cstring
           | variable
           | function

digit    ::= [0-9]+

cstring  ::= "..."

variable ::= "%{varname}"

Table H-6 and Table H-7 list standard and SSL variables. These are valid values for varname.

function ::= funcname "(" funcargs ")"

For funcname, the following function is available:

file(filename)

The file function takes one string argument, the filename, and expands to the contents of the file. This is useful for evaluating the file's contents against a regular expression.
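An added Python evaluator for the grammar above (not Oracle's code): it tokenizes an SSLRequire expression, parses it with the precedence || < && < ! and comparisons, and evaluates it against a constructed request environment. Two details are assumptions rather than documented behaviour: a comparison is numeric when both sides are digit strings, and an unset variable evaluates to the empty string.

```python
import operator
import re

# Token classes of the SSLRequire grammar: %{var}, "cstring", digits, /regex/, operators, bare words.
TOKEN_RE = re.compile(r"""\s*(?:(?P<var>%\{[A-Za-z0-9_:-]+\})|(?P<str>"[^"]*")|(?P<num>\d+)
    |(?P<regex>/(?:\\.|[^/\\])*/)|(?P<op>=~|!~|==|!=|<=|>=|<|>|&&|\|\||!|\(|\))
    |(?P<word>[A-Za-z_]+))""", re.VERBOSE)
COMPARE = {"==": operator.eq, "eq": operator.eq, "!=": operator.ne, "ne": operator.ne,
           "<": operator.lt, "lt": operator.lt, "<=": operator.le, "le": operator.le,
           ">": operator.gt, "gt": operator.gt, ">=": operator.ge, "ge": operator.ge}


class Parser:
    """Recursive-descent evaluator: || binds loosest, then &&, then ! and comparisons."""
    def __init__(self, text, env, files):
        self.toks, self.i, self.env, self.files = [], 0, env, files
        pos, text = 0, text.strip()
        while pos < len(text):
            m = TOKEN_RE.match(text, pos)
            if not m:
                raise SyntaxError(f"cannot tokenize: {text[pos:]!r}")
            self.toks.append((m.lastgroup, m.group(m.lastgroup)))
            pos = m.end()
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None, value=None):
        k, v = self.peek()
        if k is None or (kind and k != kind) or (value and v != value):
            raise SyntaxError(f"expected {value or kind or 'a token'}, got {v!r}")
        self.i += 1
        return v
    def expr(self):                    # expr "||" expr
        value = self.term()
        while self.peek() == ("op", "||"):
            self.take()
            value = self.term() or value   # both sides are parsed, so syntax errors always surface
        return value
    def term(self):                    # expr "&&" expr
        value = self.factor()
        while self.peek() == ("op", "&&"):
            self.take()
            value = self.factor() and value
        return value
    def factor(self):                  # "true" | "false" | "!" expr | "(" expr ")" | comp
        k, v = self.peek()
        if (k, v) == ("op", "!"):
            self.take()
            return not self.factor()
        if (k, v) == ("op", "("):
            self.take()
            value = self.expr()
            self.take("op", ")")
            return value
        if (k, v) in (("word", "true"), ("word", "false")):
            return self.take() == "true"
        return self.comp()
    def comp(self):                    # word op word | word "=~" regex | word "!~" regex
        left, op = self.word(), self.take()
        if op in ("=~", "!~"):
            found = re.search(self.take("regex")[1:-1], left) is not None
            return found if op == "=~" else not found
        if op not in COMPARE:
            raise SyntaxError(f"unknown comparison operator {op!r}")
        right = self.word()
        if left.isdigit() and right.isdigit():   # assumption: numeric compare when both are numbers
            return COMPARE[op](int(left), int(right))
        return COMPARE[op](left, right)
    def word(self):                    # digit | cstring | variable | function
        k, v = self.peek()
        if k == "num":
            return self.take()
        if k == "str":
            return self.take()[1:-1]
        if k == "var":                 # %{varname}: looked up in the CGI/SSL environment
            return self.env.get(self.take()[2:-1], "")
        if (k, v) == ("word", "file"): # file(filename) expands to that file's contents
            self.take()
            self.take("op", "(")
            name = self.word()
            self.take("op", ")")
            return self.files.get(name, "")
        raise SyntaxError(f"expected a word, got {v!r}")


def ssl_require(expression, env, files=None):
    """Evaluate an SSLRequire expression for one request; True means access is granted."""
    parser = Parser(expression, env, files or {})
    result = parser.expr()
    if parser.peek()[0] is not None:
        raise SyntaxError(f"unexpected trailing token {parser.peek()[1]!r}")
    return result


# Constructed sample request environment and a policy that requires a verified client
# certificate, a 128-bit or stronger cipher, and either a Staff OU or an on-site address.
SAMPLE_ENV = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CIPHER_USEKEYSIZE": "256", "REMOTE_ADDR": "192.0.2.10",
              "SSL_CLIENT_S_DN_O": "Example Corp", "SSL_CLIENT_S_DN_OU": "Staff"}
POLICY = (r'%{SSL_CLIENT_VERIFY} eq "SUCCESS" && %{SSL_CIPHER_USEKEYSIZE} >= 128 '
          r'&& (%{SSL_CLIENT_S_DN_OU} eq "Staff" || %{REMOTE_ADDR} =~ /^192\.0\.2\./)')
```

The `files` argument stands in for the file system so that `file(filename)` can be exercised offline; in a real deployment the contents would come from disk.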

Table H-6 lists the standard variables for SSLRequire Directive varname.

Table H-6 Standard Variables for SSLRequire Varname

HTTP_USER_AGENT         PATH_INFO               AUTH_TYPE
HTTP_REFERER            QUERY_STRING            SERVER_SOFTWARE
HTTP_COOKIE             REMOTE_HOST             API_VERSION
HTTP_FORWARDED          REMOTE_IDENT            TIME_YEAR
HTTP_HOST               IS_SUBREQ               TIME_MON
HTTP_PROXY_CONNECTION   DOCUMENT_ROOT           TIME_DAY
HTTP_ACCEPT             SERVER_ADMIN            TIME_HOUR
HTTP:headername         SERVER_NAME             TIME_MIN
THE_REQUEST             SERVER_PORT             TIME_SEC
REQUEST_METHOD          SERVER_PROTOCOL         TIME_WDAY
REQUEST_SCHEME          REMOTE_ADDR             TIME
REQUEST_URI             REMOTE_USER             ENV:variablename
REQUEST_FILENAME

Table H-7 lists the SSL variables for SSLRequire Directive varname.

Table H-7 SSL Variables for SSLRequire Varname

HTTPS                     SSL_PROTOCOL              SSL_CIPHER_ALGKEYSIZE
SSL_CIPHER                SSL_CIPHER_EXPORT         SSL_VERSION_INTERFACE
SSL_CIPHER_USEKEYSIZE     SSL_VERSION_LIBRARY       SSL_SESSION_ID
SSL_CLIENT_V_END          SSL_CLIENT_M_SERIAL       SSL_CLIENT_V_START
SSL_CLIENT_S_DN_ST        SSL_CLIENT_S_DN           SSL_CLIENT_S_DN_C
SSL_CLIENT_S_DN_CN        SSL_CLIENT_S_DN_O         SSL_CLIENT_S_DN_OU
SSL_CLIENT_S_DN_G         SSL_CLIENT_S_DN_T         SSL_CLIENT_S_DN_I
SSL_CLIENT_S_DN_UID       SSL_CLIENT_S_DN_S         SSL_CLIENT_S_DN_D
SSL_CLIENT_I_DN_C         SSL_CLIENT_S_DN_Email     SSL_CLIENT_I_DN
SSL_CLIENT_I_DN_O         SSL_CLIENT_I_DN_ST        SSL_CLIENT_I_DN_L
SSL_CLIENT_I_DN_T         SSL_CLIENT_I_DN_OU        SSL_CLIENT_I_DN_CN
SSL_CLIENT_I_DN_S         SSL_CLIENT_I_DN_I         SSL_CLIENT_I_DN_G
SSL_CLIENT_I_DN_Email     SSL_CLIENT_I_DN_D         SSL_CLIENT_I_DN_UID
SSL_CLIENT_CERT           SSL_CLIENT_CERT_CHAIN_n   SSL_CLIENT_ROOT_CERT
SSL_CLIENT_VERIFY         SSL_CLIENT_M_VERSION      SSL_SERVER_M_VERSION
SSL_SERVER_V_START        SSL_SERVER_V_END          SSL_SERVER_M_SERIAL
SSL_SERVER_S_DN_C         SSL_SERVER_S_DN_ST        SSL_SERVER_S_DN
SSL_SERVER_S_DN_OU        SSL_SERVER_S_DN_CN        SSL_SERVER_S_DN_O
SSL_SERVER_S_DN_I         SSL_SERVER_S_DN_G         SSL_SERVER_S_DN_T
SSL_SERVER_S_DN_D         SSL_SERVER_S_DN_UID       SSL_SERVER_S_DN_S
SSL_SERVER_I_DN           SSL_SERVER_I_DN_C         SSL_SERVER_S_DN_Email
SSL_SERVER_I_DN_L         SSL_SERVER_I_DN_O         SSL_SERVER_I_DN_ST
SSL_SERVER_I_DN_CN        SSL_SERVER_I_DN_T         SSL_SERVER_I_DN_OU
SSL_SERVER_I_DN_G         SSL_SERVER_I_DN_I

SSLRequireSSL Directive

Denies access to clients not using SSL. This directive is useful for absolute protection of an SSL-enabled virtual host, or of directories in which configuration errors could create security vulnerabilities.

Syntax:   SSLRequireSSL
Example:  SSLRequireSSL
Default:  None

SSLSessionCache Directive

Specifies the global/interprocess session cache storage type. The cache provides an optional way to speed up parallel request processing. The accepted values are:

  • none: disables the global/interprocess session cache. Produces no impact on functionality, but makes a major difference in performance.

  • shmcb:/path/to/datafile[bytes]: Uses a high-performance Shared Memory Cyclic Buffer (SHMCB) session cache to synchronize the local SSL memory caches of the server processes. Note: in this shm setting, no log files are created under /path/to/datafile on local disk.

Syntax:   SSLSessionCache none | shmcb:/path/to/datafile[bytes]
Example:  SSLSessionCache "shmcb:${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/ssl_scache(512000)"
Default:  SSLSessionCache shmcb:/path/to/datafile[bytes]

SSLProxySessionCache Directive

This directive toggles the usage of a global or interprocess session cache to cache SSL session information when OHS is configured to behave as a proxy through the use of the mod_proxy module. The type of global or interprocess SSL session cache that is used to store the SSL session information is controlled by the SSLSessionCache directive.

The number of seconds before an SSL session expires in the session cache is controlled by the SSLSessionCacheTimeout directive. The ssl-cache mutex is used to serialize access to the session cache to prevent corruption.

The accepted values for SSLProxySessionCache directive are:

  • On: Enables the SSL session cache when OHS is configured to behave as a proxy through the use of the mod_proxy module. When this directive is set to On, it is necessary to choose the type of SSL session cache by configuring the SSLSessionCache directive appropriately.

    SSLSessionCache cannot be set to a value of none, as it would be a conflicting setting to turn on SSL session cache for the proxy and not specify the type of cache to use.

  • Off: Disables SSL session caching when OHS is configured to behave as a proxy through the use of the mod_proxy module. This is not a recommended setting. The performance costs of full handshakes must be considered before choosing this option.

Syntax:             SSLProxySessionCache On | Off
Context:            Server config
Default:            On
Module Identifier:  ossl_module

The following examples illustrate how to use the SSLSessionCache and SSLProxySessionCache directives to control the SSL session caching behaviour of OHS.

Example 1

LoadModule proxy_module "${PRODUCT_HOME}/modules/mod_proxy.so"
LoadModule proxy_balancer_module "${PRODUCT_HOME}/modules/mod_proxy_balancer.so"

SSLSessionCache none
SSLProxySessionCache on
<VirtualHost _default_:443>
    SSLEngine on
    <Proxy "balancer://mybalancer">
        SSLProxyEngine On
        # ...
    </Proxy>
    # ...
</VirtualHost>

This is not an allowed configuration: SSLProxySessionCache cannot be turned on when SSLSessionCache is set to none.

Example 2

LoadModule proxy_module "${PRODUCT_HOME}/modules/mod_proxy.so"
LoadModule proxy_balancer_module "${PRODUCT_HOME}/modules/mod_proxy_balancer.so"

SSLSessionCache none
SSLProxySessionCache off
<VirtualHost _default_:443>
    SSLEngine on
    <Proxy "balancer://mybalancer">
        SSLProxyEngine On
        # ...
    </Proxy>
    # ...
</VirtualHost>

This example:

  • Turns off SSL session caching for the SSL-enabled virtual host defined within the OHS configuration.
  • Turns off SSL client session caching for requests handled by the proxy mybalancer.

Example 3

LoadModule proxy_module "${PRODUCT_HOME}/modules/mod_proxy.so"
LoadModule proxy_balancer_module "${PRODUCT_HOME}/modules/mod_proxy_balancer.so"

SSLSessionCache "shmcb:${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/ssl_scache(512000)"
SSLProxySessionCache off
<VirtualHost _default_:443>
    SSLEngine on
    <Proxy "balancer://mybalancer">
        SSLProxyEngine On
        # ...
    </Proxy>
    # ...
</VirtualHost>

This example:

  • Turns on SSL session caching for the SSL-enabled virtual host defined within the OHS configuration.
  • Turns off SSL client session caching for requests handled by the proxy mybalancer.

Example 4

LoadModule proxy_module "${PRODUCT_HOME}/modules/mod_proxy.so"

SSLSessionCache "shmcb:${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/ssl_scache(512000)"
SSLProxySessionCache off

<VirtualHost _default_:443>
    SSLEngine on
    SSLProxyEngine on

    ProxyPass / https://<backend_host_name>:<backend_port>/
    ProxyPassReverse / https://<backend_host_name>:<backend_port>/
</VirtualHost>

This example

  • Turns on SSL session caching for the SSL enabled virtual host defined within the OHS configuration.
  • Turns off SSL client session caching for the requests handled by the reverse proxy defined within the virtual host (_default_:443).

Example 5

LoadModule proxy_module "${PRODUCT_HOME}/modules/mod_proxy.so"
LoadModule proxy_balancer_module "${PRODUCT_HOME}/modules/mod_proxy_balancer.so"

SSLSessionCache "shmcb:${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/ssl_scache(512000)"
SSLProxySessionCache on
<VirtualHost _default_:443>
    SSLEngine on
    <Proxy "balancer://mybalancer">
        SSLProxyEngine On
        #..
    </Proxy>
    #...
</VirtualHost>

This example

  • Turns on SSL session caching for the SSL enabled virtual host defined within the OHS configuration.
  • Turns on SSL client session caching for requests handled by the proxy mybalancer.

Example 6

LoadModule proxy_module "${PRODUCT_HOME}/modules/mod_proxy.so"

SSLSessionCache "shmcb:${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/ssl_scache(512000)"
SSLProxySessionCache on

<VirtualHost _default_:443>
    SSLEngine on
    SSLProxyEngine on

    ProxyPass / https://<backend_host_name>:<backend_port>/
    ProxyPassReverse / https://<backend_host_name>:<backend_port>/
</VirtualHost>

This example

  • Turns on SSL session caching for the SSL enabled virtual host defined within the OHS configuration.
  • Turns on SSL client session caching for the requests handled by the reverse proxy defined within the virtual host (_default_:443).

Example 7

LoadModule proxy_module "${PRODUCT_HOME}/modules/mod_proxy.so"
LoadModule proxy_balancer_module "${PRODUCT_HOME}/modules/mod_proxy_balancer.so"

SSLSessionCache "shmcb:${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/ssl_scache(512000)"
SSLProxySessionCache on
<VirtualHost _default_:443>
    SSLEngine on
    <Proxy "balancer://mybalancer">
        SSLProxyEngine On
        #..
    </Proxy>

    <Proxy "balancer://mybalancer2">
        SSLProxyEngine On
        #..
    </Proxy>

    #...
</VirtualHost>

<VirtualHost _default_:4448>
    SSLEngine on
    <Proxy "balancer://mybalancer3">
        SSLProxyEngine On
        #..
    </Proxy>

    <Proxy "balancer://mybalancer4">
        SSLProxyEngine On
        #..
    </Proxy>

    #...
</VirtualHost>

This example

  • Turns on SSL session caching for all the SSL enabled virtual hosts defined within the OHS configuration.
  • Turns on SSL client session caching for requests handled by the proxy mybalancer, mybalancer2, mybalancer3, and mybalancer4.
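
The following Python checker is an added example and is not part of the Oracle documentation or of OHS itself. It applies the rule stated under Example 1 (SSLProxySessionCache cannot be On while SSLSessionCache is none) to a configuration fragment and lists which SSL-enabled virtual hosts and balancers will reuse client sessions towards their backends, which is what Examples 2 to 7 describe in prose. The parser is a hypothetical minimal one written for this example (it understands only the directives that occur in the examples and expects each directive on a single line); the two configuration samples are constructed here in the shape of the examples above and reuse their placeholder paths.

```python
"""Lint the SSL session-cache directives of an Oracle HTTP Server configuration fragment."""
import re
import shlex
from dataclasses import dataclass, field

# Hypothetical minimal parser: handles only the directives used in Examples 1-7,
# one directive per line (no backslash continuations).
_OPEN = re.compile(r"^<(\w+)\s+(.+)>$")    # <VirtualHost _default_:443>, <Proxy "balancer://x">
_CLOSE = re.compile(r"^</(\w+)>$")


@dataclass
class CacheReport:
    session_cache: str          # argument of SSLSessionCache, e.g. "none" or "shmcb:..."
    proxy_session_cache: str    # "on" or "off"; the documented default is on
    cached_proxies: list[str] = field(default_factory=list)  # SSL vhosts/balancers with SSLProxyEngine on
    problems: list[str] = field(default_factory=list)

    @property
    def client_session_caching(self) -> bool:
        """True when the listed proxies reuse SSL sessions towards their backends."""
        return self.proxy_session_cache == "on" and self.session_cache.lower() != "none"


def analyse(conf: str) -> CacheReport:
    session_cache = "(unset)"    # no SSLSessionCache directive seen yet
    proxy_session_cache = "on"   # documented default when the directive is absent
    proxies: list[str] = []
    vhost = None                 # the <VirtualHost> currently being read
    proxy_block = None           # the <Proxy> currently being read inside it

    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := _OPEN.match(line):
            kind, arg = m.group(1).lower(), shlex.split(m.group(2))[0]
            if kind == "virtualhost":
                vhost = {"name": arg, "ssl": False, "proxy_engine": False, "blocks": []}
            elif kind == "proxy":
                proxy_block = {"name": arg, "proxy_engine": False}
            continue
        if m := _CLOSE.match(line):
            kind = m.group(1).lower()
            if kind == "proxy" and proxy_block is not None and vhost is not None:
                vhost["blocks"].append(proxy_block)
                proxy_block = None
            elif kind == "virtualhost" and vhost is not None:
                # Evaluate at block close, since SSLEngine may appear anywhere in the block.
                if vhost["ssl"]:
                    if vhost["proxy_engine"]:
                        proxies.append(vhost["name"])
                    proxies.extend(b["name"] for b in vhost["blocks"] if b["proxy_engine"])
                vhost = None
            continue
        tokens = shlex.split(line)
        name, args = tokens[0].lower(), tokens[1:]
        if not args:
            continue
        if name == "sslsessioncache":
            session_cache = args[0]
        elif name == "sslproxysessioncache":
            proxy_session_cache = args[0].lower()
        elif name == "sslengine" and vhost is not None:
            vhost["ssl"] = args[0].lower() == "on"
        elif name == "sslproxyengine":
            target = proxy_block if proxy_block is not None else vhost
            if target is not None:
                target["proxy_engine"] = args[0].lower() == "on"

    problems = []
    if session_cache == "(unset)":
        problems.append("SSLSessionCache is not set; set it explicitly before relying on SSLProxySessionCache")
    if session_cache.lower() == "none" and proxy_session_cache == "on":
        problems.append("SSLProxySessionCache On is not allowed when SSLSessionCache is none (Example 1)")
    return CacheReport(session_cache, proxy_session_cache, proxies, problems)


# Constructed sample in the shape of Example 1: the rejected combination.
INVALID_CONF = """\
SSLSessionCache none
SSLProxySessionCache on
<VirtualHost _default_:443>
    SSLEngine on
    <Proxy "balancer://mybalancer">
        SSLProxyEngine On
    </Proxy>
</VirtualHost>
"""

# Constructed sample combining the shapes of Examples 6 and 7: one balancer block and
# one virtual host that proxies directly, both behind a shared-memory session cache.
VALID_CONF = """\
SSLSessionCache "shmcb:${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/ssl_scache(512000)"
SSLProxySessionCache on
<VirtualHost _default_:443>
    SSLEngine on
    <Proxy "balancer://mybalancer">
        SSLProxyEngine On
    </Proxy>
</VirtualHost>
<VirtualHost _default_:4448>
    SSLEngine on
    SSLProxyEngine on
    ProxyPass / https://<backend_host_name>:<backend_port>/
</VirtualHost>
"""
```

Run `analyse(open("ssl.conf").read())` against a real file and treat a non-empty `problems` list as a start-up blocker; `cached_proxies` tells you which backends will see resumed rather than full handshakes, which is the performance trade-off the SSLProxySessionCache description refers to.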

SSLSessionCacheTimeout Directive

Specifies the number of seconds before an SSL session in the session cache expires.

Category Value

Syntax

SSLSessionCacheTimeout seconds

Example

SSLSessionCacheTimeout 120

Default

300

SSLTraceLogLevel Directive

SSLTraceLogLevel adjusts the verbosity of the messages recorded in the Oracle Security library error logs. When a particular level is specified, messages from all other levels of higher significance will be reported as well. For example, when SSLTraceLogLevel ssl is set, messages with log levels of error, warn, user and debug will also be posted.

Note:

This directive can only be set globally in the ssl.conf file.

SSLTraceLogLevel accepts the following log levels:

  • none: Oracle Security Trace disabled.

  • fatal: Fatal error; system is unusable.

  • error: Error conditions.

  • warn: Warning conditions.

  • user: Normal but significant condition.

  • debug: Debug-level condition.

  • ssl: SSL-level debugging.

Category Value

Syntax

SSLTraceLogLevel none | fatal | error | warn | user | debug | ssl 

Example

SSLTraceLogLevel fatal

Default

None

SSLVerifyClient Directive

Specifies whether a client must present a certificate when connecting. The accepted values are:

  • none: No client certificate is required

  • optional: Client can present a valid certificate

  • require: Client must present a valid certificate

Category Value

Syntax

SSLVerifyClient none | optional | require

Example

SSLVerifyClient optional

Default

None

Note:

The level optional_no_ca included with mod_ssl (in which the client can present a valid certificate, but it need not be verifiable) is not supported in mod_ossl.

SSLWallet Directive

Specifies the location of the wallet by its WRL (wallet resource locator), given as a file path.

Category Value

Syntax

SSLWallet file:path to wallet directory

file:path may also be expressed simply as path.

Example

SSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystores/default"

Default

The value shown in the example above is the default.

Note:

If the wallet has a certificate/certificate request signed with the MD5 algorithm, Oracle HTTP Server will fail to start.
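
As an added example (not Oracle code), the following is a pre-start check for the MD5 condition in the note above. It assumes the certificate or certificate request has already been exported from the wallet as PEM or DER; it walks the outer DER structure by hand (an X.509 Certificate and a PKCS#10 CertificationRequest share the same outer shape: the signed body, then an AlgorithmIdentifier, then the signature) and reads the signature-algorithm OID. The sample certificate bytes are constructed filler with a real algorithm OID, not a real certificate, and the OID table lists the standard RSA and ECDSA signature algorithm identifiers.

```python
"""Report the signature algorithm of an exported certificate or CSR and flag MD5 before OHS starts."""
import base64

# Standard signature-algorithm OIDs (PKCS#1 / ANSI X9.62 arcs).
_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
MD5_RSA_OID = "1.2.840.113549.1.1.4"


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value header; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw: bytes) -> str:
    """Turn OID content bytes into dotted notation (first byte packs the first two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128 with continuation bit
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _to_der(data: bytes) -> bytes:
    """Accept PEM or DER; strip PEM armour and base64-decode when needed."""
    if data.lstrip().startswith(b"-----BEGIN"):
        lines = [l.strip() for l in data.splitlines()]
        return base64.b64decode(b"".join(l for l in lines if l and not l.startswith(b"-----")))
    return data


def signature_algorithm(data: bytes):
    """Return (oid, name) of the outer signatureAlgorithm of a DER/PEM certificate or CSR."""
    der = _to_der(data)
    tag, body_start, _ = _read_tlv(der, 0)                 # Certificate / CertificationRequest
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = _read_tlv(der, body_start)           # skip tbsCertificate / requestInfo
    tag, alg_start, _ = _read_tlv(der, after_tbs)          # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)    # its first element is the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(der[oid_start:oid_end])
    return oid, _SIG_OIDS.get(oid, "unknown")


def uses_md5(data: bytes) -> bool:
    """True when the object is signed with md5WithRSAEncryption, the case OHS refuses to start on."""
    return signature_algorithm(data)[0] == MD5_RSA_OID


# Constructed test material: Certificate-shaped DER whose body is filler bytes, not a real cert.
def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def sample_cert(sig_oid_hex: str) -> bytes:
    tbs = _der(0x30, _der(0x04, b"\x00" * 200))                           # filler tbsCertificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")  # OID + NULL parameters
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xaa" * 32))


def sample_pem(der: bytes) -> bytes:
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


MD5_RSA_HEX = "2a864886f70d010104"      # encoded 1.2.840.113549.1.1.4
SHA256_RSA_HEX = "2a864886f70d01010b"   # encoded 1.2.840.113549.1.1.11
```

Point `uses_md5(open(path, "rb").read())` at each certificate and request exported from the wallet directory named by SSLWallet; a True result is the condition under which, per the note above, Oracle HTTP Server fails to start, so the certificate should be re-issued with a current signature algorithm before the wallet is deployed.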