Controls various runtime options on a per-directory basis. In general, if multiple options apply to a directory, the most comprehensive option is applied (options are not merged). However, if all of the options in an SSLOptions
directive are preceded by a plus ('+') or minus ('-') symbol, then the options are merged. Options preceded by a plus are added to the options currently in force, and options preceded by a minus are removed from the options currently in force.
Accepted values are:
StdEnvVars
: Creates the standard set of CGI/SSI environment variables that are related to SSL. This is disabled by default because the extraction operation uses a lot of CPU time and usually has no application when serving static content. Typically, you only enable this for CGI/SSI requests.
ExportCertData
: Enables the following additional CGI/SSI variables:
SSL_SERVER_CERT
SSL_CLIENT_CERT
SSL_CLIENT_CERT_CHAIN_n
(where n= 0, 1, 2...)
These variables contain the Privacy Enhanced Mail (PEM)-encoded X.509 certificates for the server and the client for the current HTTPS connection, and can be used by CGI scripts for deeper certificate checking. All other certificates of the client certificate chain are provided. This option is "Off" by default because there is a performance cost associated with using it.
SSL_CLIENT_CERT_CHAIN_n
variables are in the following order: SSL_CLIENT_CERT_CHAIN_0
is the intermediate CA who signs SSL_CLIENT_CERT
. SSL_CLIENT_CERT_CHAIN_1
is the intermediate CA who signs SSL_CLIENT_CERT_CHAIN_0
, and so forth, with SSL_CLIENT_ROOT_CERT
as the root CA.
FakeBasicAuth
: Translates the subject distinguished name of the client X.509 certificate into an HTTP basic authorization user name. This means that the standard HTTP server authentication methods can be used for access control. No password is obtained from the user; the string 'password' is substituted.
StrictRequire
: Denies access when, according to SSLRequireSSL Directive or directives, access should be forbidden. Without StrictRequire
, it is possible for a 'Satisfy any'
directive setting to override the SSLRequire
or SSLRequireSSL
directive, allowing access if the client passes the host restriction or supplies a valid user name and password.
Thus, the combination of SSLRequireSSL
or SSLRequire
with SSLOptions +StrictRequire
gives mod_ossl
the ability to override a 'Satisfy any'
directive in all cases.
CompatEnvVars
: Exports obsolete environment variables for backward compatibility to Apache SSL 1.x, mod_ssl
2.0.x, Sioux 1.0, and Stronghold 2.x. Use this to provide compatibility to existing CGI scripts.
OptRenegotiate
: This enables optimized SSL connection renegotiation handling when SSL directives are used in a per-directory context.
Category | Value |
---|---|
Syntax |
|
Example |
|
Default |
None |