Stack Overflow question: What are valid characters in a Windows service key name?
Answer (Richard Szalay): Additionally, the following rules apply to the "Display Name": This string has a maximum length of characters. Note: I have shown empirically that a full stop.
This directive sets the directory where you keep the client certificates and keys used for authentication of the proxy server to remote servers.

This directive restricts the protocols the proxy may use: it will only connect to remote servers using one of the listed protocols. Please refer to SSLProtocol for additional information.

When a proxy is configured to forward requests to a remote SSL server, this directive can be used to configure certificate verification of the remote server.

The depth is the maximum number of intermediate certificate issuers that may be followed while verifying the remote server certificate. A depth of 0 means that only self-signed remote server certificates are accepted; the default depth of 1 means the remote server certificate may be self-signed or must be signed by a CA which is directly known to the server.

This directive can only be used in the global server context because the PRNG is a global facility.
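The following is an added example, not text from the page or configuration shipped by the Apache project. It puts the proxy-side directives described above (which I take to be SSLProxyMachineCertificateFile/Path, SSLProxyProtocol, SSLProxyVerify and SSLProxyVerifyDepth) into one reverse-proxy virtual host, with the default non-verifying setting shown commented out beside the strict one. Hostnames, file paths and the depth value are assumptions chosen for illustration.

```apache
# Added example; hostnames, paths and the depth value are assumptions.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key

    SSLProxyEngine on

    # Speak only TLS 1.2 or 1.3 to the backend (same syntax as SSLProtocol).
    SSLProxyProtocol -all +TLSv1.2 +TLSv1.3

    # Certificate and key the proxy presents to the backend, as one PEM file
    # (certificate first, then the unencrypted key). SSLProxyMachineCertificatePath
    # takes a directory of such files instead, looked up by hash file names.
    SSLProxyMachineCertificateFile /etc/httpd/ssl/proxy-client.pem

    # Weak (the default): "SSLProxyVerify none" accepts whatever certificate the
    # backend presents, so any host on the path can impersonate the backend.
    #SSLProxyVerify none

    # Strict: verify the backend certificate against these trust anchors.
    SSLProxyCACertificateFile /etc/httpd/ssl/backend-ca.pem
    SSLProxyVerify require

    # Depth counts issuers above the backend certificate: 1 would require the CA in
    # backend-ca.pem to be the direct issuer, 2 allows one intermediate in between.
    SSLProxyVerifyDepth 2

    # A certificate that verifies but names a different host or has expired is
    # still rejected.
    SSLProxyCheckPeerName   on
    SSLProxyCheckPeerExpire on

    ProxyPass        /app/ https://backend.internal.example.com/app/
    ProxyPassReverse /app/ https://backend.internal.example.com/app/
</VirtualHost>
```

With `SSLProxyVerify require` and depth 2, a backend certificate issued by an unknown CA, or by a chain with two intermediates, fails verification and the proxied request is refused rather than silently forwarded over an unauthenticated connection.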
The builtin source is the always available seeding source. Its usage consumes minimal CPU cycles at runtime and hence it can always be used without drawbacks. The source used for seeding the PRNG consists of the current time, the current process id and a randomly chosen extract of bytes from the stack. The drawback is that this is not really a strong source, and at startup time, when the scoreboard is not yet available, this source produces only a few bytes of entropy. So you should always, at least for startup, use an additional seeding source.

For a file source, the drawback is just that the quality of the received data may not be the best.

For an external program source, when bytes is specified, only the first bytes number of bytes of its stdout contents form the entropy. When bytes is not specified, the entirety of the data produced on stdout forms the entropy. Using this in the connection context slows down the server too dramatically, of course, so you should usually avoid using external programs in that context. Use this if no random device exists on your platform.

This directive can be used to set the amount of memory that will be used for the request-body buffer during an SSL renegotiation. Note that in many configurations the client sending the request body will be untrusted, so a denial of service attack by consumption of memory must be considered when changing this configuration setting.
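An added example (mine, not the page's or the project's own configuration) of the two points above: PRNG seeding in the global context, with the weak startup-only-builtin form commented beside the recommended one, and a bounded renegotiation buffer in a per-location block where a client-certificate requirement forces a renegotiation after the request has started. Paths and sizes are assumptions.

```apache
# Added example; paths and sizes are assumptions, not values from the page.

# --- global server context only: the PRNG is shared by all virtual hosts ---

# Weak: the builtin source alone yields only a few bytes of entropy at startup,
# because the scoreboard does not exist yet.
#SSLRandomSeed startup builtin

# Recommended: keep builtin and add a random device at startup. The trailing
# number is how many bytes to read from the source.
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512

# Per-connection seeding must be cheap; builtin costs almost nothing here.
SSLRandomSeed connect builtin

# Never run an external program per connection; the fork alone is far too slow.
# At startup an exec: source is acceptable, e.g. when no random device exists.
#SSLRandomSeed connect exec:/usr/local/bin/truerand 16
#SSLRandomSeed startup exec:/usr/local/bin/truerand 16

# --- per-directory client-cert requirement ---
# Requiring a certificate only here makes mod_ssl renegotiate after the request
# line and headers have been read, so any request body must be buffered across
# the renegotiation. Bound that buffer: the sender of the body is untrusted.
<Location /api/upload>
    SSLVerifyClient require
    SSLRenegBufferSize 65536
</Location>
```

A request body larger than `SSLRenegBufferSize` that arrives on such a location is rejected instead of being held in memory while the renegotiation completes, which is the trade-off the note on denial of service refers to.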
SSLRequire is deprecated and should in general be replaced by Require expr. For the latter, there are also aliases without the leading dashes (lt, le, and so on).

This directive specifies a general access requirement which has to be fulfilled in order to allow access. It is a very powerful directive because the requirement specification is an arbitrarily complex boolean expression containing any number of access checks. For varname any of the variables described in Environment Variables can be used. The expression is parsed into an internal machine representation when the configuration is loaded, and then evaluated during request processing.

The expression evaluates to true if the left-hand side string matches exactly against the value of an extension identified with this OID. If multiple extensions with the same OID are present, at least one extension must match. Expressions with types known to the SSL library are rendered to a string before comparison. For an extension of one of these types, the string value will be converted to UTF-8 if necessary, then compared against the left-hand-side expression.

HTTPS (environment variable): HTTPS is enabled for the current connection.

This directive forbids access unless HTTP over SSL is used: when it is present, all requests that do not use SSL are denied. It is very handy inside an SSL-enabled virtual host or directory for defending against configuration errors that expose resources which should be protected.
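An added example (not from the page or the Apache project) of the migration recommended above: a deprecated SSLRequireSSL/SSLRequire block, kept commented for comparison, and the same policy written with `Require ssl` and `Require expr`. The organisation and unit names, the key-size threshold, the path and the certificate files are assumptions.

```apache
# Added example; names, thresholds and paths are assumptions.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.pem

    # Ask for a client certificate so the SSL_CLIENT_* variables are populated;
    # the Require rules below decide what is accepted.
    SSLVerifyClient optional

    # Deprecated form: SSLRequireSSL plus an SSLRequire boolean expression.
    #<Location /internal>
    #    SSLRequireSSL
    #    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 and \
    #               %{SSL_CLIENT_S_DN_O}  eq "Example Corp" and \
    #               %{SSL_CLIENT_S_DN_OU} in {"Engineering", "Security"}
    #</Location>

    # Same policy in the authorization framework. Several Require lines are
    # OR-ed by default, so <RequireAll> is needed to AND them.
    <Location /internal>
        <RequireAll>
            # replaces SSLRequireSSL: nothing but an SSL connection gets through
            Require ssl
            # replaces SSLRequire, in ap_expr syntax: == compares strings,
            # -ge compares integers (ge is the alias without the dash),
            # && or 'and' joins terms. Parsed at config load, evaluated per request.
            Require expr %{SSL_CLIENT_S_DN_O} == "Example Corp" && %{SSL_CLIENT_S_DN_OU} in {"Engineering", "Security"}
            Require expr %{SSL_CIPHER_USEKEYSIZE} -ge 128
        </RequireAll>
    </Location>
</VirtualHost>
```

A client that presents no certificate leaves `SSL_CLIENT_S_DN_O` empty, so the first expression is false and the request is denied; a client whose certificate chains to `client-ca.pem` but carries a different organisation is denied the same way, without any per-directory renegotiation trick being needed.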
This cache is an optional facility which speeds up parallel request processing. Because modern clients request inlined images and other data via parallel requests (usually up to four parallel requests are common), those requests are served by different pre-forked server processes. Here an inter-process cache helps to avoid unnecessary session handshakes.

Disabling the cache entirely will incur a noticeable speed penalty and may cause problems with certain browsers, particularly if client certificates are enabled. This setting is not recommended. The file-based session cache may suffer reliability issues under high load. The shared-memory cache makes use of a high-performance cyclic buffer and is the recommended session cache. The distributed cache makes use of the distcache distributed session caching libraries.

The ssl-cache mutex is used to serialize access to the session cache to prevent corruption. This mutex can be configured using the Mutex directive.

The cache timeout can be set as low as 15 for testing, but should be set to a higher value in production.

The ticket key file is primarily suitable for clustered environments where TLS session information should be shared between multiple nodes. The file must contain 48 bytes of random data, preferably created from a high-entropy source; on a Unix-based system it can be created by reading 48 bytes from the system's random device into a file. Ticket keys should be rotated (replaced) on a frequent basis, as this is the only way to invalidate an existing session ticket; OpenSSL currently does not allow specifying a limit for ticket lifetimes. A new ticket key is only used after restarting the web server, and all existing session tickets become invalid after a restart. The ticket key file contains sensitive keying material and should be protected with file permissions similar to those used for SSLCertificateKeyFile.

TLS session tickets are enabled by default. Using them without restarting the web server at an appropriate frequency, e.g.

This directive sets the seed used to fake SRP user parameters for unknown users, to avoid leaking whether a given user exists.
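The following is an added example (mine, not the page's or the Apache project's) that puts the session cache, its mutex, the cache timeout and the ticket key file discussed above into one configuration, with the discouraged cache settings shown commented out. The reason rotation matters, which I add here as a practitioner's note rather than page text, is that a ticket key kept for a long time and later leaked lets whoever holds it recover the session secrets inside every ticket it protected and thereby the recorded traffic of those sessions. Paths, sizes, the timeout and the rotation schedule are assumptions.

```apache
# Added example; paths, sizes, timeouts and the schedule are assumptions.

# --- global server context ---
# Not recommended: no inter-process cache, every process handshakes afresh.
#SSLSessionCache none
# File-based: works, but may suffer reliability issues under high load.
#SSLSessionCache dbm:/run/httpd/ssl_scache
# Recommended: shared-memory cyclic buffer; the number is its size in bytes.
SSLSessionCache        shmcb:/run/httpd/ssl_scache(512000)
# Lock serialising access to that cache; here a file-based mutex in this directory.
Mutex                  file:/run/httpd ssl-cache

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key

    # 15 is the floor and only for testing; production uses a much higher value.
    SSLSessionCacheTimeout 300

    # Ticket key shared by every node of the cluster: exactly 48 random bytes,
    # e.g. produced with    openssl rand -out /etc/httpd/ssl/ticket.key 48
    # and protected like the private key:    chmod 600 /etc/httpd/ssl/ticket.key
    # A new key is read only on (graceful) restart, and that restart invalidates
    # every outstanding ticket, so replace the file on a fixed schedule (for
    # example a daily job that writes a fresh key and runs apachectl graceful).
    SSLSessionTicketKeyFile /etc/httpd/ssl/ticket.key

    # If that rotation cannot be operated, turn tickets off rather than let a
    # single key protect months of resumable sessions.
    #SSLSessionTickets off
</VirtualHost>
```

Without `SSLSessionTicketKeyFile` each node generates its own key at startup, so tickets issued by one node are useless on another and the key still lives until the next restart; the file only makes the key shared, it does not make rotation automatic.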
Specify a secret string.

Configuration of a cache is mandatory for OCSP stapling. With the exception of none and nonenotnull, the same storage types are supported as with SSLSessionCache.

One potential use of overriding the responder URL is when a proxy is used for retrieving OCSP queries.

This option sets the maximum allowable age ("freshness") of OCSP responses considered for stapling purposes.

If set to off, only responses indicating a certificate status of "good" will be included in the TLS handshake.

This directive sets whether a non-SNI client is allowed to access a name-based virtual host. If set to on in any other virtual host, SNI-unaware clients are not allowed to access this particular virtual host.

This directive sets the "user" field in the Apache request object. This is used by lower modules to identify the user with a character string. The varname can be any of the SSL environment variables.

For server certificates with intermediate CA certificates in their chain (the typical case nowadays), stapling in its current implementation only partially achieves the stated goal of "saving roundtrips and resources"; see also the RFC on the TLS Multiple Certificate Status Extension.

When OCSP stapling is enabled, the ssl-stapling mutex is used to control access to the OCSP stapling cache in order to prevent corruption, and the ssl-stapling-refresh mutex is used to control refreshes of OCSP responses. These mutexes can be configured using the Mutex directive.
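An added example (mine, not the page's or the Apache project's) of the stapling directives above, the two stapling mutexes, and the SNI strictness setting on a second name-based host. Hostnames, paths, sizes and timeouts are assumptions.

```apache
# Added example; hostnames, paths, sizes and timeouts are assumptions.

# --- global server context ---
# A stapling cache is mandatory; same storage types as SSLSessionCache,
# except none and nonenotnull.
SSLStaplingCache shmcb:/run/httpd/ssl_stapling(32768)
# One mutex guards the cache, the other serialises refreshes from the responder.
Mutex sysvsem ssl-stapling
Mutex sysvsem ssl-stapling-refresh

# First name-based host on the address is the default; non-SNI clients land here.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # Leaf certificate followed by its intermediate. Stapling covers only the
    # leaf's status, so a client may still contact OCSP for the intermediate.
    SSLCertificateFile    /etc/httpd/ssl/www.example.com-chain.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key

    SSLUseStapling on
    # Weak: passing responder errors through staples the error status into the
    # handshake and leaves it to the client what to do with it.
    #SSLStaplingReturnResponderErrors on
    # Staple only "good" responses; on an error the client does its own lookup.
    SSLStaplingReturnResponderErrors off
    # Refuse to staple a response older than one day (seconds).
    SSLStaplingResponseMaxAge 86400
    # Limit how long a handshake can wait on the responder, and how long
    # good and error results are cached.
    SSLStaplingResponderTimeout 5
    SSLStaplingStandardCacheTimeout 3600
    SSLStaplingErrorCacheTimeout 300
    # Override the AIA responder URL only when it must be reached via a proxy.
    #SSLStaplingForceURL http://ocsp-proxy.internal.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName intranet.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/intranet.example.com-chain.crt
    SSLCertificateKeyFile /etc/httpd/ssl/intranet.example.com.key
    SSLUseStapling on
    # This host is reachable by name only: a client that sends no SNI is refused
    # instead of being handed the default host's certificate and content.
    SSLStrictSNIVHostCheck on
</VirtualHost>
```

Omitting `SSLStaplingCache` while `SSLUseStapling on` is set is a startup error, and omitting the Mutex lines simply falls back to the default mutex mechanism; the explicit lines are there so the two named mutexes are visible to whoever audits the configuration.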
This directive sets the certificate verification level for client authentication. In per-server context it applies to the client authentication process used in the standard SSL handshake when a connection is established.

The depth is the maximum number of intermediate certificate issuers that may be followed while verifying the client certificate. A depth of 0 means that only self-signed client certificates are accepted; the default depth of 1 means the client certificate may be self-signed or must be signed by a CA which is directly known to the server.

Copyright The Apache Software Foundation. Licensed under the Apache License, Version 2.0.

If the client does not support the secure renegotiation extension, the note is set to the value 0.

Require ssl: the ssl provider denies access if a connection is not encrypted with SSL.

Require ssl-verify-client: the ssl provider allows access if the user is authenticated with a valid client certificate. Listed together (Require directives are OR-ed by default), the following grant access either with a client certificate or with a valid user:

Require ssl-verify-client
Require valid-user

This directive allows enabling compression at the SSL level. The default used to be on in earlier versions. Enabling it is a security risk in most setups (the CRIME attack recovers secrets such as session cookies from compressed TLS data), so leave it at its default of off.
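An added example (mine, not the page's or the Apache project's) of the client verification level and depth above, the ssl authorization providers, the user-field mapping described earlier in the page, and compression left off. CA file, paths and the realm name are assumptions.

```apache
# Added example; paths, the CA file and the realm name are assumptions.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key
    # TLS-level compression is off by default; do not enable it (CRIME).
    SSLCompression off

    # Issuers accepted for client certificates.
    SSLCACertificateFile /etc/httpd/ssl/client-ca.pem
    # Per-server: ask for a certificate in the initial handshake but do not
    # insist on one; the Require rules decide per location.
    SSLVerifyClient optional
    # client cert <- intermediate <- root in client-ca.pem needs depth 2;
    # depth 1 would accept only certificates issued directly by a CA in that file.
    SSLVerifyDepth 2
    # Put the certificate's CN into the request's user field, so lower modules
    # and logs see it (this may set REMOTE_USER for applications).
    SSLUserName SSL_CLIENT_S_DN_CN

    # Certificate-only area: both conditions must hold.
    <Location /staff/certs-only>
        <RequireAll>
            Require ssl
            Require ssl-verify-client
        </RequireAll>
    </Location>

    # Certificate or password: Require lines are OR-ed by default, so access is
    # granted either with a verified client certificate or with a valid user
    # from the password file.
    <Location /staff>
        AuthType Basic
        AuthName "Staff"
        AuthBasicProvider file
        AuthUserFile /etc/httpd/staff.htpasswd
        Require ssl-verify-client
        Require valid-user
    </Location>
</VirtualHost>
```

Setting `SSLVerifyClient require` at the server level instead would reject every connection without a certificate before any request is seen; `optional` with per-location Require rules keeps the rest of the host reachable while still failing closed for these two paths.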
To discover which engine names are supported, run the command "openssl engine". Context: server config, virtual host, directory.