author Graham Leggett <minfrin@apache.org> 2009-01-03 22:10:27 +0100
committer Graham Leggett <minfrin@apache.org> 2009-01-03 22:10:27 +0100
commit 6563cec83352207d60c9e845ebfebd58d25e30a2 (patch)
tree c4909f98a22af54aac30e0e5715d7706070dfcb4 /docs
parent mod_session_crypto: Rewrite the session_crypto module against the (diff)
Update transformation.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@731089 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs')
-rw-r--r-- docs/manual/mod/directives.html.en | 6
-rw-r--r-- docs/manual/mod/mod_session_crypto.html.en | 147
-rw-r--r-- docs/manual/mod/quickreference.html.en | 6
3 files changed, 47 insertions, 112 deletions
diff --git a/docs/manual/mod/directives.html.en b/docs/manual/mod/directives.html.en
index e953274fa6..da64747619 100644
--- a/docs/manual/mod/directives.html.en
+++ b/docs/manual/mod/directives.html.en
@@ -401,11 +401,7 @@
<li><a href="mod_session_cookie.html#sessioncookiename">SessionCookieName</a></li>
<li><a href="mod_session_cookie.html#sessioncookiename2">SessionCookieName2</a></li>
<li><a href="mod_session_cookie.html#sessioncookieremove">SessionCookieRemove</a></li>
-<li><a href="mod_session_crypto.html#sessioncryptocertificatefile">SessionCryptoCertificateFile</a></li>
-<li><a href="mod_session_crypto.html#sessioncryptocertificatekeyfile">SessionCryptoCertificateKeyFile</a></li>
-<li><a href="mod_session_crypto.html#sessioncryptocipher">SessionCryptoCipher</a></li>
-<li><a href="mod_session_crypto.html#sessioncryptodigest">SessionCryptoDigest</a></li>
-<li><a href="mod_session_crypto.html#sessioncryptoengine">SessionCryptoEngine</a></li>
+<li><a href="mod_session_crypto.html#sessioncryptodriver">SessionCryptoDriver</a></li>
<li><a href="mod_session_crypto.html#sessioncryptopassphrase">SessionCryptoPassphrase</a></li>
<li><a href="mod_session_dbd.html#sessiondbdcookiename">SessionDBDCookieName</a></li>
<li><a href="mod_session_dbd.html#sessiondbdcookiename2">SessionDBDCookieName2</a></li>
diff --git a/docs/manual/mod/mod_session_crypto.html.en b/docs/manual/mod/mod_session_crypto.html.en
index 5e5ed54561..9ff31c3b67 100644
--- a/docs/manual/mod/mod_session_crypto.html.en
+++ b/docs/manual/mod/mod_session_crypto.html.en
@@ -52,11 +52,7 @@
</div>
<div id="quickview"><h3 class="directives">Directives</h3>
<ul id="toc">
-<li><img alt="" src="../images/down.gif" /> <a href="#sessioncryptocertificatefile">SessionCryptoCertificateFile</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#sessioncryptocertificatekeyfile">SessionCryptoCertificateKeyFile</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#sessioncryptocipher">SessionCryptoCipher</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#sessioncryptodigest">SessionCryptoDigest</a></li>
-<li><img alt="" src="../images/down.gif" /> <a href="#sessioncryptoengine">SessionCryptoEngine</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#sessioncryptodriver">SessionCryptoDriver</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sessioncryptopassphrase">SessionCryptoPassphrase</a></li>
</ul>
<h3>Topics</h3>
@@ -93,112 +89,48 @@
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
-<div class="directive-section"><h2><a name="SessionCryptoCertificateFile" id="SessionCryptoCertificateFile">SessionCryptoCertificateFile</a> <a name="sessioncryptocertificatefile" id="sessioncryptocertificatefile">Directive</a></h2>
+<div class="directive-section"><h2><a name="SessionCryptoDriver" id="SessionCryptoDriver">SessionCryptoDriver</a> <a name="sessioncryptodriver" id="sessioncryptodriver">Directive</a></h2>
<table class="directive">
-<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The certificate used to encrypt and decrypt the session</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCryptoCertificateFile <var>file</var></code></td></tr>
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The crypto driver to be used to encrypt the session</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCryptoDriver <var>name</var> <var>[param[=value]]</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
-<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session_crypto</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3.0 and later</td></tr>
</table>
- <p>The <code class="directive">SessionCryptoCertificateFile</code> directive specifies the name
- of a certificate to be used to asymmetrically encrypt the contents of the session before
- writing the session, or decrypting the content of the session after reading the session.</p>
-
- <p>Changing the certificate on a server has the effect of invalidating all existing
- sessions.</p>
+ <p>The <code class="directive">SessionCryptoDriver</code> directive specifies the name of
+ the crypto driver to be used for encryption. If not specified, the driver defaults
+ to the recommended driver compiled into APR-util.</p>
- <p>If the key associated with this certificate is protected with a passphrase, the
- <code class="directive"><a href="#sessioncryptopassphrase">SessionCryptoPassphrase</a></code> directive
- will be interpreted as the passphrase to use to decrypt the key.</p>
+ <p>The <var>NSS</var> crypto driver requires some parameters for configuration,
+ which are specified as parameters with optional values after the driver name.</p>
- <div class="warning"><h3>Experimental</h3>
- <p>This directive is dependent on experimental support for asymmetrical encryption
- support currently available in prerelease versions of OpenSSL, and will only be
- available on platforms that support it.</p>
- </div>
-
+ <div class="example"><h3>NSS without a certificate database</h3><p><code>
+ SessionCryptoDriver nss
+ </code></p></div>
-</div>
-<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
-<div class="directive-section"><h2><a name="SessionCryptoCertificateKeyFile" id="SessionCryptoCertificateKeyFile">SessionCryptoCertificateKeyFile</a> <a name="sessioncryptocertificatekeyfile" id="sessioncryptocertificatekeyfile">Directive</a></h2>
-<table class="directive">
-<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The certificate key used to encrypt and decrypt the session</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCryptoCertificateKeyFile <var>file</var></code></td></tr>
-<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
-<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
-<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
-<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session_crypto</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3.0 and later</td></tr>
-</table>
- <p>The <code class="directive">SessionCryptoCertificateKeyFile</code> directive specifies the name
- of a certificate key to be used alongside a certificate to encrypt the contents of the
- session before writing the session, or decrypting the content of the session after reading
- the session.</p>
-
- <p>Changing the certificate or key on a server has the effect of invalidating all existing
- sessions.</p>
+ <div class="example"><h3>NSS with certificate database</h3><p><code>
+ SessionCryptoDriver nss dir=certs
+ </code></p></div>
- <p>If this key is protected with a passphrase, the
- <code class="directive"><a href="#sessioncryptopassphrase">SessionCryptoPassphrase</a></code> directive
- will be interpreted as the passphrase to use to decrypt the key.</p>
+ <div class="example"><h3>NSS with certificate database and parameters</h3><p><code>
+ SessionCryptoDriver nss dir=certs key3=key3.db cert7=cert7.db secmod=secmod
+ </code></p></div>
- <div class="warning"><h3>Experimental</h3>
- <p>This directive is dependent on experimental support for asymmetrical encryption
- support currently available in prerelease versions of OpenSSL, and will only be
- available on platforms that support it.</p>
- </div>
-
+ <p>The <var>NSS</var> crypto driver might have already been configured by another
+ part of the server, for example from <code class="module"><a href="../mod/mod_nss.html">mod_nss</a></code> or
+ <code class="module"><a href="../mod/mod_ldap.html">mod_ldap</a></code>. If found to have already been configured,
+ a warning will be logged, and the existing configuration will have taken affect.
+ To avoid this warning, use the noinit parameter as follows.</p>
-</div>
-<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
-<div class="directive-section"><h2><a name="SessionCryptoCipher" id="SessionCryptoCipher">SessionCryptoCipher</a> <a name="sessioncryptocipher" id="sessioncryptocipher">Directive</a></h2>
-<table class="directive">
-<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The name of the cipher to use during encryption / decryption</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCryptoCipher <var>cipher</var></code></td></tr>
-<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AES256</code></td></tr>
-<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
-<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
-<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session_crypto</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3.0 and later</td></tr>
-</table>
- <p>The <code class="directive">SessionCryptoCipher</code> directive specifies the name
- of the cipher to use during encryption. The ciphers available will depend on the
- underlying encryption toolkit on the server platform.</p>
+ <div class="example"><h3>NSS with certificate database</h3><p><code>
+ SessionCryptoDriver nss noinit
+ </code></p></div>
-</div>
-<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
-<div class="directive-section"><h2><a name="SessionCryptoDigest" id="SessionCryptoDigest">SessionCryptoDigest</a> <a name="sessioncryptodigest" id="sessioncryptodigest">Directive</a></h2>
-<table class="directive">
-<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The name of the digest to use during encryption / decryption</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCryptoDigest <var>cipher</var></code></td></tr>
-<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SHA</code></td></tr>
-<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
-<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
-<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session_crypto</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3.0 and later</td></tr>
-</table>
- <p>The <code class="directive">SessionCryptoDigest</code> directive specifies the name
- of the digest to use during encryption. The list of digests available will depend
- on the underlying encryption toolkit on the server platform.</p>
+ <p>To prevent confusion, ensure that all modules requiring NSS are configured with
+ identical parameters.</p>
-</div>
-<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
-<div class="directive-section"><h2><a name="SessionCryptoEngine" id="SessionCryptoEngine">SessionCryptoEngine</a> <a name="sessioncryptoengine" id="sessioncryptoengine">Directive</a></h2>
-<table class="directive">
-<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>The name of the engine to use during encryption / decryption</td></tr>
-<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SessionCryptoEngine <var>engine</var></code></td></tr>
-<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>none</code></td></tr>
-<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host, directory, .htaccess</td></tr>
-<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
-<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_session_crypto</td></tr>
-<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3.0 and later</td></tr>
-</table>
- <p>The <code class="directive">SessionCryptoEngine</code> directive specifies the name
- of the engine to use during encryption, depending on the capabilities of the
- underlying encryption toolkit on the server platform.</p>
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
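Review bot: The Default row kept as context in the new SessionCryptoDriver table still reads `none`, while the added paragraph says the driver "defaults to the recommended driver compiled into APR-util"; the table and the prose should agree. In the same section, the example for `SessionCryptoDriver nss noinit` reuses the heading "NSS with certificate database" from the `dir=certs` example and needs its own title, and "will have taken affect" should read "will have taken effect". The Context row narrows from "server config, virtual host, directory, .htaccess" to "server config", and the SessionCryptoDigest section is removed with no replacement text, so the new section should say what happens to existing per-directory settings and whether a digest is still applied to the session. The `key3=`, `cert7=` and `secmod=` parameters appear only inside an example and each needs a sentence of description.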
@@ -214,15 +146,26 @@
</table>
<p>The <code class="directive">SessionCryptoPassphrase</code> directive specifies the key
to be used to enable symmetrical encryption on the contents of the session before
- writing the session, or decrypting the contents of the session after reading the session.</p>
+ writing the session, or decrypting the contents of the session after reading the
+ session.</p>
<p>Keys are more secure when they are long, and consist of truly random characters.
Changing the key on a server has the effect of invalidating all existing sessions.</p>
- <p>If the <code class="directive"><a href="#sessioncryptocertificatefile">SessionCryptoCertificateFile</a></code>
- directive is set and asymmetrical encryption is enabled instead, the
- <code class="directive"><a href="#sessioncryptopassphrase">SessionCryptoPassphrase</a></code> directive
- will be interpreted as the passphrase of the key, if the key is encrypted.</p>
+ <p>The cipher can be set to <var>3des192</var> or <var>aes256</var> using the
+ <var>cipher</var> parameter as per the example below. If not set, the cipher defaults
+ to <var>aes256</var>.</p>
+
+ <div class="example"><h3>Cipher</h3><p><code>
+ SessionCryptoPassphrase secret cipher=aes256
+ </code></p></div>
+
+ <p>The <var>openssl</var> crypto driver supports an optional parameter to specify
+ the engine to be used for encryption.</p>
+
+ <div class="example"><h3>OpenSSL with engine support</h3><p><code>
+ SessionCryptoPassphrase secret engine=name
+ </code></p></div>
</div>
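Review bot: The `engine=` parameter is described as belonging to the openssl crypto driver but is documented on SessionCryptoPassphrase, whereas the NSS driver parameters in this commit are given on SessionCryptoDriver; the text should explain why `cipher=` and `engine=` sit on the passphrase directive and what happens when `engine=name` is given while a different driver is selected. Both added examples use `secret` as the passphrase directly below the sentence "Keys are more secure when they are long, and consist of truly random characters", so an obvious placeholder value would keep readers from copying a weak key. The paragraph removed here was the only description of how the passphrase behaved with SessionCryptoCertificateFile; if asymmetric encryption is no longer supported, the section should say so.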
diff --git a/docs/manual/mod/quickreference.html.en b/docs/manual/mod/quickreference.html.en
index ae462adc3a..4b5d4da9a5 100644
--- a/docs/manual/mod/quickreference.html.en
+++ b/docs/manual/mod/quickreference.html.en
@@ -690,11 +690,7 @@ header</td></tr>
<tr><td><a href="mod_session_cookie.html#sessioncookiename">SessionCookieName <var>name</var> <var>attributes</var></a></td><td></td><td>svdh</td><td>E</td></tr><tr><td class="descr" colspan="4">Name and attributes for the RFC2109 cookie storing the session</td></tr>
<tr class="odd"><td><a href="mod_session_cookie.html#sessioncookiename2">SessionCookieName2 <var>name</var> <var>attributes</var></a></td><td></td><td>svdh</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Name and attributes for the RFC2965 cookie storing the session</td></tr>
<tr><td><a href="mod_session_cookie.html#sessioncookieremove">SessionCookieRemove On|Off</a></td><td> Off </td><td>svdh</td><td>E</td></tr><tr><td class="descr" colspan="4">Control for whether session cookies should be removed from incoming HTTP headers</td></tr>
-<tr class="odd"><td><a href="mod_session_crypto.html#sessioncryptocertificatefile">SessionCryptoCertificateFile <var>file</var></a></td><td></td><td>svdh</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">The certificate used to encrypt and decrypt the session</td></tr>
-<tr><td><a href="mod_session_crypto.html#sessioncryptocertificatekeyfile">SessionCryptoCertificateKeyFile <var>file</var></a></td><td></td><td>svdh</td><td>E</td></tr><tr><td class="descr" colspan="4">The certificate key used to encrypt and decrypt the session</td></tr>
-<tr class="odd"><td><a href="mod_session_crypto.html#sessioncryptocipher">SessionCryptoCipher <var>cipher</var></a></td><td></td><td>svdh</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">The name of the cipher to use during encryption / decryption</td></tr>
-<tr><td><a href="mod_session_crypto.html#sessioncryptodigest">SessionCryptoDigest <var>cipher</var></a></td><td></td><td>svdh</td><td>E</td></tr><tr><td class="descr" colspan="4">The name of the digest to use during encryption / decryption</td></tr>
-<tr class="odd"><td><a href="mod_session_crypto.html#sessioncryptoengine">SessionCryptoEngine <var>engine</var></a></td><td></td><td>svdh</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">The name of the engine to use during encryption / decryption</td></tr>
+<tr class="odd"><td><a href="mod_session_crypto.html#sessioncryptodriver">SessionCryptoDriver <var>name</var> <var>[param[=value]]</var></a></td><td></td><td>s</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">The crypto driver to be used to encrypt the session</td></tr>
<tr><td><a href="mod_session_crypto.html#sessioncryptopassphrase">SessionCryptoPassphrase <var>secret</var></a></td><td></td><td>svdh</td><td>E</td></tr><tr><td class="descr" colspan="4">The key used to encrypt the session</td></tr>
<tr class="odd"><td><a href="mod_session_dbd.html#sessiondbdcookiename">SessionDBDCookieName <var>name</var> <var>attributes</var></a></td><td></td><td>svdh</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Name and attributes for the RFC2109 cookie storing the session ID</td></tr>
<tr><td><a href="mod_session_dbd.html#sessiondbdcookiename2">SessionDBDCookieName2 <var>name</var> <var>attributes</var></a></td><td></td><td>svdh</td><td>E</td></tr><tr><td class="descr" colspan="4">Name and attributes for the RFC2965 cookie storing the session ID</td></tr>
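Review bot: The unchanged SessionCryptoPassphrase row still gives the syntax as `SessionCryptoPassphrase <var>secret</var>`, but mod_session_crypto.html.en in this commit documents `cipher=` and `engine=` parameters after the secret; the syntax should show the optional parameters the way the new SessionCryptoDriver row does with `[param[=value]]`. The context column for SessionCryptoDriver is `s` while SessionCryptoPassphrase stays `svdh`, so a per-directory passphrase can carry `cipher=` or `engine=` values while the driver is fixed server-wide, and the directive text should say how a mismatch is handled. If these .html.en files are generated, as the commit message "Update transformation." suggests, the fix belongs in the source the transformation reads.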