Chapter 4 Compatibility

This chapter describes backward compatibility with other SSL solutions. mod_ssl is not the only SSL implementation for Apache; in practice four solutions exist: Ben Laurie's freeware Apache-SSL (on which mod_ssl is based), RedHat's commercial server Secure Web Server (based on mod_ssl), Covalent's commercial Raven SSL Module (based on Apache-SSL), and finally C2Net's commercial product Stronghold (based on a separate development branch called Sioux).

mod_ssl supports most of the functionality of these four solutions, and in most cases backward compatibility is easy to provide. Compatibility work concentrates on three areas: configuration directives, environment variables, and custom log functions.

Configuration Directives

To provide backward compatibility with the configuration directives of other SSL solutions, mod_ssl uses an on-the-fly mapping: directives which have a direct counterpart in mod_ssl are mapped silently, while other directives lead to a warning message in the logfiles. The currently implemented directive mapping is shown in Table 1. Complete backward compatibility currently exists only between Apache-SSL 1.x and mod_ssl 2.0.x; Sioux 1.x and Stronghold 2.x can only be mapped partially, because of some functional differences that mod_ssl does not yet provide.

| Old Directive                                  | mod_ssl Directive                              | Comment                                         |
|------------------------------------------------|------------------------------------------------|-------------------------------------------------|
| Apache-SSL 1.x & mod_ssl 2.0.x compatibility:  |                                                |                                                 |
| SSLEnable                                      | SSLEngine on                                   | compactified                                    |
| SSLDisable                                     | SSLEngine off                                  | compactified                                    |
| SSLLogFile file                                | SSLLog file                                    | compactified                                    |
| SSLRequiredCiphers spec                        | SSLCipherSuite spec                            | renamed                                         |
| SSLRequireCipher c1 ...                        | SSLRequire %{SSL_CIPHER} in {"c1", ...}        | generalized                                     |
| SSLBanCipher c1 ...                            | SSLRequire not (%{SSL_CIPHER} in {"c1", ...})  | generalized                                     |
| SSLFakeBasicAuth                               | SSLOptions +FakeBasicAuth                      | merged                                          |
| SSLCacheServerPath dir                         | -                                              | functionality removed                           |
| SSLCacheServerPort integer                     | -                                              | functionality removed                           |
| Apache-SSL 1.x compatibility:                  |                                                |                                                 |
| SSLExportClientCertificates                    | SSLOptions +ExportCertData                     | merged                                          |
| SSLCacheServerRunDir dir                       | -                                              | functionality not supported                     |
| Sioux 1.x compatibility:                       |                                                |                                                 |
| SSL_CertFile file                              | SSLCertificateFile file                        | renamed                                         |
| SSL_KeyFile file                               | SSLCertificateKeyFile file                     | renamed                                         |
| SSL_CipherSuite arg                            | SSLCipherList arg                              | renamed                                         |
| SSL_X509VerifyDir arg                          | SSLCACertificatePath arg                       | renamed                                         |
| SSL_Log file                                   | SSLLogFile file                                | renamed                                         |
| SSL_Connect flag                               | SSLEngine flag                                 | renamed                                         |
| SSL_ClientAuth arg                             | SSLVerifyClient arg                            | renamed                                         |
| SSL_X509VerifyDepth arg                        | SSLVerifyDepth arg                             | renamed                                         |
| SSL_FetchKeyPhraseFrom arg                     | -                                              | not directly mappable; use SSLPassPhraseDialog  |
| SSL_SessionDir dir                             | -                                              | not directly mappable; use SSLSessionCache      |
| SSL_Require expr                               | -                                              | not directly mappable; use SSLRequire           |
| SSL_CertFileType arg                           | -                                              | functionality not supported                     |
| SSL_KeyFileType arg                            | -                                              | functionality not supported                     |
| SSL_X509VerifyPolicy arg                       | -                                              | functionality not supported                     |
| SSL_LogX509Attributes arg                      | -                                              | functionality not supported                     |
| Stronghold 2.x compatibility:                  |                                                |                                                 |
| SSLFlag flag                                   | SSLEngine flag                                 | renamed                                         |
| SSLSessionLockFile file                        | SSLMutex file                                  | renamed                                         |
| SSLCipherList spec                             | SSLCipherSuite spec                            | renamed                                         |
| RequireSSL                                     | SSLRequireSSL                                  | renamed                                         |
| SSLErrorFile file                              | -                                              | functionality not supported                     |
| SSLProtocol spec                               | -                                              | functionality not supported                     |
| SSLRoot dir                                    | -                                              | functionality not supported                     |
| SSL_CertificateLogDir dir                      | -                                              | functionality not supported                     |
| AuthCertDir dir                                | -                                              | functionality not supported                     |
| SSL_Group name                                 | -                                              | functionality not supported                     |
| SSLProxyMachineCertPath dir                    | -                                              | functionality not supported                     |
| SSLProxyMachineCertFile file                   | -                                              | functionality not supported                     |
| SSLProxyCACertificatePath dir                  | -                                              | functionality not supported                     |
| SSLProxyCACertificateFile file                 | -                                              | functionality not supported                     |
| SSLProxyVerifyDepth number                     | -                                              | functionality not supported                     |
| SSLProxyCipherList spec                        | -                                              | functionality not supported                     |

[ Table 1 : Configuration Directive Mapping ]
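The following Python script is an added example, not part of mod_ssl: it emulates the on-the-fly mapping for the Apache-SSL 1.x rows of Table 1 so that an administrator can preview the conversion of an old httpd.conf before switching modules. The mapping table is taken from Table 1; the sample virtual host is constructed, and dropping a directive with a warning mirrors the logfile warning described above for directives without a mod_ssl counterpart.

```python
"""Rewrite Apache-SSL 1.x directives into their mod_ssl 2.0.x equivalents.

Added example, not part of mod_ssl itself: it mimics the on-the-fly
mapping for the Apache-SSL rows of Table 1 so an administrator can
preview what mod_ssl will do with an old configuration.
"""

# Direct mappings (old directive -> mod_ssl directive) from Table 1.
# None means mod_ssl has no counterpart: the directive is dropped and
# reported, like the warning mod_ssl writes to its logfile.
DIRECT = {
    "SSLEnable": "SSLEngine on",
    "SSLDisable": "SSLEngine off",
    "SSLLogFile": "SSLLog",
    "SSLRequiredCiphers": "SSLCipherSuite",
    "SSLFakeBasicAuth": "SSLOptions +FakeBasicAuth",
    "SSLExportClientCertificates": "SSLOptions +ExportCertData",
    "SSLCacheServerPath": None,
    "SSLCacheServerPort": None,
    "SSLCacheServerRunDir": None,
}


def _cipher_set(args):
    # Turn "c1 c2 ..." into the {"c1", "c2"} set literal used by SSLRequire.
    return "{" + ", ".join('"%s"' % a for a in args) + "}"


def map_directive(line):
    """Return (new_line, warning) for one configuration line.

    new_line is None when the directive has no mod_ssl counterpart;
    warning is None when the line was mapped silently.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line, None  # comments and blank lines pass through
    parts = stripped.split()
    name, args = parts[0], parts[1:]
    indent = line[: len(line) - len(line.lstrip())]

    # Generalized forms: the cipher lists become an SSLRequire expression.
    if name == "SSLRequireCipher":
        return indent + "SSLRequire %%{SSL_CIPHER} in %s" % _cipher_set(args), None
    if name == "SSLBanCipher":
        return indent + "SSLRequire not (%%{SSL_CIPHER} in %s)" % _cipher_set(args), None

    if name in DIRECT:
        target = DIRECT[name]
        if target is None:
            return None, "%s: functionality removed in mod_ssl, directive dropped" % name
        # Compactified/merged forms already carry their argument ("SSLEngine on");
        # renamed forms keep the original arguments.
        return indent + " ".join([target] + args), None

    # Anything else (ordinary Apache directives, container tags, directives
    # that are already mod_ssl ones) is passed through unchanged.
    return line, None


def convert(config_text):
    """Convert a whole configuration; returns (new_text, list_of_warnings)."""
    out, warns = [], []
    for line in config_text.splitlines():
        new, warn = map_directive(line)
        if warn:
            warns.append(warn)
        if new is not None:
            out.append(new)
    return "\n".join(out), warns


# Constructed sample of an Apache-SSL 1.x virtual host (not a real config).
SAMPLE = """\
<VirtualHost _default_:443>
    SSLEnable
    SSLLogFile /var/log/httpd/ssl.log
    SSLRequiredCiphers RC4-MD5:RC4-SHA:DES-CBC3-SHA
    SSLRequireCipher RC4-MD5 RC4-SHA
    SSLBanCipher NULL-MD5 NULL-SHA
    SSLFakeBasicAuth
    SSLCacheServerPath /usr/local/apache/bin/gcache
    SSLCacheServerPort 1234
</VirtualHost>
"""

if __name__ == "__main__":
    text, warns = convert(SAMPLE)
    print(text)
    for w in warns:
        print("WARNING:", w)
```

Running the script prints the converted virtual host followed by two warnings, one for each of the SSLCacheServer* directives that Table 1 lists as removed; anything it warns about has to be reviewed by hand (for the session cache, that means configuring SSLSessionCache).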
 

Environment Variables

When the server is configured with the “SSLOptions +CompatEnvVars” directive, additional mod_ssl environment variables are generated. The currently implemented environment variables are shown in Table 2.

| Old Variable                   | mod_ssl Variable         | Comment                  |
|--------------------------------|--------------------------|--------------------------|
| SSL_PROTOCOL_VERSION           | SSL_PROTOCOL             | renamed                  |
| SSLEAY_VERSION                 | SSL_VERSION_LIBRARY      | renamed                  |
| HTTPS_SECRETKEYSIZE            | SSL_CIPHER_USEKEYSIZE    | renamed                  |
| HTTPS_KEYSIZE                  | SSL_CIPHER_ALGKEYSIZE    | renamed                  |
| HTTPS_CIPHER                   | SSL_CIPHER               | renamed                  |
| HTTPS_EXPORT                   | SSL_CIPHER_EXPORT        | renamed                  |
| SSL_SERVER_KEY_SIZE            | SSL_CIPHER_ALGKEYSIZE    | renamed                  |
| SSL_SERVER_CERTIFICATE         | SSL_SERVER_CERT          | renamed                  |
| SSL_SERVER_CERT_START          | SSL_SERVER_V_START       | renamed                  |
| SSL_SERVER_CERT_END            | SSL_SERVER_V_END         | renamed                  |
| SSL_SERVER_CN                  | SSL_SERVER_S_DN_CN       | renamed                  |
| SSL_SERVER_EMAIL               | SSL_SERVER_S_DN_Email    | renamed                  |
| SSL_SERVER_O                   | SSL_SERVER_S_DN_O        | renamed                  |
| SSL_SERVER_OU                  | SSL_SERVER_S_DN_OU       | renamed                  |
| SSL_SERVER_C                   | SSL_SERVER_S_DN_C        | renamed                  |
| SSL_SERVER_SP                  | SSL_SERVER_S_DN_SP       | renamed                  |
| SSL_SERVER_L                   | SSL_SERVER_S_DN_L        | renamed                  |
| SSL_SERVER_ICN                 | SSL_SERVER_I_DN_CN       | renamed                  |
| SSL_SERVER_IEMAIL              | SSL_SERVER_I_DN_Email    | renamed                  |
| SSL_SERVER_IO                  | SSL_SERVER_I_DN_O        | renamed                  |
| SSL_SERVER_IOU                 | SSL_SERVER_I_DN_OU       | renamed                  |
| SSL_SERVER_IC                  | SSL_SERVER_I_DN_C        | renamed                  |
| SSL_SERVER_ISP                 | SSL_SERVER_I_DN_SP       | renamed                  |
| SSL_SERVER_IL                  | SSL_SERVER_I_DN_L        | renamed                  |
| SSL_CLIENT_CERTIFICATE         | SSL_CLIENT_CERT          | renamed                  |
| SSL_CLIENT_CERT_START          | SSL_CLIENT_V_START       | renamed                  |
| SSL_CLIENT_CERT_END            | SSL_CLIENT_V_END         | renamed                  |
| SSL_CLIENT_CN                  | SSL_CLIENT_S_DN_CN       | renamed                  |
| SSL_CLIENT_EMAIL               | SSL_CLIENT_S_DN_Email    | renamed                  |
| SSL_CLIENT_O                   | SSL_CLIENT_S_DN_O        | renamed                  |
| SSL_CLIENT_OU                  | SSL_CLIENT_S_DN_OU       | renamed                  |
| SSL_CLIENT_C                   | SSL_CLIENT_S_DN_C        | renamed                  |
| SSL_CLIENT_SP                  | SSL_CLIENT_S_DN_SP       | renamed                  |
| SSL_CLIENT_L                   | SSL_CLIENT_S_DN_L        | renamed                  |
| SSL_CLIENT_ICN                 | SSL_CLIENT_I_DN_CN       | renamed                  |
| SSL_CLIENT_IEMAIL              | SSL_CLIENT_I_DN_Email    | renamed                  |
| SSL_CLIENT_IO                  | SSL_CLIENT_I_DN_O        | renamed                  |
| SSL_CLIENT_IOU                 | SSL_CLIENT_I_DN_OU       | renamed                  |
| SSL_CLIENT_IC                  | SSL_CLIENT_I_DN_C        | renamed                  |
| SSL_CLIENT_ISP                 | SSL_CLIENT_I_DN_SP       | renamed                  |
| SSL_CLIENT_IL                  | SSL_CLIENT_I_DN_L        | renamed                  |
| SSL_SERVER_KEY_EXP             | -                        | not supported by mod_ssl |
| SSL_SERVER_KEY_ALGORITHM       | -                        | not supported by mod_ssl |
| SSL_SERVER_SIGNATURE_ALGORITHM | -                        | not supported by mod_ssl |
| SSL_SERVER_SESSIONDIR          | -                        | not supported by mod_ssl |
| SSL_SERVER_CERTIFICATELOGDIR   | -                        | not supported by mod_ssl |
| SSL_SERVER_CERTFILE            | -                        | not supported by mod_ssl |
| SSL_SERVER_KEYFILE             | -                        | not supported by mod_ssl |
| SSL_SERVER_KEYFILETYPE         | -                        | not supported by mod_ssl |
| SSL_CLIENT_KEY_EXP             | -                        | not supported by mod_ssl |
| SSL_CLIENT_KEY_ALGORITHM       | -                        | not supported by mod_ssl |
| SSL_CLIENT_KEY_SIZE            | -                        | not supported by mod_ssl |
| SSL_CLIENT_SIGNATURE_ALGORITHM | -                        | not supported by mod_ssl |

[ Table 2 : Environment Variable Derivation ]
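As an added example (not mod_ssl's own code), the Python below reproduces what “SSLOptions +CompatEnvVars” does from the point of view of a CGI script: it derives the old variable names of Table 2 from the mod_ssl names. The sample environment is constructed. The point that matters for a script doing client-certificate authorization is in client_cn: read the canonical mod_ssl name first, and treat a missing variable as "no verified certificate" rather than as an empty string.

```python
"""Derive the old (Apache-SSL/Sioux-style) environment variable names from
the mod_ssl ones, mirroring "SSLOptions +CompatEnvVars" (Table 2).

Added example, not mod_ssl's own code.
"""
import os

# Old name -> mod_ssl name, for the rows of Table 2 that have a counterpart.
COMPAT = {
    "SSL_PROTOCOL_VERSION": "SSL_PROTOCOL",
    "SSLEAY_VERSION": "SSL_VERSION_LIBRARY",
    "HTTPS_SECRETKEYSIZE": "SSL_CIPHER_USEKEYSIZE",
    "HTTPS_KEYSIZE": "SSL_CIPHER_ALGKEYSIZE",
    "HTTPS_CIPHER": "SSL_CIPHER",
    "HTTPS_EXPORT": "SSL_CIPHER_EXPORT",
    "SSL_SERVER_KEY_SIZE": "SSL_CIPHER_ALGKEYSIZE",
    "SSL_SERVER_CERTIFICATE": "SSL_SERVER_CERT",
    "SSL_SERVER_CERT_START": "SSL_SERVER_V_START",
    "SSL_SERVER_CERT_END": "SSL_SERVER_V_END",
    "SSL_CLIENT_CERTIFICATE": "SSL_CLIENT_CERT",
    "SSL_CLIENT_CERT_START": "SSL_CLIENT_V_START",
    "SSL_CLIENT_CERT_END": "SSL_CLIENT_V_END",
}

# The DN rows of Table 2 follow one pattern per side (SERVER/CLIENT):
#   SSL_<side>_<attr>  -> SSL_<side>_S_DN_<attr>   (subject)
#   SSL_<side>_I<attr> -> SSL_<side>_I_DN_<attr>   (issuer)
DN_ATTRS = {"CN": "CN", "EMAIL": "Email", "O": "O", "OU": "OU",
            "C": "C", "SP": "SP", "L": "L"}
for side in ("SERVER", "CLIENT"):
    for old, new in DN_ATTRS.items():
        COMPAT["SSL_%s_%s" % (side, old)] = "SSL_%s_S_DN_%s" % (side, new)
        COMPAT["SSL_%s_I%s" % (side, old)] = "SSL_%s_I_DN_%s" % (side, new)


def derive_compat_env(env):
    """Return a copy of env with the old variable names filled in.

    Only variables mod_ssl actually set are mirrored. An old name whose
    mod_ssl counterpart is absent (e.g. no client certificate presented)
    stays absent, so a legacy script cannot mistake an empty string for
    a verified value.
    """
    out = dict(env)
    for old, new in COMPAT.items():
        if new in env and old not in out:
            out[old] = env[new]
    return out


def client_cn(env):
    """Subject CN of the verified client certificate, or None if there is none.

    Prefers the canonical mod_ssl name and falls back to the compat name,
    so the same script works with and without +CompatEnvVars.
    """
    return env.get("SSL_CLIENT_S_DN_CN") or env.get("SSL_CLIENT_CN") or None


# Constructed sample environment as mod_ssl would hand it to a CGI script
# (all values are made up).
SAMPLE_ENV = {
    "HTTPS": "on",
    "SSL_PROTOCOL": "TLSv1",
    "SSL_CIPHER": "DES-CBC3-SHA",
    "SSL_CIPHER_USEKEYSIZE": "168",
    "SSL_CIPHER_ALGKEYSIZE": "168",
    "SSL_CIPHER_EXPORT": "false",
    "SSL_VERSION_LIBRARY": "OpenSSL/0.9.6",
    "SSL_SERVER_S_DN_CN": "www.example.com",
    "SSL_SERVER_I_DN_O": "Example CA",
    "SSL_CLIENT_S_DN_CN": "alice",
    "SSL_CLIENT_S_DN_Email": "alice@example.com",
}

if __name__ == "__main__":
    # Use the real CGI environment when running under mod_ssl, else the sample.
    source = os.environ if "SSL_PROTOCOL" in os.environ else SAMPLE_ENV
    env = derive_compat_env(source)
    for name in sorted(n for n in env if n not in source):
        print("%s=%s" % (name, env[name]))
    print("client certificate CN:", client_cn(env))
```

Note that SSL_SERVER_KEY_SIZE and HTTPS_KEYSIZE both derive from SSL_CIPHER_ALGKEYSIZE, exactly as Table 2 states, so a legacy script reading either sees the cipher's algorithm key size, not the size of the server's RSA key.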

Custom Log Functions

When mod_ssl is compiled into Apache or loaded as a DSO module, additional functions are available for the Custom Log Format. The “%{varname}x” eXtension format function is used to expand any variable provided by any module, and the additional “%{name}c” cryptography format function is provided for backward compatibility. The currently implemented function calls are shown in Table 3.

| Function Call    | Description                                  |
|------------------|----------------------------------------------|
| %...{version}c   | SSL protocol version                         |
| %...{cipher}c    | SSL cipher                                   |
| %...{subjectdn}c | Client Certificate Subject Distinguished Name |
| %...{issuerdn}c  | Client Certificate Issuer Distinguished Name  |
| %...{errcode}c   | Certificate Verification Error (numerical)   |
| %...{errstr}c    | Certificate Verification Error (string)      |

[ Table 3 : Custom Log Cryptography Function ]
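As an added example that is not part of mod_ssl, the Python below parses access-log lines written with the %{name}c functions of Table 3 and reports requests whose client certificate failed verification, plus a per-protocol/cipher count. The LogFormat string in the comment and the sample log lines are constructed for this illustration; that a function with no value (for instance when no client certificate was presented) is logged as “-” is an assumption of the example.

```python
"""Parse access-log lines written with mod_ssl's %{name}c cryptography
format functions (Table 3) and report failed certificate verifications.

Added example, not part of mod_ssl: the LogFormat and the sample lines
are constructed for this illustration.
"""
import re

# Assumed Apache LogFormat that produced the sample lines below:
#   LogFormat "%h %t \"%r\" %>s %{version}c %{cipher}c \"%{subjectdn}c\" \
#              \"%{issuerdn}c\" %{errcode}c \"%{errstr}c\"" sslcrypto
LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<version>\S+) (?P<cipher>\S+) "(?P<subjectdn>[^"]*)" "(?P<issuerdn>[^"]*)" '
    r'(?P<errcode>\S+) "(?P<errstr>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of the fields, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Assumption: a function with no value is logged as "-" (e.g. no client
    # certificate); represent that as None rather than the string "-".
    for k in ("subjectdn", "issuerdn", "errcode", "errstr"):
        if rec[k] == "-":
            rec[k] = None
    return rec


def verification_failures(lines):
    """Records whose certificate verification error code is non-zero."""
    failures = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["errcode"] not in (None, "0"):
            failures.append(rec)
    return failures


def cipher_summary(lines):
    """Count (protocol version, cipher) pairs, e.g. to find clients still on SSLv2."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["version"], rec["cipher"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample log lines (hosts, names, times and errors are made up).
SAMPLE_LOG = [
    '192.0.2.10 [10/Oct/2000:13:55:36 +0900] "GET /secure/ HTTP/1.0" 200 TLSv1 DES-CBC3-SHA '
    '"/C=KR/O=Example/CN=alice" "/C=KR/O=Example CA/CN=Example Root" 0 "ok"',
    '192.0.2.11 [10/Oct/2000:13:56:01 +0900] "GET /secure/ HTTP/1.0" 403 SSLv3 RC4-MD5 '
    '"/C=KR/O=Example/CN=mallory" "/C=KR/O=Unknown/CN=Self" 20 "unable to get local issuer certificate"',
    '192.0.2.12 [10/Oct/2000:13:57:12 +0900] "GET / HTTP/1.0" 200 SSLv2 EXP-RC4-MD5 '
    '"-" "-" - "-"',
    'garbage line that does not match the format',
]

if __name__ == "__main__":
    for rec in verification_failures(SAMPLE_LOG):
        print("verification failed for %s (%s): %s"
              % (rec["host"], rec["subjectdn"], rec["errstr"]))
    for (ver, ciph), n in sorted(cipher_summary(SAMPLE_LOG).items()):
        print("%-6s %-14s %d" % (ver, ciph, n))
```

Keeping errcode and errstr in the log, as Table 3 allows, is what makes the failure report possible after the fact; the subject and issuer DN fields then tell an administrator which client and which CA were involved without having to reconstruct the handshake.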

Posted by Golmong