[번역] Apache + SSL 서버 구축을 위한 Mod_SSL Module Chap 4.
기술 이야기/TLS,SSL 2012. 3. 1. 20:44 |Chapter 4 Compatibility
이 장에서는 다른 SSL 솔류션들과의 backward compatibility에 대하여 기술한다. Mod_ssl만이 Apache에서 SSL을 구현한 유일한 솔류션은 아니며, 실질적으로 4개의 솔류션이 더 존재한다: Ben Laurie가 구현한 freeware인 Apache-SSL(mod_ssl의 기반이 됨), RedHat의 상용 서버인 Secure Web Server(mod_ssl에 기반을 둠), Covalent의 상용 소프트웨어인 Raven SSL Module(Apache-SSL에 기반을 둠), 마지막으로 C2Net의 상용 제품인 Stronghold(Sioux라는 다른 개발 branch에 기반을 둠)가 있다.
mod_ssl은 다른 4가지 솔류션의 기능을 대부분 지원할 수
있으며,
대부분의
경우에
있어서
쉽게 backward
compatibility를 제공할 수
있다.
실질적으로
주안점을
두고
있는
compatibility 영역은 다음의 세가지이다:
configuration directive, environment variable, custom log
function.
Configuration Directives
다른 SSL 솔류션의 configuration directive들에 대한 backward compatibility를 위하여 mod_ssl은 on-the-fly mapping을 사용한다: directives which have a direct counterpart in mod_ssl are mapped silently while other directives lead to a warning message in the logfiles. 현재 구현되어 있는 directive mapping은 Table 1에 있다. 현재 완전한 backward compatibility는 단지 Apache-SSL 1.x와 mod_ssl 2.0.x 간에만 이루어져 있으며, Sioux 1.x와 Stronghold 2.x는 mod_ssl이 아직 제공하지 않는 몇가지 기능상의 차이로 인하여 부분적으로만 mapping이 가능하다.
|
Old Directive |
mod_ssl Directive |
Comment |
|
Apache-SSL 1.x & mod_ssl 2.0.x compatibility: |
||
|
SSLEnable |
SSLEngine on |
compactified |
|
SSLDisable |
SSLEngine off |
compactified |
|
SSLLogFile file |
SSLLog file |
compactified |
|
SSLRequiredCiphers spec |
SSLCipherSuite spec |
renamed |
|
SSLRequireCipher c1 ... |
SSLRequire %{SSL_CIPHER} in {"c1", ...} |
generalized |
|
SSLBanCipher c1 ... |
SSLRequire not (%{SSL_CIPHER} in {"c1", ...}) |
generalized |
|
SSLFakeBasicAuth |
SSLOptions +FakeBasicAuth |
merged |
|
SSLCacheServerPath dir |
- |
functionality removed |
|
SSLCacheServerPort integer |
- |
functionality removed |
|
Apache-SSL 1.x compatibility: |
||
|
SSLExportClientCertificates |
SSLOptions +ExportCertData |
Merged |
|
SSLCacheServerRunDir dir |
- |
Functionality not supported |
|
Sioux 1.x compatibility: |
||
|
SSL_CertFile file |
SSLCertificateFile file |
renamed |
|
SSL_KeyFile file |
SSLCertificateKeyFile file |
renamed |
|
SSL_CipherSuite arg |
SSLCipherList arg |
renamed |
|
SSL_X509VerifyDir arg |
SSLCACertificatePath arg |
renamed |
|
SSL_Log file |
SSLLogFile file |
renamed |
|
SSL_Connect flag |
SSLEngine flag |
renamed |
|
SSL_ClientAuth arg |
SSLVerifyClient arg |
renamed |
|
SSL_X509VerifyDepth arg |
SSLVerifyDepth arg |
renamed |
|
SSL_FetchKeyPhraseFrom arg |
- |
not directly mappable; use SSLPassPhraseDialog |
|
SSL_SessionDir dir |
- |
not directly mappable; use SSLSessionCache |
|
SSL_Require expr |
- |
not directly mappable; use SSLRequire |
|
SSL_CertFileType arg |
- |
functionality not supported |
|
SSL_KeyFileType arg |
- |
functionality not supported |
|
SSL_X509VerifyPolicy arg |
functionality not supported |
|
|
SSL_LogX509Attributes arg |
functionality not supported |
|
|
Stronghold 2.x compatibility: |
||
|
SSLFlag flag |
SSLEngine flag |
renamed |
|
SSLSessionLockFile file |
SSLMutex file |
renamed |
|
SSLCipherList spec |
SSLCipherSuite spec |
renamed |
|
RequireSSL |
SSLRequireSSL |
renamed |
|
SSLErrorFile file |
- |
functionality not supported |
|
SSLProtocol spec |
- |
functionality not supported |
|
SSLRoot dir |
- |
functionality not supported |
|
SSL_CertificateLogDir dir |
- |
functionality not supported |
|
AuthCertDir dir |
- |
functionality not supported |
|
SSL_Group name |
- |
functionality not supported |
|
SSLProxyMachineCertPath dir |
- |
Functionality not supported |
|
SSLProxyMachineCertFile file |
- |
Functionality not supported |
|
SSLProxyCACertificatePath dir |
- |
Functionality not supported |
|
SSLProxyCACertificateFile file |
- |
functionality not supported |
|
SSLProxyVerifyDepth number |
- |
functionality not supported |
|
SSLProxyCipherList spec |
- |
functionality not supported |
[ Table 1 : Configuration Directive Mapping ]
Environment Variables
서버를 설정할 때 “SSLOptions +CompatEnvVars” directive를 설정하게 되면 부가적인 mod_ssl 환경 변수들이 생성된다. 현재 구현되어 있는 환경 변수들은 Table 2와 같다.
|
Old Variable |
mod_ssl Variable |
Comment |
|
SSL_PROTOCOL_VERSION |
SSL_PROTOCOL |
renamed |
|
SSLEAY_VERSION |
SSL_VERSION_LIBRARY |
renamed |
|
HTTPS_SECRETKEYSIZE |
SSL_CIPHER_USEKEYSIZE |
renamed |
|
HTTPS_KEYSIZE |
SSL_CIPHER_ALGKEYSIZE |
renamed |
|
HTTPS_CIPHER |
SSL_CIPHER |
renamed |
|
HTTPS_EXPORT |
SSL_CIPHER_EXPORT |
renamed |
|
SSL_SERVER_KEY_SIZE |
SSL_CIPHER_ALGKEYSIZE |
renamed |
|
SSL_SERVER_CERTIFICATE |
SSL_SERVER_CERT |
renamed |
|
SSL_SERVER_CERT_START |
SSL_SERVER_V_START |
renamed |
|
SSL_SERVER_CERT_END |
SSL_SERVER_V_END |
renamed |
|
SSL_SERVER_CN |
SSL_SERVER_S_DN_CN |
renamed |
|
SSL_SERVER_EMAIL |
SSL_SERVER_S_DN_Email |
renamed |
|
SSL_SERVER_O |
SSL_SERVER_S_DN_O |
renamed |
|
SSL_SERVER_OU |
SSL_SERVER_S_DN_OU |
renamed |
|
SSL_SERVER_C |
SSL_SERVER_S_DN_C |
renamed |
|
SSL_SERVER_SP |
SSL_SERVER_S_DN_SP |
renamed |
|
SSL_SERVER_L |
SSL_SERVER_S_DN_L |
renamed |
|
SSL_SERVER_ICN |
SSL_SERVER_I_DN_CN |
renamed |
|
SSL_SERVER_IEMAIL |
SSL_SERVER_I_DN_Email |
renamed |
|
SSL_SERVER_IO |
SSL_SERVER_I_DN_O |
renamed |
|
SSL_SERVER_IOU |
SSL_SERVER_I_DN_OU |
renamed |
|
SSL_SERVER_IC |
SSL_SERVER_I_DN_C |
renamed |
|
SSL_SERVER_ISP |
SSL_SERVER_I_DN_SP |
renamed |
|
SSL_SERVER_IL |
SSL_SERVER_I_DN_L |
renamed |
|
SSL_CLIENT_CERTIFICATE |
SSL_CLIENT_CERT |
renamed |
|
SSL_CLIENT_CERT_START |
SSL_CLIENT_V_START |
renamed |
|
SSL_CLIENT_CERT_END |
SSL_CLIENT_V_END |
renamed |
|
SSL_CLIENT_CN |
SSL_CLIENT_S_DN_CN |
renamed |
|
SSL_CLIENT_EMAIL |
SSL_CLIENT_S_DN_Email |
renamed |
|
SSL_CLIENT_O |
SSL_CLIENT_S_DN_O |
renamed |
|
SSL_CLIENT_OU |
SSL_CLIENT_S_DN_OU |
renamed |
|
SSL_CLIENT_C |
SSL_CLIENT_S_DN_C |
renamed |
|
SSL_CLIENT_SP |
SSL_CLIENT_S_DN_SP |
renamed |
|
SSL_CLIENT_L |
SSL_CLIENT_S_DN_L |
renamed |
|
SSL_CLIENT_ICN |
SSL_CLIENT_I_DN_CN |
renamed |
|
SSL_CLIENT_IEMAIL |
SSL_CLIENT_I_DN_Email |
renamed |
|
SSL_CLIENT_IO |
SSL_CLIENT_I_DN_O |
renamed |
|
SSL_CLIENT_IOU |
SSL_CLIENT_I_DN_OU |
renamed |
|
SSL_CLIENT_IC |
SSL_CLIENT_I_DN_C |
renamed |
|
SSL_CLIENT_ISP |
SSL_CLIENT_I_DN_SP |
renamed |
|
SSL_CLIENT_IL |
SSL_CLIENT_I_DN_L |
renamed |
|
SSL_SERVER_KEY_EXP |
- |
Not supported by mod_ssl |
|
SSL_SERVER_KEY_ALGORITHM |
- |
Not supported by mod_ssl |
|
SSL_SERVER_SIGNATURE_ALGORITHM |
- |
Not supported by mod_ssl |
|
SSL_SERVER_SESSIONDIR |
- |
Not supported by mod_ssl |
|
SSL_SERVER_CERTIFICATELOGDIR |
- |
Not supported by mod_ssl |
|
SSL_SERVER_CERTFILE |
- |
Not supported by mod_ssl |
|
SSL_SERVER_KEYFILE |
- |
Not supported by mod_ssl |
|
SSL_SERVER_KEYFILETYPE |
- |
Not supported by mod_ssl |
|
SSL_CLIENT_KEY_EXP |
- |
Not supported by mod_ssl |
|
SSL_CLIENT_KEY_ALGORITHM |
- |
Not supported by mod_ssl |
|
SSL_CLIENT_KEY_SIZE |
- |
Not supported by mod_ssl |
|
SSL_CLIENT_SIGNATURE_ALGORITHM |
- |
Not supported by mod_ssl |
[ Table 2 : Environment Variable Derivation ]
Custom Log Functions
Mod_ssl이 Apache에 적용되어지거나 혹은 DSO를 이용하여 모듈이 loading되면 Custom Log Format을 위한 부가적인 함수들이 존재한다. “%{varname}x” eXtension format function은 어떤 모듈이 제공하는 변수를 확장(expend)하는데 사용되며, 부가적인 Cryptography인 “%{name}c” cryptography format function은 Backward compatibility를 위해 제공되며, 현재 구현된 함수 호출(function call)은 Table 3과 같다.
|
Function Call |
Description |
|
%...{version}c |
SSL protocol version |
|
%...{cipher}c |
SSL cipher |
|
%...{subjectdn}c |
Client Certificate Subject Distinguished Name |
|
%...{issuerdn}c |
Client Certificate Issuer Distinguished Name |
|
%...{errcode}c |
Certificate Verification Error (numerical) |
|
%...{errstr}c |
Certificate Verification Error (string) |
[ Table 3 : Custom Log Cryptography Function ]