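Apache 2.4 drops the SSLCertificateChainFile directive: details
Date: 2016-07-04  Editor: 简简单单  Source: 一聚教程网
When upgrading from Apache 2.2 to Apache 2.4, configuring SSL took an unexpectedly long time, so I am writing it down here.
As of Apache 2.4, the SSLCertificateChainFile directive no longer exists. Save the contents of the server certificate and the intermediate certificate in a single file, and specify that file in the SSLCertificateFile directive.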
http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile
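Certificate layout
Certificate layout in Apache 2.2
SSLCertificateKeyFile : private key
SSLCertificateFile : server certificate
SSLCertificateChainFile : intermediate certificate
Certificate layout in Apache 2.4
SSLCertificateKeyFile : private key
SSLCertificateFile : server certificate and intermediate certificate
The ssl.conf file
Given the above, the ssl.conf configuration for Apache 2.2 and for Apache 2.4 is as follows.
ssl.conf for Apache 2.2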
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
ErrorLog logs/ssl_error_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
SSLCertificateChainFile conf/ssl/chain.crt
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_access_log ltsv_ssl
ssl.conf for Apache 2.4
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
ErrorLog logs/ssl_error_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
SSLOptions +StdEnvVars
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_access_log ltsv_ssl
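
One way to do the merge described above, as an added example that is not part of the original article: merge_chain writes the server certificate followed by the intermediate certificate into one file, and migrate_conf rewrites a 2.2-style ssl.conf to use it. The function names and file paths are assumptions, and the script assumes the config holds a single certificate, as in the ssl.conf shown here.

```shell
#!/bin/sh
# Added example, not from the original article. All paths are constructed.

# merge_chain LEAF CHAIN OUT
# Writes the server certificate first, then the intermediate certificate(s).
merge_chain() {
    leaf=$1; chain=$2; out=$3
    for f in "$leaf" "$chain"; do
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || {
            echo "no PEM certificate in $f" >&2; return 1; }
    done
    # The merged file is made world-readable below, so refuse any private key.
    if grep -q -e 'PRIVATE KEY-----' "$leaf" "$chain"; then
        echo "private key found in a certificate input" >&2; return 1
    fi
    # awk ends every line with a newline and strips CR, so an input without a
    # final newline cannot fuse its END line with the next BEGIN line.
    awk '{ sub(/\r$/, ""); print }' "$leaf" "$chain" > "$out" || return 1
    chmod 644 "$out"
}

# count_certs FILE: prints the number of certificate blocks in FILE.
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# migrate_conf CONF MERGED
# Keeps CONF.bak, points SSLCertificateFile at MERGED and comments out
# SSLCertificateChainFile. Already commented lines are left alone.
migrate_conf() {
    conf=$1; merged=$2
    cp "$conf" "$conf.bak" || return 1
    awk -v m="$merged" '
        $1 == "SSLCertificateFile"      { print "SSLCertificateFile " m; next }
        $1 == "SSLCertificateChainFile" { print "# " $0; next }
        { print }' "$conf.bak" > "$conf"
}
```

After migrating, running apachectl configtest checks the configuration syntax before the server is restarted.
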
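Notes
In practice, upgrading from Apache 2.2 to Apache 2.4 takes more time than expected, mainly because Apache 2.4 no longer supports some of Apache 2.2's directives and parameters.
Incidentally, using https on Apache requires installing mod_ssl; after installing it, edit the /etc/httpd/conf.d/ssl.conf file.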
# yum install mod_ssl