On 02/17/2010 02:08 AM, NT984 wrote:
I am converting from a Verisign SSL Certificate to a Network Solutions EV SSL
Cert on my site. My existing configuration uses the following directives:

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2
SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.cert
SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
SSLCACertificateFile /etc/apache2/ssl.crt/my.blah.com.intermediate.crt

In the Network Solutions instructions, it recommends using the following:
SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
SSLCertificateChainFile /etc/apache2/ssl.crt/Apache_Plesk_Install.txt

In the http://httpd.apache.org/docs/2.0/mod/mod_ssl.html Apache mod_ssl
documentation, it states the following:

SSLCertificateChainFile
This should be used alternatively and/or additionally to
SSLCACertificatePath for explicitly constructing the server certificate
chain which is sent to the browser in addition to the server certificate. It
is especially useful to avoid conflicts with CA certificates when using
client authentication. Because although placing a CA certificate of the
server certificate chain into SSLCACertificatePath has the same effect for
the certificate chain construction, it has the side-effect that client
certificates issued by this same CA certificate are also accepted on client
authentication.

Example:
SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt

SSLCACertificateFile
This directive sets the all-in-one file where you can assemble the
Certificates of Certification Authorities (CA) whose clients you deal with.
These are used for Client Authentication. Such a file is simply the
concatenation of the various PEM-encoded Certificate files, in order of
preference. This can be used alternatively and/or additionally to
SSLCACertificatePath.

Example
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt


My question is: should I include both directives in my configuration? Is
there an advantage to doing so? Now that I am upgrading, do I need to
consider modifying my SSLCipherSuite setting?

Any help would be appreciated.

Thx. nt


NT,

You should use SSLCertificateChainFile if you're on Apache 2.2. If you're on Apache 1.x, then typically you'll want to use SSLCACertificateFile. In Apache 2, SSLCACertificateFile is for Client Authentication, whereas in earlier versions it was for the Certificate Authority. Earlier versions of Apache 2.0 were able to use both interchangeably. Do not use both at the same time, unless you're doing Client Authentication.

As far as your cipher suite goes, you'll also want to disable MD5-based ciphers. (Opera 9.x will warn of weak ciphers in use, as there are a few MD5-based ones in SSLv3/TLSv1.x.)

Hope this helps,

--Sal
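Two checks that go with Sal's advice, added here as an example rather than code from the thread or from Apache: expanding an SSLCipherSuite string to see which suites (MD5-based ones included) the local OpenSSL would really enable, and listing the subject and issuer of every certificate in a chain file so its order can be confirmed before it goes into SSLCertificateChainFile. It assumes the `openssl` command-line tool is installed; the `!MD5` suffix on the hardened string is this example's reading of the reply, not a string from the list.

```shell
#!/bin/sh
# Added example (not from the thread or from Apache). Two pre-reload checks:
# what an SSLCipherSuite string really enables, and whether a chain file is
# ordered the way SSLCertificateChainFile expects.

# The cipher string from the original post, and the same string with the
# MD5-based suites removed (the !MD5 suffix is this example's assumption
# about how to apply the reply's advice).
ORIGINAL='ALL:!ADH:!EXP:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2'
HARDENED='ALL:!ADH:!EXP:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!MD5'

# Expand a cipher string into the suites the local OpenSSL would offer, one
# per line; `openssl ciphers -v` prints Kx=, Au=, Enc= and Mac= columns.
# Prints nothing and fails if OpenSSL rejects the string or is not installed.
expand_ciphers() {
    openssl ciphers -v "$1" 2>/dev/null
}

# Number of suites in a cipher string whose MAC is MD5 (0 when there are none).
count_md5_ciphers() {
    expand_ciphers "$1" | grep -c 'Mac=MD5' || true
}

# Print subject and issuer of every certificate in a PEM bundle, in file
# order. For SSLCertificateChainFile the issuer of each certificate should
# match the subject of the next one (the leaf's issuer first, the root last).
chain_order() {
    dir=$(mktemp -d) || return 1
    # Split the bundle into one numbered file per certificate, keeping order.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n > 0 { print > (d "/" sprintf("%03d", n) ".pem") }' "$1"
    for f in "$dir"/*.pem; do
        openssl x509 -in "$f" -noout -subject -issuer
    done
    rm -rf "$dir"
}

# Usage when run directly: report both strings. For a chain file, call e.g.
# chain_order /etc/apache2/ssl.crt/Apache_Plesk_Install.txt
for s in "$ORIGINAL" "$HARDENED"; do
    echo "$s -> $(count_md5_ciphers "$s") MD5-based suite(s)"
done
```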



______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org
