Mod_ssl.so for windows
Even today, the version 1. Confirming: 1. Apparently, the "experimental" tag applies to the entire 1. Only wasted 2 hours of my day before I discovered this thread! Thank you so much!! Version v1.

Which distribution/OS are you using? Naga a2enmod is from the Debian world. If you install Apache from source, then yum will not be able to detect it.


With the introduction of this directive, the behavior has been changed: when checking is enabled, CRLs must be present for the validation to succeed; otherwise it will fail with an "unable to get certificate CRL" error. These are used to revoke the remote server certificate on Remote Server Authentication.

This directive sets whether the remote server certificate's CN field is compared against the hostname of the request URL. If they are not equal, a Bad Gateway status code is sent. In all releases 2. In these releases, both directives must be set to off to completely avoid remote server certificate name validation. Many users reported this to be very confusing. As of release 2. Only the following configuration will trigger the legacy certificate CN comparison in 2.

This directive sets whether the remote server certificate is checked for expiry. If the check fails, a Bad Gateway status code is sent. The check will succeed if the host name from the request URI matches one of the CN attributes of the certificate's subject, or matches the subjectAltName extension. This feature was introduced in 2.

This directive sets the all-in-one file where you keep the certificate chain for all of the client certificates in use.

This directive will be needed if the remote server presents a list of CA certificates that are not direct signers of one of the configured client certificates. This referenced file is simply the concatenation of the various PEM-encoded certificate files. Upon startup, each configured client certificate will be examined and a chain of trust will be constructed.

This directive sets the all-in-one file where you keep the certificates and keys used for authentication of the proxy server to remote servers.

The referenced file can contain any number of pairs of client certificate and associated private key. Each pair can be specified in either certificate, key or key, certificate order. If the file includes any non-leaf certificate, or any unmatched key and certificate pair, a configuration error will be issued at startup. When challenged to provide a client certificate by a remote server, the server should provide a list of acceptable certificate authority names in the challenge.

The first configured matching certificate will then be supplied in response to the challenge. Keys encoded in PKCS8 format, ie.

This directive sets the directory where you keep the client certificates and keys used for authentication of the proxy server to remote servers.

It will only connect to servers using one of the provided protocols. Please refer to SSLProtocol for additional information.

When a proxy is configured to forward requests to a remote SSL server, this directive can be used to configure certificate verification of the remote server. The depth is actually the maximum number of intermediate certificate issuers, i. A depth of 0 means that only self-signed remote server certificates are accepted; the default depth of 1 means the remote server certificate can be self-signed or has to be signed by a CA which is directly known to the server i.

This directive can only be used in the global server context because the PRNG is a global facility. This is the always-available builtin seeding source. Its usage consumes minimal CPU cycles at runtime and hence can always be used without drawbacks. The source used for seeding the PRNG consists of the current time, the current process id and a randomly chosen extract of bytes from the stack.

The drawback is that this is not really a strong source, and at startup time, when the scoreboard is still not available, this source produces only a few bytes of entropy. So you should always, at least for the startup, use an additional seeding source. The drawback is just that the quality of the received data may not be the best. When bytes is specified, only the first bytes bytes of its stdout contents form the entropy.

When bytes is not specified, the entirety of the data produced on stdout forms the entropy. Using this in the connection context slows down the server too dramatically, of course, so you should usually avoid using external programs in that context. Use this if no random device exists on your platform.

This directive can be used to set the amount of memory that will be used for this buffer. Note that in many configurations the client sending the request body will be untrusted, so a denial-of-service attack by consumption of memory must be considered when changing this configuration setting.

SSLRequire is deprecated and should in general be replaced by Require expr. For the latter, there are also aliases without the leading dashes: lt, le, and so on.

This directive specifies a general access requirement which has to be fulfilled in order to allow access. It is a very powerful directive because the requirement specification is an arbitrarily complex boolean expression containing any number of access checks.

For varname, any of the variables described in Environment Variables can be used. The expression is parsed into an internal machine representation when the configuration is loaded, and then evaluated during request processing. The expression evaluates to true if the left-hand side string matches exactly the value of an extension identified by this OID. If multiple extensions with the same OID are present, at least one extension must match.

Expressions with types known to the SSL library are rendered to a string before comparison. For an extension of one of these types, the string value will be converted to UTF-8 if necessary, then compared against the left-hand-side expression.

HTTPS is enabled for the current connection. This is very handy inside the SSL-enabled virtual host or directories for defending against configuration errors that expose stuff that should be protected.

When this directive is present, all requests which are not using SSL are denied.

This cache is an optional facility which speeds up parallel request processing. Because modern clients request inlined images and other data via parallel requests (usually up to four parallel requests are common), those requests are served by different pre-forked server processes. Here an inter-process cache helps to avoid unnecessary session handshakes. This will incur a noticeable speed penalty and may cause problems if using certain browsers, particularly if client certificates are enabled.

This setting is not recommended. This session cache may suffer reliability issues under high load. This makes use of a high-performance cyclic buffer approx. This is the recommended session cache. This makes use of the distcache distributed session caching libraries.

The ssl-cache mutex is used to serialize access to the session cache to prevent corruption. This mutex can be configured using the Mutex directive.

It can be set as low as 15 for testing, but should be set to higher values in real life.

Primarily suitable for clustered environments where TLS session information should be shared between multiple nodes. The ticket key file must contain 48 bytes of random data, preferably created from a high-entropy source.

On a Unix-based system, a ticket key file can be created as follows:

Ticket keys should be rotated (replaced) on a frequent basis, as this is the only way to invalidate an existing session ticket; OpenSSL currently doesn't allow specifying a limit for ticket lifetimes. A new ticket key only gets used after restarting the web server. All existing session tickets become invalid after a restart. The ticket key file contains sensitive keying material and should be protected with file permissions similar to those used for SSLCertificateKeyFile.

TLS session tickets are enabled by default. Using them without restarting the web server with an appropriate frequency e.

This directive sets the seed used to fake SRP user parameters for unknown users, to avoid leaking whether a given user exists.

Specify a secret string.

Configuration of a cache is mandatory for OCSP stapling. With the exception of none and nonenotnull, the same storage types are supported as with SSLSessionCache.

One potential use is when a proxy is used for retrieving OCSP queries.

This option sets the maximum allowable age ("freshness") when considering OCSP responses for stapling purposes, i.