Apache Module mod_ibm_ssl

Description:	Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocol support for IBM HTTP Server
Status:	Extension
Module Identifier:	ibm_ssl_module
Source File:	mod_ibm_ssl.c

Summary

This module provides SSL and TLS support for IBM HTTP Server. This documentation is a supplement to the IBM Information Center and is primarily oriented towards IBM HTTP Server 8.0 and later. If a directive is not listed, consult the information center.

Directives

Topics

Example configuration
Tracing SSL
Elliptic Curve (ECC) in IHS
Elliptic Curve, SP800-131, and related options
SNI - Server Name Indication

Example configuration

Example command line invocation to generate a new keystore with a self-signed certificate in it:

$ /opt/IHS/bin/gskcapicmd -keydb -create -db /opt/IHS/conf/key.kdb -pw yourpassword -stash
$ /opt/IHS/bin/gskcapicmd -cert -create -db /opt/IHS/conf/key.kdb -stashed -size 2048 -sig_alg SHA256_WITH_RSA -san_dnsname example.com,www.example.com -label selfsigned -dn "CN=$(hostname)" -default_cert yes -expire 1000

Example IHS configuration to enable SSL with default ciphers:

Listen 0.0.0.0:443
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
<VirtualHost *:443>
ServerName example.com
SSLEnable
KeyFile /opt/IHS/conf/key.kdb
</VirtualHost>

Tracing SSL

Several kinds of tracing are available with this module.

To trace high level SSL operations, set LogLevel to debug and add SSLTrace to the bottom of the global configuration.
To trace low-level SSL operations, edit bin/envvars in your IHS installation root and add the following variables:
```
GSK_TRACE_FILE=/tmp/gsktrace_log
GSK_TRACE_FILE_SIZE=104857600
GSK_TRACE_FILE_NUMBER=5
export GSK_TRACE_FILE
export GSK_TRACE_FILE_SIZE
export GSK_TRACE_FILE_NUMBER
```
Perform a complete stop and start of the webserver to pickup the environment variable changes.
To trace plaintext communications to diagnose HTTP problems, use mod_net_trace
To log end-to-end handshake times (for diagnosing performance issues), turn on the SSLTrace directive and log the SSL_HANDSHAKE_TIME environment variable, e.g.:
```
LogFormat "%h %l %u %t \"%r\" %>s %b %{SSL_HANDSHAKE_TIME}e" common
```

Elliptic Curve (ECC) in IHS

In 9.0 and later, ECC ciphers are now configured by default on distributed systems. ECC ciphers are preferred over RSA cipher suites. To reverse the cipher order, SSLReverseCipherOrder can be used.
Servers can create ECDSA certificates with bin/gskcapicmd (or gskkyman on z/OS) and use ECDHE-ECDSA ciphers using SSLCipherSpec.

IHS can be configured to prefer an ECDSA certificate if a client supports it and to fallback to an RSA certificate otherwise. See SSLServerCert for more information.

ECDHE-RSA ciphers

TLS_ECDHE_RSA_WITH_NULL_SHA(C010)
TLS_ECDHE_RSA_WITH_RC4_128_SHA(C011)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA(C012)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(C013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(C014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(C027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(C028)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(C02F)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(C030)

ECDHE-ECDSA ciphers (requires ECDSA certificate)

TLS_ECDHE_ECDSA_WITH_RC4_128_SHA(C007)
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA(C008)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(C009)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(C00A)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(C023)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(C024)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(C02B)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(C02C)

z/OS configuration

ICSF must be available to use ECDHE, ECDSA, or AES-GCM ciphers. IHS does not report an error if these ciphers are enabled but not supported on the current level of z/OS. At startup, IHS probes to see if a very basic level of ICSF support appears to be available. If it fails, only a few RSA ciphers are enabled.
ECDHE, ECDSA, and AES-GCM may require granting the webserver userid access to CSFSERV resources. See RACF CSFSERV Resource Requirements in the z/OS System SSL documentation.

Elliptic Curve, SP800-131, and related options

Can an SP800-131a profile be directly configured?: SSLFIPSEnable takes an optional argument of "SP800131A"
Can protocols older than TLSv1.2 be disabled?: See SSLProtocolDisable
Is TLSv1.2 supported?: Yes.
Can TLSV1.2 signature algorithm restrictions be set?: Yes, see SSLAttributeSet with attribute ID 245, a type of BUFF, and a string value such as: "GSK_TLS_SIGALG_RSA_WITH_SHA224,GSK_TLS_SIGALG_RSA_WITH_SHA256,GSK_T LS_SIGALG_RSA_WITH_SHA384,GSK_TLS_SIGALG_RSA_WITH_SHA512,GSK_TLS_SIG ALG_ECDSA_WITH_SHA224,GSK_TLS_SIGALG_ECDSA_WITH_SHA256,GSK_TLS_SIGAL G_ECDSA_WITH_SHA384,GSK_TLS_SIGALG_ECDSA_WITH_SHA512"
Can FIPS140-2 restrictions be enabled?: Yes, see SSLFIPSEnable
Can a "Suite B" profile of settings be configured?: Yes, See SSLSuiteBMode and the optional arguments of SSLFIPSEnable

SNI - Server Name Indication

Server Name Indication (SNI) support for IBM HTTP Server allows certificate selection to be based on the SNI extension sent by TLS clients. It does not allow other handshake-related settings from a name-based virtualhost to be used.

Definitions for SNI

Each virtual host with a matching address-spec (such as "*:443") forms a name-based virtual host group
The first listed virtual host in a name-based virtual host group is the default virtual host

Requirements for SNI

The default virtual host must specify the "SNI" argument to the SSLEnable directive.
Only virtual hosts with a single address-spec (such as "*:443") can participate in SNI.
Non-default virtual hosts for a name-based virtual host should not contain directives from this module (i.e. SSL directives) other than SSLServerCert, SSLEnable. Handshake related directives have no affect on the handshake in non-default virtual hosts.

Two forms of SNI

In the first form of SNI, only a single virtual host is used, and the SSLSNIMap directive is used to map between hostnames and certificate labels.

<virtualhost *:443>
  ServerName example.com
  SSLEnable SNI
  SSLServerCert default
  SSLSNIMap a.example.com sni1-rsa
  # On z/OS, this second label requires PH18102 and z/OS V2R3 (or later)
  SSLSNIMap a.example.com sni1-ecdsa
  SSLSNIMap b.example.com sni2
  KeyFile /opt/IBM/HTTPServer/conf/key.kdb
  # ... Any other SSL directives
</virtualhost>

In the second form of SNI, a series of virtual hosts are created, and the mapping from hostnames to certificate labels is via ServerName, non-wildcard ServerAlias, and SSLServerCert.

# Key store with certificates for each "SSLServerCert" or ServerName in later matching vhosts.
KeyFile /opt/IBM/HTTPServer/conf/key.kdb
<virtualhost *:443>
  ServerName example.com
  SSLEnable SNI
  # ... any other SSL directives to be shared with later matching vhosts
  # If not defined globally, Key store with certificates for each "SSLServerCert" or ServerName in later matching vhosts.
  # KeyFile /opt/IBM/HTTPServer/conf/key.kdb
</virtualhost>
<virtualhost *:443>
  ServerName a.example.com
  SSLEnable
  SSLServerCert sni1

  # If no global KeyFile is specified, a KeyFile must be listed in each subsequent virtual host. This KeyFile must exist and contain the 
  # specified SSLServerCert but will not be used at runtime.
  # KeyFile /opt/IBM/HTTPServer/conf/key.kdb

  # No other SSL directives should be used, they cannot influence the handshake. Non SSL directives can be scoped to this virtual host.
</virtualhost>
<virtualhost *:443>
  ServerName b.example.com
  ServerAlias other.example.com
  SSLEnable
  SSLServerCert sni2

  # If no global KeyFile is specified, a KeyFile must be listed in each subsequent virtual host. This KeyFile must exist and contain the 
  # specified SSLServerCert but will not be used at runtime.
  # KeyFile /opt/IBM/HTTPServer/conf/key.kdb

  # No other SSL directives should be used, they cannot influence the handshake. Non SSL directives can be scoped to this virtual host.
</virtualhost>

KeyFile Directive

Description:	Identifies the keyfile containing certificates and private keys.
Syntax:	`KeyFile /path/to/key.kdb [/prompt] \| /saf [owner/]saf-keyring-name`
Default:	`unset`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl

This directive configures the SSL key file to be used for the enclosing virtual host. A corresponding stashfile (*.sth) is automatically used with the same base name as the specified KeyFile.

On z/OS, the name of a SAF keyring can be specified following a first argument of /saf. For more details on the syntax and usafe of SAF keyrings, see the definition of GSK_KEYRING_FILE in the z/OS Cryptographic Services System SSL Programming topic in your release of z/OS.

If the second argument is /prompt, IBM HTTP Server will interactively prompt for the corresponding password instead of using the stash file referenced above.

SSLAllowLegacyCerts Directive

Description:	Allows use of non-standard certificate policy.
Syntax:	`SSLAllowLegacyCerts ON\|OFF`
Default:	`ON`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	On z/OS, RFC5280 is replaced with RFC3280 below

When this directive is turned off, only the standard policy for certificates will be applied. That is, only certificates meeting the requirements in RFC5280 (part of the X.509 standard) will be accepted as valid.

The IBM Global Security Kit has deprecated the use of legacy certificates. However, if you still must use a pre-X.509 certificate, this directive may be toggled on and the certificate will be used as long as it is valid.

Compatibility

Prior to PI69979 (9.0.0.0 and 9.0.0.1), the default was OFF on distributed platforms.

SSLAllowNonCriticalInhibitAnyPolicy Directive

Description:	Enables toleration of non-crticial InhibitAnyPolicy extension
Syntax:	`SSLAllowNonCriticalInhibitAnyPolicy ON\|OFF`
Default:	`OFF`
Context:	virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	Requirs PI91351

RFC 5280 requires that the "InhibitAnyPolicy" extension be marked critical. This directive configures IHS to accept a non-critical "InhibitAnyPolicy" extension.

SSLAttributeSet Directive

Description:	Directly configures underlying GSKit security library settings.
Syntax:	`SSLAttributeSet [proxy:]gskit-id val [ENUM\|NUMERIC\|BUFF\|BUFFNULL]`
Default:	`none`
Context:	virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	IHS 7.0 only supports setting "enum" types, and doesn't support the "proxy:" prefix. 'BUFFNULL' added in PI76874

Sets underlying IBM Tivoli Global Security Kit (GSKit) configuration. Advanced usage only at the recommendation of IHS support.

These settings are applied after directives such as SSLCipherSpec and generally override what was previously set.

On z/OS, the file /usr/include/gskssl.h contains the symbolic names for the keys and values that are useable with this directive

SSLCheckCertificateExpiration Directive

Description:	Checks for expired or expiring certificates at startup.
Syntax:	`SSLCheckCertificateExpiration days\|-1 ["no_expired"]`
Default:	`Disabled`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	IHS 9.0.0.0 and later. Not available on z/OS.

If this directive is specified with a days parameter greater than zero, IHS will check the validity range of each certificate (personal, issuer, and immediate) in each configured KeyFile during SSL initialization.
For each certificate expiring within the specified number of days, the server will write a ALERT level message to the servers ErrorLog with the message ID "SSL0191E".

If this directive is enabled, certificates which have already expired are printed at NOTICE level with message ID "SSL0192E", unless the second parameter is the string "no_expired". To report only expired certificates, specify -1 for the first parameter.

Example:

Listen 443 # Warn about expired certificates, or certificates expiring in the next 30 days SSLCheckCertificateExpiration 30 <VirtualHost *:443> SSLEnable ... </VirtualHost>

Results in: "SSL0191E: Certificate label 'expiresoon' in key store /opt/IHS/conf/key.kdb will expire in 22 days"

Notes

A KeyFile must be used (by SSLEnable or SSLProxyEngine ON) to be checked.
This directive is merged from the base configuration to each virtual host.
If the same KeyFile is in multiple SSL enabled virtual hosts with this directive implicitly or explicitly specified, the reporting will happen in each virtual host.

SSLCipherSpec Directive

Description:	Determines which SSL ciphers should be permitted.
Syntax:	`SSLCipherSpec [ALL\|SSLv2\|SSLv3\|TLSv10\|TLSv11\|TLSv12\|TLSv13] [+\|-]cipher-shortname\|[+\|-]cipher-longname ...`
Default:	`8.0 and later: reasonable default ciphers (SSLv2, weak, export, and NULL removed)`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	A separate syntax for z/OS is documented in the next section.

z/OS limitations

When the first argument is "ALL", multiple ciphers can appear on one line and can be prefixed with +/- to add to or remove from the compiled-in defaults. On z/OS, the cryptographic library uses a single merged list of ciphers for SSLv3 and all later protocols, so the first argument must always be "ALL" instead of a protocol name.

This directive allows the configuration of the specific SSL ciphers, as well as their order. Each protocol starts with a set of reasonable default ciphers, and this directive can add, remove, or re-order those ciphers.

The first argument specifies the name of a specific SSL protocol whose ciphers will be adjusted, or "ALL" to adjust all protocols for which the following ciphers are applicable. If "ALL" is specified, and a cipher cannot be removed or added due to not being applicable to that protocol, no error is reported. This allows a cipher to be added or removed from any protocol where it might be supported, without having to know in advance exactly where it applies.

Protocol argument quirks

If a specific protocol is specified, and a cipher does not apply to that protocol (for example, a cipher added in TLSv12 applied to TLSv10), startup will fail.
On z/OS, only "ALL" is permitted due to the way underlying SSL cipher configuration works on this platform
For backward compatibility, The value "TLS" is accepted and applies to TLSv10, TLSv11, TLSv12, and TLSv13. The use of "TLS" should be avoided due to its ambiguity with TLSv10 in other contexts.
A "." seprator is accepted between the final two digits of the protocol, for example "TLSv1.2" is accepted as "TLSv12".

The second argument specifies the cipher to add or remove. Ciphers prefixed with a minus symbol are removed from the current set of ciphers, and ciphers with a plus symbol (or no symbol at all) are added.

Reset defaults

Each protocol starts with a default list of ciphers. The cipher list for each protocol is ordered, the server picks the first entry in the cipher list that the client also supports. This list can be changed in several ways:

You can add or subtract specific ciphers with the +/- syntax. Additions append to the cipher list, meaning additions have a lower precedence.
You can empty the list (default or otherwise) with a special value of NONE.
If the first cipher in an SSLCipherSpec directive has no + or -, and it affects protocol X and protocol X is still using its default list, the requested cipher replaces the default list (this is effectively the legacy behavior). Subsequent changes to protocol X without +/- act as if + was present.
After PH30598 (9.0.5.7, 8.5.5.19) the pseudo-cipher "-RSA" may be used to remove RSA key exchange ciphers from the defaults. It must be the first cipher argument and no other cipher arguments may follow on the same line. It only removes RSA key exchange ciphers that are enabled by default, if weaker RSA ciphers have been explicitly added prior to this directive, they will not be removed.
"-CBC" is also supported with similar semantics as "-RSA"

After PH51473, the RSA and CBC pseudo-ciphers can be used with a "+" prefix.

The third case is a complicated compromise to tolerate legacy configurations while protecting against "SSLCipherSpec very-old-cipher" disabling more advanced ciphers inadvertently, in future protocols where very-old-cipher is not applicable

The second argument can be repeated, but "NONE" is only accepted in the initial position.

The first time a protocol is changed by this directive, if the cipher argument is not prefixed by a plus or minus symbol, the defaults are discarded and the current cipher becomes the only cipher.

Legacy syntax

A legacy syntax is supported which includes a single argument (cipher name), however its use is not recommended and may not be combined with the full syntax above. The legacy syntax is likely to counter-intuitively disable ciphers new to TLSv1.2 when common ciphers are configured.

When the legacy syntax is used, the following logic is applied: For each protocol, If the specified cipher is applicable to the protocol, and the protocol is still using the default cipher list, the cipher list is replaced by the specified protocol. If the defaults are not in use (as in for subsequent uses of this directive) then the cipher is added to the current overridden list.

To illustrate the undesirable affects of the legact syntax:

"SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA256" is a TLSv12-only cipher, so it indirectly disables all other TLSv12 ciphers but doesn't do anything to the TLSv11 or TLSv10 cipher list.
"SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5" specifies a cipher present ONLY in TLS prior to TLSv12. This directive sets TLSv10 and TLSv11 to just the specified cipher but leaves TLSv12 unchanged.
"SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA" is common to TLSv10, TLSv11, and TLSv12. This directive removes all other available ciphers from each of these protocols.

Examples:

# Remove 3DES anywhere it shows up

SSLCipherSpec ALL -SSL_RSA_WITH_3DES_EDE_CBC_SHA

# Replace (no +/-) TLSv12 cipher list 

SSLCipherSpec TLSv12 TLS_RSA_WITH_AES_128_GCM_SHA256

SSLCipherSpec TLSv12 TLS_RSA_WITH_AES_256_GCM_SHA384

# Remove RSA key exchange (non-PFS) ciphers (requires 9.0.5.7 or later)
SSLCipherSpec ALL -RSA

SSLCipherSpec ALL -TLS_RSA_WITH_AES_128_CBC_SHA -TLS_RSA_WITH_AES_256_CBC_SHA

Merging

Normally, this directive is only specified inside a virtual host. In the event it is specified both inside and outside of a virtual host, the virtual hosts configured SSL ciphers will be the union of the two lists.

SSLClientAuth Directive

Description:	Configures IBM HTTP Server to request a client certificate from the browser
Syntax:	`SSLClientAuth none\|optional\|required\|required_reset`
Default:	`SSLClientAuth none`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl

This directive configures if and how IBM HTTP Server will request an SSL certificate from clients. This feature is sometimes referred to as "mutual authentication" because it adds authentication of the client to the typical SSL server authentication.

none: No client certificate will be requested
optional: A client certificate will be requested, but no action is taken if a certificate is not presented.
required: A client certificate will be requested, and a failure to present one will result in a HTTP 403 error.
required_reset: A client certificate will be requested, and a failure to present one will result in a TLS alert being sent to the browser

SSLCompression Directive

Description:	Controls server-side support for TLS Compression
Syntax:	`SSLCompression ON\|OFF`
Default:	`SSLCompression OFF`
Context:	virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	Not available on z/OS.

This directive can be used to re-enable TLS compression TLS compression in web browsers is vulnerable to man in the middle attacks when malicious content is introduced.

SSLDisable Directive

Description:	DisablesSSL for the enclosing virtual host
Syntax:	`SSLDisable`
Default:	`unset`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl

This directive configures the enclosing virtual host to NOT use the SSL protocol. This is only necessary in non-SSL virtual hosts in the unusual case when the base server configuration has been configured for SSL with SSLEnable, which is automatically inherited by all virtual hosts.

SSLEnable Directive

Description:	Enables SSL for the enclosing virtual host
Syntax:	`SSLEnable [SNI]`
Default:	`unset`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl

This directive configures the enclosing virtual host to use the SSL protocol. The SNI option is only valid on the default (first listed) virtualhost for a set of name-based virtual hosts

Graceful Restart

SSL0263W can be issued if mod_ibm_ssl goes from being not loaded (via LoadModule) to being loaded across an graceful restart. While in general modules may be removed or added during a graceful restart, mod_ibm_ssl cannot support this sequence.

SSLFatalErrorLimit Directive

Description:	Gracefully terminates a process reporting too many fatal handshake errors
Syntax:	`SSLFatalErrorLimit failures`
Default:	`SSLFatalErrorLimit 0`
Context:	virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	Requires PH32229

In some rare cases, an individual process will stop processing handshakes and return errors such as SSL0209E/SSL0212E/SSL0203E. If this directive is set to non-zero, the process will gracefully exit after seeing the specified number of SSL0209E/SSL0212E/SSL0203E failures.

This directive is NOT inherited from the base server config to virtual hosts.

SSLFIPSDisable Directive

Description:	Configures an SSL enabled virtual host to NOT use FIPS 140-2 certified ciphers
Syntax:	`SSLFIPSDisable`
Default:	`SSLFIPSDisable`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	Directive and functionality not available on z/OS until IBM HTTP Server 8.5

This directive causes the server to use the default SSL implementation in the bundled GSKit library. This directive is normally not required unless SSLFIPSEnable appears in global server configuration.

SSLFIPSEnable Directive

Description:	Configures an SSL enabled virtual host to use FIPS 140-2 certified ciphers
Syntax:	`SSLFIPSEnable [SP800131A\|uncertified\|uncertified_only]...`
Default:	`unset`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	Directive and functionality not available on z/OS until IBM HTTP Server 8.5. No arguments are supported on z/OS.

This directive causes the server to use the FIPS 140-2 validated cryptographic modules and ciphers available in the bundled GSKit library. It augments, not replaces, the SSLEnable directive.

IBM HTTP Server 8.5 and later on z/OS supports this directive being enabled only in a global (base configuration, outside of any vhost) context only. On z/OS, a FIPS compatible KeyFile must be created with gskkyman for both IBM HTTP Server and the WAS Plugin. FIPS compatible keystores on z/OS only allow certs with strong cryptography to be stored inside of them.

Optional arguments perform further configuration:

SP800131A: This enables a macro setting within the security library that tracks to current NIST SP800-131A recommendations. The exact set of ciphers, protocols, and algorithms supported may change over time.
SSLSuiteB-128: This enables a macro setting within the security library that tracks to current NSA Suite B recommendations. The exact set of ciphers, protocols, and algorithms supported may change over time. This mode is a very restrictive set of protocols and ciphers. SSLSuiteB is accepted as an alias.
SSLSuiteB-192: Like SSLSuiteB-128, but even stronger algorithms
uncertified: IHS contains two cryptographic modules. One is a FIPS140-2 certified implementation, the other is the service stream for the certified implementation where bugfixes and enhancements can be delivered without jeopardizing certification. This setting configures IHS to use FIPS140-2 approved algorithms, but does not use the certified cryptograhic module.
The uncertified module is what is used in the absense of SSLEnable.

SSLGSKitTraceEnable Directive

Description:	Enables GSKit trace.
Syntax:	`SSLGSKitTraceEnable c:/trace.log[ size-in-MB [num-files [options ]]]`
Default:	`Disabled, but if just only first parameter is used the other paremters default to 250MB and 4 files.`
Context:	server config
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	Not available on z/OS.

This directive enables the equivalent of setting the GSK_TRACE_FILE GSK_TRACE_FILE_SIZE, and GSK_TRACE_FILE_NUMBER environment variables.

The final parameter, options, can be set to "1" to enable GSK_TRACE_NO_BUFFERING

SSLHandshakeTimeout Directive

Description:	Configures timeout on handshake operations
Syntax:	`SSLHandshakeTimeout IO-timeout [end-to-end timeout[ms]]`
Default:	`SSLHandshakeTimeout 5 10`
Context:	virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	Pre-9.0, this timeout defaulted to the core `Timeout` value. After 9.0, even if the directive is not explicitly specified, the defaults above will be used.

This directive can be used to reduce the timeout for SSL handshake I/O operations and to impose an end-to-end timeout on SSL handshakes.

<VirtualHost *:443> SSLEnable Timeout 60 SSLHandshakeTimeout 5 </VirtualHost>

<VirtualHost *:443> SSLEnable Timeout 60 SSLHandshakeTimeout 2 4000ms </VirtualHost>

A value of 0 for either value will use the core Timeout value.

SSLMinimumRSAKeySize Directive

Description:	Enforces a minimum RSA key size for certificates. See usage for platform differences.
Syntax:	`SSLMinimumRSAKeySize bits`
Default:	`0 (no minimum)`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	Added in PH51709

This directive is primarily used to enforce a minimum RSA key size for client certificates. The exact behavior depends on the capabilities provided by the platform security library.

On z/OS, the key size is enforced on client certificates received by the server. The issuers of the client certificates are not checked. This uses GSK_PEER_RSA_MIN_KEY_SIZE in the System SSL programming guide.
On Distributed platforms:
- The key size is enforced on all certificates sent or received by mod_ibm_ssl, including their full certificate chains.
- The environment variables SSL_CLIENT_KEY_ALG ("RSA", "EC_ecPublicKey") and SSL_CLIENT_KEY_SIZE are provided to use in logging and conditional expressions.

In the event the minimum is not met, the SSL handshake will fail.

Scope

This directive does not have any affect on certificates sent or received by the WebSphere WebServer Plug-in.

SSLOCSPCacheSize Directive

Description:	Enables OCSP caching and specifies the maximum number of elements in the cache.
Syntax:	`SSLOCSPCacheSize elements`
Default:	`see synopsis`
Context:	virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	PH54894

This directive specifies the size of the internal OCSP response cache.

Defaults: On Linux, AIX and Windows the default is 0 (no caching). On z/OS, the system default is 256. Further details can be found in the System SSL programmers guide of your zOS release.
Lifetime: The "nextUpdate" time of the OCSP response, or HTTP cache headers, determines the lifetime of cache entries. Entries can be evicted when the cache is full based on LRU.
Merging: This directive is not merged/inherited from global to virtual host scope
Scope: There is one cache per SSL enabled virtual host, per IHS child process.
Statistics: If the /server-status interface is accessed over HTTPS, some basic info about the OCSP cache for the virtual host and process handling the request is displayed torwards the bottom of the page. Not available on zOS.

OCSP Cache statistics (Linux, AIX, Windows)

Legend for the fields in /server-status. Note: The output data and format is intended to be human readable and is subject to change i.e. the output format MUST NOT be considered a specification.

read_hit: the number of times a valid current OCSP response was found in the cache and so no actual OCSP request was required.
read_miss: the number of times a valid current OCSP response was not found in the cache and so an actual OCSP request was required.
write_hit: the number of times a response was renewed in the cache – this should match read_hit unless the response was found in the cache but could not be used for other reasons.
write_miss: the number of times a new response was added to the cache.
new: the number of new OCSP requests requested – this is write_miss - read_miss.
lost: the number of times an otherwise still valid cache entry was lost due to lack of space.
promoted_hit: the number of times a promoted item was found in the cache.
promoted_event: the number of ocsp responses that were promoted.
resume ratio: the ratio of renewed to all cache writes, the higher the better.
hit ratio: ratio of renewed cache hits that were used. Note: responses that have expired will not be used which can lower this ratio.
cache hit ratio: percentage ratio of OCSP responses used from the cache compared to the total including cached and those from new OCSP requests.

SSLOCSPConnectionTimeout Directive

Description:	Enables connect() timeout on outobuund OCSP connections
Syntax:	`SSLOCSPConnectionTimeout seconds`
Default:	`SSLOCSPConnectionTimeout 10`
Context:	virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	Requires PH01222

This directive can specify a timeout for connecting to an OCSP server while validating a client certificate. Prior to PH01222, there was no explicit default, and especially on Windows the connection attempt could have for an extended time if it was not completed or actively refused.

This directive is inherited from the base server config to virtual hosts.

SSLOCSPEnable Directive

Description:	The SSLOCSPEnable directive enables checking of client certificates through OCSP responders defined in the Authority Information Access (AIA) extension of their certificate.
Syntax:	`SSLOCSPEnable`
Default:	`not set`
Context:	virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	Distributed platforms only prior to PI46822. On z/OS, requires z/OS V2R2 or later

If SSLOCSPEnable is set, and any certificate in the SSL client certificate chain contains an AIA extension, IBM HTTP Server contacts the OCSP responder indicated by the AIA extension to check revocation status of that certificate.

If both OCSP and CRL checking is configured, OCSP checking is performed before any CRL checking. CRL checking occurs only if the result of the OCSP checking is unknown or inconclusive.

If both SSLOCSPEnable and SSLOCSPResponderURL are configured, the responder defined by SSLOCSPResponderURL is checked first. If the revocation status is unknown or inconclusive, IBM HTTP Server checks OCSP responders for SSLOCSPEnable.

https URIs are not supported for OCSP.

SSLOCSPResponderURL Directive

Description:	The SSLOCSPResponderURL directive enables checking of client certificates through a statically configured online certificate status protocol (OCSP) responder.
Syntax:	`SSLOCSPResponderURL fully-qualified-url`
Default:	`not set`
Context:	virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	Distributed platforms only prior to PI46822. On z/OS, requires z/OS V2R2 or later

If both OCSP and CRL checking is configured, OCSP checking is performed before any CRL checking. CRL checking occurs only if the result of the OCSP checking is unknown or inconclusive.

https URIs are not supported for OCSP.

SSLProtocolDisable Directive

Description:	The SSLProtocolDisable directive allows you to disable individual SSL protocols.
Syntax:	`SSLProtocolDisable [PROXY\|SERVER] SSLv2\|SSLv3\|TLSv10\|TLSv11\|TLSv12\|TLSv13 ...`
Default:	`see notes`
Context:	virtual host
Status:	Extension
Module:	mod_ibm_ssl

This directive can be used to disable individual SSL protocols. Multiple protocols can be specified, separated by spaces.

In scopes with SSLProxyEngine set to "ON", this directive also controls the protocols used for outbound TLS connections. To change one without changing another, specify "PROXY" or "SERVER" as the first argument.

Defaults

Default protocols using the latest available maintenance: TLSv12 TLSv13

SSLv2 and SSLv3 have always been disabled by default in this release
TLSv1.0 and TLSv1.1 are disabled by default in 9.0.5.9 and later (PH36870).
>TLSv13 is disabled by default on z/OS and on PROXY (outbound via mod_proxy_http) connections.

SSLProtocolEnable Directive

Description:	The SSLProtocolEnable directive allows you to enable individual SSL protocols.
Syntax:	`SSLProtocolEnable [PROXY\|SERVER] SSLv2\|SSLv3\|TLSv10\|TLSv11\|TLSv12\|TLSv13 ...`
Default:	`see notes for SSLProtocolDisable`
Context:	virtual host
Status:	Extension
Module:	mod_ibm_ssl

This directive can be used to enable individual SSL protocols.

z/OS

Before explicitly enabling TLS1.3, consider the performance information below.

TLS 1.3 performs best on z15 and later and with the servers RSA private key stores on a PKDS and ICSF APAR OA58358 installed.
If a TLS1.3-enabled webserver is not restarted at least as frequently as the "ServerKeyRefresh" interval specified in the TLS13Options directive, SSL session reuse will be diminished (proportional to the number of child processes) which may have a marginal affect on performance. The default (and maximum) ServerKeyRefresh interval is 7 days.

SSLProxyEngine Directive

Description:	Adds SSL support to outgoing reverse proxy connections
Syntax:	`SSLProxyEngine on\|off`
Default:	`SSLProxyEngine offnone`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl

This directive configures IHS to handle https URL's for reverse proxy directives such as ProxyPass and RewriteRule.

A KeyFile must be set and contain the trust chain for any origin servers.

This directive is not supported when IBM HTTP Server is used with WebSphere Application Server. Only the WebSphere WebServer Plug-in is supported.

SSLRenegotiation Directive

Description:	Controls IBM HTTP Server support of TLS renegotiation
Syntax:	`SSLRenegotiation on\|off\|LEGACY_AND_RFC5746`
Default:	`SSLRenegotiation off`
Context:	virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	see below

This directive controls the types of TLS renegotiation permitted by IBM HTTP Server. TLS renegotiation is how clents can initiate a new SSL handshake on an existing secure connection, which is rarely used by normal browser-based clients.

OFF (default): No renegotiation is permitted.
ON: Secure renegotiation, as currently defined by RFC5746, is permitted.
LEGACY_AND_RFC5746: Both secure renegotiation and legacy insecure renegotiation are permitted.

Compatibility

This directive supercedes the SSLInsecureRenegotiation directive in IBM HTTP Server 8.0 and later.

SSLReverseCipherOrder Directive

Description:	Reverses the order of preferred ciphers.
Syntax:	`SSLReverseCipherOrder`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl

In version 9 and later, the default order of ciphers prioritizes some stronger ciphers than previously used by default. Use this directive to reverse the cipher order, rather than picking and choosing the exact order with SSLCipherSpec.

SSLServerCert Directive

Description:	Identifies the certificate label of a personal certificate that the server should use to authenticate to clients.
Syntax:	`SSLServerCert [cryptograhic token name:]label-name [[cryptograhic token name:]label-name]`
Default:	`unset`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl

Each KeyFile may contain multiple personal certificates (certificates with private keys) as well as a single personal certificate marked as the default certificate. If you want IBM HTTP Server to use any certificates other than the default, specify SSLServerCert.

Two certificate labels may be specified as a space-delimited list where one certificate must contain an RSA key and the other must contain an ECDSA key. The server will choose a certificate based on the client's capabilities. If a client supports both key types, the certificate listed first in SSLServerCert is used regardless of how the ciphers are ordered using SSLCipherSpec.

Distributed platforms only.

Specifying a list

SSLServerCert ecc_label rsa_label

Any labels containing spaces must be quoted. Spaces will need to be escaped if more than one label is specified.

Specifying a single label containing spaces

SSLServerCert "RSA Label Example"

Specifying a list of labels containing spaces

SSLServerCert "ecc\ label" "rsa\ label"

If cryprographic hardware is in use, this directive is mandatory to communicate the cryptographic token name (the token name can be obtained using the crypto hardware vendor's tools such as pkcsconf:

Cryptographic hardware example

SSLServerCert mytoken:mycertlabel

On z/OS, the second label is only used when PH18102 is present and the operating system release is V2R3 or later.

SSLSkipCloseNofify Directive

Description:	Flag to disable sending a TLS close_notify during Apache socket shutdown
Syntax:	`SSLSkipCloseNotif ON\|OFF`
Default:	`OFF (close_notify is sent)`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	PH30841

9.0.5.2 added TLS13 support. Separate from TLS13, IHS began sending the TLS close_notify alert when the underlying Apache connection to the client was closed. This flag disables the new behavior

SSLSNIMap Directive

Description:	Establishes servername to certificate label pairs
Syntax:	`SSLSNIMap hostname cert-label`
Default:	`unset`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl

This directive maps server names transmitted via the TLS Server Name Extension to certificate labels, which allows the certificate presented to vary based on the hostname used by the client.

See the >SNI section for more details.

SSLSuiteBMode Directive

Description:	Enables the "Suite B" profile for the enclosing virtual host
Syntax:	`SSLSuiteBMode 128\|192`
Default:	`unset`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl

This directive configures the enclosing virtual host to use the "Suite B" profile for TLS. This profile drastically reduces the available signature algorithm and cipher specs that will be used by the server. The set of acceptable algorithms and ciphers is subject to change over time as relevant standards change.

The 128 and 192 arguments refer to the two levels of security discussed in RFC 6460.

Setting this directive overrides most previous SSL directives. Only SSLAttributeSet is processed later (with a higher priority).
All Suite B profiles require the servers certificate chain to use strong ECC signatures.
At the time of this writing, RFC 6460 documents the restrictions of "Suite B".

SSLSupportedCurves Directive

Description:	Selects the set of Elliptic Curves used during the handshake. See usage for platform differences.
Syntax:	`SSLSupportedCurves TLSv12\|TLSv13 curve-list`
Default:	`see usage`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	Added in PH51678

During handshakes that use ECDHE key exchange, the client and server must negotiate a named curve that both sides support. This directive allows the curves that the server will offer to be customized.

Default and available settings:

Property	Linux, AIX, Windows	z/OS
TLSv12 default	secp256r1, secp384r1, secp521r1	secp256r1, secp384r1, secp521r1
TLSv13 default	x25519, secp256r1, secp384r1, secp521r1, x448	x25519, secp256r1, secp384r1, secp521r1
Supported values	Comma separated selected from pattern: GSK_TLS_SUPPORTED_GROUP_ECDHE_{X25519,SECP256R1,SECP384R1,SECP521R1,X448}	Four-digit codes with no separator from: System SSL Programming Guide

TLSv12 configurability

On Linux, AIX, and Windows only TLSv13 curves are configurable. TLSv12 curves cannot be changed.
On z/OS, OA61783 is required to configure TLSv12 curves.

Default changes

PH51678 removed secp224r1 and secp192r1 from the TLSv12 defaults on z/OS.
PH39992 removed x25519 and x448 from s390/s390x linux defaults

Example

# zOS: add x25519 to defaults for TLSv12 SSLSupportedCurves TLSv12 0029002300240025 # zOS: add x448 to the end of defaults SSLSupportedCurves TLSv13 00290023002400250030 # Linux, AIX, Windows: use only secp384r1 and secp521r1 SSLSupportedCurves TLSv13 GSK_TLS_SUPPORTED_GROUP_ECDHE_SECP384R1,GSK_TLS_SUPPORTED_GROUP_ECDHE_SECP521R1

SSLTrace Directive

Description:	Enables extended tracing for SSL communication
Syntax:	`SSLTrace`
Default:	`unset`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl

This directive enables extra tracing in the ErrorLog for various SSL related operations. SSLTrace is only useful with LogLevel set to debug.

SSLUnknownRevocationStatus Directive

Description:	Specifies how IBM HTTP Server reacts when IBM HTTP Server cannot readily determine the revocation status, which is coming through CRL or OCSP.
Syntax:	`SSLUnknownRevocationStatus ignore\|log\|log_always\|deny`
Default:	`SSLUnknownRevocationStatus ignore`
Context:	virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	Distributed platforms only. On zOS, unknown revocation status results in a handshake error.t

ignore: Specifies that a debug level message is issued when a handshake completes and the revocation status is not known. This message is not re-issued when the SSL session is resumed.
log: Specifies that a notice-level message is issued when a handshake completes and the revocation status is not known. This message is not re-issued when the SSL session is resumed.
log_always: Specifies that a notice-level message is issued when a handshake completes and the revocation status is not known. IBM HTTP Server issues the same message for subsequent handshakes.
deny: Specifies that a notice-level message is issued when a handshake completes, the revocation status is not known, the session is not resumable, and the HTTPS connection is immediately closed. IBM HTTP Server reports the same message for subsequent handshakes.

Whenever a message is logged for UnknownRevocationStatus, the SSL_UNKNOWNREVOCATION_SUBJECT variable, an internal SSL environment variable, is set. You can log this variable with the following LogFormat syntax:

%{SSL_UNKNOWNREVOCATION_SUBJECT}e

You could also use the variable in mod_rewrite expressions when this directive directive has any value other than deny. Use the following variable name in your RewriteCond directive:

%{ENV:SSL_UNKNOWNREVOCATION_SUBJECT}

SSLVersion Directive

Description:	Performs access control based on negotiated TLS version
Syntax:	`SSLVersion SSLv2\|SSLv3\|TLSv1\|TLSv1.1\|TLSv1.2`
Default:	`Disabled`
Context:	directory
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:	deprecated

This directive returns an HTTP Forbidden response if the specified TLS version has not been negotiated. It does not cause the connection to be renegotiated, and cannot itself directly cause a customized HTTP response be sent to the client. This directive serves little practical purpose.

TLS13Options Directive

Description:	General purpose directive to configure options for the TLSv1.3 protocol.
Syntax:	`TLS13Options option[=value] [option[=value] ...]`
Default:	`NumTickets = 6, ServerKeyRefresh=608400`
Context:	server config, virtual host
Status:	Extension
Module:	mod_ibm_ssl
Compatibility:

This directive allows the following options to be set for the TLSv1.3 protocol:

AllowLegacyCerts[=ON|OFF]: Allows legacy SHA1 certificates to be used. Default is OFF.
NumTickets=n: Sets the number of session tickets to the value n. Default is 6.
ServerKeyRefresh=n: z/OS only. Sets the frequency for rotating the key used for TLSv13 session tickets. Default is 608400 (7 days).

Apache Module mod_ibm_ssl

Summary

Directives

Topics

See also

ECDHE-RSA ciphers

ECDHE-ECDSA ciphers (requires ECDSA certificate)

z/OS configuration

Compatibility

Notes

z/OS limitations

Protocol argument quirks

Reset defaults

Legacy syntax

Merging

Graceful Restart

Scope

OCSP Cache statistics (Linux, AIX, Windows)

Defaults

z/OS

Compatibility

Specifying a list

Specifying a single label containing spaces

Specifying a list of labels containing spaces

Cryptographic hardware example

TLSv12 configurability

Default changes

Example