Chapter 5. Other issues

Table of Contents
5.1. Additional Directives
5.2. Proxying HTTPS
5.3. Extended Validation
5.4. Server Gated Cryptography

5.1. Additional Directives

There are a handful of mod_ssl directives that we have not used yet. Brief references to most of them follow - see the mod_ssl documentation ( for further information. Some of these options were not included in mod_ssl for Apache 1.3.


Some CAs issue certificates which are not signed directly by keys mentioned in browser root certificates. In theses cases one or more "intermediate certificates" are needed to link the server certificate to the appropriate Root certificate. These intermediate certificates are made available by the CAs and Apache needs to supply them to browsers. This directive identifies a file containing all the necessary intermediate certificates.


When a client certificate is requested by mod_ssl, a list of acceptable Certificate Authority names is sent to the client in the SSL handshake. These CA names can be used by the client to select an appropriate client certificate out of those it has available. The list of acceptable CA is normally all those in SSLCACertificateFile, but this directive allows a different list to be supplied.

SSLCACertificatePath, SSLCARevocationPath, SSLCADNRequestPath

These directives work like SSLCACertificateFile, SSLCARevocationFile, and SSLCADNRequestFile except that they identify directories containing certificate files, rather than the files themselves.


Limits the number of intermediate certificates that will be used to verify the link between a client certificate and the appropriate CA root.


Specifies various ways in which a pass phrase can be provided if needed to access a private key.


Allows you to chose which protocol out of SSLv2, SSLv3, TLSv1 or ALL will be accepted.


This directive enables use of a cryptographic hardware accelerator board to offload some of the SSL processing overhead. OpenSSL support for the device is required.


When choosing a cipher during an SSLv3 or TLSv1 handshake, normally the client's preference is used. If this directive is enabled, the server's preference will be used instead.


Various directives starting SSLProxy... allow Apache to be configured as a web proxy for SSL connections.

Note that SSLOptions accepts more options than have so far been mentioned, and SSLRequire can be used to implement a range of restrictions, not just ones related to client certificates. See the Aapche documentation for details.