Modules | Directives | FAQ | Glossary | Sitemap
Apache HTTP Server Version 2.4
Apache > HTTP Server > Documentation > Version 2.4 > SSL/TLS
SSL/TLS Strong Encryption: Compatibility
This page covers backwards compatibility between mod_ssl and other SSL solutions. mod_ssl is not the only SSL solution for Apache; four additional products are (or were) also available: Ben Laurie's freely available Apache-SSL (from where mod_ssl were originally derived in 1998), Red Hat's commercial Secure Web Server (which was based on mod_ssl), Covalent's commercial Raven SSL Module (also based on mod_ssl) and finally C2Net's (now Red Hat's) commercial product Stronghold (based on a different evolution branch, named Sioux up to Stronghold 2.x, and based on mod_ssl since Stronghold 3.x).
mod_ssl mostly provides a superset of the functionality of all the other solutions, so it's simple to migrate from one of the older modules to mod_ssl. The configuration directives and environment variable names used by the older SSL solutions vary from those used in mod_ssl; mapping tables are included here to give the equivalents used by mod_ssl.
See also
Configuration Directives
The mapping between configuration directives used by Apache-SSL 1.x and mod_ssl 2.0.x is given in Table 1. The mapping from Sioux 1.x and Stronghold 2.x is only partial because of special functionality in these interfaces which mod_ssl doesn't provide.
Table 1: Configuration Directive Mapping
| Old Directive | mod_ssl Directive | Comment |
|---|---|---|
| Apache-SSL 1.x & mod_ssl 2.0.x compatibility: | ||
| SSLEnable | SSLEngine on | compactified |
| SSLDisable | SSLEngine off | compactified |
| SSLLogFile file | Use per-module LogLevel setting instead. | |
| SSLRequiredCiphers spec | SSLCipherSuite spec | renamed |
| SSLRequireCipher c1 ... | SSLRequire %{SSL_CIPHER} in {"c1", ...} | generalized |
| SSLBanCipher c1 ... | SSLRequire not (%{SSL_CIPHER} in {"c1", ...}) | generalized |
| SSLFakeBasicAuth | SSLOptions +FakeBasicAuth | merged |
| SSLCacheServerPath dir | - | functionality removed |
| SSLCacheServerPort integer | - | functionality removed |
| Apache-SSL 1.x compatibility: | ||
| SSLExportClientCertificates | SSLOptions +ExportCertData | merged |
| SSLCacheServerRunDir dir | - | functionality not supported |
| Sioux 1.x compatibility: | ||
| SSL_CertFile file | SSLCertificateFile file | renamed |
| SSL_KeyFile file | SSLCertificateKeyFile file | renamed |
| SSL_CipherSuite arg | SSLCipherSuite arg | renamed |
| SSL_X509VerifyDir arg | SSLCACertificatePath arg | renamed |
| SSL_Log file | - | Use per-module LogLevel setting instead. |
| SSL_Connect flag | SSLEngine flag | renamed |
| SSL_ClientAuth arg | SSLVerifyClient arg | renamed |
| SSL_X509VerifyDepth arg | SSLVerifyDepth arg | renamed |
| SSL_FetchKeyPhraseFrom arg | - | not directly mappable; use SSLPassPhraseDialog |
| SSL_SessionDir dir | - | not directly mappable; use SSLSessionCache |
| SSL_Require expr | - | not directly mappable; use SSLRequire |
| SSL_CertFileType arg | - | functionality not supported |
| SSL_KeyFileType arg | - | functionality not supported |
| SSL_X509VerifyPolicy arg | - | functionality not supported |
| SSL_LogX509Attributes arg | - | functionality not supported |
| Stronghold 2.x compatibility: | ||
| StrongholdAccelerator engine | SSLCryptoDevice engine | renamed |
| StrongholdKey dir | - | functionality not needed |
| StrongholdLicenseFile dir | - | functionality not needed |
| SSLFlag flag | SSLEngine flag | renamed |
| SSLSessionLockFile file | SSLMutex file | renamed |
| SSLCipherList spec | SSLCipherSuite spec | renamed |
| RequireSSL | SSLRequireSSL | renamed |
| SSLErrorFile file | - | functionality not supported |
| SSLRoot dir | - | functionality not supported |
| SSL_CertificateLogDir dir | - | functionality not supported |
| AuthCertDir dir | - | functionality not supported |
| SSL_Group name | - | functionality not supported |
| SSLProxyMachineCertPath dir | SSLProxyMachineCertificatePath dir | renamed |
| SSLProxyMachineCertFile file | SSLProxyMachineCertificateFile file | renamed |
| SSLProxyCipherList spec | SSLProxyCipherSpec spec | renamed |
Environment Variables
The mapping between environment variable names used by the older SSL solutions and the names used by mod_ssl is given in Table 2.
Table 2: Environment Variable Derivation
| Old Variable | mod_ssl Variable | Comment |
|---|---|---|
| SSL_PROTOCOL_VERSION | SSL_PROTOCOL | renamed |
| SSLEAY_VERSION | SSL_VERSION_LIBRARY | renamed |
| HTTPS_SECRETKEYSIZE | SSL_CIPHER_USEKEYSIZE | renamed |
| HTTPS_KEYSIZE | SSL_CIPHER_ALGKEYSIZE | renamed |
| HTTPS_CIPHER | SSL_CIPHER | renamed |
| HTTPS_EXPORT | SSL_CIPHER_EXPORT | renamed |
| SSL_SERVER_KEY_SIZE | SSL_CIPHER_ALGKEYSIZE | renamed |
| SSL_SERVER_CERTIFICATE | SSL_SERVER_CERT | renamed |
| SSL_SERVER_CERT_START | SSL_SERVER_V_START | renamed |
| SSL_SERVER_CERT_END | SSL_SERVER_V_END | renamed |
| SSL_SERVER_CERT_SERIAL | SSL_SERVER_M_SERIAL | renamed |
| SSL_SERVER_SIGNATURE_ALGORITHM | SSL_SERVER_A_SIG | renamed |
| SSL_SERVER_DN | SSL_SERVER_S_DN | renamed |
| SSL_SERVER_CN | SSL_SERVER_S_DN_CN | renamed |
| SSL_SERVER_EMAIL | SSL_SERVER_S_DN_Email | renamed |
| SSL_SERVER_O | SSL_SERVER_S_DN_O | renamed |
| SSL_SERVER_OU | SSL_SERVER_S_DN_OU | renamed |
| SSL_SERVER_C | SSL_SERVER_S_DN_C | renamed |
| SSL_SERVER_SP | SSL_SERVER_S_DN_SP | renamed |
| SSL_SERVER_L | SSL_SERVER_S_DN_L | renamed |
| SSL_SERVER_IDN | SSL_SERVER_I_DN | renamed |
| SSL_SERVER_ICN | SSL_SERVER_I_DN_CN | renamed |
| SSL_SERVER_IEMAIL | SSL_SERVER_I_DN_Email | renamed |
| SSL_SERVER_IO | SSL_SERVER_I_DN_O | renamed |
| SSL_SERVER_IOU | SSL_SERVER_I_DN_OU | renamed |
| SSL_SERVER_IC | SSL_SERVER_I_DN_C | renamed |
| SSL_SERVER_ISP | SSL_SERVER_I_DN_SP | renamed |
| SSL_SERVER_IL | SSL_SERVER_I_DN_L | renamed |
| SSL_CLIENT_CERTIFICATE | SSL_CLIENT_CERT | renamed |
| SSL_CLIENT_CERT_START | SSL_CLIENT_V_START | renamed |
| SSL_CLIENT_CERT_END | SSL_CLIENT_V_END | renamed |
| SSL_CLIENT_CERT_SERIAL | SSL_CLIENT_M_SERIAL | renamed |
| SSL_CLIENT_SIGNATURE_ALGORITHM | SSL_CLIENT_A_SIG | renamed |
| SSL_CLIENT_DN | SSL_CLIENT_S_DN | renamed |
| SSL_CLIENT_CN | SSL_CLIENT_S_DN_CN | renamed |
| SSL_CLIENT_EMAIL | SSL_CLIENT_S_DN_Email | renamed |
| SSL_CLIENT_O | SSL_CLIENT_S_DN_O | renamed |
| SSL_CLIENT_OU | SSL_CLIENT_S_DN_OU | renamed |
| SSL_CLIENT_C | SSL_CLIENT_S_DN_C | renamed |
| SSL_CLIENT_SP | SSL_CLIENT_S_DN_SP | renamed |
| SSL_CLIENT_L | SSL_CLIENT_S_DN_L | renamed |
| SSL_CLIENT_IDN | SSL_CLIENT_I_DN | renamed |
| SSL_CLIENT_ICN | SSL_CLIENT_I_DN_CN | renamed |
| SSL_CLIENT_IEMAIL | SSL_CLIENT_I_DN_Email | renamed |
| SSL_CLIENT_IO | SSL_CLIENT_I_DN_O | renamed |
| SSL_CLIENT_IOU | SSL_CLIENT_I_DN_OU | renamed |
| SSL_CLIENT_IC | SSL_CLIENT_I_DN_C | renamed |
| SSL_CLIENT_ISP | SSL_CLIENT_I_DN_SP | renamed |
| SSL_CLIENT_IL | SSL_CLIENT_I_DN_L | renamed |
| SSL_EXPORT | SSL_CIPHER_EXPORT | renamed |
| SSL_KEYSIZE | SSL_CIPHER_ALGKEYSIZE | renamed |
| SSL_SECKEYSIZE | SSL_CIPHER_USEKEYSIZE | renamed |
| SSL_SSLEAY_VERSION | SSL_VERSION_LIBRARY | renamed |
| SSL_STRONG_CRYPTO | - | Not supported by mod_ssl |
| SSL_SERVER_KEY_EXP | - | Not supported by mod_ssl |
| SSL_SERVER_KEY_ALGORITHM | - | Not supported by mod_ssl |
| SSL_SERVER_KEY_SIZE | - | Not supported by mod_ssl |
| SSL_SERVER_SESSIONDIR | - | Not supported by mod_ssl |
| SSL_SERVER_CERTIFICATELOGDIR | - | Not supported by mod_ssl |
| SSL_SERVER_CERTFILE | - | Not supported by mod_ssl |
| SSL_SERVER_KEYFILE | - | Not supported by mod_ssl |
| SSL_SERVER_KEYFILETYPE | - | Not supported by mod_ssl |
| SSL_CLIENT_KEY_EXP | - | Not supported by mod_ssl |
| SSL_CLIENT_KEY_ALGORITHM | - | Not supported by mod_ssl |
| SSL_CLIENT_KEY_SIZE | - | Not supported by mod_ssl |
Custom Log Functions
When mod_ssl is enabled, additional functions exist for the Custom Log Format of mod_log_config as documented in the Reference Chapter. Beside the ``%{varname}x'' eXtension format function which can be used to expand any variables provided by any module, an additional Cryptography ``%{name}c'' cryptography format function exists for backward compatibility. The currently implemented function calls are listed in Table 3.
Table 3: Custom Log Cryptography Function
| Function Call | Description |
|---|---|
| %...{version}c | SSL protocol version |
| %...{cipher}c | SSL cipher |
| %...{subjectdn}c | Client Certificate Subject Distinguished Name |
| %...{issuerdn}c | Client Certificate Issuer Distinguished Name |
| %...{errcode}c | Certificate Verification Error (numerical) |
| %...{errstr}c | Certificate Verification Error (string) |