SSL directive considerations

When using SSL directives, consider the following: limiting encryption to 128 bits or higher, rewriting HTTP (port 80) requests to HTTPS (port 443), logging SSL request information in the access log, and enabling certificate revocation lists (CRL).

You should consider the following when you want to enable SSL directives in the IBM HTTP Server httpd.conf configuration file:

  • Limiting IBM HTTP Server to encrypt at only 128 bits or higher. There are several methods of configuring IBM HTTP Server to restrict SSL so that only 128-bit browsers and 128-bit and 168-bit ciphers can access Web content.

  • How to rewrite HTTP (port 80) requests to HTTPS (port 443). The mod_rewrite.c rewrite module provided with IBM HTTP Server can be used as an effective way to automatically rewrite all HTTP requests to HTTPS. For complete information refer to How to rewrite HTTP (port 80) requests to HTTPS (port 443).

  • Logging SSL request information in the access log for IBM HTTP Server. The IBM HTTP Server implementation provides Secure Sockets Layer (SSL) environment variables that are configurable with the LogFormat directive in the httpd.conf configuration file. For complete information refer to Logging SSL request information in the access log for IBM HTTP Server.

  • Enable certificate revocation lists (CRL) in IBM HTTP Server. Certificate revocation provides the ability to revoke a client certificate given to the IBM HTTP Server by the browser when the key is compromised or when access permission to the key is revoked. CRL represents a database that contains a list of certificates revoked before their scheduled expiration date. For complete information refer to SSL Certificate revocation list and Online Certificate Status Protocol.
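The logging consideration can be used to verify the cipher-strength and HTTP-to-HTTPS considerations. The following is an added example, not IBM's code: it audits access-log lines for SSL sessions below 128 bits and for requests that were served over plain HTTP rather than redirected. The LogFormat shown in the comment, the log file name, and the sample lines are assumptions made for illustration.

```python
import re

# Assumed httpd.conf logging setup (an assumption, not taken from the page).
# HTTPS, HTTPS_CIPHER and HTTPS_SECRETKEYSIZE are IBM HTTP Server SSL
# environment variables:
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"SSL=%{HTTPS}e\" \"%{HTTPS_CIPHER}e\" \"%{HTTPS_SECRETKEYSIZE}e\"" ssl_common
#   CustomLog logs/ssl_access_log ssl_common
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"SSL=(?P<ssl>[^"]*)" "(?P<cipher>[^"]*)" "(?P<bits>[^"]*)"$'
)
MIN_SECRET_KEY_BITS = 128  # threshold named on the page

# Constructed sample log lines (documentation IP range, made-up requests).
SAMPLE_LOG = '''\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "SSL=ON" "TLS_RSA_WITH_AES_128_CBC_SHA" "128"
192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "SSL=ON" "SSL_RSA_EXPORT_WITH_RC4_40_MD5" "40"
192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /login HTTP/1.1" 302 210 "SSL=-" "-" "-"
192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /login HTTP/1.1" 200 900 "SSL=-" "-" "-"
192.0.2.14 - - [01/Jan/2024:10:00:15 +0000] "GET /a HTTP/1.1" 200 100 "SSL=ON" "SSL_RSA_WITH_3DES_EDE_CBC_SHA" "168"
'''

def classify(line):
    """Return (host, verdict, detail) for one access-log line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return (None, "unparsed", line.strip())
    host, status = m["host"], m["status"]
    if m["ssl"].upper() != "ON":
        # Plain HTTP: a 301/302 means the port 80 -> 443 rewrite answered it.
        verdict = "http-redirected" if status in ("301", "302") else "http-served"
        return (host, verdict, m["request"])
    if not m["bits"].isdigit():
        return (host, "keysize-missing", m["cipher"])
    if int(m["bits"]) < MIN_SECRET_KEY_BITS:
        return (host, "weak-cipher", f'{m["cipher"]} ({m["bits"]} bits)')
    return (host, "ok", m["cipher"])

def findings(log_text):
    """Keep only the lines an operator needs to act on."""
    rows = [classify(l) for l in log_text.splitlines() if l.strip()]
    return [r for r in rows if r[1] not in ("ok", "http-redirected")]

if __name__ == "__main__":
    for host, verdict, detail in findings(SAMPLE_LOG):
        print(f"{verdict:16} {host:12} {detail}")
```

A `weak-cipher` finding means the 128-bit restriction is not in effect for that virtual host; an `http-served` finding means content was delivered on port 80 without the rewrite applying.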

