Ssloptions – Oracle B12255-01 User Manual
Page 151
Security Services Implemented Within Oracle HTTP Server
Managing Security
8-21
SSLOptions
Controls various runtime options on a per-directory basis. In general,
if multiple options apply to a directory, the most comprehensive option is applied
(options are not merged). However, if all of the options in an SSLOptions directive
are preceded by a plus (’+’) or minus (’-’) symbol, then the options are merged.
Options preceded by a plus are added to the options currently in force, and options
preceded by a minus are removed from the options currently in force.
Category
Value
Valid Values
■
StdEnvVars
: Creates the standard set of CGI/SSI environment
variables that are related to SSL. This is disabled by default
because the extraction operation uses a lot of CPU time and
usually has no application when serving static content.
Typically, you only enable this for CGI/SSI requests.
■
ExportCertData
: Enables the following additional CGI/SSI
variables:
SSL_SERVER_CERT
SSL_CLIENT_CERT
SSL_CLIENT_CERT_CHAIN_n
(where n= 0, 1, 2...)
These variables contain the Privacy Enhanced Mail
(
)-encoded X.509 certificates for the server and the client
for the current HTTPS connection, and can be used by CGI
scripts for deeper certificate checking. All other certificates of
the client certificate chain are provided. This option is “Off” by
default because there is a performance cost associated with
using it.
SSL_CLIENT_CERT_CHAIN_n
variables are in the following
order: SSL_CLIENT_CERT_CHAIN_0 is the intermediate CA
who signs SSL_CLIENT_CERT. SSL_CLIENT_CERT_CHAIN_1
is the intermediate CA who signs SSL_CLIENT_CERT_CHAIN_
0
, and so forth, with SSL_CLIENT_ROOT_CERT as the root CA.
■
FakeBasicAuth
: Translates the subject
of the client
certificate into an HTTP basic authorization
user name. This means that the standard HTTP server
authentication methods can be used for access control. Note that
no password is obtained from the user; the string ’password’ is
substituted.