TLSOptions [ [ AllowDotLogin ] [ AllowPerUser ] [ ExportCertData ] [ NoCertRequest ] [ StdEnvVars ] [ dNSNameRequired ] [ iPAddressRequired ] ]
Default
None
Context
server config, <Global>, <VirtualHost>
Module
mod_tls
Compatibility
1.2.7rc1 and later
The TLSOptions directive is used to configure various optional behavior of mod_tls. The currently implemented options are:
AllowDotLogin
By default, mod_tls still requires that a user supply a password for authentication, even if a valid client certificate is presented. If this option is enabled, mod_tls will check the user's home directory for a .tlslogin file, which should contain one or more PEM-encoded certificates. If the certificate presented by the client, if any, matches a certificate in this .tlslogin file, the user will be considered authenticated. The server will still prompt for a password, and if the user's .tlslogin does not exist, or does not contain the client's certificate, then the server will fall back to using the password for authentication.
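As an added illustration of the matching rule described above (example code written for this page, not mod_tls's own implementation), the following Python emulates the AllowDotLogin decision: every CERTIFICATE block in .tlslogin is decoded to DER and compared by SHA-256 fingerprint against the single certificate the client presented, so differences in line wrapping between the two PEM copies do not matter, while any difference in the certificate bytes does. The "certificates" are constructed placeholder byte strings, not real X.509 structures; only the PEM framing and comparison logic are exercised.

```python
import base64
import hashlib
import re

# One PEM certificate block; DOTALL lets the base64 body span several lines.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem_text):
    """Return the DER bytes of every CERTIFICATE block in pem_text, in order.

    Whitespace inside the base64 body is ignored, so the same certificate
    wrapped at 64 or at 76 columns decodes to identical bytes.
    """
    ders = []
    for body in _PEM_RE.findall(pem_text):
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    return ders


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, colon separated like openssl."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def tlslogin_matches(tlslogin_text, presented_pem):
    """Emulate the AllowDotLogin decision.

    True only if the client presented exactly one certificate and it is
    byte-for-byte one of the certificates listed in .tlslogin. Any other
    case (no certificate, empty or missing file, no match) is False, which
    corresponds to mod_tls falling back to password authentication.
    """
    presented = pem_to_der(presented_pem)
    if len(presented) != 1:
        return False
    allowed = {fingerprint(der) for der in pem_to_der(tlslogin_text)}
    return fingerprint(presented[0]) in allowed


def make_pem(der, width=64):
    """Wrap DER bytes in PEM armour at the given line width (helper)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample "certificates": opaque bytes standing in for DER.
ALICE_DER = b"\x30\x82" + b"constructed-cert-alice" * 6
ALICE_BACKUP_DER = b"\x30\x82" + b"constructed-cert-alice-2" * 6
OTHER_DER = b"\x30\x82" + b"constructed-cert-other" * 6

# Constructed ~/.tlslogin for user alice: her two acceptable certificates.
ALICE_TLSLOGIN = make_pem(ALICE_DER) + make_pem(ALICE_BACKUP_DER)

if __name__ == "__main__":
    # Same certificate, but the client re-wrapped it at 76 columns: still a match.
    print(tlslogin_matches(ALICE_TLSLOGIN, make_pem(ALICE_DER, width=76)))
    print(tlslogin_matches(ALICE_TLSLOGIN, make_pem(OTHER_DER)))
```

Comparing decoded DER rather than the PEM text is the point: a byte-identical certificate is accepted however it was wrapped, and a certificate that merely shares a subject name with an entry in .tlslogin is not.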
AllowPerUser
This option affects how mod_tls evaluates any TLSRequired directives. Usually mod_tls will reject any FTP commands, when TLSRequired on or TLSRequired ctrl is in effect, if the client has not successfully negotiated an SSL/TLS handshake. The FTPS specification requires that the SSL/TLS handshake occur, via the AUTH FTP command, before the USER and PASS commands. This means that mod_tls does not know the identity of the connecting client when enforcing TLSRequired. If AllowPerUser is used, mod_tls will wait until after the PASS command has been processed to enforce any TLSRequired settings.
Important: if AllowPerUser is used, even if TLSRequired on or TLSRequired ctrl are in effect, it will be possible for the connecting client to send usernames and passwords unprotected before mod_tls rejects the connection. This results in a slightly weaker security policy enforcement; please consider carefully if this tradeoff is acceptable for your site.
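To make the tradeoff concrete, here is an added audit helper (example code for this page, not part of ProFTPD) that walks a server-side command log and reports sessions in which USER or PASS arrived before the client issued AUTH TLS, or in which AUTH TLS never arrived at all; those are exactly the credentials that crossed the wire unprotected under AllowPerUser. The capture below is constructed, and the assumed format is a list of (session id, direction, command line) tuples; passwords are redacted before they are reported so the audit output itself does not become a second leak.

```python
from collections import defaultdict

# Constructed server-side command log. Direction "C" is a client command,
# "S" a server reply. Session s2 is the AllowPerUser case the text warns
# about: credentials are sent, then the connection is rejected.
CONSTRUCTED_CAPTURE = [
    ("s1", "C", "AUTH TLS"),
    ("s1", "S", "234 AUTH TLS successful"),
    ("s1", "C", "USER alice"),
    ("s1", "C", "PASS correct-horse"),
    ("s2", "C", "USER bob"),
    ("s2", "C", "PASS battery-staple"),
    ("s2", "S", "550 SSL/TLS required on the control channel"),
    ("s3", "C", "USER carol"),
    ("s3", "C", "AUTH TLS"),
    ("s3", "S", "234 AUTH TLS successful"),
    ("s3", "C", "PASS tr0ub4dor"),
]

# Arguments to AUTH that start a TLS/SSL handshake on the control channel.
_AUTH_MECHANISMS = {"TLS", "TLS-C", "TLS-P", "SSL"}


def redact(command):
    """Hide the argument of PASS so reports never contain a password."""
    verb, _, _arg = command.partition(" ")
    if verb.upper() == "PASS":
        return "PASS ****"
    return command


def cleartext_credentials(capture):
    """Return {session: [commands]} for every USER/PASS that was sent before
    the session had negotiated TLS via AUTH. An empty dict means every
    credential in the capture was protected."""
    secured = set()
    exposed = defaultdict(list)
    for session, direction, command in capture:
        if direction != "C":
            continue
        verb, _, arg = command.partition(" ")
        verb = verb.upper()
        if verb == "AUTH" and arg.strip().upper() in _AUTH_MECHANISMS:
            secured.add(session)
        elif verb in ("USER", "PASS") and session not in secured:
            exposed[session].append(redact(command))
    return dict(exposed)


if __name__ == "__main__":
    for session, commands in cleartext_credentials(CONSTRUCTED_CAPTURE).items():
        print(session, "sent unprotected:", ", ".join(commands))
```

Session s1 is clean, s2 shows both the username and (redacted) password exposed before rejection, and s3 shows a client that sent USER in the clear and only then negotiated TLS, so the username alone leaked.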
ExportCertData
Sets the following environment variables, if applicable. Note that doing so increases the memory size of the process quite a bit:
NoCertRequest
Some FTP clients are known to be buggy when handling a server's certificate request. This option causes the server not to include such a request during an SSL handshake.
StdEnvVars
Sets the following environment variables, if applicable. These environment variables are then available for use, such as in LogFormats. Note that doing so increases the memory size of the process quite a bit:
Table 1-2. Environment variables
| Variable | Description |
| --- | --- |
| FTPS | Present if FTP over SSL/TLS is being used |
| TLS_PROTOCOL | SSL protocol version (e.g. SSLv3, TLSv1) |
| TLS_SESSION_ID | Hex-encoded SSL session ID |
| TLS_CIPHER | Cipher specification name |
| TLS_CIPHER_EXPORT | Present if cipher is an export cipher |
| TLS_CIPHER_KEYSIZE_POSSIBLE | Number of cipher bits possible |
| TLS_CIPHER_KEYSIZE_USED | Number of cipher bits used |
| TLS_LIBRARY_VERSION | OpenSSL version |
| TLS_CLIENT_M_VERSION | Client certificate version |
| TLS_CLIENT_M_SERIAL | Client certificate serial number |
| TLS_CLIENT_S_DN | Subject DN of client certificate |
| TLS_CLIENT_S_DN_x509 | Component of client certificate's Subject DN, where x509 is a component of an X509 DN: C,CN,D,I,G,L,O,OU,S,ST,T,UID,Email |
| TLS_CLIENT_I_DN | Issuer DN of client certificate |
| TLS_CLIENT_I_DN_x509 | Component of client certificate's Issuer DN, where x509 is a component of an X509 DN: C,CN,D,I,G,L,O,OU,S,ST,T,UID,Email |
| TLS_CLIENT_V_START | Start time of client certificate validity |
| TLS_CLIENT_V_END | End time of client certificate validity |
| TLS_CLIENT_A_SIG | Client certificate's signature algorithm |
| TLS_CLIENT_A_KEY | Client certificate's public key algorithm |
| TLS_CLIENT_CERT | Client certificate, PEM-encoded |
| TLS_CLIENT_CERT_CHAINn | PEM-encoded certificates in client certificate chain |
| TLS_SERVER_M_VERSION | Server certificate version |
| TLS_SERVER_M_SERIAL | Server certificate serial number |
| TLS_SERVER_S_DN | Subject DN of server certificate |
| TLS_SERVER_S_DN_x509 | Component of server certificate's Subject DN, where x509 is a component of an X509 DN: C,CN,D,I,G,L,O,OU,S,ST,T,UID,Email |
| TLS_SERVER_I_DN | Issuer DN of server certificate |
| TLS_SERVER_I_DN_x509 | Component of server certificate's Issuer DN, where x509 is a component of an X509 DN: C,CN,D,I,G,L,O,OU,S,ST,T,UID,Email |
| TLS_SERVER_V_START | Start time of server certificate validity |
| TLS_SERVER_V_END | End time of server certificate validity |
| TLS_SERVER_A_SIG | Server certificate's signature algorithm |
| TLS_SERVER_A_KEY | Server certificate's public key algorithm |
| TLS_SERVER_CERT | Server certificate, PEM-encoded |
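One practical use of these variables is auditing what the server actually negotiated. The added Python below (example code for this page, not a ProFTPD tool) assumes that StdEnvVars is enabled and that a LogFormat writes the variables as key=value fields, roughly `ip=%a user=%u proto=%{TLS_PROTOCOL}e cipher=%{TLS_CIPHER}e bits=%{TLS_CIPHER_KEYSIZE_USED}e export=%{TLS_CIPHER_EXPORT}e client_dn="%{TLS_CLIENT_S_DN}e"`, with an unset variable appearing as "-"; both the format and the log lines are constructed. It then flags sessions that used an obsolete protocol, an export cipher, a short key, no client certificate, or no TLS at all.

```python
import re

# Constructed log lines in the assumed key=value LogFormat described above.
CONSTRUCTED_LOG = """\
ip=192.0.2.10 user=alice proto=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 export=- client_dn="/C=US/O=Example/CN=alice"
ip=192.0.2.11 user=bob proto=SSLv3 cipher=DES-CBC3-SHA bits=168 export=- client_dn="-"
ip=192.0.2.12 user=carol proto=TLSv1 cipher=EXP-RC4-MD5 bits=40 export=1 client_dn="-"
ip=192.0.2.13 user=dave proto=- cipher=- bits=- export=- client_dn="-"
"""

# key=value where value is either a double-quoted string (the DN may contain
# spaces) or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
MIN_BITS = 128


def parse_line(line):
    """Split one log line into a dict; a "-" value means the variable was unset."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if value.startswith('"'):
            value = value[1:-1]
        fields[key] = None if value == "-" else value
    return fields


def audit(log_text):
    """Return a list of (user, finding) pairs for every session worth a look."""
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        user = f.get("user")
        if not f.get("proto"):
            # TLS_PROTOCOL unset: the control channel was never protected.
            findings.append((user, "no TLS on control channel"))
            continue
        if f["proto"] in WEAK_PROTOCOLS:
            findings.append((user, f"obsolete protocol {f['proto']}"))
        if f.get("export"):
            findings.append((user, f"export-grade cipher {f.get('cipher')}"))
        bits = f.get("bits")
        if bits is not None and int(bits) < MIN_BITS:
            findings.append((user, f"cipher uses only {bits} bits"))
        if not f.get("client_dn"):
            findings.append((user, "no client certificate presented"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(CONSTRUCTED_LOG):
        print(f"{user}: {finding}")
```

Run over the constructed lines, alice's session produces no findings, bob's is flagged for SSLv3 and for lacking a client certificate, carol's for an export cipher and a 40-bit key as well as the missing certificate, and dave's for plain FTP.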
dNSNameRequired
This option will cause mod_tls to perform checks on a client's certificate once the SSL handshake has been completed: the client's certificate will be searched for the subjectAltName X509v3 extension, and, in that extension, the dNSName value will be looked up. Unless a dNSName value is present, and the value matches the DNS name to which the client's IP address resolves, the SSL session is closed. This check is only performed during SSL handshakes on the control channel. Note that if UseReverseDNS is off, this option is automatically disabled.
iPAddressRequired
This option will cause mod_tls to perform checks on a client's certificate once the SSL handshake has been completed: the client's certificate will be searched for the subjectAltName X509v3 extension, and, in that extension, the iPAddress value will be looked up. Unless an iPAddress value is present, and the value matches the IP address of the client, the SSL session is closed. This check is only performed during SSL handshakes on the control channel.
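The dNSNameRequired and iPAddressRequired checks described above share one decision rule, shown here as an added Python example (written for this page, not mod_tls's code). Extracting the subjectAltName extension from the certificate is assumed to have been done already; the function takes the extension as a list of (type, value) pairs together with the client's IP address and the name it resolves to. Two assumptions not stated on the page are made explicit in the code: DNS names are compared case-insensitively and without a trailing dot, and IP addresses are compared after parsing, so `2001:DB8::1` and `2001:db8:0:0:0:0:0:1` match. The UseReverseDNS-off caveat is honoured by skipping the dNSName check entirely.

```python
import ipaddress


def check_client_san(san_entries, client_ip, reverse_dns_name, *,
                     use_reverse_dns=True, dns_name_required=False,
                     ip_address_required=False):
    """Decide whether the session survives the TLSOptions SAN checks.

    san_entries: list of (type, value) from subjectAltName, e.g.
        [("dNSName", "client.example.org"), ("iPAddress", "192.0.2.10")]
    Returns (accept, reason). With neither option enabled the session is
    always accepted here; password or .tlslogin authentication still follows.
    """
    # dNSNameRequired is automatically disabled when UseReverseDNS is off,
    # because the name the client's address resolves to is then unknown.
    if dns_name_required and use_reverse_dns:
        names = {v.lower().rstrip(".") for t, v in san_entries if t == "dNSName"}
        wanted = (reverse_dns_name or "").lower().rstrip(".")
        if not wanted:
            return False, "dNSNameRequired: client address has no reverse DNS name"
        if not names:
            return False, "dNSNameRequired: no dNSName in subjectAltName"
        if wanted not in names:
            return False, f"dNSNameRequired: {wanted!r} not among dNSName entries"

    if ip_address_required:
        try:
            client = ipaddress.ip_address(client_ip)
        except ValueError:
            return False, f"iPAddressRequired: unparsable client address {client_ip!r}"
        addrs = set()
        for t, v in san_entries:
            if t != "iPAddress":
                continue
            try:
                addrs.add(ipaddress.ip_address(v))
            except ValueError:
                continue  # a malformed iPAddress entry can never match
        if not addrs:
            return False, "iPAddressRequired: no iPAddress in subjectAltName"
        if client not in addrs:
            return False, f"iPAddressRequired: {client} not among iPAddress entries"

    return True, "accepted"


if __name__ == "__main__":
    # Constructed subjectAltName of a client certificate.
    san = [("dNSName", "Client.Example.Org"), ("iPAddress", "2001:db8::1")]
    print(check_client_san(san, "2001:DB8:0:0:0:0:0:1", "client.example.org.",
                           dns_name_required=True, ip_address_required=True))
    print(check_client_san(san, "192.0.2.10", "client.example.org",
                           ip_address_required=True))
```

The reason string is what a defender wants in the log when a session is closed: it distinguishes a certificate that simply lacks the extension from one whose entries do not match this client, which points at different misconfigurations.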