When using SSL directives, you should consider the following: limiting encryption to 128 bits or higher, rewriting HTTP (port 80) requests to HTTPS (port 443), logging SSL request information in the access log, and enabling certificate revocation lists (CRL).
You should consider the following when you want to enable SSL directives in the IBM® HTTP Server httpd.conf configuration file:
- Limiting IBM HTTP Server to encrypt at only 128 bits or
higher. There are several ways to configure IBM HTTP
Server so that SSL allows only 128-bit browsers and
128-bit and 168-bit ciphers to access Web content. For complete information,
refer to Limiting IBM HTTP Server to encrypt at only
128 bits or higher.
- How to rewrite HTTP (port 80) requests to HTTPS (port 443). The mod_rewrite.c rewrite
module provided with IBM HTTP Server is an
effective way to automatically rewrite all HTTP requests to HTTPS.
For complete information, refer to How to rewrite HTTP (port 80) requests to HTTPS (port
443).
- Logging SSL request information in the access log for IBM HTTP
Server. The IBM HTTP Server implementation provides Secure
Sockets Layer (SSL) environment variables that can be written to the access log with
the LogFormat directive in the httpd.conf configuration
file. For complete information, refer to Logging SSL request information in the access log
for IBM HTTP Server.
- Enabling certificate revocation lists (CRL) in IBM HTTP
Server. Certificate revocation provides the ability to revoke
a client certificate given to the IBM HTTP
Server by the browser when the key is compromised or when access permission
to the key is revoked. A CRL is a database that contains a list
of certificates revoked before their scheduled expiration date. For
complete information, refer to SSL Certificate revocation list and Online Certificate Status Protocol.
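
The following httpd.conf fragment illustrates the rewrite and logging items above. It is an added example, not configuration taken from this page or from the IBM documentation. The `ssl_common` nickname and the log file path are assumed names, and the `HTTPS`, `HTTPS_CIPHER`, `HTTPS_KEYSIZE` and `HTTPS_SECRETKEYSIZE` variable names do not appear on this page, so check them against the logging topic for your release.

```apache
# Added example; the log nickname and log path are assumptions.

# --- Rewrite HTTP (port 80) requests to HTTPS (port 443) ---
LoadModule rewrite_module modules/mod_rewrite.so

RewriteEngine on
# Act only on requests that arrived on the clear-text port.
RewriteCond %{SERVER_PORT} =80
# Redirect the client to the same host and URI over HTTPS.
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

# --- Log SSL request information in the access log ---
# Appends the SSL state, negotiated cipher and key sizes to each entry so
# that connections using weaker ciphers than intended show up in review.
LogFormat "%h %l %u %t \"%r\" %>s %b \"SSL=%{HTTPS}e\" \"%{HTTPS_CIPHER}e\" \"%{HTTPS_KEYSIZE}e\" \"%{HTTPS_SECRETKEYSIZE}e\"" ssl_common
CustomLog logs/ssl_access_log ssl_common
```

Rewrite directives set in the main server context are not inherited by virtual hosts by default, so if port 80 is served from a `<VirtualHost>` block, place the three rewrite lines inside it.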