Overview
Apache Versions
* In general, OHS shipped with OAS 10g is based on Apache 1.3.
* If you installed stand-alone OHS from the OAS 10g Companion CD, it is based on Apache 2.0.
* See this file for details on what Apache versions are shipped with OAS 10g.
* See this post on how to find Apache Version.
* Sample output from bundled OHS (based on Apache 1.3):
    Apache Version       Oracle-Application-Server-10g/10.1.3.5.0 Oracle-HTTP-Server
    Apache Release       10334100
    Apache API Version   19990320
* Sample output from stand-alone OHS (based on Apache 2.0):
    Apache Version       Oracle-Application-Server-10g/10.1.3.5.0 Oracle-HTTP-Server
    Apache API Version   20020903
Caveats
* Both Apache 1.3 and 2.0 based OHS installs come with mod_ossl, NOT mod_ssl. mod_ossl is a modified version of mod_ssl from Oracle.
* OHS comes with an undocumented(?) directive named SSLCRLCheck. It needs to be set to On for CRL support.
    SSLCRLCheck On
* For OHS based on Apache 1.3 (bundled), expired CRL files are used by default.
* For OHS based on Apache 2.0 (stand-alone), expired CRLs are NOT used by default.
Setup
* Follow this post to set up server-side SSL, client-side SSL and CRL support.
* You need to set SSLCRLCheck to On for CRL support.
* For example, in ssl.conf:
    SSLEngine on
    SSLWallet file:/opt/oracle/ohs/conf/ssl.wlt/wallet1
    SSLVerifyClient require
    SSLCRLCheck On
    #SSLCARevocationFile /opt/oracle/ohs/conf/ssl.crl1/exampleca.crl
    SSLCARevocationPath /opt/oracle/ohs/conf/ssl.crl1/
* Oddly, you need to change the file name extension from r0 to rN for CRL checking to work.
    bash-3.00$ pwd
    /opt/oracle/ohs/conf/ssl.crl1
    bash-3.00$ ls
    513cbb9e.rN  Makefile  exampleca.crl
* As mentioned before, for stand-alone OHS, CRL files need to be current. Expired CRL files are ignored.
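The setup points above can be checked mechanically. The following Python sketch is an added example, not part of the original post or of OHS: it audits an ssl.conf fragment for the CRL directives, looks for hash files that still carry the r0 extension, and tests a CRL's nextUpdate line as printed by `openssl crl -noout -nextupdate`. The function names, the eight-hex-digit hash file pattern (taken from the 513cbb9e.rN listing) and the sample configuration are assumptions.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Constructed sample: the page's ssl.conf with the CRL check commented out.
SAMPLE_CONF = """\
SSLVerifyClient require
#SSLCRLCheck On
SSLCARevocationPath /opt/oracle/ohs/conf/ssl.crl1/
"""

def parse_directives(conf_text):
    """Return {lowercased directive: value}, skipping blank and comment lines."""
    found = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1) + [""]
            found[parts[0].lower()] = parts[1].strip()
    return found

def crl_expired(nextupdate_line, now):
    """Parse a 'nextUpdate=... GMT' line and compare it with naive UTC 'now'."""
    stamp = nextupdate_line.split("=", 1)[1].strip()
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z") < now

def audit(conf_text, crl_dir=None):
    """Return the CRL setup problems found; crl_dir overrides SSLCARevocationPath."""
    d = parse_directives(conf_text)
    problems = []
    if d.get("sslverifyclient", "").lower() != "require":
        problems.append("SSLVerifyClient is not 'require'")
    if d.get("sslcrlcheck", "").lower() != "on":
        problems.append("SSLCRLCheck is not On")
    path = crl_dir or d.get("sslcarevocationpath")
    if path is None:
        problems.append("SSLCARevocationPath is not set")
    else:
        names = [p.name for p in Path(path).iterdir()] if Path(path).is_dir() else []
        if any(re.fullmatch(r"[0-9a-f]{8}\.r0", n) for n in names):
            problems.append("hash file still ends in .r0; rename to .rN")
        if not any(re.fullmatch(r"[0-9a-f]{8}\.rN", n) for n in names):
            problems.append("no <hash>.rN file in the CRL directory")
    return problems

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # stand-in CRL directory
        Path(tmp, "513cbb9e.r0").touch()
        print(audit(SAMPLE_CONF, tmp))
```

On stand-alone OHS a true result from crl_expired means the CRL is being ignored, so it is worth running against every file in the revocation directory on a schedule.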