X-Git-Url: https://dehnerts.com/gitweb/?a=blobdiff_plain;f=mods-available%2Fssl.conf;fp=mods-available%2Fssl.conf;h=79f5a12869e7a1a4488a5dbcd92455be37428c08;hb=13d64a00b526b5b5c3dca9fab2a1e59bad9489d8;hp=1e4ce40c445994cbfa0e1fbd38f1312039f475ad;hpb=054188200e8677710a0be31e9114b2ab2aa0a966;p=sysconfig%2Fapache2.git
diff --git a/mods-available/ssl.conf b/mods-available/ssl.conf
index 1e4ce40..79f5a12 100644
--- a/mods-available/ssl.conf
+++ b/mods-available/ssl.conf
@@ -33,25 +33,26 @@ AddType application/x-pkcs7-crl .crl
 # Configure the pass phrase gathering process.
 # The filtering dialog program (`builtin' is a internal
 # terminal dialog) has to provide the pass phrase on stdout.
-SSLPassPhraseDialog builtin
+SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
 
 # Inter-Process Session Cache:
 # Configure the SSL Session Cache: First the mechanism
 # to use and second the expiring timeout (in seconds).
-#SSLSessionCache dbm:/var/run/apache2/ssl_scache
-SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)
+# (The mechanism dbm has known memory leaks and should not be used).
+#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
+SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
 SSLSessionCacheTimeout 300
 
 # Semaphore:
 # Configure the path to the mutual exclusion semaphore the
 # SSL engine uses internally for inter-process synchronization.
-SSLMutex file:/var/run/apache2/ssl_mutex
+SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex
 
 # SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
 # See the mod_ssl documentation for a complete list.
 # enable only secure ciphers:
-SSLCipherSuite HIGH:MEDIUM:!ADH
+SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5
 # Use this instead if you want to allow cipher upgrades via SGC facility.
 # In this case you also have to use something like
 # SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
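Review bot: `!ADH` in the new `SSLCipherSuite` line excludes only anonymous DH; `!aNULL` covers every anonymous key exchange, including anonymous ECDH, and is the usual spelling — `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5`. Because the list still admits MEDIUM, pairing it with `SSLHonorCipherOrder on` lets the server's preference rather than the client's decide which of the permitted ciphers is negotiated. Separately, the helper named by the new `SSLPassPhraseDialog exec:` line runs with the privileges of the process that starts Apache, so its ownership and permissions deserve the same scrutiny as the key files it unlocks. The `${APACHE_RUN_DIR}` substitutions for the session cache and mutex presumably rely on that variable being exported by the startup environment (Debian's envvars does this); if it is not, the paths will not resolve as intended.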
@@ -61,4 +62,12 @@ SSLCipherSuite HIGH:MEDIUM:!ADH
 # enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
 SSLProtocol all -SSLv2
 
+# Allow insecure renegotiation with clients which do not yet support the
+# secure renegotiation protocol. Default: Off
+#SSLInsecureRenegotiation on
+
+# Whether to forbid non-SNI clients to access name based virtual hosts.
+# Default: Off
+#SSLStrictSNIVHostCheck On
+
 
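Review bot: The `SSLProtocol all -SSLv2` line kept as context still permits SSLv3, and since this hunk is adding hardening-related directives right beneath it, `SSLProtocol all -SSLv2 -SSLv3` is the natural place to tighten it. Leaving both new directives commented out is the right default, but the `#SSLInsecureRenegotiation on` entry would benefit from stating why it should stay off, e.g. `# Re-enables the renegotiation weakness closed by the secure renegotiation extension (RFC 5746); leave off unless a known legacy client requires it.` `SSLStrictSNIVHostCheck On` is worth enabling on hosts where every vhost is name-based, so a non-SNI client receives an error instead of silently being served the default vhost. Whether the file ends here or an enclosing `<IfModule>` block follows is outside the hunk.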