X-Git-Url: https://dehnerts.com/gitweb/?a=blobdiff_plain;f=mods-available%2Fssl.conf;h=a3d7a76a960d80ff178b7dc73cbcf778decc7e0e;hb=3155f712d7a0d0d13871334e8bcb6d562a7a08eb;hp=1e4ce40c445994cbfa0e1fbd38f1312039f475ad;hpb=c1c14e8db7d9ac7055affb2cdab504ec8ed5687f;p=sysconfig%2Fapache2.git diff --git a/mods-available/ssl.conf b/mods-available/ssl.conf index 1e4ce40..a3d7a76 100644 --- a/mods-available/ssl.conf +++ b/mods-available/ssl.conf @@ -33,25 +33,32 @@ AddType application/x-pkcs7-crl .crl # Configure the pass phrase gathering process. # The filtering dialog program (`builtin' is a internal # terminal dialog) has to provide the pass phrase on stdout. -SSLPassPhraseDialog builtin +SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase # Inter-Process Session Cache: # Configure the SSL Session Cache: First the mechanism # to use and second the expiring timeout (in seconds). -#SSLSessionCache dbm:/var/run/apache2/ssl_scache -SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000) +# (The mechanism dbm has known memory leaks and should not be used). +#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache +SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) SSLSessionCacheTimeout 300 # Semaphore: # Configure the path to the mutual exclusion semaphore the # SSL engine uses internally for inter-process synchronization. -SSLMutex file:/var/run/apache2/ssl_mutex +# (Disabled by default, the global Mutex directive consolidates by default +# this) +#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. # enable only secure ciphers: -SSLCipherSuite HIGH:MEDIUM:!ADH +#SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5 + +# Intermediate compatibility from https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29: +SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA +SSLHonorCipherOrder on # Use this instead if you want to allow cipher upgrades via SGC facility. # In this case you also have to use something like # SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 @@ -59,6 +66,17 @@ SSLCipherSuite HIGH:MEDIUM:!ADH #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL # enable only secure protocols: SSLv3 and TLSv1, but not SSLv2 -SSLProtocol all -SSLv2 +SSLProtocol all -SSLv2 -SSLv3 + +# Compression is rarely supported and vulnerable, see CRIME attack +SSLCompression Off + +# Allow insecure renegotiation with clients which do not yet support the +# secure renegotiation protocol. Default: Off +#SSLInsecureRenegotiation on + +# Whether to forbid non-SNI clients to access name based virtual hosts. +# Default: Off +#SSLStrictSNIVHostCheck On