<IfModule mod_ssl.c>
-#
-# Pseudo Random Number Generator (PRNG):
-# Configure one or more sources to seed the PRNG of the SSL library.
-# The seed data should be of good random quality.
-# WARNING! On some platforms /dev/random blocks if not enough entropy
-# is available. This means you then cannot use the /dev/random device
-# because it would lead to very long connection times (as long as
-# it requires to make more entropy available). But usually those
-# platforms additionally provide a /dev/urandom device which doesn't
-# block. So, if available, use this one instead. Read the mod_ssl User
-# Manual for more details.
-#
-SSLRandomSeed startup builtin
-SSLRandomSeed startup file:/dev/urandom 512
-SSLRandomSeed connect builtin
-SSLRandomSeed connect file:/dev/urandom 512
-
-##
-## SSL Global Context
-##
-## All SSL configuration in this context applies both to
-## the main server and all SSL-enabled virtual hosts.
-##
-
-#
-# Some MIME-types for downloading Certificates and CRLs
-#
-AddType application/x-x509-ca-cert .crt
-AddType application/x-pkcs7-crl .crl
-
-# Pass Phrase Dialog:
-# Configure the pass phrase gathering process.
-# The filtering dialog program (`builtin' is a internal
-# terminal dialog) has to provide the pass phrase on stdout.
-SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
-
-# Inter-Process Session Cache:
-# Configure the SSL Session Cache: First the mechanism
-# to use and second the expiring timeout (in seconds).
-# (The mechanism dbm has known memory leaks and should not be used).
-#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
-SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
-SSLSessionCacheTimeout 300
-
-# Semaphore:
-# Configure the path to the mutual exclusion semaphore the
-# SSL engine uses internally for inter-process synchronization.
-# (Disabled by default, the global Mutex directive consolidates by default
-# this)
-#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
-
-# SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate.
-# See the mod_ssl documentation for a complete list.
-# enable only secure ciphers:
-#SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5
-
-# Intermediate compatibility from https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29:
-SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
-SSLHonorCipherOrder on
-# Use this instead if you want to allow cipher upgrades via SGC facility.
-# In this case you also have to use something like
-# SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
-# see http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.en#upgradeenc
-#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-
-# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
-SSLProtocol all -SSLv2 -SSLv3
-
-# Compression is rarely supported and vulnerable, see CRIME attack
-SSLCompression Off
-
-# Allow insecure renegotiation with clients which do not yet support the
-# secure renegotiation protocol. Default: Off
-#SSLInsecureRenegotiation on
-
-# Whether to forbid non-SNI clients to access name based virtual hosts.
-# Default: Off
-#SSLStrictSNIVHostCheck On
+
+ # Pseudo Random Number Generator (PRNG):
+ # Configure one or more sources to seed the PRNG of the SSL library.
+ # The seed data should be of good random quality.
+ # WARNING! On some platforms /dev/random blocks if not enough entropy
+ # is available. This means you then cannot use the /dev/random device
+ # because it would lead to very long connection times (as long as
+ # it requires to make more entropy available). But usually those
+ # platforms additionally provide a /dev/urandom device which doesn't
+ # block. So, if available, use this one instead. Read the mod_ssl User
+ # Manual for more details.
+ #
+ SSLRandomSeed startup builtin
+ SSLRandomSeed startup file:/dev/urandom 512
+ SSLRandomSeed connect builtin
+ SSLRandomSeed connect file:/dev/urandom 512
+
+ ##
+ ## SSL Global Context
+ ##
+ ## All SSL configuration in this context applies both to
+ ## the main server and all SSL-enabled virtual hosts.
+ ##
+
+ #
+ # Some MIME-types for downloading Certificates and CRLs
+ #
+ AddType application/x-x509-ca-cert .crt
+ AddType application/x-pkcs7-crl .crl
+
+ # Pass Phrase Dialog:
+ # Configure the pass phrase gathering process.
+ # The filtering dialog program (`builtin' is a internal
+ # terminal dialog) has to provide the pass phrase on stdout.
+ SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
+
+ # Inter-Process Session Cache:
+ # Configure the SSL Session Cache: First the mechanism
+ # to use and second the expiring timeout (in seconds).
+ # (The mechanism dbm has known memory leaks and should not be used).
+ #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
+ SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
+ SSLSessionCacheTimeout 300
+
+ # Semaphore:
+ # Configure the path to the mutual exclusion semaphore the
+ # SSL engine uses internally for inter-process synchronization.
+ # (Disabled by default, the global Mutex directive consolidates by default
+ # this)
+ #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
+
+
+ # SSL Cipher Suite:
+ # List the ciphers that the client is permitted to negotiate. See the
+ # ciphers(1) man page from the openssl package for list of all available
+ # options.
+ # Enable only secure ciphers:
+ #SSLCipherSuite HIGH:!aNULL
+
+ # Intermediate compatibility from https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29:
+ # intermediate configuration
+ SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+ SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+ SSLHonorCipherOrder off
+ SSLSessionTickets off
+
+ SSLUseStapling On
+ SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
+
+ # SSL server cipher order preference:
+ # Use server priorities for cipher algorithm choice.
+ # Clients may prefer lower grade encryption. You should enable this
+ # option if you want to enforce stronger encryption, and can afford
+ # the CPU cost, and did not override SSLCipherSuite in a way that puts
+ # insecure ciphers first.
+ # Default: Off
+ #SSLHonorCipherOrder on
+
+ # The protocols to enable.
+ # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+ # SSL v2 is no longer supported
+ #SSLProtocol all -SSLv3
+
+ # Compression is rarely supported and vulnerable, see CRIME attack
+ SSLCompression Off
+
+ # Allow insecure renegotiation with clients which do not yet support the
+ # secure renegotiation protocol. Default: Off
+ #SSLInsecureRenegotiation on
+
+ # Whether to forbid non-SNI clients to access name based virtual hosts.
+ # Default: Off
+ #SSLStrictSNIVHostCheck On
</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
projects / sysconfig / apache2.git / commitdiff