-LoadModule ssl_module lib/apache/libssl.so
-AddModule mod_ssl.c
+LoadModule ssl_module modules/libssl.so
+<IfModule mod_ssl.c>
##--------------------------------------------------------------------------
## Add additional SSL configuration directives which provide a
## robust default configuration: virtual server on port 443
##
## SSL Support
##
-## When we also provide SSL we have to listen to the
+## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
Listen 443
## the main server and all SSL-enabled virtual hosts.
##
-#
-# Some MIME-types for downloading Certificates and CRLs
-#
-AddType application/x-x509-ca-cert .crt
-AddType application/x-pkcs7-crl .crl
-
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
-SSLPassPhraseDialog builtin
+SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First either `none'
# or `dbm:/path/to/file' for the mechanism to use and
# second the expiring timeout (in seconds).
-#SSLSessionCache none
-#SSLSessionCache dbm:logs/ssl_scache
-SSLSessionCache shm:/var/run/ssl_scache(512000)
-SSLSessionCacheTimeout 300
+#SSLSessionCache none
+#SSLSessionCache dbm:logs/ssl_scache
+SSLSessionCache shm:/var/run/ssl_scache(512000)
+SSLSessionCacheTimeout 300
+
+# FOLLOW SECURE DEFAULTS: https://wiki.mozilla.org/Security/Server_Side_TLS
+
+# Usable SSL protocol flavors:
+# This directive can be used to control the SSL protocol flavors mod_ssl
+# should use when establishing its server environment. Clients then can only
+# connect with one of the provided protocols.
+SSLProtocol all -SSLv2 -SSLv3
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
# Semaphore:
# Configure the path to the mutual explusion semaphore the
-# SSL engine uses internally for inter-process synchronization.
+# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/var/run/ssl_mutex
# Pseudo Random Number Generator (PRNG):
-# Configure one or more sources to seed the PRNG of the
+# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
-#SSLRandomSeed startup file:/dev/random 512
+#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
-#SSLRandomSeed connect file:/dev/random 512
+#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
-# additionally duplicated in the general error log file. Put
+# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones include lower ones):
# none, error, warn, info, trace, debug.
-SSLLog /var/log/httpd/ssl_engine_log
+SSLLog logs/ssl_engine_log
SSLLogLevel info
<VirtualHost _default_:443>
SSLEngine on
#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-SSLCertificateFile /etc/httpd/server.crt
-SSLCertificateKeyFile /etc/httpd/server.key
-#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
-#SSLCACertificatePath /etc/httpd/conf/ssl.crt
-#SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
-#SSLCARevocationPath /etc/httpd/conf/ssl.crl
-#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl
+SSLCertificateFile /etc/apache/server.crt
+SSLCertificateKeyFile /etc/apache/server.key
+#SSLCertificateChainFile /etc/apache/conf/ssl.crt/ca.crt
+#SSLCACertificatePath /etc/apache/conf/ssl.crt
+#SSLCACertificateFile /etc/apache/conf/ssl.crt/ca-bundle.crt
+#SSLCARevocationPath /etc/apache/conf/ssl.crl
+#SSLCARevocationFile /etc/apache/conf/ssl.crl/ca-bundle.crl
#SSLVerifyClient require
-#SSLVerifyDepth 10
+#SSLVerifyDepth 10
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml)$">
- SSLOptions +StdEnvVars
+ SSLOptions +StdEnvVars
</Files>
-<Directory "/home/httpd/html/cgi-bin">
- SSLOptions +StdEnvVars
+<Directory "/home/services/apache/html/cgi-bin">
+ SSLOptions +StdEnvVars
</Directory>
-SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
-CustomLog /var/log/httpd/ssl_request_log \
- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-</VirtualHost>
+<IfModule mod_setenvif.c>
+ SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
+</IfModule>
+
+#<IfModule mod_log_config.c>
+# CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+# # enable common log too, otherwise you be suprised of no access logs
+# CustomLog logs/access_log common
+#</IfModule>
+
+</VirtualHost>
+
+</IfModule>
projects / packages / apache1-mod_ssl.git / blobdiff