436d9fbf |
1 | <IfModule mod_ssl.c> |
2 | |
3 | # Pseudo Random Number Generator (PRNG): |
4 | # Configure one or more sources to seed the PRNG of the SSL library. |
5 | # The seed data should be of good random quality. |
6 | # WARNING! On some platforms /dev/random blocks if not enough entropy |
7 | # is available. This means you then cannot use the /dev/random device |
8 | # because it would lead to very long connection times (as long as |
9 | # it requires to make more entropy available). But usually those |
10 | # platforms additionally provide a /dev/urandom device which doesn't |
11 | # block. So, if available, use this one instead. Read the mod_ssl User |
12 | # Manual for more details. |
13 | # |
14 | SSLRandomSeed startup builtin |
15 | SSLRandomSeed startup file:/dev/urandom 512 |
16 | SSLRandomSeed connect builtin |
17 | SSLRandomSeed connect file:/dev/urandom 512 |
18 | |
19 | ## |
20 | ## SSL Global Context |
21 | ## |
22 | ## All SSL configuration in this context applies both to |
23 | ## the main server and all SSL-enabled virtual hosts. |
24 | ## |
25 | |
26 | # |
27 | # Some MIME-types for downloading Certificates and CRLs |
28 | # |
29 | AddType application/x-x509-ca-cert .crt |
30 | AddType application/x-pkcs7-crl .crl |
31 | |
32 | # Pass Phrase Dialog: |
33 | # Configure the pass phrase gathering process. |
34 | # The filtering dialog program (`builtin' is a internal |
35 | # terminal dialog) has to provide the pass phrase on stdout. |
09c20003 |
36 | SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase |
436d9fbf |
37 | |
38 | # Inter-Process Session Cache: |
39 | # Configure the SSL Session Cache: First the mechanism |
40 | # to use and second the expiring timeout (in seconds). |
41 | # (The mechanism dbm has known memory leaks and should not be used). |
42 | #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache |
43 | SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) |
44 | SSLSessionCacheTimeout 300 |
45 | |
46 | # Semaphore: |
47 | # Configure the path to the mutual exclusion semaphore the |
48 | # SSL engine uses internally for inter-process synchronization. |
49 | # (Disabled by default, the global Mutex directive consolidates by default |
50 | # this) |
51 | #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache |
52 | |
53 | |
54 | # SSL Cipher Suite: |
55 | # List the ciphers that the client is permitted to negotiate. See the |
56 | # ciphers(1) man page from the openssl package for list of all available |
57 | # options. |
58 | # Enable only secure ciphers: |
09c20003 |
59 | SSLCipherSuite HIGH:!aNULL |
436d9fbf |
60 | |
09c20003 |
61 | # SSL server cipher order preference: |
62 | # Use server priorities for cipher algorithm choice. |
63 | # Clients may prefer lower grade encryption. You should enable this |
64 | # option if you want to enforce stronger encryption, and can afford |
65 | # the CPU cost, and did not override SSLCipherSuite in a way that puts |
66 | # insecure ciphers first. |
67 | # Default: Off |
436d9fbf |
68 | #SSLHonorCipherOrder on |
69 | |
70 | # The protocols to enable. |
71 | # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2 |
72 | # SSL v2 is no longer supported |
09c20003 |
73 | SSLProtocol all -SSLv3 |
436d9fbf |
74 | |
75 | # Allow insecure renegotiation with clients which do not yet support the |
76 | # secure renegotiation protocol. Default: Off |
77 | #SSLInsecureRenegotiation on |
78 | |
79 | # Whether to forbid non-SNI clients to access name based virtual hosts. |
80 | # Default: Off |
81 | #SSLStrictSNIVHostCheck On |
82 | |
83 | </IfModule> |
84 | |
85 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet |