436d9fbf |
1 | <IfModule mod_ssl.c> |
2 | |
3 | # Pseudo Random Number Generator (PRNG): |
4 | # Configure one or more sources to seed the PRNG of the SSL library. |
5 | # The seed data should be of good random quality. |
6 | # WARNING! On some platforms /dev/random blocks if not enough entropy |
7 | # is available. This means you then cannot use the /dev/random device |
8 | # because it would lead to very long connection times (as long as |
9 | # it requires to make more entropy available). But usually those |
10 | # platforms additionally provide a /dev/urandom device which doesn't |
11 | # block. So, if available, use this one instead. Read the mod_ssl User |
12 | # Manual for more details. |
13 | # |
14 | SSLRandomSeed startup builtin |
15 | SSLRandomSeed startup file:/dev/urandom 512 |
16 | SSLRandomSeed connect builtin |
17 | SSLRandomSeed connect file:/dev/urandom 512 |
18 | |
19 | ## |
20 | ## SSL Global Context |
21 | ## |
22 | ## All SSL configuration in this context applies both to |
23 | ## the main server and all SSL-enabled virtual hosts. |
24 | ## |
25 | |
26 | # |
27 | # Some MIME-types for downloading Certificates and CRLs |
28 | # |
29 | AddType application/x-x509-ca-cert .crt |
30 | AddType application/x-pkcs7-crl .crl |
31 | |
32 | # Pass Phrase Dialog: |
33 | # Configure the pass phrase gathering process. |
34 | # The filtering dialog program (`builtin' is a internal |
35 | # terminal dialog) has to provide the pass phrase on stdout. |
36 | SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase |
37 | |
38 | # Inter-Process Session Cache: |
39 | # Configure the SSL Session Cache: First the mechanism |
40 | # to use and second the expiring timeout (in seconds). |
41 | # (The mechanism dbm has known memory leaks and should not be used). |
42 | #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache |
43 | SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) |
44 | SSLSessionCacheTimeout 300 |
45 | |
46 | # Semaphore: |
47 | # Configure the path to the mutual exclusion semaphore the |
48 | # SSL engine uses internally for inter-process synchronization. |
49 | # (Disabled by default, the global Mutex directive consolidates by default |
50 | # this) |
51 | #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache |
52 | |
53 | |
54 | # SSL Cipher Suite: |
55 | # List the ciphers that the client is permitted to negotiate. See the |
56 | # ciphers(1) man page from the openssl package for list of all available |
57 | # options. |
58 | # Enable only secure ciphers: |
59 | SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 |
60 | |
61 | # Speed-optimized SSL Cipher configuration: |
62 | # If speed is your main concern (on busy HTTPS servers e.g.), |
63 | # you might want to force clients to specific, performance |
64 | # optimized ciphers. In this case, prepend those ciphers |
65 | # to the SSLCipherSuite list, and enable SSLHonorCipherOrder. |
66 | # Caveat: by giving precedence to RC4-SHA and AES128-SHA |
67 | # (as in the example below), most connections will no longer |
68 | # have perfect forward secrecy - if the server's key is |
69 | # compromised, captures of past or future traffic must be |
70 | # considered compromised, too. |
71 | #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 |
72 | #SSLHonorCipherOrder on |
73 | |
74 | # The protocols to enable. |
75 | # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2 |
76 | # SSL v2 is no longer supported |
77 | SSLProtocol all |
78 | |
79 | # Allow insecure renegotiation with clients which do not yet support the |
80 | # secure renegotiation protocol. Default: Off |
81 | #SSLInsecureRenegotiation on |
82 | |
83 | # Whether to forbid non-SNI clients to access name based virtual hosts. |
84 | # Default: Off |
85 | #SSLStrictSNIVHostCheck On |
86 | |
87 | </IfModule> |
88 | |
89 | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet |
90 | SSLStaplingCache "shmcb:logs/stapling-cache(150000)" |