drupal-configs/apache2/mods-enabled/ssl.conf

   1 <IfModule mod_ssl.c>
   2
   3         # Pseudo Random Number Generator (PRNG):
   4         # Configure one or more sources to seed the PRNG of the SSL library.
   5         # The seed data should be of good random quality.
   6         # WARNING! On some platforms /dev/random blocks if not enough entropy
   7         # is available. This means you then cannot use the /dev/random device
   8         # because it would lead to very long connection times (as long as
   9         # it requires to make more entropy available). But usually those
  10         # platforms additionally provide a /dev/urandom device which doesn't
  11         # block. So, if available, use this one instead. Read the mod_ssl User
  12         # Manual for more details.
  13         #
  14         SSLRandomSeed startup builtin
  15         SSLRandomSeed startup file:/dev/urandom 512
  16         SSLRandomSeed connect builtin
  17         SSLRandomSeed connect file:/dev/urandom 512
  18
  19         ##
  20         ##  SSL Global Context
  21         ##
  22         ##  All SSL configuration in this context applies both to
  23         ##  the main server and all SSL-enabled virtual hosts.
  24         ##
  25
  26         #
  27         #   Some MIME-types for downloading Certificates and CRLs
  28         #
  29         AddType application/x-x509-ca-cert .crt
  30         AddType application/x-pkcs7-crl .crl
  31
  32         #   Pass Phrase Dialog:
  33         #   Configure the pass phrase gathering process.
  34         #   The filtering dialog program (`builtin' is a internal
  35         #   terminal dialog) has to provide the pass phrase on stdout.
  36         SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
  37
  38         #   Inter-Process Session Cache:
  39         #   Configure the SSL Session Cache: First the mechanism
  40         #   to use and second the expiring timeout (in seconds).
  41         #   (The mechanism dbm has known memory leaks and should not be used).
  42         #SSLSessionCache                 dbm:${APACHE_RUN_DIR}/ssl_scache
  43         SSLSessionCache         shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
  44         SSLSessionCacheTimeout  300
  45
  46         #   Semaphore:
  47         #   Configure the path to the mutual exclusion semaphore the
  48         #   SSL engine uses internally for inter-process synchronization.
  49         #   (Disabled by default, the global Mutex directive consolidates by default
  50         #   this)
  51         #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
  52
  53
  54         #   SSL Cipher Suite:
  55         #   List the ciphers that the client is permitted to negotiate. See the
  56         #   ciphers(1) man page from the openssl package for list of all available
  57         #   options.
  58         #   Enable only secure ciphers:
  59         SSLCipherSuite HIGH:!aNULL
  60
  61         # SSL server cipher order preference:
  62         # Use server priorities for cipher algorithm choice.
  63         # Clients may prefer lower grade encryption.  You should enable this
  64         # option if you want to enforce stronger encryption, and can afford
  65         # the CPU cost, and did not override SSLCipherSuite in a way that puts
  66         # insecure ciphers first.
  67         # Default: Off
  68         #SSLHonorCipherOrder on
  69
  70         #   The protocols to enable.
  71         #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
  72         #   SSL v2  is no longer supported
  73         SSLProtocol all -SSLv3
  74
  75         #   Allow insecure renegotiation with clients which do not yet support the
  76         #   secure renegotiation protocol. Default: Off
  77         #SSLInsecureRenegotiation on
  78
  79         #   Whether to forbid non-SNI clients to access name based virtual hosts.
  80         #   Default: Off
  81         #SSLStrictSNIVHostCheck On
  82
  83 </IfModule>
  84
  85 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet