# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
- SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
+ SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# ciphers(1) man page from the openssl package for list of all available
# options.
# Enable only secure ciphers:
- SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+ SSLCipherSuite HIGH:!aNULL
- # Speed-optimized SSL Cipher configuration:
- # If speed is your main concern (on busy HTTPS servers e.g.),
- # you might want to force clients to specific, performance
- # optimized ciphers. In this case, prepend those ciphers
- # to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
- # Caveat: by giving precedence to RC4-SHA and AES128-SHA
- # (as in the example below), most connections will no longer
- # have perfect forward secrecy - if the server's key is
- # compromised, captures of past or future traffic must be
- # considered compromised, too.
- #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+ # SSL server cipher order preference:
+ # Use server priorities for cipher algorithm choice.
+ # Clients may prefer lower grade encryption. You should enable this
+ # option if you want to enforce stronger encryption, and can afford
+ # the CPU cost, and did not override SSLCipherSuite in a way that puts
+ # insecure ciphers first.
+ # Default: Off
#SSLHonorCipherOrder on
# The protocols to enable.
# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
# SSL v2 is no longer supported
- SSLProtocol all
+ SSLProtocol all -SSLv3
# Allow insecure renegotiation with clients which do not yet support the
# secure renegotiation protocol. Default: Off