apache2 configs (/etc/apache2/mods-enabled/ssl.conf)

Nov 6th, 2016
171
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 3.17 KB | None | 0 0
  1. refreshed
  2. /etc/apache2/mods-enabled/ssl.conf
  3.  
  4. <IfModule mod_ssl.c>
  5.  
  6.     # Pseudo Random Number Generator (PRNG):
  7.     # Configure one or more sources to seed the PRNG of the SSL library.
  8.     # The seed data should be of good random quality.
  9.     # WARNING! On some platforms /dev/random blocks if not enough entropy
  10.     # is available. This means you then cannot use the /dev/random device
  11.     # because it would lead to very long connection times (as long as
  12.     # it requires to make more entropy available). But usually those
  13.     # platforms additionally provide a /dev/urandom device which doesn't
  14.     # block. So, if available, use this one instead. Read the mod_ssl User
  15.     # Manual for more details.
  16.     #
  17.     SSLRandomSeed startup builtin
  18.     SSLRandomSeed startup file:/dev/urandom 512
  19.     SSLRandomSeed connect builtin
  20.     SSLRandomSeed connect file:/dev/urandom 512
  21.  
  22.     ##
  23.     ##  SSL Global Context
  24.     ##
  25.     ##  All SSL configuration in this context applies both to
  26.     ##  the main server and all SSL-enabled virtual hosts.
  27.     ##
  28.  
  29.     #
  30.     #   Some MIME-types for downloading Certificates and CRLs
  31.     #
  32.     AddType application/x-x509-ca-cert .crt
  33.     AddType application/x-pkcs7-crl .crl
  34.  
  35.     #   Pass Phrase Dialog:
  36.     #   Configure the pass phrase gathering process.
  37.     #   The filtering dialog program (`builtin' is a internal
  38.     #   terminal dialog) has to provide the pass phrase on stdout.
  39.     SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
  40.  
  41.     #   Inter-Process Session Cache:
  42.     #   Configure the SSL Session Cache: First the mechanism
  43.     #   to use and second the expiring timeout (in seconds).
  44.     #   (The mechanism dbm has known memory leaks and should not be used).
  45.     #SSLSessionCache         dbm:${APACHE_RUN_DIR}/ssl_scache
  46.     SSLSessionCache     shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
  47.     SSLSessionCacheTimeout  300
  48.  
  49.     #   Semaphore:
  50.     #   Configure the path to the mutual exclusion semaphore the
  51.     #   SSL engine uses internally for inter-process synchronization.
  52.     #   (Disabled by default, the global Mutex directive consolidates by default
  53.     #   this)
  54.     #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
  55.  
  56.  
  57.     #   SSL Cipher Suite:
  58.     #   List the ciphers that the client is permitted to negotiate. See the
  59.     #   ciphers(1) man page from the openssl package for list of all available
  60.     #   options.
  61.     #   Enable only secure ciphers:
  62.     SSLCipherSuite HIGH:!aNULL
  63.  
  64.     # SSL server cipher order preference:
  65.     # Use server priorities for cipher algorithm choice.
  66.     # Clients may prefer lower grade encryption.  You should enable this
  67.     # option if you want to enforce stronger encryption, and can afford
  68.     # the CPU cost, and did not override SSLCipherSuite in a way that puts
  69.     # insecure ciphers first.
  70.     # Default: Off
  71.     #SSLHonorCipherOrder on
  72.  
  73.     #   The protocols to enable.
  74.     #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
  75.     #   SSL v2  is no longer supported
  76.     SSLProtocol all -SSLv3
  77.  
  78.     #   Allow insecure renegotiation with clients which do not yet support the
  79.     #   secure renegotiation protocol. Default: Off
  80.     #SSLInsecureRenegotiation on
  81.  
  82.     #   Whether to forbid non-SNI clients to access name based virtual hosts.
  83.     #   Default: Off
  84.     #SSLStrictSNIVHostCheck On
  85.  
  86. </IfModule>
  87.  
  88. # vim: syntax=apache ts=4 sw=4 sts=4 sr noet