ssl.conf

1. <IfModule mod_ssl.c>
2.  
3. # Pseudo Random Number Generator (PRNG):
4. # Configure one or more sources to seed the PRNG of the SSL library.
5. # The seed data should be of good random quality.
6. # WARNING! On some platforms /dev/random blocks if not enough entropy
7. # is available. This means you then cannot use the /dev/random device
8. # because it would lead to very long connection times (as long as
9. # it requires to make more entropy available). But usually those
10. # platforms additionally provide a /dev/urandom device which doesn't
11. # block. So, if available, use this one instead. Read the mod_ssl User
12. # Manual for more details.
13. #
14. SSLRandomSeed startup builtin
15. SSLRandomSeed startup file:/dev/urandom 512
16. SSLRandomSeed connect builtin
17. SSLRandomSeed connect file:/dev/urandom 512
18.  
19. ##
20. ## SSL Global Context
21. ##
22. ## All SSL configuration in this context applies both to
23. ## the main server and all SSL-enabled virtual hosts.
24. ##
25.  
26. #
27. # Some MIME-types for downloading Certificates and CRLs
28. #
29. AddType application/x-x509-ca-cert .crt
30. AddType application/x-pkcs7-crl .crl
31.  
32. # Pass Phrase Dialog:
33. # Configure the pass phrase gathering process.
34. # The filtering dialog program (`builtin' is a internal
35. # terminal dialog) has to provide the pass phrase on stdout.
36. SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
37.  
38. # Inter-Process Session Cache:
39. # Configure the SSL Session Cache: First the mechanism
40. # to use and second the expiring timeout (in seconds).
41. # (The mechanism dbm has known memory leaks and should not be used).
42. #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
43. SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
44. SSLSessionCacheTimeout 300
45.  
46. # Semaphore:
47. # Configure the path to the mutual exclusion semaphore the
48. # SSL engine uses internally for inter-process synchronization.
49. # (Disabled by default, the global Mutex directive consolidates by default
50. # this)
51. #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
52.  
53.  
54. # SSL Cipher Suite:
55. # List the ciphers that the client is permitted to negotiate. See the
56. # ciphers(1) man page from the openssl package for list of all available
57. # options.
58. # Enable only secure ciphers:
59. SSLCipherSuite HIGH:!aNULL
60.  
61. # SSL server cipher order preference:
62. # Use server priorities for cipher algorithm choice.
63. # Clients may prefer lower grade encryption. You should enable this
64. # option if you want to enforce stronger encryption, and can afford
65. # the CPU cost, and did not override SSLCipherSuite in a way that puts
66. # insecure ciphers first.
67. # Default: Off
68. #SSLHonorCipherOrder on
69.  
70. # The protocols to enable.
71. # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
72. # SSL v2 is no longer supported
73. SSLProtocol all -SSLv3
74.  
75. # Allow insecure renegotiation with clients which do not yet support the
76. # secure renegotiation protocol. Default: Off
77. #SSLInsecureRenegotiation on
78.  
79. # Whether to forbid non-SNI clients to access name based virtual hosts.
80. # Default: Off
81. #SSLStrictSNIVHostCheck On
82.  
83. </IfModule>
84.  
85. # vim: syntax=apache ts=4 sw=4 sts=4 sr noet