## This is the Apache server configuration file providing SSL support.# It c

1. #
2. # This is the Apache server configuration file providing SSL support.
3. # It contains the configuration directives to instruct the server how to
4. # serve pages over an https connection. For detailing information about these
5. # directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
6. #
7. # Do NOT simply read the instructions in here without understanding
8. # what they do.  They're here only as hints or reminders.  If you are unsure
9. # consult the online docs. You have been warned.  
10. #
11.  
12. LoadModule ssl_module modules/mod_ssl.so
13.  
14. #
15. # When we also provide SSL we have to listen to the
16. # the HTTPS port in addition.
17. #
18. Listen 443
19.  
20. ##
21. ##  SSL Global Context
22. ##
23. ##  All SSL configuration in this context applies both to
24. ##  the main server and all SSL-enabled virtual hosts.
25. ##
26.  
27. SSLCertificateFile /etc/pki/tls/certs/star_med.crt
28. SSLCertificateKeyFile /etc/pki/tls/private/star_med.key
29. SSLCertificateChainFile /etc/pki/tls/certs/incommon.crt
30. ErrorLog logs/ssl_error_log
31. TransferLog logs/ssl_access_log
32. LogLevel warn
33.  
34. #   Pass Phrase Dialog:
35. #   Configure the pass phrase gathering process.
36. #   The filtering dialog program (`builtin' is a internal
37. #   terminal dialog) has to provide the pass phrase on stdout.
38. SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
39.  
40. #   Inter-Process Session Cache:
41. #   Configure the SSL Session Cache: First the mechanism
42. #   to use and second the expiring timeout (in seconds).
43. #SSLSessionCache        dc:UNIX:/var/cache/mod_ssl/distcache
44. SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
45. SSLSessionCacheTimeout  300
46.  
47. #   Semaphore:
48. #   Configure the path to the mutual exclusion semaphore the
49. #   SSL engine uses internally for inter-process synchronization.
50. Mutex default
51.  
52. #   Pseudo Random Number Generator (PRNG):
53. #   Configure one or more sources to seed the PRNG of the
54. #   SSL library. The seed data should be of good random quality.
55. #   WARNING! On some platforms /dev/random blocks if not enough entropy
56. #   is available. This means you then cannot use the /dev/random device
57. #   because it would lead to very long connection times (as long as
58. #   it requires to make more entropy available). But usually those
59. #   platforms additionally provide a /dev/urandom device which doesn't
60. #   block. So, if available, use this one instead. Read the mod_ssl User
61. #   Manual for more details.
62. SSLRandomSeed startup file:/dev/urandom  256
63. SSLRandomSeed connect builtin
64. #SSLRandomSeed startup file:/dev/random  512
65. #SSLRandomSeed connect file:/dev/random  512
66. #SSLRandomSeed connect file:/dev/urandom 512
67.  
68. #
69. # Use "SSLCryptoDevice" to enable any supported hardware
70. # accelerators. Use "openssl engine -v" to list supported
71. # engine names.  NOTE: If you enable an accelerator and the
72. # server does not start, consult the error logs and ensure
73. # your accelerator is functioning properly.
74. #
75. SSLCryptoDevice builtin
76. #SSLCryptoDevice ubsec
77.  
78. ##
79. ## SSL Virtual Host Context
80. ##
81.  
82. <VirtualHost _default_:443>
83.  
84. # General setup for the virtual host, inherited from global configuration
85. #DocumentRoot "/var/www/html"
86. #ServerName www.example.com:443
87.  
88. # Use separate log files for the SSL virtual host; note that LogLevel
89. # is not inherited from httpd.conf.
90. #   SSL Engine Switch:
91. #   Enable/Disable SSL for this virtual host.
92. SSLEngine on
93.  
94. #   SSL Protocol support:
95. # List the enable protocol levels with which clients will be able to
96. # connect.  Disable SSLv2 access by default:
97. SSLProtocol all -SSLv2
98.  
99. #   SSL Cipher Suite:
100. #   List the ciphers that the client is permitted to negotiate.
101. #   See the mod_ssl documentation for a complete list.
102. SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
103.  
104. #   SSL Cipher Honor Order:
105. #   On a busy HTTPS server you may want to enable this directive
106. #   to force clients to use one of the faster ciphers like RC4-SHA
107. #   or AES128-SHA in the order defined by SSLCipherSuite.
108. #SSLHonorCipherOrder on
109.  
110. #   Certificate Authority (CA):
111. #   Set the CA certificate verification path where to find CA
112. #   certificates for client authentication or alternatively one
113. #   huge file containing all of them (file must be PEM encoded)
114. #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
115.  
116. #   Client Authentication (Type):
117. #   Client certificate verification type and depth.  Types are
118. #   none, optional, require and optional_no_ca.  Depth is a
119. #   number which specifies how deeply to verify the certificate
120. #   issuer chain before deciding the certificate is not valid.
121. #SSLVerifyClient require
122. #SSLVerifyDepth  10
123.  
124. #   Access Control:
125. #   With SSLRequire you can do per-directory access control based
126. #   on arbitrary complex boolean expressions containing server
127. #   variable checks and other lookup directives.  The syntax is a
128. #   mixture between C and Perl.  See the mod_ssl documentation
129. #   for more details.
130. #<Location />
131. #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
132. #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
133. #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
134. #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
135. #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
136. #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
137. #</Location>
138.  
139. #   SSL Engine Options:
140. #   Set various options for the SSL engine.
141. #   o FakeBasicAuth:
142. #     Translate the client X.509 into a Basic Authorisation.  This means that
143. #     the standard Auth/DBMAuth methods can be used for access control.  The
144. #     user name is the `one line' version of the client's X.509 certificate.
145. #     Note that no password is obtained from the user. Every entry in the user
146. #     file needs this password: `xxj31ZMTZzkVA'.
147. #   o ExportCertData:
148. #     This exports two additional environment variables: SSL_CLIENT_CERT and
149. #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
150. #     server (always existing) and the client (only existing when client
151. #     authentication is used). This can be used to import the certificates
152. #     into CGI scripts.
153. #   o StdEnvVars:
154. #     This exports the standard SSL/TLS related `SSL_*' environment variables.
155. #     Per default this exportation is switched off for performance reasons,
156. #     because the extraction step is an expensive operation and is usually
157. #     useless for serving static content. So one usually enables the
158. #     exportation for CGI and SSI requests only.
159. #   o StrictRequire:
160. #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
161. #     under a "Satisfy any" situation, i.e. when it applies access is denied
162. #     and no other module can change it.
163. #   o OptRenegotiate:
164. #     This enables optimized SSL connection renegotiation handling when SSL
165. #     directives are used in per-directory context.
166. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
167. <Files ~ "\.(cgi|shtml|phtml|php3?)$">
168.     SSLOptions +StdEnvVars
169. </Files>
170. <Directory "/var/www/cgi-bin">
171.     SSLOptions +StdEnvVars
172. </Directory>
173.  
174. #   SSL Protocol Adjustments:
175. #   The safe and default but still SSL/TLS standard compliant shutdown
176. #   approach is that mod_ssl sends the close notify alert but doesn't wait for
177. #   the close notify alert from client. When you need a different shutdown
178. #   approach you can use one of the following variables:
179. #   o ssl-unclean-shutdown:
180. #     This forces an unclean shutdown when the connection is closed, i.e. no
181. #     SSL close notify alert is send or allowed to received.  This violates
182. #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
183. #     this when you receive I/O errors because of the standard approach where
184. #     mod_ssl sends the close notify alert.
185. #   o ssl-accurate-shutdown:
186. #     This forces an accurate shutdown when the connection is closed, i.e. a
187. #     SSL close notify alert is send and mod_ssl waits for the close notify
188. #     alert of the client. This is 100% SSL/TLS standard compliant, but in
189. #     practice often causes hanging connections with brain-dead browsers. Use
190. #     this only for browsers where you know that their SSL implementation
191. #     works correctly.
192. #   Notice: Most problems of broken clients are also related to the HTTP
193. #   keep-alive facility, so you usually additionally want to disable
194. #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
195. #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
196. #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
197. #   "force-response-1.0" for this.
198. SetEnvIf User-Agent ".*MSIE.*" \
199.          nokeepalive ssl-unclean-shutdown \
200.          downgrade-1.0 force-response-1.0
201.  
202. #   Per-Server Logging:
203. #   The home of a custom SSL log file. Use this when you want a
204. #   compact non-error SSL logfile on a virtual host basis.
205. CustomLog logs/ssl_request_log \
206.           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
207.  
208. </VirtualHost>