Untitled

a guest
Jul 20th, 2018
[devops@ECSC00106787 conf.d]$ less ssl.conf
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. an
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to work around
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
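
The CustomLog directive above records the negotiated protocol and cipher for every request. As an added example (not part of the paste), this Python code parses lines in that format and flags requests that used a legacy protocol or a weak cipher. The policy sets and the sample log lines are assumptions constructed for illustration.

```python
import re
# Fields follow the paste's CustomLog format: %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<protocol>\S+) (?P<cipher>\S+) '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<bytes>\d+|-)$')
# Assumptions (site policy, not from the paste): legacy protocols and weak cipher-name substrings.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")  # "DES" also matches 3DES names

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b logs "-" for 0 bytes
    return rec

def findings(rec):
    out = []
    if rec["protocol"] == "-":  # the SSL_PROTOCOL variable was empty for this request
        out.append("no-tls-protocol")
    elif rec["protocol"] in LEGACY_PROTOCOLS:
        out.append("legacy-protocol")
    if any(marker in rec["cipher"] for marker in WEAK_CIPHER_MARKERS):
        out.append("weak-cipher")
    return out

def audit(lines):
    """Return (flagged, unparsed); flagged holds (host, protocol, cipher, findings)."""
    flagged, unparsed = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif findings(rec):
            flagged.append((rec["host"], rec["protocol"], rec["cipher"], findings(rec)))
    return flagged, unparsed

# Constructed sample lines (documentation addresses), not taken from a real log.
SAMPLE = [
    '[20/Jul/2018:10:15:01 +0000] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /index.html HTTP/1.1" 5120',
    '[20/Jul/2018:10:15:07 +0000] 192.0.2.44 TLSv1 DES-CBC3-SHA "GET /cgi-bin/status.cgi HTTP/1.0" 312',
    '[20/Jul/2018:10:15:09 +0000] 198.51.100.7 SSLv3 RC4-SHA "POST /login HTTP/1.0" -',
    '[20/Jul/2018:10:15:12 +0000] 203.0.113.5 - - "GET / HTTP/1.1" 226',
    'truncated line',
]
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Lines that do not match the format are counted rather than dropped silently, so a changed LogFormat shows up as a rising unparsed count.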