1 | <IfModule mod_ssl.c> |
2 | # |
3 | # Pseudo Random Number Generator (PRNG): |
4 | # Configure one or more sources to seed the PRNG of the SSL library. |
5 | # The seed data should be of good random quality. |
6 | # WARNING! On some platforms /dev/random blocks if not enough entropy |
7 | # is available. This means you then cannot use the /dev/random device |
9 | # because it would lead to very long connection times (as long as |
10 | # it takes to make more entropy available). But usually those |
10 | # platforms additionally provide a /dev/urandom device which doesn't |
11 | # block. So, if available, use this one instead. Read the mod_ssl User |
12 | # Manual for more details. |
13 | # |
14 | SSLRandomSeed startup builtin |
15 | SSLRandomSeed startup file:/dev/urandom 512 |
16 | SSLRandomSeed connect builtin |
17 | SSLRandomSeed connect file:/dev/urandom 512 |
18 | |
19 | ## |
20 | ## SSL Global Context |
21 | ## |
22 | ## All SSL configuration in this context applies both to |
23 | ## the main server and all SSL-enabled virtual hosts. |
24 | ## |
25 | |
26 | # |
27 | # Some MIME-types for downloading Certificates and CRLs |
28 | # |
29 | AddType application/x-x509-ca-cert .crt |
30 | AddType application/x-pkcs7-crl .crl |
31 | |
32 | # Pass Phrase Dialog: |
33 | # Configure the pass phrase gathering process. |
34 | # The filtering dialog program (`builtin' is an internal |
35 | # terminal dialog) has to provide the pass phrase on stdout. |
36 | SSLPassPhraseDialog builtin |
37 | |
38 | # Inter-Process Session Cache: |
39 | # Configure the SSL Session Cache: First the mechanism |
40 | # to use and second the expiring timeout (in seconds). |
41 | #SSLSessionCache dbm:/var/run/apache2/ssl_scache |
42 | SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000) |
43 | SSLSessionCacheTimeout 300 |
44 | |
45 | # Semaphore: |
46 | # Configure the path to the mutual exclusion semaphore the |
47 | # SSL engine uses internally for inter-process synchronization. |
48 | SSLMutex file:/var/run/apache2/ssl_mutex |
49 | |
50 | # SSL Cipher Suite: |
51 | # List the ciphers that the client is permitted to negotiate. |
52 | # See the mod_ssl documentation for a complete list. |
53 | # restrict negotiation to the HIGH and MEDIUM strength classes and exclude anonymous DH (!ADH): |
54 | SSLCipherSuite HIGH:MEDIUM:!ADH |
55 | # Use this instead if you want to allow cipher upgrades via SGC facility. |
56 | # In this case you also have to use something like |
57 | # SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 |
58 | # see http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.en#upgradeenc |
59 | #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL |
60 | |
61 | # disable SSLv2; every other protocol the SSL library offers (SSLv3 and TLSv1) stays enabled: |
62 | SSLProtocol all -SSLv2 |
63 | |
64 | </IfModule> |