[hcoop/zz_old/config/apache2.git] / mods-available / ssl.conf

<IfModule mod_ssl.c>
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache         dbm:/var/run/apache2/ssl_scache
SSLSessionCache        shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization. 
SSLMutex  file:/var/run/apache2/ssl_mutex

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#   enable only secure ciphers:
SSLCipherSuite HIGH:MEDIUM:!ADH
#   Use this instead if you want to allow cipher upgrades via SGC facility.
#   In this case you also have to use something like 
#        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
#   see http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.en#upgradeenc
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2

</IfModule>
Commit	Line	Data
64803503	1	<IfModule mod_ssl.c>
	2	#
	3	# Pseudo Random Number Generator (PRNG):
	4	# Configure one or more sources to seed the PRNG of the SSL library.
	5	# The seed data should be of good random quality.
	6	# WARNING! On some platforms /dev/random blocks if not enough entropy
	7	# is available. This means you then cannot use the /dev/random device
	8	# because it would lead to very long connection times (as long as
	9	# it requires to make more entropy available). But usually those
	10	# platforms additionally provide a /dev/urandom device which doesn't
	11	# block. So, if available, use this one instead. Read the mod_ssl User
	12	# Manual for more details.
	13	#
	14	SSLRandomSeed startup builtin
	15	SSLRandomSeed startup file:/dev/urandom 512
	16	SSLRandomSeed connect builtin
	17	SSLRandomSeed connect file:/dev/urandom 512
	18
	19	##
	20	## SSL Global Context
	21	##
	22	## All SSL configuration in this context applies both to
	23	## the main server and all SSL-enabled virtual hosts.
	24	##
	25
	26	#
	27	# Some MIME-types for downloading Certificates and CRLs
	28	#
	29	AddType application/x-x509-ca-cert .crt
	30	AddType application/x-pkcs7-crl .crl
	31
	32	# Pass Phrase Dialog:
	33	# Configure the pass phrase gathering process.
	34	# The filtering dialog program (`builtin' is a internal
	35	# terminal dialog) has to provide the pass phrase on stdout.
	36	SSLPassPhraseDialog builtin
	37
	38	# Inter-Process Session Cache:
	39	# Configure the SSL Session Cache: First the mechanism
	40	# to use and second the expiring timeout (in seconds).
	41	#SSLSessionCache dbm:/var/run/apache2/ssl_scache
	42	SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)
	43	SSLSessionCacheTimeout 300
	44
	45	# Semaphore:
	46	# Configure the path to the mutual exclusion semaphore the
	47	# SSL engine uses internally for inter-process synchronization.
	48	SSLMutex file:/var/run/apache2/ssl_mutex
	49
	50	# SSL Cipher Suite:
	51	# List the ciphers that the client is permitted to negotiate.
	52	# See the mod_ssl documentation for a complete list.
	53	# enable only secure ciphers:
	54	SSLCipherSuite HIGH:MEDIUM:!ADH
	55	# Use this instead if you want to allow cipher upgrades via SGC facility.
	56	# In this case you also have to use something like
	57	# SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
	58	# see http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.en#upgradeenc
	59	#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
	60
	61	# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
	62	SSLProtocol all -SSLv2
	63
	64	</IfModule>