#test config derived from httpd-2.0/docs/conf/ssl-std.conf -*- text -*- #base config that can be used by any SSL enabled VirtualHosts AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLSessionCache ${SSL_SESSCACHE} SSLSessionCache none #SSLMutex file:@ServerRoot@/logs/ssl_mutex = 2.3.4> # mutex created automatically # config needed only if file-based mutexes are used and # default lock file dir is inappropriate # Mutex file:/path/to/lockdir ssl-cache SSLRandomSeed startup builtin SSLRandomSeed connect builtin #SSLRandomSeed startup file:/dev/random 512 #SSLRandomSeed startup file:/dev/urandom 512 #SSLRandomSeed connect file:/dev/random 512 #SSLRandomSeed connect file:/dev/urandom 512 SSLProtocol @sslproto@ LogFormat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b" ssl CustomLog logs/ssl_request_log ssl SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLPassPhraseDialog exec:@ServerRoot@/conf/ssl/httpd-passphrase.pl #else the default is builtin SSLPassPhraseDialog builtin SSLCertificateFile @SSLCA@/asf/certs/server_des3.crt SSLCertificateKeyFile @SSLCA@/asf/keys/server_des3.pem # SSLCertificateFile @SSLCA@/asf/certs/server_des3_dsa.crt # SSLCertificateKeyFile @SSLCA@/asf/keys/server_des3_dsa.pem #else the default is an unencrypted key SSLCertificateFile @SSLCA@/asf/certs/server.crt SSLCertificateKeyFile @SSLCA@/asf/keys/server.pem # SSLCertificateFile @SSLCA@/asf/certs/server_dsa.crt # SSLCertificateKeyFile @SSLCA@/asf/keys/server_dsa.pem #SSLCertificateChainFile @SSLCA@/asf/certs/cachain.crt SSLCACertificateFile @SSLCA@/asf/certs/ca.crt SSLCACertificatePath @ServerRoot@/conf/ssl SSLCARevocationFile @SSLCA@/asf/crl/ca-bundle.crl = 2.3.15> SSLCARevocationCheck chain SSLEngine on #t/ssl/verify.t Alias /verify @DocumentRoot@ SSLVerifyClient require SSLVerifyDepth 10 # t/ssl/pha.t SSLVerifyClient require SSLVerifyDepth 10 SSLRenegBufferSize 10 Alias /require/small @DocumentRoot@/modules/cgi #t/ssl/require.t Alias /require/asf @DocumentRoot@ Alias /require/snakeoil @DocumentRoot@ Alias /require/certext @DocumentRoot@ Alias /require/strcmp @DocumentRoot@ Alias /require/intcmp @DocumentRoot@ Alias /ssl-fakebasicauth @DocumentRoot@ Alias /ssl-fakebasicauth2 @DocumentRoot@ Alias /ssl-cgi @DocumentRoot@/modules/cgi Alias /require-ssl-cgi @DocumentRoot@/modules/cgi Alias /require-aes128-cgi @DocumentRoot@/modules/cgi Alias /require-aes256-cgi @DocumentRoot@/modules/cgi SSLVerifyClient require SSLVerifyDepth 10 SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \ and %{SSL_CLIENT_S_DN_O} eq "ASF" \ and %{SSL_CLIENT_S_DN_OU} in \ {"httpd-test", "httpd", "modperl"} ) SSLVerifyClient require SSLVerifyDepth 10 SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \ and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ and %{SSL_CLIENT_S_DN_OU} in \ {"Staff", "CA", "Dev"} ) SSLVerifyClient require 2.3.0> SSLRequire "Lemons" in PeerExtList("1.3.6.1.4.1.18060.12.0") 2.1.6> SSLRequire "Lemons" in OID("1.3.6.1.4.1.18060.12.0") SSLRequire "a" < "b" SSLRequire "a" lt "b" SSLRequire 2 < 10 SSLRequire 2 lt 10 SSLOptions +StdEnvVars SSLOptions +StdEnvVars SSLVerifyClient require SSLVerifyDepth 10 SSLCipherSuite AES128-SHA SSLCipherSuite AES256-SHA SSLVerifyClient require SSLVerifyDepth 5 SSLOptions +FakeBasicAuth AuthName "Snake Oil Authentication" AuthType Basic AuthUserFile @SSLCA@/asf/ssl.htpasswd require valid-user # specific to 2.1 SSLVerifyClient require SSLOptions +FakeBasicAuth +StdEnvVars AuthName "Snake Oil Authentication" AuthType Basic AuthBasicProvider anon Anonymous dummy "*" require valid-user ## ## mod_h2 test config ## LogLevel h2:debug Options +ExecCGI AddHandler cgi-script .pl SSLOptions +StdEnvVars RewriteEngine on RewriteRule ^/modules/h2/latest.tar.gz$ /modules/h2/xxx-1.0.2a.tar.gz [R=302,NC] # An SSL vhost which does optional ccert checks at vhost level, to # check for CVE CAN-2005-2700. SSLEngine on SSLVerifyClient optional Alias /require/any @DocumentRoot@ Alias /require/none @DocumentRoot@ SSLVerifyClient require SSLVerifyDepth 10 # An SSL vhost which can be used to trigger PR 33791 SSLEngine On ErrorDocument 400 /index.html SSLVerifyClient require # For t/ssl/ocsp.t -- SetEnv SSL_CA_ROOT @sslca@/asf Alias /modules/ssl/ocsp @DocumentRoot@/modules/cgi/ocsp.pl SSLEngine on # SSLOCSPResponderCertificateFile is available from 2.4.26 = 2.4.26> SSLVerifyClient on SSLOCSPEnable on SSLOCSPDefaultResponder http://@SERVERNAME@:@PORT@/modules/ssl/ocsp SSLOCSPResponderCertificateFile @SSLCA@/asf/certs/server.crt # Ignore CRL check results SSLCARevocationCheck none # For t/ssl/pr43738.t: Action application/x-pf-action /modules/cgi/action.pl AddType application/x-pf-action .pfa SSLCipherSuite AES128-SHA SSLCipherSuite AES256-SHA