Diffstat (limited to 'debian/config-dir/mods-available/ssl.conf')
-rw-r--r-- | debian/config-dir/mods-available/ssl.conf | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/debian/config-dir/mods-available/ssl.conf b/debian/config-dir/mods-available/ssl.conf
new file mode 100644
index 0000000..83ca99e
--- /dev/null
+++ b/debian/config-dir/mods-available/ssl.conf
@@ -0,0 +1,83 @@
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the SSL library.
+# The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead. Read the mod_ssl User
+# Manual for more details.
+#
+SSLRandomSeed startup builtin
+SSLRandomSeed startup file:/dev/urandom 512
+SSLRandomSeed connect builtin
+SSLRandomSeed connect file:/dev/urandom 512
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+#
+# Some MIME-types for downloading Certificates and CRLs
+#
+AddType application/x-x509-ca-cert .crt
+AddType application/x-pkcs7-crl .crl
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+# (The mechanism dbm has known memory leaks and should not be used).
+#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
+SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
+SSLSessionCacheTimeout 300
+
+# Semaphore:
+# Configure the path to the mutual exclusion semaphore the
+# SSL engine uses internally for inter-process synchronization.
+# (Disabled by default, the global Mutex directive consolidates by default
+# this)
+#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
+
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate. See the
+# ciphers(1) man page from the openssl package for list of all available
+# options.
+# Enable only secure ciphers:
+SSLCipherSuite HIGH:!aNULL
+
+# SSL server cipher order preference:
+# Use server priorities for cipher algorithm choice.
+# Clients may prefer lower grade encryption. You should enable this
+# option if you want to enforce stronger encryption, and can afford
+# the CPU cost, and did not override SSLCipherSuite in a way that puts
+# insecure ciphers first.
+# Default: Off
+#SSLHonorCipherOrder on
+
+# The protocols to enable.
+# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+# SSL v2 is no longer supported
+SSLProtocol all -SSLv3
+
+# Allow insecure renegotiation with clients which do not yet support the
+# secure renegotiation protocol. Default: Off
+#SSLInsecureRenegotiation on
+
+# Whether to forbid non-SNI clients to access name based virtual hosts.
+# Default: Off
+#SSLStrictSNIVHostCheck On
+
+# Warning: Session Tickets require regular reloading of the server!
+# Make sure you do this (e.g. via logrotate) before changing this setting!
+SSLSessionTickets off
|
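Review bot: `SSLProtocol all -SSLv3` near the end of the hunk still enables TLSv1 and TLSv1.1, which the comment directly above it lists among the available values, so the shipped default is not "only the current protocol". If those older versions are kept on purpose for client compatibility, a comment saying so would stop operators from reading the line as a hardening setting; otherwise `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` restricts negotiation to TLSv1.2 on the versions this file documents. Related, `SSLHonorCipherOrder` is shipped commented out, so the `HIGH:!aNULL` list is ordered by the client rather than the server; the comment explains the trade-off, but a one-line hint that enabling it is the usual companion to a restricted `SSLCipherSuite` would make the two settings read as a pair. The comment "(`builtin' is a internal terminal dialog)" should read "an internal".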