summaryrefslogtreecommitdiffstats
path: root/debian/config-dir/mods-available/ssl.conf
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:01:31 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:01:31 +0000
commitc9cf025fadfe043f0f2f679e10d1207d8a158bb6 (patch)
tree3a94effe0bdc0a6814d8134f4ed840d7cc6b6f19 /debian/config-dir/mods-available/ssl.conf
parentAdding upstream version 2.4.57. (diff)
downloadapache2-debian/2.4.57-2.tar.xz
apache2-debian/2.4.57-2.zip
Adding debian version 2.4.57-2.debian/2.4.57-2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/config-dir/mods-available/ssl.conf')
-rw-r--r--debian/config-dir/mods-available/ssl.conf83
1 files changed, 83 insertions, 0 deletions
diff --git a/debian/config-dir/mods-available/ssl.conf b/debian/config-dir/mods-available/ssl.conf
new file mode 100644
index 0000000..83ca99e
--- /dev/null
+++ b/debian/config-dir/mods-available/ssl.conf
@@ -0,0 +1,83 @@
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the SSL library.
+# The seed data should be of good random quality.
+# WARNING! On some platforms /dev/random blocks if not enough entropy
+# is available. This means you then cannot use the /dev/random device
+# because it would lead to very long connection times (as long as
+# it requires to make more entropy available). But usually those
+# platforms additionally provide a /dev/urandom device which doesn't
+# block. So, if available, use this one instead. Read the mod_ssl User
+# Manual for more details.
+#
+SSLRandomSeed startup builtin
+SSLRandomSeed startup file:/dev/urandom 512
+SSLRandomSeed connect builtin
+SSLRandomSeed connect file:/dev/urandom 512
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+#
+# Some MIME-types for downloading Certificates and CRLs
+#
+AddType application/x-x509-ca-cert .crt
+AddType application/x-pkcs7-crl .crl
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First the mechanism
+# to use and second the expiring timeout (in seconds).
+# (The mechanism dbm has known memory leaks and should not be used).
+#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
+SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
+SSLSessionCacheTimeout 300
+
+# Semaphore:
+# Configure the path to the mutual exclusion semaphore the
+# SSL engine uses internally for inter-process synchronization.
+# (Disabled by default, the global Mutex directive consolidates by default
+# this)
+#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
+
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate. See the
+# ciphers(1) man page from the openssl package for list of all available
+# options.
+# Enable only secure ciphers:
+SSLCipherSuite HIGH:!aNULL
+
+# SSL server cipher order preference:
+# Use server priorities for cipher algorithm choice.
+# Clients may prefer lower grade encryption. You should enable this
+# option if you want to enforce stronger encryption, and can afford
+# the CPU cost, and did not override SSLCipherSuite in a way that puts
+# insecure ciphers first.
+# Default: Off
+#SSLHonorCipherOrder on
+
+# The protocols to enable.
+# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+# SSL v2 is no longer supported
+SSLProtocol all -SSLv3
+
+# Allow insecure renegotiation with clients which do not yet support the
+# secure renegotiation protocol. Default: Off
+#SSLInsecureRenegotiation on
+
+# Whether to forbid non-SNI clients to access name based virtual hosts.
+# Default: Off
+#SSLStrictSNIVHostCheck On
+
+# Warning: Session Tickets require regular reloading of the server!
+# Make sure you do this (e.g. via logrotate) before changing this setting!
+SSLSessionTickets off