#test config derived from httpd-2.0/docs/conf/ssl-std.conf -*- text -*-

<IfModule @ssl_module@>
    #base config that can be used by any SSL enabled VirtualHosts
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl

    <IfDefine TEST_SSL_SESSCACHE>
       SSLSessionCache      ${SSL_SESSCACHE}
    </IfDefine>
    <IfDefine !TEST_SSL_SESSCACHE>
      SSLSessionCache        none
    </IfDefine>

    <IfVersion < 2.3.4>
    #SSLMutex  file:@ServerRoot@/logs/ssl_mutex
    </IfVersion>
    <IfVersion >= 2.3.4>
    # mutex created automatically
    # config needed only if file-based mutexes are used and
    # default lock file dir is inappropriate
    # Mutex file:/path/to/lockdir ssl-cache
    </IfVersion>

    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    #SSLRandomSeed startup file:/dev/random  512
    #SSLRandomSeed startup file:/dev/urandom 512
    #SSLRandomSeed connect file:/dev/random  512
    #SSLRandomSeed connect file:/dev/urandom 512

    SSLProtocol @sslproto@

    <IfModule mod_log_config.c>
        LogFormat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b" ssl
        CustomLog logs/ssl_request_log ssl
    </IfModule>

    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    <IfDefine TEST_SSL_PASSPHRASE_EXEC>
        SSLPassPhraseDialog  exec:@ServerRoot@/conf/ssl/httpd-passphrase.pl
    </IfDefine>
    #else the default is builtin
    <IfDefine !TEST_SSL_PASSPHRASE_EXEC>
        SSLPassPhraseDialog  builtin
    </IfDefine>

    <IfDefine TEST_SSL_DES3_KEY>
        SSLCertificateFile @SSLCA@/asf/certs/server_des3.crt

        SSLCertificateKeyFile @SSLCA@/asf/keys/server_des3.pem

#        SSLCertificateFile @SSLCA@/asf/certs/server_des3_dsa.crt

#        SSLCertificateKeyFile @SSLCA@/asf/keys/server_des3_dsa.pem
    </IfDefine>
    #else the default is an unencrypted key
    <IfDefine !TEST_SSL_DES3_KEY>
        SSLCertificateFile @SSLCA@/asf/certs/server.crt

        SSLCertificateKeyFile @SSLCA@/asf/keys/server.pem

#        SSLCertificateFile @SSLCA@/asf/certs/server_dsa.crt

#        SSLCertificateKeyFile @SSLCA@/asf/keys/server_dsa.pem
    </IfDefine>

    #SSLCertificateChainFile @SSLCA@/asf/certs/cachain.crt

    SSLCACertificateFile @SSLCA@/asf/certs/ca.crt

    SSLCACertificatePath @ServerRoot@/conf/ssl

    SSLCARevocationFile @SSLCA@/asf/crl/ca-bundle.crl
    <IfVersion >= 2.3.15>
        SSLCARevocationCheck chain
    </IfVersion>

    <VirtualHost @ssl_module_name@>
        SSLEngine on

        #t/ssl/verify.t
        Alias /verify @DocumentRoot@

        <Location /verify>
            SSLVerifyClient require
            SSLVerifyDepth  10
        </Location>

        # t/ssl/pha.t
        <Location /require/small>
            SSLVerifyClient require
            SSLVerifyDepth  10

            SSLRenegBufferSize 10
        </Location>
        Alias /require/small      @DocumentRoot@/modules/cgi

        #t/ssl/require.t
        Alias /require/asf        @DocumentRoot@
        Alias /require/snakeoil   @DocumentRoot@
        Alias /require/certext    @DocumentRoot@
        Alias /require/strcmp     @DocumentRoot@
        Alias /require/intcmp     @DocumentRoot@
        Alias /ssl-fakebasicauth  @DocumentRoot@
        Alias /ssl-fakebasicauth2 @DocumentRoot@
        Alias /ssl-cgi            @DocumentRoot@/modules/cgi
        Alias /require-ssl-cgi    @DocumentRoot@/modules/cgi

        Alias /require-aes128-cgi    @DocumentRoot@/modules/cgi
        Alias /require-aes256-cgi    @DocumentRoot@/modules/cgi

        <Location /require/asf>
            SSLVerifyClient require
            SSLVerifyDepth  10
            SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
                        and %{SSL_CLIENT_S_DN_O} eq "ASF" \
                        and %{SSL_CLIENT_S_DN_OU} in \
                             {"httpd-test", "httpd", "modperl"} )
        </Location>

        <Location /require/snakeoil>
            SSLVerifyClient require
            SSLVerifyDepth  10
            SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
                        and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
                        and %{SSL_CLIENT_S_DN_OU} in \
                             {"Staff", "CA", "Dev"} )
        </Location>

        <Location /require/certext>
            SSLVerifyClient require
            <IfVersion > 2.3.0>
               SSLRequire "Lemons" in PeerExtList("1.3.6.1.4.1.18060.12.0")
            </IfVersion>
            <IfVersion < 2.3.0>
               <IfVersion > 2.1.6>
                  SSLRequire "Lemons" in OID("1.3.6.1.4.1.18060.12.0")
               </IfVersion>
            </IfVersion>
        </Location>

        <Location /require/strcmp>
            SSLRequire "a" < "b"
            SSLRequire "a" lt "b"
        </Location>

        <Location /require/intcmp>
            SSLRequire 2 < 10
            SSLRequire 2 lt 10
        </Location>

        <Location /ssl-cgi>
            SSLOptions +StdEnvVars
        </Location>

        <Location /require-ssl-cgi>
            SSLOptions +StdEnvVars
            SSLVerifyClient require
            SSLVerifyDepth  10
        </Location>

        <Location /require-aes128-cgi>
            SSLCipherSuite AES128-SHA
        </Location>

        <Location /require-aes256-cgi>
            SSLCipherSuite AES256-SHA
        </Location>

        <IfModule @AUTH_MODULE@>
            <Location /ssl-fakebasicauth>
                SSLVerifyClient      require
                SSLVerifyDepth       5
                SSLOptions           +FakeBasicAuth
                AuthName             "Snake Oil Authentication"
                AuthType             Basic
                AuthUserFile         @SSLCA@/asf/ssl.htpasswd
                require              valid-user
            </Location>
        </IfModule>

        # specific to 2.1
        <IfModule mod_authn_anon.c>
            <IfModule mod_auth_basic.c>
                <Location /ssl-fakebasicauth2>
                    SSLVerifyClient      require
                    SSLOptions           +FakeBasicAuth +StdEnvVars
                    AuthName             "Snake Oil Authentication"
                    AuthType             Basic
                    AuthBasicProvider    anon
                    Anonymous            dummy "*"
                    require              valid-user
                </Location>
            </IfModule>
        </IfModule>

        ##
        ## mod_h2 test config
        ##
        <IfModule h2_module>
            LogLevel h2:debug
        </IfModule>

        <IfModule @CGI_MODULE@>
            <Directory @SERVERROOT@/htdocs/modules/h2>
                Options +ExecCGI
                AddHandler cgi-script .pl

            </Directory>
        </IfModule>
        <Location /modules/h2/hello.pl>
            SSLOptions +StdEnvVars
        </Location>
        <IfModule mod_rewrite.c>
            RewriteEngine on
            RewriteRule ^/modules/h2/latest.tar.gz$ /modules/h2/xxx-1.0.2a.tar.gz [R=302,NC]
        </IfModule>

    </VirtualHost>

    # An SSL vhost which does optional ccert checks at vhost level, to
    # check for CVE CAN-2005-2700.
      
    <VirtualHost ssl_optional_cc>
        SSLEngine on
        
        SSLVerifyClient optional

        Alias /require/any        @DocumentRoot@
        Alias /require/none       @DocumentRoot@

        <Location /require/any>
            SSLVerifyClient require
            SSLVerifyDepth  10
        </Location>
    </VirtualHost>

    # An SSL vhost which can be used to trigger PR 33791

    <VirtualHost ssl_pr33791>
       SSLEngine On

       ErrorDocument 400 /index.html

       <Location />
           SSLVerifyClient require
       </Location>
    </VirtualHost>

    # For t/ssl/ocsp.t --
    <Location /modules/ssl/ocsp>
        SetEnv SSL_CA_ROOT @sslca@/asf
    </Location>
    Alias /modules/ssl/ocsp            @DocumentRoot@/modules/cgi/ocsp.pl

    <VirtualHost ssl_ocsp>
       SSLEngine on

     # SSLOCSPResponderCertificateFile is available from 2.4.26
     <IfVersion >= 2.4.26>
       SSLVerifyClient on

       SSLOCSPEnable on
       SSLOCSPDefaultResponder http://@SERVERNAME@:@PORT@/modules/ssl/ocsp
       SSLOCSPResponderCertificateFile @SSLCA@/asf/certs/server.crt

       # Ignore CRL check results
       SSLCARevocationCheck none
     </IfVersion>
    </VirtualHost>

    # For t/ssl/pr43738.t:
    <IfModule mod_actions.c>
        Action application/x-pf-action /modules/cgi/action.pl
        
        AddType application/x-pf-action .pfa
    </IfModule>

    <Location /modules/ssl/aes128/>
         SSLCipherSuite AES128-SHA
    </Location>

    <Location /modules/ssl/aes256/>
         SSLCipherSuite AES256-SHA
    </Location>

</IfModule>