1 --- docs/conf/extra/httpd-ssl.conf.in.orig 2013-11-11 14:00:57 UTC
2 +++ docs/conf/extra/httpd-ssl.conf.in
3 @@ -49,6 +49,43 @@ Listen @@SSLPort@@
4 AddType application/x-x509-ca-cert .crt
5 AddType application/x-pkcs7-crl .crl
8 +# List the ciphers that the client is permitted to negotiate,
9 +# and that httpd will negotiate as the client of a proxied server.
10 +# See the OpenSSL documentation for a complete list of ciphers, and
11 +# ensure these follow appropriate best practices for this deployment.
12 +# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
13 +# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
14 +SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
15 +SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
17 +# By the end of 2016, only TLSv1.2 ciphers should remain in use.
18 +# Older ciphers should be disallowed as soon as possible, while the
19 +# kRSA ciphers do not offer forward secrecy. These changes inhibit
20 +# older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
21 +# non-browser tooling) from successfully connecting.
23 +# To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
24 +# those protocols which do not support forward secrecy, replace
25 +# the SSLCipherSuite and SSLProxyCipherSuite directives above with
26 +# the following two directives, as soon as practical.
27 +# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
28 +# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
30 +# User agents such as web browsers are not configured for the user's
31 +# own preference of either security or performance, therefore this
32 +# must be the prerogative of the web server administrator who manages
33 +# cpu load versus confidentiality, so enforce the server's cipher order.
34 +SSLHonorCipherOrder on
36 +# SSL Protocol support:
37 +# List the protocol versions which clients are allowed to connect with.
38 +# Disable SSLv2 and SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0)
39 +# should be disabled as quickly as practical. By the end of 2016, only
40 +# the TLSv1.2 protocol or later should remain in use.
41 +SSLProtocol all -SSLv2 -SSLv3
42 +SSLProxyProtocol all -SSLv2 -SSLv3
45 # Configure the pass phrase gathering process.
46 # The filtering dialog program (`builtin' is a internal
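Review bot: the new `SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4` drops the explicit `!aNULL` that the removed vhost-level directive carried, and the comment above it acknowledges that this only stays safe because httpd 2.2.30/2.4.13+ force-disable aNULL/eNULL/EXP. Since this template can be installed alongside older httpd or OpenSSL builds, it would be safer to keep those exclusions explicit, e.g. `SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!MD5:!RC4` (and the same for `SSLProxyCipherSuite`), so the policy does not depend on a version floor. Minor wording point in the commented-out recommendation: `kRSA` is a key-exchange method, not a protocol, so "disable those protocols which do not support forward secrecy" should read "disable those key exchanges which do not offer forward secrecy".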
47 @@ -77,36 +114,13 @@ SSLMutex "file:@exp_runtimedir@/ssl_mut
48 DocumentRoot "@exp_htdocsdir@"
49 ServerName www.example.com:@@SSLPort@@
50 ServerAdmin you@example.com
51 -ErrorLog "@exp_logfiledir@/error_log"
52 -TransferLog "@exp_logfiledir@/access_log"
53 +ErrorLog "@exp_logfiledir@/httpd-error.log"
54 +TransferLog "@exp_logfiledir@/httpd-access.log"
57 # Enable/Disable SSL for this virtual host.
60 -# SSL Protocol support:
61 -# List the protocol versions which clients are allowed to
62 -# connect with. Disable SSLv2 by default (cf. RFC 6176).
63 -SSLProtocol all -SSLv2
66 -# List the ciphers that the client is permitted to negotiate.
67 -# See the mod_ssl documentation for a complete list.
68 -SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
70 -# Speed-optimized SSL Cipher configuration:
71 -# If speed is your main concern (on busy HTTPS servers e.g.),
72 -# you might want to force clients to specific, performance
73 -# optimized ciphers. In this case, prepend those ciphers
74 -# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
75 -# Caveat: by giving precedence to RC4-SHA and AES128-SHA
76 -# (as in the example below), most connections will no longer
77 -# have perfect forward secrecy - if the server's key is
78 -# compromised, captures of past or future traffic must be
79 -# considered compromised, too.
80 -#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
81 -#SSLHonorCipherOrder on
84 # Point SSLCertificateFile at a PEM encoded certificate. If
85 # the certificate is encrypted, then you will be prompted for a
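Review bot: removing the vhost-level `SSLProtocol all -SSLv2` and `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` means this virtual host now inherits the server-context `SSLProtocol`, `SSLCipherSuite` and `SSLHonorCipherOrder` added at the top of the file; a one-line comment in the vhost saying so would help administrators who edit only the `<VirtualHost>` block and expect to find the protocol/cipher settings there. The `ErrorLog`/`TransferLog` renames to `httpd-error.log` and `httpd-access.log` also change the on-disk paths, so any log rotation or monitoring configuration that refers to `error_log` and `access_log` needs a matching update.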
86 @@ -249,7 +263,7 @@ BrowserMatch "MSIE [2-5]" \
88 # The home of a custom SSL log file. Use this when you want a
89 # compact non-error SSL logfile on a virtual host basis.
90 -CustomLog "@exp_logfiledir@/ssl_request_log" \
91 +CustomLog "@exp_logfiledir@/httpd-ssl_request.log" \
92 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
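Review bot: the `ssl_request_log` rename to `httpd-ssl_request.log` is consistent with the `httpd-error.log`/`httpd-access.log` renames in the earlier hunk, so the same rotation/monitoring caveat applies. Since the unchanged format string records `%{SSL_PROTOCOL}x` and `%{SSL_CIPHER}x`, this log is where an administrator can check which clients still negotiate TLSv1 or kRSA ciphers before switching to the stricter commented-out `SSLCipherSuite`/`SSLProtocol` settings introduced above; it may be worth saying so in the comment that precedes this directive.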