blob: f8804d61eadac396634b59cf44be37243e7e02e3 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
--- docs/conf/extra/httpd-ssl.conf.in.orig 2015-01-31 12:20:34 UTC
+++ docs/conf/extra/httpd-ssl.conf.in
@@ -42,11 +42,30 @@ Listen @@SSLPort@@
## the main server and all SSL-enabled virtual hosts.
##
+## disable unsecure SSL protocols
+SSLProtocol ALL -SSLv2 -SSLv3
+
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+## The following entries can be used as suggestions,
+## for more information see:
+## - http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite
+## - http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
+##
+## To test your SSL implementation use for example security/sslscan or for public reachable systems https://www.ssllabs.com/
+
+## sample for OpenSSL >= 1.0.x (with RC4)
+# SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
+
+## sample for OpenSSL >= 1.0.x (keep support for IE8 on XP)
+# SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4"
+
+## sample for OpenSSL >= 1.0.x (no RC4 support)
+# SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
+
# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
@@ -105,8 +124,8 @@ SSLSessionCacheTimeout 300
DocumentRoot "@exp_htdocsdir@"
ServerName www.example.com:@@SSLPort@@
ServerAdmin you@example.com
-ErrorLog "@exp_logfiledir@/error_log"
-TransferLog "@exp_logfiledir@/access_log"
+ErrorLog "@exp_logfiledir@/httpd-error.log"
+TransferLog "@exp_logfiledir@/httpd-access.log"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
@@ -265,7 +284,7 @@ BrowserMatch "MSIE [2-5]" \
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
-CustomLog "@exp_logfiledir@/ssl_request_log" \
+CustomLog "@exp_logfiledir@/httpd-ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
|
