1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
--- docs/conf/extra/httpd-ssl.conf.in.orig 2013-11-11 14:00:57 UTC
+++ docs/conf/extra/httpd-ssl.conf.in
@@ -49,6 +49,43 @@ Listen @@SSLPort@@
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate,
+# and that httpd will negotiate as the client of a proxied server.
+# See the OpenSSL documentation for a complete list of ciphers, and
+# ensure these follow appropriate best practices for this deployment.
+# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
+# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
+SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
+SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
+
+# By the end of 2016, only TLSv1.2 ciphers should remain in use.
+# Older ciphers should be disallowed as soon as possible, while the
+# kRSA ciphers do not offer forward secrecy. These changes inhibit
+# older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
+# non-browser tooling) from successfully connecting.
+#
+# To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
+# those protocols which do not support forward secrecy, replace
+# the SSLCipherSuite and SSLProxyCipherSuite directives above with
+# the following two directives, as soon as practical.
+# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
+# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
+
+# User agents such as web browsers are not configured for the user's
+# own preference of either security or performance, therefore this
+# must be the prerogative of the web server administrator who manages
+# cpu load versus confidentiality, so enforce the server's cipher order.
+SSLHonorCipherOrder on
+
+# SSL Protocol support:
+# List the protocol versions which clients are allowed to connect with.
+# Disable SSLv2 and SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0)
+# should be disabled as quickly as practical. By the end of 2016, only
+# the TLSv1.2 protocol or later should remain in use.
+SSLProtocol all -SSLv2 -SSLv3
+SSLProxyProtocol all -SSLv2 -SSLv3
+
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
@@ -77,36 +114,13 @@ SSLMutex "file:@exp_runtimedir@/ssl_mut
DocumentRoot "@exp_htdocsdir@"
ServerName www.example.com:@@SSLPort@@
ServerAdmin you@example.com
-ErrorLog "@exp_logfiledir@/error_log"
-TransferLog "@exp_logfiledir@/access_log"
+ErrorLog "@exp_logfiledir@/httpd-error.log"
+TransferLog "@exp_logfiledir@/httpd-access.log"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
-# SSL Protocol support:
-# List the protocol versions which clients are allowed to
-# connect with. Disable SSLv2 by default (cf. RFC 6176).
-SSLProtocol all -SSLv2
-
-# SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate.
-# See the mod_ssl documentation for a complete list.
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
-
-# Speed-optimized SSL Cipher configuration:
-# If speed is your main concern (on busy HTTPS servers e.g.),
-# you might want to force clients to specific, performance
-# optimized ciphers. In this case, prepend those ciphers
-# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
-# Caveat: by giving precedence to RC4-SHA and AES128-SHA
-# (as in the example below), most connections will no longer
-# have perfect forward secrecy - if the server's key is
-# compromised, captures of past or future traffic must be
-# considered compromised, too.
-#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
-#SSLHonorCipherOrder on
-
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
@@ -249,7 +263,7 @@ BrowserMatch "MSIE [2-5]" \
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
-CustomLog "@exp_logfiledir@/ssl_request_log" \
+CustomLog "@exp_logfiledir@/httpd-ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
|
