
# ----------------------------SSL----------------------------------

# This is an example configuration file for Apache-SSL.
# Copyright (C) 1995,6,7,8,9,2000,2001 Ben Laurie
# Adapted to the Debian configuration by the Debian Apache Maintainers Team.

# Note that all SSL options can apply to virtual hosts.

# Disable SSL version 2 (you should always do this)
# Debian maintainers note: this option has been disabled since it seems
#                          to give some problems in certain setups but
#                          should be used whenever possible.
# NOTE(review): while this stays commented out, nothing in this file turns
#               SSLv2 off; whether it is still negotiable then depends on the
#               OpenSSL build defaults - confirm before relying on that.
#SSLNoV2

# Disable CA list sending for testing...
#SSLNoCAList

# Load some randomness.
# This is loaded at startup, reading at most 1024 bytes from /dev/urandom.
# You may prefer to use /dev/random, but be aware that some OSes (e.g. Linux)
# insist on returning all 1024 bytes, thus blocking the server until the
# randomness is available.
# The randomness will be _shared_ between all server instances. You can have
# as many of these as you want.
SSLRandomFile file /dev/urandom 1024

# And this one will be loaded before SSL is negotiated for each connection.
# Again, you can have as many of these as you want, and they will all be used
# at each connection.
#SSLRandomFilePerConnection egd /path/to/egd/socket 1024
SSLRandomFilePerConnection file /dev/urandom 1024

# Disable SSL. Useful in combination with virtual hosts. Note that SSLEnable is
# now also supported.
#SSLDisable
SSLEnable

# Set the path for the global cache server executable.
# If this facility gives you trouble, you can disable it by setting
# CACHE_SESSIONS to FALSE in apache_ssl.c
#SSLCacheServerPath ../src/modules/ssl/splashcache 3333@scuzzy ssl
SSLCacheServerPath /usr/lib/apache-ssl/gcache

# Set the global cache server port number, or path. If it is a path, a Unix
# domain socket is used. If a number, a TCP socket.
# A path is used here, so the cache server listens on a local Unix domain
# socket rather than a TCP port; keep it that way unless a remote cache is
# actually needed.
#SSLCacheServerPort 1234
SSLCacheServerPort /var/run/gcache_port

# Directory for the cache server to run in (in case of crashes). Optional.
#SSLCacheServerRunDir /tmp

# Set the session cache timeout, in seconds (set to 15 for testing, use a
# higher value in real life)
# NOTE(review): 15 is the testing value described above and is what ships
#               here. Cached sessions are not rechecked against the CRL (see
#               "CRL Handling" below), so this value also bounds how long a
#               revoked client certificate can keep resuming a session.
SSLSessionCacheTimeout 15

# Set the CA certificate verification path (must be PEM encoded).
# (in addition to getenv("SSL_CERT_DIR"), I think).
#SSLCACertificatePath /home/ben/work/apache-ssl/apache_1.3.4-ssl/SSLconf/conf
#SSLCACertificatePath /etc/apache-ssl

# Set the CA certificate verification file (must be PEM encoded).
# (in addition to getenv("SSL_CERT_FILE"), I think).
# NOTE(review): neither SSLCACertificatePath nor SSLCACertificateFile is set
#               in this file, so client-certificate verification and the CRL
#               lookup below rely on whatever defaults are mentioned above
#               (SSL_CERT_DIR / SSL_CERT_FILE) - confirm where the trusted
#               CA set comes from before enabling client certificates.
#SSLCACertificateFile /some/where/somefile
#SSLCACertificateFile /home/ben/work/apache-ssl/apache_1.3.4-ssl/SSLconf/conf/httpsd.pem

# Point SSLCertificateFile at a PEM encoded certificate.
# If the certificate is encrypted, then you will be prompted for a pass phrase.
# A test certificate can be generated with "make certificate".
# With SSLCertificateKeyFile left unset below, this PEM presumably also holds
# the private key; its file permissions should then allow root only.
#SSLCertificateFile /home/ben/work/apache-ssl/apache_1.3.4-ssl/SSLconf/conf/httpsd.pem
SSLCertificateFile /etc/apache-ssl/apache.pem

# If the key is not combined with the certificate, use this directive to
# point at the key file. If this starts with a '/' it specifies an absolute
# path, otherwise it is relative to the default certificate area. That is, it
# means "<default>/private/<keyfile>".
#SSLCertificateKeyFile /some/place/with/your.key

# Set SSLVerifyClient to:
# 0 if no certificate is required
# 1 if the client may present a valid certificate
# 2 if the client must present a valid certificate
# 3 if the client may present a valid certificate but it is not required to
#   have a valid CA
# NOTE(review): at 0 no client certificate is requested, so SSLUseCRL,
#               SSLCRLCheckAll, the SSLOn*SetEnv directives and
#               SSLFakeBasicAuth below presumably have nothing to act on
#               until this is raised - confirm for the intended deployment.
SSLVerifyClient 0
# How deeply to verify before deciding they don't have a valid certificate
SSLVerifyDepth 10

# CRL Handling
# N.B. Cached sessions are _not_ rechecked against the CRL, so make sure
# SSLSessionCacheTimeout is set low enough.

# Add this directive to check the client cert against its CRL
# OpenSSL will look for the CRL in the CA path (i.e. the path set with
# SSLCACertificatePath), and will expect to find a symlink from <hash>.r<n>
# to the CRL in PEM format. It is up to you to ensure an in-date CRL is
# available at that location. This hash can be generated like so:
# hash=`openssl crl -hash -in $file -noout`
# ln -sf $file $hash.r0
SSLUseCRL

# Check all certificates in the client certificate chain instead of just
# the final one.
SSLCRLCheckAll

# NOTE(review): the three SSLOn*SetEnv directives below let revoked,
#               CRL-expired and CRL-less client certificates through; access
#               is denied only if something downstream reads SSL_REVOKED,
#               SSL_CRL_EXPIRED or SSL_NO_CRL and acts on it. With a directive
#               unset, the verification error is returned instead (see the
#               note on SSLOnCRLExpirySetEnv), which is the safer default
#               unless the application really handles these variables.
# Allow revoked certificates through, but set an environment variable (to YES)
SSLOnRevocationSetEnv SSL_REVOKED

# Allow a certificate with an expired CRL through, but set an environment
# variable (to YES). Note that with this unset, the error returned is
# certificate expired (TLS doesn't have an error for CRL expired! Doh!)
SSLOnCRLExpirySetEnv SSL_CRL_EXPIRED

# Allow a certificate with no CRL through, but set an environment variable
# (to YES)
SSLOnNoCRLSetEnv SSL_NO_CRL

# If you have enabled client cert exports (in buff.h) you need to use
# SSLExportClientCertificates to enable them. Note that the server still has to
# mess about with certs even if this is disabled (and exports are enabled)
# because the cert chain is received before we can know whether it is needed or
# not.
# Export client certificates and the certificate chain behind them to CGIs.
# The certificates are base 64 encoded in the environment variables
# SSL_CLIENT_CERT and SSL_CLIENT_CERT_CHAIN_n, where n runs from 1 upwards.
#<Location /cgi-bin/>
# SSLExportClientCertificates
#</Location>

# Translate the client X509 into a Basic authorisation. This means that the
# standard Auth/DBMAuth methods can be used for access control. The user name
# is the "one line" version of the client's X509 certificate. Note that no
# password is obtained from the user. Every entry in the user file needs this
# password: xxj31ZMTZzkVA. See the code for further explanation.
# NOTE(review): every entry in that user file shares the one fixed password
#               quoted above, so a realm using that file must only be reachable
#               where the user name really comes from the certificate (SSL
#               required, non-zero SSLVerifyClient); a plain-HTTP or
#               no-client-cert path to the same realm would accept the DN
#               plus that known password as an ordinary Basic credential.
SSLFakeBasicAuth

# List the ciphers that the client is permitted to negotiate. See the source
# for a definitive list. For example:
#SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA

# These two can be used per-directory to require or ban ciphers. Note that (at
# least in the current version) Apache-SSL will not attempt to renegotiate if a
# cipher is banned (or not required).
# You should probably at least ban the null encryption ciphers.
# NOTE(review): with all three cipher directives commented out, this file
#               configures no cipher restriction at all; the null-cipher ban
#               recommended above is not in effect here.
#SSLRequireCipher
#SSLBanCipher NULL-MD5:NULL-SHA

# A home for miscellaneous rubbish generated by SSL. Much of it is duplicated
# in the error log file. Put this somewhere where it cannot be used for symlink
# attacks on a real server (i.e. somewhere where only root can write).
# Don't use this anymore! Now everything is logged in the error log.
#SSLLogFile /var/log/apache-ssl/ssl.log

# Custom logging
# This writes the negotiated version and cipher plus the full client
# certificate (%{clientcert}c) for every request to the same path the old
# SSLLogFile used; the symlink warning above about a root-only log directory
# applies to it just as much.
CustomLog /var/log/apache-ssl/ssl.log "%t %{version}c %{cipher}c %{clientcert}c"

# Watch what's going on
#TransferLog /var/log/apache-ssl/transfer.log

# Debian maintainers note:
# these are just examples on how some SSL directives might be used.
# (adapted from the original httpd.conf file provided by Ben Laurie)

#<Directory /<path_to_some_dirs>>
# This directive forbids access except when SSL is in use. Very handy for
# defending against configuration errors that expose stuff that should be
# protected
# SSLRequireSSL
# Conversely, you can forbid SSL with...
# SSLDenySSL
#</Directory>

#<VirtualHost foo:8888>
# This directive disables SSL for a specific virtualhost
#SSLDisable
# Conversely, you can enable it with...
#SSLEnable
#</VirtualHost>

# If you want, you can disable SSL globally, and enable it in a virtual host...
#SSLDisable
#<VirtualHost bar:8887>
# SSLEnable
#</VirtualHost>