#test config derived from httpd-2.0/docs/conf/ssl-std.conf
<IfModule @ssl_module@>
#base config that can be used by any SSL enabled VirtualHosts
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLSessionCache none
#XXX: would be nice to test these
#SSLSessionCache shm:@ServerRoot@/logs/ssl_scache(512000)
#SSLSessionCache dbm:@ServerRoot@/logs/ssl_scache
#SSLSessionCacheTimeout 300
#SSLMutex file:@ServerRoot@/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
<IfModule mod_log_config.c>
LogFormat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b" ssl
CustomLog logs/ssl_request_log ssl
</IfModule>
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
<IfDefine TEST_SSL_PASSPHRASE_EXEC>
SSLPassPhraseDialog exec:@ServerRoot@/conf/ssl/httpd-passphrase.pl
</IfDefine>
#else the default is builtin
<IfDefine !TEST_SSL_PASSPHRASE_EXEC>
SSLPassPhraseDialog builtin
</IfDefine>
<IfDefine TEST_SSL_DES3_KEY>
SSLCertificateFile @SSLCA@/asf/certs/server_des3.crt
SSLCertificateKeyFile @SSLCA@/asf/keys/server_des3.pem
# SSLCertificateFile @SSLCA@/asf/certs/server_des3_dsa.crt
# SSLCertificateKeyFile @SSLCA@/asf/keys/server_des3_dsa.pem
</IfDefine>
#else the default is an unencrypted key
<IfDefine !TEST_SSL_DES3_KEY>
SSLCertificateFile @SSLCA@/asf/certs/server.crt
SSLCertificateKeyFile @SSLCA@/asf/keys/server.pem
# SSLCertificateFile @SSLCA@/asf/certs/server_dsa.crt
# SSLCertificateKeyFile @SSLCA@/asf/keys/server_dsa.pem
</IfDefine>
#SSLCertificateChainFile @SSLCA@/asf/certs/cachain.crt
SSLCACertificateFile @SSLCA@/asf/certs/ca.crt
SSLCACertificatePath @ServerRoot@/conf/ssl
SSLCARevocationFile @SSLCA@/asf/crl/ca-bundle.crl
<VirtualHost @ssl_module_name@>
SSLEngine on
#t/ssl/verify.t
Alias /verify @DocumentRoot@
<Location /verify>
SSLVerifyClient require
SSLVerifyDepth 10
</Location>
#t/ssl/require.t
Alias /require/asf @DocumentRoot@
Alias /require/snakeoil @DocumentRoot@
Alias /ssl-fakebasicauth @DocumentRoot@
Alias /ssl-cgi @DocumentRoot@/modules/cgi
Alias /require-ssl-cgi @DocumentRoot@/modules/cgi
<Location /require/asf>
SSLVerifyClient require
SSLVerifyDepth 10
SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
and %{SSL_CLIENT_S_DN_O} eq "ASF" \
and %{SSL_CLIENT_S_DN_OU} in \
{"httpd-test", "httpd", "modperl"} )
</Location>
<Location /require/snakeoil>
SSLVerifyClient require
SSLVerifyDepth 10
SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
and %{SSL_CLIENT_S_DN_OU} in \
{"Staff", "CA", "Dev"} )
</Location>
<Location /ssl-cgi>
SSLOptions +StdEnvVars
</Location>
<Location /require-ssl-cgi>
SSLOptions +StdEnvVars
SSLVerifyClient require
SSLVerifyDepth 10
</Location>
<IfModule @AUTH_MODULE@>
<Location /ssl-fakebasicauth>
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +FakeBasicAuth
AuthName "Snake Oil Authentication"
AuthType Basic
AuthUserFile @SSLCA@/asf/ssl.htpasswd
require valid-user
</Location>
</IfModule>
</VirtualHost>
</IfModule>