# Global SSL configuration
#
# mod_nss test-server template. $SERVER_ROOT, $SERVER_PORT, $SERVER_NAME, $SNI,
# $DBPREFIX and $PRESERVEHOST are placeholders that are presumably substituted
# by the test harness before httpd reads this file.
#
# NOTE(review): this copy appears to have lost its container directives
# (per-host / per-location sections): the repeated ServerName/DocumentRoot
# pairs, the repeated NSSOptions/NSSVerifyClient pairs and the standalone
# AuthType/Require lines only make sense inside separate contexts. Directive
# order and scope are therefore preserved below exactly as found; do not
# reorder without the original section boundaries.
#
# Deliberately weak settings (SSLv3, RC4, single DES, MD5, OCSP off) are
# present so that the protocol/cipher tests have something to exercise.
# Nothing here is a template for a production server.

# The NSS database password is read from a plain file; its permissions
# (and those of the nss_pcache helper) are what protect the server key.
NSSPassPhraseDialog file:$SERVER_ROOT/conf/password.conf
NSSPassPhraseHelper $SERVER_ROOT/bin/nss_pcache

# Session cache sizing. By mod_nss naming, the "3" variant is the
# SSL3/TLS session lifetime (86400 s = one day); the other applies to
# SSL2-style sessions (100 s).
NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400

# Binds every interface; the second listener on 8001 is used alongside
# $SERVER_PORT (presumably for a second test host).
Listen 0.0.0.0:$SERVER_PORT
Listen 0.0.0.0:8001

# debug-level logging records handshake detail; appropriate for tests only.
LogLevel debug
CoreDumpDirectory $SERVER_ROOT

# --- first test host -------------------------------------------------------
ServerName $SERVER_NAME
DocumentRoot $SERVER_ROOT/content
NSSSNI $SNI
NSSEngine on
NSSFIPS off
# OCSP revocation checking of client certs is disabled for these tests.
NSSOCSP off
# Renegotiation is explicitly allowed here (test requirement, presumably).
NSSRenegotiation on

# Legacy suite list: RC4/MD5 and single DES are included on purpose so the
# cipher-selection tests can negotiate and then reject them via NSSRequire.
NSSCipherSuite +rsa_rc4_128_md5,+rsa_3des_sha,+rsa_des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
# SSLv3 is enabled only so the %{SSL_PROTOCOL} eq "SSLv3" check below can be
# exercised; it is deprecated everywhere else (RFC 7568).
NSSProtocol SSLv3,TLSv1.0
NSSNickname Server-Cert
NSSCertificateDatabase $DBPREFIX$SERVER_ROOT/alias
# No client certificate is demanded at host level; the per-context
# "require" settings further down override this where needed.
NSSVerifyClient none
# Maps the client certificate UID attribute into the request user name
# (affects what REMOTE_USER / authz sees) -- confirm against mod_nss docs.
NSSUserName SSL_CLIENT_S_DN_UID

# Per-context cipher overrides (each presumably lived in its own
# container). The RC4-SHA line uses the OpenSSL-style name to check that
# both naming forms are accepted.
NSSCipherSuite +rsa_rc4_128_md5
NSSCipherSuite RC4-SHA
# In openssl equivalent of AES:-ECDH:-ADH:-PSK:-DH
# In NSS equivalent of AES:-ECDH
NSSCipherSuite AES+RSA
NSSCipherSuite +dhe_rsa_aes_128_sha

# Two contexts that demand a client certificate and export the cert data
# into the environment (+ExportCertData makes SSL_CLIENT_CERT etc. visible
# to CGI/scripts, so keep that scoped to where it is needed).
NSSOptions +StdEnvVars +CompatEnvVars +ExportCertData
NSSVerifyClient require
NSSOptions +StdEnvVars +CompatEnvVars +ExportCertData
NSSVerifyClient require

# Attribute-based authorization on the presented client certificate:
# UID must be alpha or gamma AND O/OU must match. Note the parentheses --
# without them "and" would bind tighter than the "or" on the UID check.
NSSRequire ( %{SSL_CLIENT_S_DN_UID} eq "alpha" \
            or %{SSL_CLIENT_S_DN_UID} eq "gamma" ) \
            and %{SSL_CLIENT_S_DN_O} eq "example.com" \
            and %{SSL_CLIENT_S_DN_OU} eq "People"

# FakeBasicAuth: the client certificate DN is presented to mod_auth as a
# Basic user name, so the entries in conf/htpasswd are the effective allow
# list for this context (no real password is typed by the client).
NSSOptions +StdEnvVars +CompatEnvVars +ExportCertData +FakeBasicAuth
NSSVerifyClient require
AuthType Basic
AuthName Cert
AuthUserFile conf/htpasswd
Require valid-user

# Key-size checks: > 40 admits anything beyond export grade; > 4000 cannot
# be satisfied by any symmetric suite and presumably serves as a
# guaranteed-deny case.
NSSRequire %{SSL_CIPHER_USEKEYSIZE} > 40
NSSRequire %{SSL_CIPHER_USEKEYSIZE} > 4000
# One context per protocol version so each can be asserted individually.
NSSRequire %{SSL_PROTOCOL} eq "SSLv3"
NSSRequire %{SSL_PROTOCOL} eq "TLSv1"
NSSRequire %{SSL_PROTOCOL} eq "TLSv1.1"
NSSRequire %{SSL_PROTOCOL} eq "TLSv1.2"
NSSOptions +ExportCertData +CompatEnvVars +StdEnvVars

# Reverse-proxy tests. The outbound suite list repeats the legacy ciphers
# of the front end; whether NSSProxyProtocol treats "TLSv1.0,TLSv1.2" as a
# range or as an exact set depends on the mod_nss version -- verify.
NSSProxyEngine on
NSSProxyCipherSuite +rsa_rc4_128_md5,+rsa_3des_sha,+rsa_des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
NSSProxyProtocol TLSv1.0,TLSv1.2
ProxyPreserveHost $PRESERVEHOST
ProxyPass /proxy https://www1.example.com:8000/proxydata
ProxyPassReverse /proxy https://www1.example.com:8000/proxydata
# Proxies to an external site; this test therefore needs outbound network
# access and will depend on that site's TLS configuration.
ProxyPass /google https://www.google.com/
ProxyPassReverse /google https://www.google.com/

#
# For testing protocol handling
#
# --- second test host: TLS 1.2 only, modern suites ------------------------
ServerName $SERVER_NAME
DocumentRoot $SERVER_ROOT/content
NSSEngine on
NSSFIPS off
NSSOCSP off
NSSRenegotiation on
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+rsa_aes_128_gcm_sha_256
NSSProtocol TLSv1.2
NSSNickname Server-Cert
NSSVerifyClient none
# A bit redundant since the initial handshake should fail if no TLSv1.2
NSSRequire %{SSL_PROTOCOL} eq "TLSv1.2"
NSSOptions +ExportCertData +CompatEnvVars +StdEnvVars

#
# SNI testing. Requires that you add an entry like this to /etc/hosts:
#
# www1.example.com
#
# 25 of these are needed
#
# Test with something like:
# curl --cacert alias/ca.pem -v https://www1.example.com:8000/index.html
#
# Output should be something like: Basic index page for sni1
#
# Pulls in every file under conf.d (the SNI host definitions, presumably);
# anything dropped into that directory becomes live server configuration.
include conf.d/*