Diffstat (limited to 'pki/base/tps/apache/conf/nss.conf')
-rw-r--r-- | pki/base/tps/apache/conf/nss.conf | 100 |
1 files changed, 98 insertions, 2 deletions
diff --git a/pki/base/tps/apache/conf/nss.conf b/pki/base/tps/apache/conf/nss.conf
index 43f7753d..0c7b7b6c 100644
--- a/pki/base/tps/apache/conf/nss.conf
+++ b/pki/base/tps/apache/conf/nss.conf
@@ -17,6 +17,8 @@
 #
 Listen 0.0.0.0:[SECURE_PORT]
+Listen 0.0.0.0:[NON_CLIENTAUTH_SECURE_PORT]
+
 ##
 ## SSL Global Context
 ##
@@ -59,7 +61,7 @@ NSSSession3CacheTimeout 86400
 # General setup for the virtual host
 #DocumentRoot "/htdocs"
-#ServerName [SERVER_NAME]:[SECURE_PORT]
+#ServerName [Server_Name]:[Secure_Port]
 #ServerAdmin you@example.com
 # mod_ssl logs to separate log files, you can choose to do that if you'd like
@@ -90,7 +92,7 @@ NSSCertificateDatabase [SERVER_ROOT]/alias
 # Client Authentication (Type):
 # Client certificate verification type. Types are none, optional and
 # require.
-NSSVerifyClient none
+NSSVerifyClient require
 # Access Control:
 # With SSLRequire you can do per-directory access control based
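Review bot: The second hunk changes the placeholder case from `[SERVER_NAME]:[SECURE_PORT]` to `[Server_Name]:[Secure_Port]`, which no longer matches the upper-case `[SERVER_ROOT]`, `[SECURE_PORT]` and `[INSTANCE_ID]` tokens used everywhere else in this file; if the installer substitutes upper-case tokens, this line is presumably left unsubstituted and becomes wrong the moment an admin uncomments it. The same mixed-case token appears in the new vhost in the last hunk as `#ServerName [Server_Name]:[Non_Clientauth_Secure_Port]`, two lines below a `<VirtualHost _default_:[NON_CLIENTAUTH_SECURE_PORT]>` that uses the upper-case form. Keep `#ServerName [SERVER_NAME]:[SECURE_PORT]` here and `#ServerName [SERVER_NAME]:[NON_CLIENTAUTH_SECURE_PORT]` in the new vhost.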
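Review bot: Switching `NSSVerifyClient` to `require` in the third hunk makes this listener reject every TLS handshake that lacks a client certificate, and the surrounding comment still only lists the three possible values without saying why `require` was chosen or where certificate-less clients are now expected to go. A one-line comment above the directive, e.g. `# Client certificates are mandatory on [SECURE_PORT]; clients without one must use the [NON_CLIENTAUTH_SECURE_PORT] vhost below`, would spare the next reader a search through the file. The enclosing `<VirtualHost>` block starts and ends outside this hunk.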
@@ -150,3 +152,97 @@ NSSVerifyClient none
 </VirtualHost>
+<VirtualHost _default_:[NON_CLIENTAUTH_SECURE_PORT]>
+
+# General setup for the virtual host
+#DocumentRoot "/htdocs"
+#ServerName [Server_Name]:[Non_Clientauth_Secure_Port]
+#ServerAdmin you@example.com
+
+# mod_ssl logs to separate log files, you can choose to do that if you'd like
+ErrorLog [SERVER_ROOT]/logs/error_log
+TransferLog [SERVER_ROOT]/logs/access_log
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+NSSEngine on
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_nss documentation for a complete list.
+NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha
+
+NSSProtocol SSLv3,TLSv1
+
+# SSL Certificate Nickname:
+# The nickname of the server certificate you are going to use.
+NSSNickname "Server-Cert cert-[INSTANCE_ID]"
+
+# Server Certificate Database:
+# The NSS security database directory that holds the certificates and
+# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
+# Provide the directory that these files exist.
+NSSCertificateDatabase [SERVER_ROOT]/alias
+
+# Client Authentication (Type):
+# Client certificate verification type. Types are none, optional and
+# require.
+NSSVerifyClient none
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_nss documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# o FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# o ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# o StdEnvVars:
+# This exports the standard SSL/TLS related `SSL_*' environment variables.
+# Per default this exportation is switched off for performance reasons,
+# because the extraction step is an expensive operation and is usually
+# useless for serving static content. So one usually enables the
+# exportation for CGI and SSI requests only.
+# o StrictRequire:
+# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+# under a "Satisfy any" situation, i.e. when it applies access is denied
+# and no other module can change it.
+# o OptRenegotiate:
+# This enables optimized SSL connection renegotiation handling when SSL
+# directives are used in per-directory context.
+#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+ NSSOptions +StdEnvVars
+</Files>
+<Directory "/cgi-bin">
+ NSSOptions +StdEnvVars
+</Directory>
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+#CustomLog [SERVER_ROOT]/logs/ssl_request_log \
+# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
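Review bot: The new `[NON_CLIENTAUTH_SECURE_PORT]` vhost sets `NSSProtocol SSLv3,TLSv1` and a cipher list that keeps single DES (`+rsa_des_sha`) and RC4-MD5 (`+rsa_rc4_128_md5`) enabled while disabling both AES suites (`-rsa_aes_128_sha,-rsa_aes_256_sha`); this is the listener that by design accepts callers without a client certificate, so it should not also be the one that negotiates the weakest protocol and ciphers. Consider `NSSProtocol TLSv1` and flipping the list to `+rsa_aes_128_sha,+rsa_aes_256_sha` with `-rsa_des_sha,-rsa_rc4_128_md5`, so the two vhosts share one policy. Note also that this vhost uses the same `NSSCertificateDatabase`, the same `ErrorLog`/`TransferLog` files and the same (commented) `DocumentRoot` as the `[SECURE_PORT]` vhost, so unless access is scoped elsewhere, whatever the client-auth port serves is presumably also served here with `NSSVerifyClient none`; a comment stating which paths this port is meant to expose would make that intent reviewable. The `<VirtualHost>` block is complete within this hunk.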