authorJoe Orton <jorton@redhat.com>2016-11-02 11:29:45 +0000
committerJoe Orton <jorton@redhat.com>2016-11-02 11:29:45 +0000
commit60e3fdb529d58d495d4360dddf2fc9f7a75509cb (patch)
treee369e1caaa5fe1ec367be1809ea07ec2ee92f059
parent4a0435cd7b98675e67c387eb9cd5170112c6b494 (diff)
- sync with upstream.
-rw-r--r--ssl.conf25
1 files changed, 15 insertions, 10 deletions
diff --git a/ssl.conf b/ssl.conf
index e8e6c97..c07d614 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -90,11 +90,15 @@ SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
-# Server Certificate:
-# Point SSLCertificateFile at a PEM encoded certificate. If
-# the certificate is encrypted, then you will be prompted for a
-# pass phrase. Note that a kill -HUP will prompt again. A new
-# certificate can be generated using the genkey(1) command.
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that restarting httpd will prompt again. Keep
+# in mind that if you have both an RSA and a DSA certificate you
+# can configure both in parallel (to also allow the use of DSA
+# ciphers, etc.)
+# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+# require an ECC certificate which can also be configured in
+# parallel.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key:
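Review bot: The `# Server Certificate:` heading removed at the top of this hunk is not replaced, so the SSLCertificateFile block now opens directly with "Point SSLCertificateFile at a PEM encoded certificate" while the neighbouring blocks keep their `# Server Private Key:` and `# Server Certificate Chain:` headings. Re-adding `# Server Certificate:` as the first comment line keeps the three sections parallel and makes the block easier to find when scanning the file. The rest of the new text reads fine.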
@@ -102,6 +106,7 @@ SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
+# ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Server Certificate Chain:
@@ -110,7 +115,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
-# certificate for convinience.
+# certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA):
@@ -170,9 +175,9 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
-<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
-</Files>
+</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
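Review bot: The new `<FilesMatch "\.(cgi|shtml|phtml|php)$">` line changes the pattern as well as the container: the old `php3?` matched both `.php` and `.php3`, the new `php` matches only `.php`, so `.php3` requests silently stop receiving `SSLOptions +StdEnvVars`. Everything else in this hunk is a pure `<Files ~>` to `<FilesMatch>` rename, so the narrowing looks accidental unless dropping the obsolete php3 extension was intended. If it was not, keep the old expression, `<FilesMatch "\.(cgi|shtml|phtml|php3?)$">`; if it was, the commit message should say so rather than "sync with upstream" alone.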
@@ -184,13 +189,13 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
-# SSL close notify alert is send or allowed to received. This violates
+# SSL close notify alert is sent or allowed to be received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
-# SSL close notify alert is send and mod_ssl waits for the close notify
+# SSL close notify alert is sent and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation