pool/apache2-mod_nss
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
factory
apache2-mod_nss/vhost-nss.template
Petr Gajdos 39ebee229b Accepting request 584463 from home:vitezslav_cizek:branches:Apache:Modules 
- Since the update to NSS 3.35, the default NSS certificate
  database format changed from Berkley DB to SQLite
- use %license tag

- Update to 1.0.15
  * Try to auto-detect the NSS database format if not specified
  * Update nss_pcache.8 man page to drop directory and prefix
  * When a token is configured in password file only authenticate once
  * Return an error when NSSPassPhraseDialog is invalid
  * Move 3DES ciphers down from HIGH to MEDIUM to match OpenSSL 1.0.2k+
  * Add -Werror=implicit-function-declaration to CFLAGS
  * Handle group membership when testing for file permissions
  * NSS system-wide policy now disables SSLv3, don't use it in tests
  * Add missing error messages for libssl errors
  * Fix doc typo in SSL_[SERVER|CLIENT]_SAN_IPaddr env variable name
  * When including additional test config use specific extension
  * Fix the TLS Session ID cache
  * Make an invalid protocol setting fatal
  * Don't use same NSS db in nss_pcache as mod_nss, use NSS_NoDB_Init()
  * Add info log message when FIPS is enabled
      * Add AES-256 and drop DES, CAST128, SKIPJACK as wrapping key types
  * Fix removal of CR from PEM certificates
  * Add OCSP caching and timeout tuning knobs
  * Check the NSS database directory permissions as well as the files
    inside it for read access on startup.
  * Add in simple aliases for ciphers to fix those that
    don't follow the pattern (dhe_rsa_aes_128_sha256,
    dhe_rsa_aes_256_sha256) and those with typos
    (camelia_128_sha, camelia_256_sha)
  * Fix semaphore leak

OBS-URL: https://build.opensuse.org/request/show/584463
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=40
2018-03-09 16:02:16 +00:00

142 lines
5.4 KiB
Plaintext
Raw Permalink Blame History

##
## SSL Virtual Host Context
##
## The idea is that certificate specific options belong to a VirtualHost
## directive block, while the cipher and protocol configuration is a global
## setting that comes from /etc/apache2/conf.d/mod_nss.conf .
## The system-wide mod_nss.conf does not have any certificate-specific
## options set, so you would need to set them in your own config.
##
## Please place this file into /etc/apache2/vhosts.d with a name that ends
## in .conf . Files not named *.conf are ignored by the configuration
## framework.
<VirtualHost _default_:443>
# General setup for the virtual host
#DocumentRoot "@apache_prefix@/htdocs"
#ServerName www.example.com:443
#ServerAdmin you@example.com
# mod_nss can log to separate log files, you can choose to do that if you'd like
# LogLevel is not inherited from httpd.conf.
#ErrorLog /var/log/apache2/error_log
#TransferLog /var/log/apache2/access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
NSSEngine on
# SSL Cipher Suite:
#
# The NSSCipherSuite directive is present in the NSS-specific system-wide
# configuration file /etc/apache2/conf.d/mod_nss.conf .
# You may set the cipher suite on a virtual host basis here, too.
# SSL Certificate Nickname:
# The nickname of the RSA server certificate you are going to use.
NSSNickname Server-Cert
# SSL Certificate Nickname:
# The nickname of the ECC server certificate you are going to use, if you
# have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname Server-Cert-ecc
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
# keys. The database consists of 3 files: cert9.db, key4.db and secmod.db.
# Provide the directory that these files exist.
NSSCertificateDatabase /etc/apache2/mod_nss.d
# Database Prefix:
# In order to be able to store multiple NSS databases in one directory
# they need unique names. This option sets the database prefix used for
# cert8.db and key3.db.
#NSSDBPrefix my-prefix-
# Client Authentication (Type):
# Client certificate verification type. Types are none, optional and
# require.
#NSSVerifyClient none
#
# Online Certificate Status Protocol (OCSP).
# Verify that certificates have not been revoked before accepting them.
#NSSOCSP off
#
# Use a default OCSP responder. If enabled this will be used regardless
# of whether one is included in a client certificate. Note that the
# server certificate is verified during startup.
#
# NSSOCSPDefaultURL defines the service URL of the OCSP responder
# NSSOCSPDefaultName is the nickname of the certificate to trust to
# sign the OCSP responses.
#NSSOCSPDefaultResponder on
#NSSOCSPDefaultURL http://example.com/ocsp/status
#NSSOCSPDefaultName ocsp-nickname
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_nss documentation
# for more details.
#<Location />
#NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "NSSRequireSSL" or "NSSRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
NSSOptions +StdEnvVars
</Files>
<Directory "@apache_prefix@/cgi-bin">
NSSOptions +StdEnvVars
</Directory>
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
#CustomLog /var/log/apache2/ssl_request_log \
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Reference in New Issue View Git Blame Copy Permalink