pool/apache2-mod_nss
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
0ca3b0025c
apache2-mod_nss/mod_nss.conf.in
Petr Gajdos dab7162805 Accepting request 427944 from home:vitezslav_cizek:branches:Apache:Modules 
- don't disable SSLV2, because it doesn't work with NSS 3.24
  (boo#993642)
  * add mod_nss-dont_disable_SSLV2.patch
- remove deprecated NSSSessionCacheTimeout option from mod_nss.conf.in
  (bsc#998176)
- change ownership of the gencert generated NSS database so apache
  can read it (bsc#998180)
  * add mod_nss-gencert-correct-ownership.patch
- use correct configuration path in mod_nss.conf.in (bsc#996282)
- remove %post migration code from the old alias directory
- generate dummy certificates if there aren't any in mod_nss.d

OBS-URL: https://build.opensuse.org/request/show/427944
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=28
2016-09-16 07:23:46 +00:00

306 lines
13 KiB
Plaintext
Raw Blame History

# This is /etc/apache2/conf.d/mod_nss.conf
#
# Configuration for mod_nss starts in this file.
#
# Contents:
# 1) generic information about mod_nss and its relation to mod_ssl
# 2) initialization and loading of the apache module in the SUSE framework
# 3) hints on specifics for the configuration.
#..............................................................................
#
# 1) generic information about mod_nss and its relation to mod_ssl
#
# Concurrency of apache crypto modules:
#
# mod_nss implements SSL/TLS protocol support for the apache webserver and
# is an alternative to mod_ssl. Both modules can be initialized at the same
# time, but, obviously, the protocol handlers ("SSLEngine on" for mod_ssl
# and "NSSEngine on" for mod_nss) cannot be active simultaneously, at a
# global scope, or in the context of a VirtualHost configuration directive
# block.
#
# If for a port that apache listens on, only one VirtualHost section
# has the directive "NSSEngine" set to "on", it will have precedence over
# all other VirtualHost declarations (that may have SSLEngine set to on
# in their context). A simultaneaous operation of both modules for different
# VirtualHosts on the same IP Address and port is not possible.
#
# Reason:
# The browser/client connects to the web server's port 443 and initializes
# an SSL/TLS handshake. If SSLv3 protocol is used, there is no way for the
# client to specify the host that it wants to connect to, unless the crypto
# has been fully initialized already. Similarly, the server cannot present
# the correct certificate to the browser that matches the requested hostname.
# As a consequence, if endpoints are limited to SSLv3, only one web server and
# no virtual servers can be bound to one address. Each additional web server
# would need a new IP address.
# Starting with TLSv1.0, the protocol comes with the Server Name Indication
# (SNI) extension that allows the client to specify the requested hostname
# before the cryptographical part of the protocol is initialized. However,
# this type of hostname distinction is handled by the crypto library in
# combination with mod_ssl or mod_nss, not by apache's core.
# This means that in a dual mod_ssl and mod_nss configuration that is not
# selective on IP addresses, and even if you use TLSv1.0 and newer only,
# only one out of mod_ssl or mod_nss will be active.
# Consequences:
# a) If you need support for encrypted connections using _both_ mod_nss and
# mod_ssl, you should consider using more than one IP addresses, and
# configure the server's crypto engine/module bound to the IP address.
# b) If you do NOT need both mod_nss and mod_ssl simultaneaously in apache,
# it is recommended to decide for one and deactivate the other.
#
# Certificates:
# The directory /etc/apache2/mod_nss.d contains everything that mod_nss
# needs: keys, certificates. The default configuration has reference
# to .db files in /etc/apache2/mod_nss.d that shall illustrate how the
# configuration should/could look like.
#
# In addition to providing a central location to store keys and certificates,
# /etc/apache2/mod_nss.d may also contain configuration files that are
# included directly after this documentation text. Note that only files
# named *.conf are included!
#
#
#..............................................................................
# 2) initialization and loading of the apache module in the SUSE framework
#
# To get SSL/TLS support activated in apache, two things have to be done:
# a) configure and initialize the crypto module that provides the SSL/TLS
# protocol support in apache
# b) tell apache to listen on the port where browsers typically connect to
# if they want to talk SSL/TLS. Normally TCP port 443.
#
# about a):
# The apache module (a shared object file) is loaded by the framework if
# the config variable APACHE_MODULES set in /etc/sysconfig/apache2
# contains the module name ("nss", without the preceding "mod_").
# Either you edit /etc/sysconfig/apache2 manually and add the module name
# nss to the other modules in APACHE_MODULES, or you let the command
#
# a2enmod nss
#
# do this for you. "a2enmod -d nss" reverses that change and disables mod_nss
# again.
# All of the configuration directives set in the default config files are
# conditional for the loading of the module, which is evident when looking at
# the "<IfModule mod_ssl.c>" that shows up further below.
#
# about b)
# The Listen directive in /etc/apache2/listen_nss.conf is conditional on
# the server-flag "SSL". Add the word SSL to the variable
# APACHE_SERVER_FLAGS in the file /etc/sysconfig/apache2 .
#
# Please note that /etc/apache2/listen.conf is read/included from the apache
# main configuration file /etc/apache2/httpd.conf;
# /etc/apache2/listen_nss.conf is read from this file, just below.
#
# Additional information can also be found in
# /usr/share/doc/packages/apache2-mod_nss/README-SUSE.txt
#
# Roman Drahtmueller <draht@suse.com>
#
<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_nss.c>
Include /etc/apache2/listen_nss.conf
IncludeOptional /etc/apache2/mod_nss.d/*.conf
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
## Please note that _this_ file used to contain a VirtualHost
## section in previous versions/releases. It is now part of the
## /etc/apache2/vhosts.d/vhost-nss.template file, and is not
## activated by default.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
NSSPassPhraseDialog exec:/usr/sbin/apache2-systemd-ask-pass
# Pass Phrase Helper:
# This helper program stores the token password pins between
# restarts of Apache.
NSSPassPhraseHelper @apache_bin@/nss_pcache
# Configure the SSL Session Cache.
# NSSSessionCacheSize is the number of entries in the cache.
# NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds).
NSSSessionCacheSize 10000
NSSSession3CacheTimeout 86400
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. Those platforms usually also provide a non-blocking
# device, /dev/urandom, which may be used instead.
# As a rule of thumb, /dev/urandom should only be used for short-term
# secrets (eg. keys, session keys, credentials), while longer-living
# secrets such as key pair for a certificate should receive its
# randomness from /dev/random .
#
# This does not support seeding the RNG with each connection.
NSSRandomSeed startup builtin
#NSSRandomSeed startup file:/dev/random 512
#NSSRandomSeed startup file:/dev/urandom 512
#
# TLS Negotiation configuration under RFC 5746
#
# Only renegotiate if the peer's hello bears the TLS renegotiation_info
# extension. Default off.
NSSRenegotiation off
# Peer must send Signaling Cipher Suite Value (SCSV) or
# Renegotiation Info (RI) extension in ALL handshakes. Default: off
NSSRequireSafeNegotiation off
# main switch: You may want to turn this on in the context of a VirtualHost
# definition, not here globally.
# NSSEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_nss documentation for a complete list.
# The following cipher suite is the default that comes with mod_nss 1.0.14,
# plus some additional ciphers
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdh_rsa_aes_128_sha
# SSL Protocol:
# Cryptographic protocols that provide communication security.
# NSS handles the specified protocols as "ranges", and automatically
# negotiates the use of the strongest protocol for a connection starting
# with the maximum specified protocol and downgrading as necessary to the
# minimum specified protocol that can be used between two processes.
# Since all protocol ranges are completely inclusive, and no protocol in the
# middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.2"
# is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2".
# Here, we disable SSLv3, but allow TLSv1.0 through TLSv1.2 :
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
# SSL Certificate Nickname:
# The nickname of the RSA server certificate you are going to use.
#
# This is commented out, as it belongs to a VirtualHost definition.
# If there are no VirtualHost statements in your configuration, then
# here is the right spot:
#NSSNickname Server-Cert
# SSL Certificate Nickname:
# The nickname of the ECC server certificate you are going to use, if you
# have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname Server-Cert-ecc
# Server Certificate Database:
# The NSS security database directory that holds the certificates and
# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
# Provide the directory that these files exist.
#NSSCertificateDatabase @apache_conf@/mod_nss.d
# Database Prefix:
# In order to be able to store multiple NSS databases in one directory
# they need unique names. This option sets the database prefix used for
# cert8.db and key3.db.
#NSSDBPrefix my-prefix-
# Client Authentication (Type):
# Client certificate verification type. Types are none, optional and
# require.
#NSSVerifyClient none
#
# Online Certificate Status Protocol (OCSP).
# Verify that certificates have not been revoked before accepting them.
#NSSOCSP off
#
# Use a default OCSP responder. If enabled this will be used regardless
# of whether one is included in a client certificate. Note that the
# server certificate is verified during startup.
#
# NSSOCSPDefaultURL defines the service URL of the OCSP responder
# NSSOCSPDefaultName is the nickname of the certificate to trust to
# sign the OCSP responses.
#NSSOCSPDefaultResponder on
#NSSOCSPDefaultURL http://example.com/ocsp/status
#NSSOCSPDefaultName ocsp-nickname
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_nss documentation
# for more details.
#<Location />
#NSSRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "NSSRequireSSL" or "NSSRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
NSSOptions +StdEnvVars
</Files>
<Directory "@apache_prefix@/cgi-bin">
NSSOptions +StdEnvVars
</Directory>
</IfModule>
</IfDefine>
</IfDefine>
Reference in New Issue View Git Blame Copy Permalink