Accepting request 252743 from home:lnussel:branches:Apache

- move most ssl options to ssl-global.conf. There is usually no need
  for every vhost to re-define the ciphers for example (bnc#865582).
  Drop some commented entries that only lead to confusion.

OBS-URL: https://build.opensuse.org/request/show/252743
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=407

apache2-ssl-global.conf

@@ -70,6 +70,63 @@
 	#SSLRandomSeed startup file:/dev/urandom 512
 	#SSLRandomSeed connect file:/dev/urandom 512
 
+	#  SSL protocols
+	#  Supporting TLS only is adequate nowadays
+	SSLProtocol all -SSLv2 -SSLv3
+
+	#   SSL Cipher Suite:
+	#   List the ciphers that the client is permitted to negotiate.
+	#   See the mod_ssl documentation for a complete list.
+	SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+	#   Server Certificate:
+	#   Point SSLCertificateFile at a PEM encoded certificate.  If
+	#   the certificate is encrypted, then you will be prompted for a
+	#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
+	#   in mind that if you have both an RSA and a DSA certificate you
+	#   can configure both in parallel (to also allow the use of DSA
+	#   ciphers, etc.)
+	#SSLCertificateFile /etc/apache2/ssl.crt/server.crt
+	#SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
+
+	#   Server Private Key:
+	#   If the key is not combined with the certificate, use this
+	#   directive to point at the key file.  Keep in mind that if
+	#   you've both a RSA and a DSA private key you can configure
+	#   both in parallel (to also allow the use of DSA ciphers, etc.)
+	#SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
+	#SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
+
+	#   Server Certificate Chain:
+	#   Point SSLCertificateChainFile at a file containing the
+	#   concatenation of PEM encoded intermediate CA
+	#   certificates which form the certificate chain for the
+	#   server certificate. Alternatively the referenced file
+	#   can be the same as SSLCertificateFile when the CA
+	#   certificates are directly appended to the server
+	#   certificate for convinience.
+	#SSLCertificateChainFile /etc/apache2/ssl.crt/chain.crt
+
+	#   Certificate Authority (CA):
+	#   Set the CA certificate verification path where to find CA
+	#   certificates for client authentication or alternatively one
+	#   huge file containing all of them (file must be PEM encoded)
+	#   Note: Inside SSLCACertificatePath you need hash symlinks
+	#         to point to the certificate files. Use the provided
+	#         Makefile to update the hash symlinks after changes.
+	#SSLCACertificatePath /etc/apache2/ssl.crt
+	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+	#   Certificate Revocation Lists (CRL):
+	#   Set the CA revocation path where to find CA CRLs for client
+	#   authentication or alternatively one huge file containing all
+	#   of them (file must be PEM encoded)
+	#   Note: Inside SSLCARevocationPath you need hash symlinks
+	#         to point to the certificate files. Use the provided
+	#         Makefile to update the hash symlinks after changes.
+	#SSLCARevocationPath /etc/apache2/ssl.crl
+	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
 </IfModule>
 </IfDefine>
 </IfDefine>

apache2-vhost-ssl.template

@@ -38,160 +38,10 @@
 	#   Enable/Disable SSL for this virtual host.
 	SSLEngine on
 
-	#  SSL protocols
+	#   You can use per vhost certificates if SNI is supported.
-	#  Supporting TLS only is adequate nowadays
+	SSLCertificateFile /etc/apache2/ssl.crt/vhost-example.crt
-	SSLProtocol all -SSLv2
+	SSLCertificateKeyFile /etc/apache2/ssl.key/vhost-example.key
-
+	#SSLCertificateChainFile /etc/apache2/ssl.crt/vhost-example-chain.crt
-	#   SSL Cipher Suite:
-	#   List the ciphers that the client is permitted to negotiate.
-	#   See the mod_ssl documentation for a complete list.
-	SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
-
-	#   Speed-optimized SSL Cipher configuration:
-	#   If speed is your main concern (on busy HTTPS servers e.g.),
-	#   you might want to force clients to specific, performance
-	#   optimized ciphers. In this case, prepend those ciphers
-	#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
-	#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
-	#   (as in the example below), most connections will no longer
-	#   have perfect forward secrecy - if the server's key is
-	#   compromised, captures of past or future traffic must be
-	#   considered compromised, too.
-	#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
-	#SSLHonorCipherOrder on 
-
-	#   Server Certificate:
-	#   Point SSLCertificateFile at a PEM encoded certificate.  If
-	#   the certificate is encrypted, then you will be prompted for a
-	#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
-	#   in mind that if you have both an RSA and a DSA certificate you
-	#   can configure both in parallel (to also allow the use of DSA
-	#   ciphers, etc.)
-	SSLCertificateFile /etc/apache2/ssl.crt/server.crt
-	#SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
-
-	#   Server Private Key:
-	#   If the key is not combined with the certificate, use this
-	#   directive to point at the key file.  Keep in mind that if
-	#   you've both a RSA and a DSA private key you can configure
-	#   both in parallel (to also allow the use of DSA ciphers, etc.)
-	SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
-	#SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
-
-	#   Server Certificate Chain:
-	#   Point SSLCertificateChainFile at a file containing the
-	#   concatenation of PEM encoded CA certificates which form the
-	#   certificate chain for the server certificate. Alternatively
-	#   the referenced file can be the same as SSLCertificateFile
-	#   when the CA certificates are directly appended to the server
-	#   certificate for convinience.
-	#SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
-
-	#   Certificate Authority (CA):
-	#   Set the CA certificate verification path where to find CA
-	#   certificates for client authentication or alternatively one
-	#   huge file containing all of them (file must be PEM encoded)
-	#   Note: Inside SSLCACertificatePath you need hash symlinks
-	#         to point to the certificate files. Use the provided
-	#         Makefile to update the hash symlinks after changes.
-	#SSLCACertificatePath /etc/apache2/ssl.crt
-	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
-
-	#   Certificate Revocation Lists (CRL):
-	#   Set the CA revocation path where to find CA CRLs for client
-	#   authentication or alternatively one huge file containing all
-	#   of them (file must be PEM encoded)
-	#   Note: Inside SSLCARevocationPath you need hash symlinks
-	#         to point to the certificate files. Use the provided
-	#         Makefile to update the hash symlinks after changes.
-	#SSLCARevocationPath /etc/apache2/ssl.crl
-	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
-
-	#   Client Authentication (Type):
-	#   Client certificate verification type and depth.  Types are
-	#   none, optional, require and optional_no_ca.  Depth is a
-	#   number which specifies how deeply to verify the certificate
-	#   issuer chain before deciding the certificate is not valid.
-	#SSLVerifyClient require
-	#SSLVerifyDepth  10
-
-	#   Access Control:
-	#   With SSLRequire you can do per-directory access control based
-	#   on arbitrary complex boolean expressions containing server
-	#   variable checks and other lookup directives.  The syntax is a
-	#   mixture between C and Perl.  See the mod_ssl documentation
-	#   for more details.
-	#<Location />
-	#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
-	#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
-	#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
-	#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
-	#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
-	#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
-	#</Location>
-
-	#   SSL Engine Options:
-	#   Set various options for the SSL engine.
-	#   o FakeBasicAuth:
-	#     Translate the client X.509 into a Basic Authorisation.  This means that
-	#     the standard Auth/DBMAuth methods can be used for access control.  The
-	#     user name is the `one line' version of the client's X.509 certificate.
-	#     Note that no password is obtained from the user. Every entry in the user
-	#     file needs this password: `xxj31ZMTZzkVA'.
-	#   o ExportCertData:
-	#     This exports two additional environment variables: SSL_CLIENT_CERT and
-	#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
-	#     server (always existing) and the client (only existing when client
-	#     authentication is used). This can be used to import the certificates
-	#     into CGI scripts.
-	#   o StdEnvVars:
-	#     This exports the standard SSL/TLS related `SSL_*' environment variables.
-	#     Per default this exportation is switched off for performance reasons,
-	#     because the extraction step is an expensive operation and is usually
-	#     useless for serving static content. So one usually enables the
-	#     exportation for CGI and SSI requests only.
-	#   o StrictRequire:
-	#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
-	#     under a "Satisfy any" situation, i.e. when it applies access is denied
-	#     and no other module can change it.
-	#   o OptRenegotiate:
-	#     This enables optimized SSL connection renegotiation handling when SSL
-	#     directives are used in per-directory context. 
-	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
-	<FilesMatch "\.(cgi|shtml|phtml|php)$">
-	    SSLOptions +StdEnvVars
-	</FilesMatch>
-	<Directory "/srv/www/cgi-bin">
-	    SSLOptions +StdEnvVars
-	</Directory>
-
-	#   SSL Protocol Adjustments:
-	#   The safe and default but still SSL/TLS standard compliant shutdown
-	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
-	#   the close notify alert from client. When you need a different shutdown
-	#   approach you can use one of the following variables:
-	#   o ssl-unclean-shutdown:
-	#     This forces an unclean shutdown when the connection is closed, i.e. no
-	#     SSL close notify alert is send or allowed to received.  This violates
-	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
-	#     this when you receive I/O errors because of the standard approach where
-	#     mod_ssl sends the close notify alert.
-	#   o ssl-accurate-shutdown:
-	#     This forces an accurate shutdown when the connection is closed, i.e. a
-	#     SSL close notify alert is send and mod_ssl waits for the close notify
-	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
-	#     practice often causes hanging connections with brain-dead browsers. Use
-	#     this only for browsers where you know that their SSL implementation
-	#     works correctly. 
-	#   Notice: Most problems of broken clients are also related to the HTTP
-	#   keep-alive facility, so you usually additionally want to disable
-	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
-	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
-	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
-	#   "force-response-1.0" for this.
-	BrowserMatch "MSIE [2-5]" \
-		 nokeepalive ssl-unclean-shutdown \
-		 downgrade-1.0 force-response-1.0
 
 	#   Per-Server Logging:
 	#   The home of a custom SSL log file. Use this when you want a

apache2.changes

@@ -33,6 +33,13 @@ Mon Jul 21 07:21:21 UTC 2014 - mc@suse.com
 - provide httpd.service as alias for apache2.service for
   compatibility reasons (bnc#888093)
 
+-------------------------------------------------------------------
+Mon Apr 14 08:47:02 UTC 2014 - lnussel@suse.de
+
+- move most ssl options to ssl-global.conf. There is usually no need
+  for every vhost to re-define the ciphers for example (bnc#865582).
+  Drop some commented entries that only lead to confusion.
+
 -------------------------------------------------------------------
 Thu Mar 27 16:18:27 UTC 2014 - crrodriguez@opensuse.org