Accepting request 644712 from home:adkorte:branches:Apache

- the "event" MPM is fully supported since 2.4
- configure an OCSP stapling cache by default (still requires enabling
  SSLUseStapling in vhost)

OBS-URL: https://build.opensuse.org/request/show/644712
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=572
Petr Gajdos 2018-11-01 14:07:47 +00:00 committed by Git OBS Bridge
parent cb4ffad5b8
commit e86bea8079
4 changed files with 31 additions and 6 deletions

View File

@ -46,12 +46,27 @@
#SSLSessionCache dbm:/var/lib/apache2/ssl_scache #SSLSessionCache dbm:/var/lib/apache2/ssl_scache
#</IfModule> #</IfModule>
<IfModule mod_socache_shmcb.c> <IfModule mod_socache_shmcb.c>
SSLSessionCache shmcb:/var/lib/apache2/ssl_scache(512000) SSLSessionCache shmcb:/var/lib/apache2/ssl_scache(512000)
</IfModule> </IfModule>
SSLSessionCacheTimeout 300 SSLSessionCacheTimeout 300
# Configures the cache used to store OCSP responses which get included in
# the TLS handshake if SSLUseStapling is enabled. Configuration of a cache
# is mandatory for OCSP stapling. With the exception of none and nonenotnull,
# the same storage types are supported as with SSLSessionCache.
#<IfModule mod_socache_dbm.c>
#SSLStaplingCache dbm:/var/lib/apache2/ssl_stapling
#</IfModule>
<IfModule mod_socache_shmcb.c>
SSLStaplingCache shmcb:/var/lib/apache2/ssl_stapling(64000)
</IfModule>
SSLStaplingStandardCacheTimeout 86400
SSLStaplingErrorCacheTimeout 300
SSLStaplingReturnResponderErrors Off
# Pseudo Random Number Generator (PRNG): # Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the # Configure one or more sources to seed the PRNG of the
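Review bot: `SSLStaplingCache` is defined only inside `<IfModule mod_socache_shmcb.c>` and the dbm alternative is commented out, so on a build where mod_socache_shmcb is not loaded there is no stapling cache at all; as the comment above correctly says, a cache is mandatory once `SSLUseStapling` is on, and mod_ssl then logs that SSLStaplingCache is required and httpd fails to start. Either ensure mod_socache_shmcb is loaded unconditionally alongside this file or state in the comment that the module must be enabled. Also consider adding `SSLStaplingResponderTimeout` (default 10 seconds) next to the two cache timeouts, since the OCSP fetch happens inside the handshake and blocks the worker handling it; a shorter bound limits the damage of a slow responder. `SSLStaplingReturnResponderErrors Off` is the right choice here, because stapling an error response to the client only breaks the connection. The shmcb size of 64000 bytes holds a few dozen DER responses, which is enough for a small number of certificates but worth raising on hosts with many vhost certificates.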
@ -72,13 +87,13 @@
# SSL protocols # SSL protocols
# Allow TLS version 1.2 only, which is a recommended default these days # Allow TLS version 1.2 only, which is a recommended default these days
# by international information security standards. # by international information security standards.
SSLProtocol TLSv1.2 SSLProtocol TLSv1.2
# SSL Cipher Suite: # SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate. # List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list. # See the mod_ssl documentation for a complete list.
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
# SSLHonorCipherOrder # SSLHonorCipherOrder
# If SSLHonorCipherOrder is disabled, then the client's preferences # If SSLHonorCipherOrder is disabled, then the client's preferences
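Review bot: the `SSLCipherSuite` list still admits `DES-CBC3-SHA`, the `AES` and `CAMELLIA` catch-alls and the SHA-1 CBC suites, which contradicts the comment's claim of following current security standards: `!DES` excludes only single DES, so 3DES (Sweet32) remains negotiable by any client that offers it, and the trailing `!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA` exclusions remove only the ephemeral variants. Drop `DES-CBC3-SHA`, `AES` and `CAMELLIA` and add `!3DES`; with `SSLHonorCipherOrder` on, the AEAD suites at the front are preferred anyway, but weak suites should not be offered at all. Separately, `SSLProtocol TLSv1.2` pins exactly one version, so with httpd 2.4.36 or later built against OpenSSL 1.1.1 it also excludes TLS 1.3; `SSLProtocol -all +TLSv1.2 +TLSv1.3` (or `all -SSLv3 -TLSv1 -TLSv1.1`) keeps the comment's intent while allowing the newer version.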

View File

@ -35,6 +35,10 @@
# Enable/Disable SSL for this virtual host. # Enable/Disable SSL for this virtual host.
SSLEngine on SSLEngine on
# OCSP Stapling:
# Enable/Disable OCSP for this virtual host.
SSLUseStapling on
# You can use per vhost certificates if SNI is supported. # You can use per vhost certificates if SNI is supported.
SSLCertificateFile /etc/apache2/ssl.crt/vhost-example.crt SSLCertificateFile /etc/apache2/ssl.crt/vhost-example.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/vhost-example.key SSLCertificateKeyFile /etc/apache2/ssl.key/vhost-example.key
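Review bot: the new comment says "Enable/Disable OCSP for this virtual host", but `SSLUseStapling` toggles OCSP stapling specifically, not OCSP in general (client-certificate OCSP checking is `SSLOCSPEnable`); reword it to "Enable/Disable OCSP stapling for this virtual host". Turning it on in the template also means every vhost generated from it staples by default, while the commit message says stapling "still requires enabling SSLUseStapling in vhost"; either is fine, but the two should agree. For anyone copying this template: stapling needs an issuer certificate with an OCSP responder URL in its AIA extension, so a self-signed or responder-less certificate yields a startup warning and no stapled response, and the server must be able to reach the responder outbound (`SSLStaplingForceURL` or `SSLOCSPProxyURL` if egress is restricted).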

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu Oct 25 17:28:42 UTC 2018 - Arjen de Korte <suse+build@de-korte.org>
- the "event" MPM is fully supported since 2.4
- configure an OCSP stapling cache by default (still requires enabling
SSLUseStapling in vhost)
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Oct 18 20:41:02 UTC 2018 - Manu Maier <mmanu84@outlook.de> Thu Oct 18 20:41:02 UTC 2018 - Manu Maier <mmanu84@outlook.de>
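Review bot: the changelog entry omits the vhost-ssl.template change that sets `SSLUseStapling on`, and its wording "still requires enabling SSLUseStapling in vhost" reads as though the default were off; add a line such as "- enable SSLUseStapling in vhost-ssl.template" so the record matches the diff.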

View File

@ -264,8 +264,7 @@ maximum stability because each server runs in its own process. If a
process dies it will not affect other servers. process dies it will not affect other servers.
%description event %description event
The event MPM (multi-Processing Module) is experimental, so it may or "event" MPM (multi-Processing Module)
may not work as expected.
It uses a separate thread to handle Keep Alive requests and accepting It uses a separate thread to handle Keep Alive requests and accepting
connections. Keep Alive requests have traditionally required httpd to connections. Keep Alive requests have traditionally required httpd to
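Review bot: as rendered, the replacement first line of `%description event` is the bare phrase `"event" MPM (multi-Processing Module)` with no verb, so the paragraph now opens with a fragment followed by "It uses a separate thread ...". Make it a full sentence that carries the point of the change, e.g. `The "event" MPM (multi-Processing Module) is fully supported since httpd 2.4.`; dropping the "experimental" warning is correct for 2.4, where event is the default MPM on platforms that support it.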