Accepting request 252743 from home:lnussel:branches:Apache

- move most ssl options to ssl-global.conf. There is usually no need for every vhost to re-define the ciphers for example (bnc#865582). Drop some commented entries that only lead to confusion. OBS-URL: https://build.opensuse.org/request/show/252743 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=407
2014-09-29 08:10:08 +00:00
parent 4b31aea044
commit 163b7694ca
3 changed files with 69 additions and 155 deletions
--- a/apache2-ssl-global.conf
+++ b/apache2-ssl-global.conf
@@ -70,6 +70,63 @@
 	#SSLRandomSeed startup file:/dev/urandom 512
 	#SSLRandomSeed connect file:/dev/urandom 512

+	#  SSL protocols
+	#  Supporting TLS only is adequate nowadays
+	SSLProtocol all -SSLv2 -SSLv3
+
+	#   SSL Cipher Suite:
+	#   List the ciphers that the client is permitted to negotiate.
+	#   See the mod_ssl documentation for a complete list.
+	SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+	#   Server Certificate:
+	#   Point SSLCertificateFile at a PEM encoded certificate.  If
+	#   the certificate is encrypted, then you will be prompted for a
+	#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
+	#   in mind that if you have both an RSA and a DSA certificate you
+	#   can configure both in parallel (to also allow the use of DSA
+	#   ciphers, etc.)
+	#SSLCertificateFile /etc/apache2/ssl.crt/server.crt
+	#SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
+
+	#   Server Private Key:
+	#   If the key is not combined with the certificate, use this
+	#   directive to point at the key file.  Keep in mind that if
+	#   you've both a RSA and a DSA private key you can configure
+	#   both in parallel (to also allow the use of DSA ciphers, etc.)
+	#SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
+	#SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
+
+	#   Server Certificate Chain:
+	#   Point SSLCertificateChainFile at a file containing the
+	#   concatenation of PEM encoded intermediate CA
+	#   certificates which form the certificate chain for the
+	#   server certificate. Alternatively the referenced file
+	#   can be the same as SSLCertificateFile when the CA
+	#   certificates are directly appended to the server
+	#   certificate for convinience.
+	#SSLCertificateChainFile /etc/apache2/ssl.crt/chain.crt
+
+	#   Certificate Authority (CA):
+	#   Set the CA certificate verification path where to find CA
+	#   certificates for client authentication or alternatively one
+	#   huge file containing all of them (file must be PEM encoded)
+	#   Note: Inside SSLCACertificatePath you need hash symlinks
+	#         to point to the certificate files. Use the provided
+	#         Makefile to update the hash symlinks after changes.
+	#SSLCACertificatePath /etc/apache2/ssl.crt
+	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+	#   Certificate Revocation Lists (CRL):
+	#   Set the CA revocation path where to find CA CRLs for client
+	#   authentication or alternatively one huge file containing all
+	#   of them (file must be PEM encoded)
+	#   Note: Inside SSLCARevocationPath you need hash symlinks
+	#         to point to the certificate files. Use the provided
+	#         Makefile to update the hash symlinks after changes.
+	#SSLCARevocationPath /etc/apache2/ssl.crl
+	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
 </IfModule>
 </IfDefine>
 </IfDefine>