Accepting request 644712 from home:adkorte:branches:Apache

- the "event" MPM is fully supported since 2.4 - configure an OCSP stapling cache by default (still requires enabling SSLUseStapling in vhost) OBS-URL: https://build.opensuse.org/request/show/644712 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=572
2018-11-01 14:07:47 +00:00
parent cb4ffad5b8
commit e86bea8079
4 changed files with 31 additions and 6 deletions
--- a/apache2-ssl-global.conf
+++ b/apache2-ssl-global.conf
@@ -46,12 +46,27 @@
 	#SSLSessionCache         dbm:/var/lib/apache2/ssl_scache
 	#</IfModule>

-        <IfModule mod_socache_shmcb.c>
+	<IfModule mod_socache_shmcb.c>
 	SSLSessionCache         shmcb:/var/lib/apache2/ssl_scache(512000)
-        </IfModule>
+	</IfModule>

 	SSLSessionCacheTimeout  300

+	#   Configures the cache used to store OCSP responses which get included in
+	#   the TLS handshake if SSLUseStapling is enabled. Configuration of a cache
+	#   is mandatory for OCSP stapling. With the exception of none and nonenotnull,
+	#   the same storage types are supported as with SSLSessionCache.
+	#<IfModule mod_socache_dbm.c>
+	#SSLStaplingCache       dbm:/var/lib/apache2/ssl_stapling
+	#</IfModule>
+
+	<IfModule mod_socache_shmcb.c>
+	SSLStaplingCache        shmcb:/var/lib/apache2/ssl_stapling(64000)
+	</IfModule>
+
+	SSLStaplingStandardCacheTimeout         86400
+	SSLStaplingErrorCacheTimeout            300
+	SSLStaplingReturnResponderErrors        Off

 	#   Pseudo Random Number Generator (PRNG):
 	#   Configure one or more sources to seed the PRNG of the 
@@ -72,13 +87,13 @@

 	# SSL protocols
 	# Allow TLS version 1.2 only, which is a recommended default these days
-    # by international information security standards.
+	# by international information security standards.
 	SSLProtocol TLSv1.2

 	#   SSL Cipher Suite:
 	#   List the ciphers that the client is permitted to negotiate.
 	#   See the mod_ssl documentation for a complete list.
-        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+	SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

 	#   SSLHonorCipherOrder
 	#   If SSLHonorCipherOrder is disabled, then the client's preferences