- sync with upstream.

ssl.conf

@@ -90,11 +90,15 @@ SSLHonorCipherOrder on
 SSLCipherSuite PROFILE=SYSTEM
 SSLProxyCipherSuite PROFILE=SYSTEM
 
-#   Server Certificate:
-# Point SSLCertificateFile at a PEM encoded certificate.  If
-# the certificate is encrypted, then you will be prompted for a
-# pass phrase.  Note that a kill -HUP will prompt again.  A new
-# certificate can be generated using the genkey(1) command.
+#   Point SSLCertificateFile at a PEM encoded certificate.  If
+#   the certificate is encrypted, then you will be prompted for a
+#   pass phrase.  Note that restarting httpd will prompt again.  Keep
+#   in mind that if you have both an RSA and a DSA certificate you
+#   can configure both in parallel (to also allow the use of DSA
+#   ciphers, etc.)
+#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+#   require an ECC certificate which can also be configured in
+#   parallel.
 SSLCertificateFile /etc/pki/tls/certs/localhost.crt
 
 #   Server Private Key:
@@ -102,6 +106,7 @@ SSLCertificateFile /etc/pki/tls/certs/localhost.crt
 #   directive to point at the key file.  Keep in mind that if
 #   you've both a RSA and a DSA private key you can configure
 #   both in parallel (to also allow the use of DSA ciphers, etc.)
+#   ECC keys, when in use, can also be configured in parallel
 SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 
 #   Server Certificate Chain:
@@ -110,7 +115,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 #   certificate chain for the server certificate. Alternatively
 #   the referenced file can be the same as SSLCertificateFile
 #   when the CA certificates are directly appended to the server
-#   certificate for convinience.
+#   certificate for convenience.
 #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
 
 #   Certificate Authority (CA):
@@ -170,9 +175,9 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 #     This enables optimized SSL connection renegotiation handling when SSL
 #     directives are used in per-directory context. 
 #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
-<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+<FilesMatch "\.(cgi|shtml|phtml|php)$">
     SSLOptions +StdEnvVars
-</Files>
+</FilesMatch>
 <Directory "/var/www/cgi-bin">
     SSLOptions +StdEnvVars
 </Directory>
@@ -184,13 +189,13 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 #   approach you can use one of the following variables:
 #   o ssl-unclean-shutdown:
 #     This forces an unclean shutdown when the connection is closed, i.e. no
-#     SSL close notify alert is send or allowed to received.  This violates
+#     SSL close notify alert is sent or allowed to be received.  This violates
 #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
 #     this when you receive I/O errors because of the standard approach where
 #     mod_ssl sends the close notify alert.
 #   o ssl-accurate-shutdown:
 #     This forces an accurate shutdown when the connection is closed, i.e. a
-#     SSL close notify alert is send and mod_ssl waits for the close notify
+#     SSL close notify alert is sent and mod_ssl waits for the close notify
 #     alert of the client. This is 100% SSL/TLS standard compliant, but in
 #     practice often causes hanging connections with brain-dead browsers. Use
 #     this only for browsers where you know that their SSL implementation