From 60e3fdb529d58d495d4360dddf2fc9f7a75509cb Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Wed, 2 Nov 2016 11:29:45 +0000
Subject: [PATCH] - sync with upstream.

---
 ssl.conf | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/ssl.conf b/ssl.conf
index e8e6c97..c07d614 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -90,11 +90,15 @@ SSLHonorCipherOrder on
 SSLCipherSuite PROFILE=SYSTEM
 SSLProxyCipherSuite PROFILE=SYSTEM
 
-# Server Certificate:
-# Point SSLCertificateFile at a PEM encoded certificate. If
-# the certificate is encrypted, then you will be prompted for a
-# pass phrase. Note that a kill -HUP will prompt again. A new
-# certificate can be generated using the genkey(1) command.
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that restarting httpd will prompt again. Keep
+# in mind that if you have both an RSA and a DSA certificate you
+# can configure both in parallel (to also allow the use of DSA
+# ciphers, etc.)
+# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+# require an ECC certificate which can also be configured in
+# parallel.
 SSLCertificateFile /etc/pki/tls/certs/localhost.crt
 
 # Server Private Key:
@@ -102,6 +106,7 @@ SSLCertificateFile /etc/pki/tls/certs/localhost.crt
 # directive to point at the key file. Keep in mind that if
 # you've both a RSA and a DSA private key you can configure
 # both in parallel (to also allow the use of DSA ciphers, etc.)
+# ECC keys, when in use, can also be configured in parallel
 SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 
 # Server Certificate Chain:
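Review bot: The rewritten comment above SSLCertificateFile drops its `# Server Certificate:` heading while the neighbouring `# Server Private Key:` and `# Server Certificate Chain:` sections keep theirs, leaving this one directive block in the run without a title. The subject says this is a sync with upstream, so the dropped line may be deliberate, but restoring `# Server Certificate:` as the first line of the new comment keeps the sections consistent for anyone scanning the file. The removed text also pointed at genkey(1) for generating a certificate; if that tool still ships alongside this package, the hint is worth carrying over. The added RFC reference is a plain-http URL; `https://www.ietf.org/rfc/rfc4492.txt` is preferable in the documentation of a TLS configuration.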
@@ -110,7 +115,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 # certificate chain for the server certificate. Alternatively
 # the referenced file can be the same as SSLCertificateFile
 # when the CA certificates are directly appended to the server
-# certificate for convinience.
+# certificate for convenience.
 #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
 
 # Certificate Authority (CA):
@@ -170,9 +175,9 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 # This enables optimized SSL connection renegotiation handling when SSL
 # directives are used in per-directory context.
 #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - + SSLOptions +StdEnvVars - + SSLOptions +StdEnvVars
@@ -184,13 +189,13 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 # approach you can use one of the following variables:
 # o ssl-unclean-shutdown:
 # This forces an unclean shutdown when the connection is closed, i.e. no
-# SSL close notify alert is send or allowed to received. This violates
+# SSL close notify alert is sent or allowed to be received. This violates
 # the SSL/TLS standard but is needed for some brain-dead browsers. Use
 # this when you receive I/O errors because of the standard approach where
 # mod_ssl sends the close notify alert.
 # o ssl-accurate-shutdown:
 # This forces an accurate shutdown when the connection is closed, i.e. a
-# SSL close notify alert is send and mod_ssl waits for the close notify
+# SSL close notify alert is sent and mod_ssl waits for the close notify
 # alert of the client. This is 100% SSL/TLS standard compliant, but in
 # practice often causes hanging connections with brain-dead browsers. Use
 # this only for browsers where you know that their SSL implementation