- sync with upstream.
parent
4a0435cd7b
commit
60e3fdb529
21
ssl.conf
21
ssl.conf
@ -90,11 +90,15 @@ SSLHonorCipherOrder on
|
|||||||
SSLCipherSuite PROFILE=SYSTEM
|
SSLCipherSuite PROFILE=SYSTEM
|
||||||
SSLProxyCipherSuite PROFILE=SYSTEM
|
SSLProxyCipherSuite PROFILE=SYSTEM
|
||||||
|
|
||||||
# Server Certificate:
|
|
||||||
# Point SSLCertificateFile at a PEM encoded certificate. If
|
# Point SSLCertificateFile at a PEM encoded certificate. If
|
||||||
# the certificate is encrypted, then you will be prompted for a
|
# the certificate is encrypted, then you will be prompted for a
|
||||||
# pass phrase. Note that a kill -HUP will prompt again. A new
|
# pass phrase. Note that restarting httpd will prompt again. Keep
|
||||||
# certificate can be generated using the genkey(1) command.
|
# in mind that if you have both an RSA and a DSA certificate you
|
||||||
|
# can configure both in parallel (to also allow the use of DSA
|
||||||
|
# ciphers, etc.)
|
||||||
|
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
|
||||||
|
# require an ECC certificate which can also be configured in
|
||||||
|
# parallel.
|
||||||
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
|
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
|
||||||
|
|
||||||
# Server Private Key:
|
# Server Private Key:
|
||||||
@ -102,6 +106,7 @@ SSLCertificateFile /etc/pki/tls/certs/localhost.crt
|
|||||||
# directive to point at the key file. Keep in mind that if
|
# directive to point at the key file. Keep in mind that if
|
||||||
# you've both a RSA and a DSA private key you can configure
|
# you've both a RSA and a DSA private key you can configure
|
||||||
# both in parallel (to also allow the use of DSA ciphers, etc.)
|
# both in parallel (to also allow the use of DSA ciphers, etc.)
|
||||||
|
# ECC keys, when in use, can also be configured in parallel
|
||||||
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
|
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
|
||||||
|
|
||||||
# Server Certificate Chain:
|
# Server Certificate Chain:
|
||||||
@ -110,7 +115,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
|
|||||||
# certificate chain for the server certificate. Alternatively
|
# certificate chain for the server certificate. Alternatively
|
||||||
# the referenced file can be the same as SSLCertificateFile
|
# the referenced file can be the same as SSLCertificateFile
|
||||||
# when the CA certificates are directly appended to the server
|
# when the CA certificates are directly appended to the server
|
||||||
# certificate for convinience.
|
# certificate for convenience.
|
||||||
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
|
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
|
||||||
|
|
||||||
# Certificate Authority (CA):
|
# Certificate Authority (CA):
|
||||||
@ -170,9 +175,9 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
|
|||||||
# This enables optimized SSL connection renegotiation handling when SSL
|
# This enables optimized SSL connection renegotiation handling when SSL
|
||||||
# directives are used in per-directory context.
|
# directives are used in per-directory context.
|
||||||
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
|
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
|
||||||
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
|
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||||
SSLOptions +StdEnvVars
|
SSLOptions +StdEnvVars
|
||||||
</Files>
|
</FilesMatch>
|
||||||
<Directory "/var/www/cgi-bin">
|
<Directory "/var/www/cgi-bin">
|
||||||
SSLOptions +StdEnvVars
|
SSLOptions +StdEnvVars
|
||||||
</Directory>
|
</Directory>
|
||||||
@ -184,13 +189,13 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
|
|||||||
# approach you can use one of the following variables:
|
# approach you can use one of the following variables:
|
||||||
# o ssl-unclean-shutdown:
|
# o ssl-unclean-shutdown:
|
||||||
# This forces an unclean shutdown when the connection is closed, i.e. no
|
# This forces an unclean shutdown when the connection is closed, i.e. no
|
||||||
# SSL close notify alert is send or allowed to received. This violates
|
# SSL close notify alert is sent or allowed to be received. This violates
|
||||||
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
|
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
|
||||||
# this when you receive I/O errors because of the standard approach where
|
# this when you receive I/O errors because of the standard approach where
|
||||||
# mod_ssl sends the close notify alert.
|
# mod_ssl sends the close notify alert.
|
||||||
# o ssl-accurate-shutdown:
|
# o ssl-accurate-shutdown:
|
||||||
# This forces an accurate shutdown when the connection is closed, i.e. a
|
# This forces an accurate shutdown when the connection is closed, i.e. a
|
||||||
# SSL close notify alert is send and mod_ssl waits for the close notify
|
# SSL close notify alert is sent and mod_ssl waits for the close notify
|
||||||
# alert of the client. This is 100% SSL/TLS standard compliant, but in
|
# alert of the client. This is 100% SSL/TLS standard compliant, but in
|
||||||
# practice often causes hanging connections with brain-dead browsers. Use
|
# practice often causes hanging connections with brain-dead browsers. Use
|
||||||
# this only for browsers where you know that their SSL implementation
|
# this only for browsers where you know that their SSL implementation
|
||||||
|
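Review bot: In the -170/+175 hunk the new `<FilesMatch "\.(cgi|shtml|phtml|php)$">` no longer matches `.php3`, which the old `php3?` pattern did, so any `.php3` script still deployed outside `/var/www/cgi-bin` stops receiving the `SSL_*` variables that `SSLOptions +StdEnvVars` exports. A script that bases a decision on those variables (for example a client-certificate field) would then see them unset, so it is worth confirming that such scripts deny by default. If dropping the extension is intended, the commit message should say so beyond "sync with upstream"; otherwise keep the old alternation as `<FilesMatch "\.(cgi|shtml|phtml|php3?)$">`.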