- sync with upstream.

Joe Orton 2016-11-02 11:29:45 +00:00
parent 4a0435cd7b
commit 60e3fdb529


@ -90,11 +90,15 @@ SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM SSLProxyCipherSuite PROFILE=SYSTEM
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If # Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a # the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new # pass phrase. Note that restarting httpd will prompt again. Keep
# certificate can be generated using the genkey(1) command. # in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Server Private Key: # Server Private Key:
@ -102,6 +106,7 @@ SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# directive to point at the key file. Keep in mind that if # directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure # you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.) # both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Server Certificate Chain: # Server Certificate Chain:
@ -110,7 +115,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# certificate chain for the server certificate. Alternatively # certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile # the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server # when the CA certificates are directly appended to the server
# certificate for convinience. # certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
# Certificate Authority (CA): # Certificate Authority (CA):
@ -170,9 +175,9 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# This enables optimized SSL connection renegotiation handling when SSL # This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context. # directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$"> <FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</Files> </FilesMatch>
<Directory "/var/www/cgi-bin"> <Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
</Directory> </Directory>
@ -184,13 +189,13 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# approach you can use one of the following variables: # approach you can use one of the following variables:
# o ssl-unclean-shutdown: # o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no # This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates # SSL close notify alert is sent or allowed to be received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use # the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where # this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert. # mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown: # o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a # This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify # SSL close notify alert is sent and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in # alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use # practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation # this only for browsers where you know that their SSL implementation
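Review bot: The comment added under "# Server Certificate:" in the first hunk recommends configuring a DSA certificate next to the RSA one, but the same hunk keeps `SSLCipherSuite PROFILE=SYSTEM`, so this file cannot tell whether any DSA suite is negotiable, and DSA server certificates are generally treated as legacy. I would make ECDSA the dual-certificate example and point at the cipher profile, e.g. `# in mind that if you have both an RSA and an ECDSA certificate you` / `# can configure both in parallel; which of them is used depends on` / `# the cipher suites enabled by SSLCipherSuite.` The unchanged "Server Private Key" comment in the second hunk carries the same DSA wording and would need the matching edit. The new text also drops the pointer to genkey(1), leaving no hint on how to replace the default `localhost.crt`; a one-line comment naming the supported way to issue a replacement certificate would help, if dropping it was not deliberate.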