
     1  <IfModule mod_ssl.c>
     2  
     3  	# Pseudo Random Number Generator (PRNG):
     4  	# Configure one or more sources to seed the PRNG of the SSL library.
     5  	# The seed data should be of good random quality.
     6  	# WARNING! On some platforms /dev/random blocks when not enough entropy
     7  	# is available. On those platforms you cannot use the /dev/random device,
     8  	# because it would lead to very long connection times (for as long as
     9  	# it takes to make more entropy available). Usually those
    10  	# platforms additionally provide a /dev/urandom device which doesn't
    11  	# block, so, if available, use that one instead. Read the mod_ssl User
    12  	# Manual for more details.
    13  	#
    14  	SSLRandomSeed startup builtin
    15  	SSLRandomSeed startup file:/dev/urandom 512
    16  	SSLRandomSeed connect builtin
    17  	SSLRandomSeed connect file:/dev/urandom 512
    18  
    19  	##
    20  	##  SSL Global Context
    21  	##
    22  	##  All SSL configuration in this context applies both to
    23  	##  the main server and all SSL-enabled virtual hosts.
    24  	##
    25  
    26  	#
    27  	#   Some MIME-types for downloading Certificates and CRLs
    28  	#
    29  	AddType application/x-x509-ca-cert .crt
    30  	AddType application/x-pkcs7-crl	.crl
    31  
    32  	#   Pass Phrase Dialog:
    33  	#   Configure the pass phrase gathering process.
    34  	#   The filtering dialog program (`builtin' is an internal
    35  	#   terminal dialog) has to provide the pass phrase on stdout.
    36  	SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
    37  
    38  	#   Inter-Process Session Cache:
    39  	#   Configure the SSL Session Cache: first the mechanism
    40  	#   to use and second the expiry timeout (in seconds).
    41  	#   (The dbm mechanism has known memory leaks and should not be used.)
    42  	#SSLSessionCache		 dbm:${APACHE_RUN_DIR}/ssl_scache
    43  	SSLSessionCache		shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    44  	SSLSessionCacheTimeout  300
    45  
    46  	#   Semaphore:
    47  	#   Configure the path to the mutual exclusion semaphore the
    48  	#   SSL engine uses internally for inter-process synchronization.
    49  	#   (Disabled by default; the global Mutex directive consolidates
    50  	#   this by default.)
    51  	#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
    52  
    53  
    54  	#   SSL Cipher Suite:
    55  	#   List the ciphers that the client is permitted to negotiate. See the
    56  	#   ciphers(1) man page from the openssl package for a list of all
    57  	#   available options.
    58  	#   Enable only secure ciphers:
    59  	SSLCipherSuite HIGH:!aNULL
    60  
    61  	# SSL server cipher order preference:
    62  	# Use server priorities for cipher algorithm choice.
    63  	# Clients may prefer lower grade encryption.  You should enable this
    64  	# option if you want to enforce stronger encryption, and can afford
    65  	# the CPU cost, and did not override SSLCipherSuite in a way that puts
    66  	# insecure ciphers first.
    67  	# Default: Off
    68  	#SSLHonorCipherOrder on
    69  
    70  	#   The protocols to enable.
    71  	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2 (and TLSv1.3
    72  	#   on builds that support it). SSLv2 is no longer supported. Note that
    73  	#   "all -SSLv3" still permits TLSv1 and TLSv1.1 where the OpenSSL build
    74  	#   supports them; exclude them explicitly (e.g. "-TLSv1 -TLSv1.1") if
    75  	#   the clients of this container can do without them.
    73  	SSLProtocol all -SSLv3
    74  
    75  	#   Allow insecure renegotiation with clients which do not yet support the
    76  	#   secure renegotiation protocol. Default: Off
    77  	#SSLInsecureRenegotiation on
    78  
    79  	#   Whether to forbid non-SNI clients from accessing name-based virtual hosts.
    80  	#   Default: Off
    81  	#SSLStrictSNIVHostCheck On
    82  
    83  </IfModule>
    84  
    85  # vim: syntax=apache ts=4 sw=4 sts=4 sr noet