|
| Hello,
I'm running apache 2.0.59 on FreeBSD. Running httpd is working fine, now
i want to add an ssl area also webmail. I've got the below ssl.conf file,
without comments, and am wondering if there's something else i should add?
I'm thinking i don't want any insecure protocols and want to have the
maximum protection encryption wise from ssl.
Any suggestions welcome.
Dave.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<IfDefine SSL>
Listen xxx.xxx.xxx.xxx:443
AddType application/x-x509-ca-cert .crt #also have this line in httpd.conf)
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
<VirtualHost _default_:443>
DocumentRoot "/usr/local/www/data/ssldocs"
ServerName www.example.com:443
ServerAdmin webmaster@example.com
ErrorLog /var/log/httpd-error.log
TransferLog /var/log/httpd-access.log
SSLEngine on
SSLProtocol All -SSLv2
SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
# I definitely need suggestions on the above two lines, i want only the most
secure protocols to be served or allowed.
SSLCertificateFile /usr/local/etc/apache2/ssl/server.crt
SSLCertificateKeyFile /usr/local/etc/apache2/ssl/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd-ssl_request.log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
|
|