7f007e36bec06aba6b3a0f84a64f2abf99edfcd8gsteinPatch origin: in-house
9bd71e35f5d26d26d23fe3a677401828e842ed72wrowePatch status: Solaris-specific; not suitable for upstream
2a6c49cfaef5979a5a06098f3ce987cd76769409manojPatch status: SSLProtocol part submitted to upstream
a548c09e6a8ca1b059d0e93b5256c6ccb2b3c3cdrbb@@ -24,9 +24,9 @@
a548c09e6a8ca1b059d0e93b5256c6ccb2b3c3cdrbb # Manual for more details.
cf6bf6c34c936e6a6fe731dbce4a5c3c8bf8e9a3gstein #SSLRandomSeed startup file:/dev/random 512
35330e0d79ceb8027223bbb8330a381b1f989d6etrawick-#SSLRandomSeed startup file:/dev/urandom 512
6f6f4a4bca281779d196acbdd5c017bb90858305trawick+SSLRandomSeed startup file:/dev/urandom 512
8dd4618c4709236b4ea297d7250d282e463ce2d8rbb #SSLRandomSeed connect file:/dev/random 512
09bd86d0db1114ee23eda0a6eb76ca055877a1cftrawick-#SSLRandomSeed connect file:/dev/urandom 512
2deb319e6b3de239f45c16a3e9e836d44f1f7108rbb+SSLRandomSeed connect file:/dev/urandom 512
2a4b7a53f3573605d4f5686f03a67c37425dc22bgregames@@ -42,6 +42,10 @@
2a4b7a53f3573605d4f5686f03a67c37425dc22bgregames ## the main server and all SSL-enabled virtual hosts.
2a4b7a53f3573605d4f5686f03a67c37425dc22bgregames+# Enable FIPS 140 mode, this requires the openssl pkg mediator
5b233db661cfc7c8c420dfe63d8e7058bc5d3e62trawick+# be set to install the fips-140 version of OpenSSL and mod_ssl.
f467b575e2698cfeb818b357b00b2a13873eb309trawick+#SSLFIPS on
f467b575e2698cfeb818b357b00b2a13873eb309trawick # SSL Cipher Suite:
f467b575e2698cfeb818b357b00b2a13873eb309trawick # List the ciphers that the client is permitted to negotiate,
f467b575e2698cfeb818b357b00b2a13873eb309trawick # and that httpd will negotiate as the client of a proxied server.
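Review bot: The added comment above `#SSLFIPS on` names the packaging prerequisite but not what happens once the directive is uncommented. Per the mod_ssl documentation, SSLFIPS is valid only in the global server context, applies to all SSL library operations, and fails when the linked SSL library has no FIPS mode. I would add one line such as `# Global setting; httpd is expected to fail at startup if the installed OpenSSL is not the FIPS-capable build.` so an administrator who enables it without switching the mediator knows what to expect.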
f467b575e2698cfeb818b357b00b2a13873eb309trawick@@ -73,11 +77,11 @@
f467b575e2698cfeb818b357b00b2a13873eb309trawick # SSL Protocol support:
f467b575e2698cfeb818b357b00b2a13873eb309trawick # List the protocol versions which clients are allowed to connect with.
f467b575e2698cfeb818b357b00b2a13873eb309trawick-# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
f467b575e2698cfeb818b357b00b2a13873eb309trawick+# SSLv3 is disabled by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
f467b575e2698cfeb818b357b00b2a13873eb309trawick # disabled as quickly as practical. By the end of 2016, only the TLSv1.2
f467b575e2698cfeb818b357b00b2a13873eb309trawick # protocol or later should remain in use.
f467b575e2698cfeb818b357b00b2a13873eb309trawick-SSLProtocol all -SSLv3
f467b575e2698cfeb818b357b00b2a13873eb309trawick-SSLProxyProtocol all -SSLv3
f467b575e2698cfeb818b357b00b2a13873eb309trawick+SSLProtocol all
f467b575e2698cfeb818b357b00b2a13873eb309trawick+SSLProxyProtocol all
f467b575e2698cfeb818b357b00b2a13873eb309trawick # Pass Phrase Dialog:
f467b575e2698cfeb818b357b00b2a13873eb309trawick # Configure the pass phrase gathering process.
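Review bot: The new `SSLProtocol all` and `SSLProxyProtocol all` lines no longer exclude SSLv3 explicitly, so whether SSLv3 is offered now depends on how the linked OpenSSL was built. Per the mod_ssl documentation, `all` includes `+SSLv3` unless OpenSSL was compiled without SSLv3 support. The reworded comment states "SSLv3 is disabled by default" without naming that dependency, and it asks for TLSv1.0 to be retired while `all` still enables TLSv1.0 and TLSv1.1. I would have the comment say what it relies on, e.g. `# SSLv3 is unavailable here only because the bundled OpenSSL is built without it (cf. RFC 7525 3.1.1).`, and subtract the legacy versions with `SSLProtocol all -TLSv1 -TLSv1.1` and `SSLProxyProtocol all -TLSv1 -TLSv1.1`. If `-SSLv3` was dropped because this mod_ssl rejects the token on a build without SSLv3, that reason belongs in the comment too.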
f467b575e2698cfeb818b357b00b2a13873eb309trawick@@ -122,7 +126,7 @@
f467b575e2698cfeb818b357b00b2a13873eb309trawick # General setup for the virtual host
f467b575e2698cfeb818b357b00b2a13873eb309trawick DocumentRoot "@exp_htdocsdir@"
f467b575e2698cfeb818b357b00b2a13873eb309trawick-ServerName www.example.com:@@SSLPort@@
f467b575e2698cfeb818b357b00b2a13873eb309trawick+ServerName 127.0.0.1:@@SSLPort@@
f467b575e2698cfeb818b357b00b2a13873eb309trawick ServerAdmin you@example.com
f467b575e2698cfeb818b357b00b2a13873eb309trawick ErrorLog "@exp_logfiledir@/error_log"
f467b575e2698cfeb818b357b00b2a13873eb309trawick TransferLog "@exp_logfiledir@/access_log"