# # Pseudo Random Number Generator (PRNG): # Configure one or more sources to seed the PRNG of the SSL library. # The seed data should be of good random quality. # WARNING! On some platforms /dev/random blocks if not enough entropy # is available. This means you then cannot use the /dev/random device # because it would lead to very long connection times (as long as # it requires to make more entropy available). But usually those # platforms additionally provide a /dev/urandom device which doesn't # block. So, if available, use this one instead. Read the mod_ssl User # Manual for more details. # SSLRandomSeed startup builtin SSLRandomSeed startup file:/dev/urandom 512 SSLRandomSeed connect builtin SSLRandomSeed connect file:/dev/urandom 512 ## ## SSL Global Context ## ## All SSL configuration in this context applies both to ## the main server and all SSL-enabled virtual hosts. ## # # Some MIME-types for downloading Certificates and CRLs # AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl # Pass Phrase Dialog: # Configure the pass phrase gathering process. # The filtering dialog program (`builtin' is a internal # terminal dialog) has to provide the pass phrase on stdout. SSLPassPhraseDialog <%= node['apache']['mod_ssl']['pass_phrase_dialog'] %> # Inter-Process Session Cache: # Configure the SSL Session Cache: First the mechanism # to use and second the expiring timeout (in seconds). SSLSessionCache <%= node['apache']['mod_ssl']['session_cache'] %> SSLSessionCacheTimeout <%= node['apache']['mod_ssl']['session_cache_timeout'] %> <% if node['apache']['version'] != '2.4' -%> # Semaphore: # Configure the path to the mutual exclusion semaphore the # SSL engine uses internally for inter-process synchronization. SSLMutex <%= node['apache']['mod_ssl']['mutex'] %> <% end -%> # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. # enable only secure ciphers: SSLCipherSuite <%= node['apache']['mod_ssl']['cipher_suite'] %> # Speed-optimized SSL Cipher configuration: # If speed is your main concern (on busy HTTPS servers e.g.), # you might want to force clients to specific, performance # optimized ciphers. In this case, prepend those ciphers # to the SSLCipherSuite list, and enable SSLHonorCipherOrder. # Caveat: by giving precedence to RC4-SHA and AES128-SHA # (as in the example below), most connections will no longer # have perfect forward secrecy - if the server's key is # compromised, captures of past or future traffic must be # considered compromised, too. #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 SSLHonorCipherOrder <%= node['apache']['mod_ssl']['honor_cipher_order'] %> # The protocols to enable. # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2 # SSL v2 is no longer supported SSLProtocol <%= node['apache']['mod_ssl']['protocol'] %> # Allow insecure renegotiation with clients which do not yet support the # secure renegotiation protocol. Default: Off SSLInsecureRenegotiation <%= node['apache']['mod_ssl']['insecure_renegotiation'] %> <% unless node['apache']['mod_ssl']['strict_sni_vhost_check'] == "Off"%> # Whether to forbid non-SNI clients to access name based virtual hosts. # Default: Off SSLStrictSNIVHostCheck <%= node['apache']['mod_ssl']['strict_sni_vhost_check'] %> <% end %> <% if node['apache']['version'] == '2.4' -%> # Enable compression on the SSL level # Enabling compression causes security issues in most setups (the so called CRIME attack). # Default: Off SSLCompression <%= node['apache']['mod_ssl']['compression'] %> # OCSP Stapling, only in httpd 2.3.3 and later # This option enables OCSP stapling, as defined by the "Certificate Status Request" TLS # extension specified in RFC 6066. If enabled (and requested by the client), mod_ssl will # include an OCSP response for its own certificate in the TLS handshake. # Configuring an SSLStaplingCache is a prerequisite for enabling OCSP stapling. # Default: Off <% if node['apache']['mod_ssl']['use_stapling'] == 'On' -%> SSLUseStapling <%= node['apache']['mod_ssl']['use_stapling'] %> SSLStaplingResponderTimeout <%= node['apache']['mod_ssl']['stapling_responder_timeout'] %> SSLStaplingReturnResponderErrors <%= node['apache']['mod_ssl']['stapling_return_responder_errors'] %> SSLStaplingCache <%= node['apache']['mod_ssl']['stapling_cache'] %> <% end -%> <% end -%> <% node['apache']['mod_ssl']['directives'].sort_by { |key, val| key }.each do |directive, value| -%> <%= directive %> <%= value %> <% end -%>