chef/cookbooks/apache2/templates/suse/mods/ssl.conf.erb from crowbar/crowbar-core

chef/cookbooks/apache2/templates/suse/mods/ssl.conf.erb
Summary

Maintainability

Test Coverage

Issues
##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

# These are the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:https:///httpd.apache.org/docs/2.4/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.

# This global SSL configuration is ignored if 
# "SSL" is not defined, or if "NOSSL" is defined.
<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>

    #
    #   Some MIME-types for downloading Certificates and CRLs
    #
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl



        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate.
        #   See the mod_ssl documentation for a complete list.
        #
        SSLCipherSuite          DEFAULT_SUSE

    #   SSLHonorCipherOrder
    #   If SSLHonorCipherOrder is disabled, then the client's preferences
    #   for chosing the cipher during the TLS handshake are used.
    #   If set to on, then the above SSLCipherSuite is used, in the order
    #   given, with the first supported match on both ends.
    SSLHonorCipherOrder on


    #   Pass Phrase Dialog:
    #   Configure the pass phrase gathering process.
    #   The filtering dialog program (`builtin' is a internal
    #   terminal dialog) has to provide the pass phrase on stdout.
    <IfDefine SYSTEMD>
    SSLPassPhraseDialog exec:/usr/sbin/apache2-systemd-ask-pass
    </IfDefine>
    <IfDefine !SYSTEMD>
    SSLPassPhraseDialog  builtin
    </IfDefine>

    #   Inter-Process Session Cache:
    #   Configure the SSL Session Cache: First the mechanism 
    #   to use and second the expiring timeout (in seconds).
    #   shm means the same as shmht. 
    #   Note that on most platforms shared memory segments are not allowed to be on 
    #   network-mounted drives, so in that case you need to use the dbm method.
    #SSLSessionCache        none

    #<IfModule mod_socache_dbm.c>
    #SSLSessionCache         dbm:/var/lib/apache2/ssl_scache
    #</IfModule>

    <IfModule mod_socache_shmcb.c>
    SSLSessionCache         shmcb:/var/lib/apache2/ssl_scache(1024000)
    </IfModule>
    SSLSessionCacheTimeout  1800


    #   Pseudo Random Number Generator (PRNG):
    #   Configure one or more sources to seed the PRNG of the 
    #   SSL library. The seed data should be of good random quality.
    #   WARNING! On some platforms /dev/random blocks if not enough entropy
    #   is available. This means you then cannot use the /dev/random device
    #   because it would lead to very long connection times (as long as
    #   it requires to make more entropy available). But usually those
    #   platforms additionally provide a /dev/urandom device which doesn't
    #   block. So, if available, use this one instead. Read the mod_ssl User
    #   Manual for more details.
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    #SSLRandomSeed startup file:/dev/random  512
    #SSLRandomSeed connect file:/dev/random  512
    #SSLRandomSeed startup file:/dev/urandom 512
    #SSLRandomSeed connect file:/dev/urandom 512

</IfModule>
</IfDefine>
</IfDefine>