apache: Just use Mozilla recommended settings
Removed all RedHat default settings and just added Mozilla recommended modern settings.
This commit is contained in:
parent
affeddd2cc
commit
bace8a39b4
2 changed files with 6 additions and 41 deletions
|
|
@ -7,40 +7,10 @@
|
|||
|
||||
Listen 443
|
||||
|
||||
# Pass Phrase Dialog:
|
||||
# Configure the pass phrase gathering process.
|
||||
# The filtering dialog program (`builtin' is a internal
|
||||
# terminal dialog) has to provide the pass phrase on stdout.
|
||||
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
|
||||
# Use Mozilla recommended modern ciphers
|
||||
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
|
||||
SSLHonorCipherOrder off
|
||||
SSLSessionTickets off
|
||||
|
||||
# Inter-Process Session Cache:
|
||||
# Configure the SSL Session Cache: First the mechanism
|
||||
# to use and second the expiring timeout (in seconds).
|
||||
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
|
||||
SSLSessionCacheTimeout 300
|
||||
|
||||
# Pseudo Random Number Generator (PRNG):
|
||||
# Configure one or more sources to seed the PRNG of the
|
||||
# SSL library. The seed data should be of good random quality.
|
||||
# WARNING! On some platforms /dev/random blocks if not enough entropy
|
||||
# is available. This means you then cannot use the /dev/random device
|
||||
# because it would lead to very long connection times (as long as
|
||||
# it requires to make more entropy available). But usually those
|
||||
# platforms additionally provide a /dev/urandom device which doesn't
|
||||
# block. So, if available, use this one instead. Read the mod_ssl User
|
||||
# Manual for more details.
|
||||
SSLRandomSeed startup file:/dev/urandom 256
|
||||
SSLRandomSeed connect builtin
|
||||
#SSLRandomSeed startup file:/dev/random 512
|
||||
#SSLRandomSeed connect file:/dev/random 512
|
||||
#SSLRandomSeed connect file:/dev/urandom 512
|
||||
|
||||
#
|
||||
# Use "SSLCryptoDevice" to enable any supported hardware
|
||||
# accelerators. Use "openssl engine -v" to list supported
|
||||
# engine names. NOTE: If you enable an accelerator and the
|
||||
# server does not start, consult the error logs and ensure
|
||||
# your accelerator is functioning properly.
|
||||
#
|
||||
SSLCryptoDevice builtin
|
||||
#SSLCryptoDevice ubsec
|
||||
SSLUseStapling On
|
||||
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
|
||||
|
|
|
|||
|
|
@ -3,12 +3,7 @@
|
|||
DocumentRoot /srv/web/{{ inventory_hostname }}
|
||||
|
||||
Protocols h2 http/1.1
|
||||
|
||||
SSLEngine on
|
||||
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
||||
SSLCipherSuite {{ tls_ciphers }}
|
||||
SSLHonorCipherOrder off
|
||||
SSLSessionTickets off
|
||||
|
||||
# Server certificates
|
||||
SSLCertificateKeyFile {{ tls_private }}/{{ inventory_hostname }}.key
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue