|
Size: 1308
Comment:
|
← Revision 3 as of 2023-01-09 03:31:38 ⇥
Size: 1314
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 3: | Line 3: |
| `httpd(8)` does not have built-in support for SSL/TLS encryption, but an official extension module is available. | `httpd(8)` does not have built-in support for [[Encryption/SSL|SSL]]/[[Encryption/TLS|TLS]] encryption, but an official extension module is available. |
| Line 13: | Line 13: |
| The minimal site configuration for `httpd(8)` to use SSL/TLS certificates is: | The minimal site configuration needed to use a certificate is: |
| Line 31: | Line 31: |
| The protocols and ciphers used by `httpd(8)` are handled by server configuration. The following lines are the modern recommended configurations for secure SSL/TLS encryption. | The protocols and ciphers used by `httpd(8)` are handled by server configuration. The following lines are the modern recommendations. |
| Line 45: | Line 45: |
| Note that `all` is a shortcut and the meaning depends on the linked version of OpenSSL. As of version 1.0.1, it expands to `+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2`. For older versions, it expands to `+SSLv2 +SSLv3 +TLSv1`. | Note that `all` is a shortcut and the meaning depends on the linked SSL library. As of [[Encryption/OpenSSL|OpenSSL version 1.0.1]], it expands to `+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2`. For older versions, it expands to `+SSLv2 +SSLv3 +TLSv1`. |
Apache SSL
httpd(8) does not have built-in support for SSL/TLS encryption, but an official extension module is available.
Contents
Configuration
The minimal site configuration needed to use a certificate is:
LoadModule ssl_module modules/mod_ssl.so Listen 443 <VirtualHost *:443> ServerName www.example.com SSLEngine on SSLCertificateFile "/path/to/www.example.com.crt" SSLCertificateKeyFile "/path/to/www.example.com.key" </VirtualHost>
Hardening
The protocols and ciphers used by httpd(8) are handled by server configuration. The following lines are the modern recommendations.
SSLProtocol -all +TLSv1.3 +TLSv1.2 SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
Also include the below line to ensure that server configurations are enforced over client selection.
SSLHonorCipherOrder on
Note that all is a shortcut and the meaning depends on the linked SSL library. As of OpenSSL version 1.0.1, it expands to +SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2. For older versions, it expands to +SSLv2 +SSLv3 +TLSv1.