= Apache SSL =

`httpd(8)` does not have built-in support for [[Encryption/SSL|SSL]]/[[Encryption/TLS|TLS]] encryption, but an official extension module, `mod_ssl`, is available.

----

== Configuration ==

The minimal site configuration needed to use a certificate is:

{{{
LoadModule ssl_module modules/mod_ssl.so
Listen 443
ServerName www.example.com
SSLEngine on
SSLCertificateFile "/path/to/www.example.com.crt"
SSLCertificateKeyFile "/path/to/www.example.com.key"
}}}

=== Hardening ===

The protocols and ciphers that `httpd(8)` offers are set in the server configuration. The following lines are the modern recommendations.

{{{
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
}}}

Also include the line below so that the server's cipher preference order is used instead of the client's.

{{{
SSLHonorCipherOrder on
}}}

Note that `all` is a shortcut and its meaning depends on the linked SSL library. As of [[Encryption/OpenSSL|OpenSSL version 1.0.1]], it expands to `+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2`. For older versions, it expands to `+SSLv2 +SSLv3 +TLSv1`.
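An added example, not part of the original page or of Apache's own code: a small Python audit that expands `SSLProtocol` tokens using the meaning of `all` given in the Hardening section and reports protocols outside the hardened set, as well as a missing `SSLHonorCipherOrder on`. The function names, the single-context parsing, the rule that an unsigned token replaces the set, and the sample configurations are assumptions made for illustration.

```python
# Expansion of the `all` shortcut, as stated on this page.
ALL_NEW = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # OpenSSL >= 1.0.1
ALL_OLD = {"SSLv2", "SSLv3", "TLSv1"}                        # older OpenSSL
# Everything outside the page's hardened set (TLSv1.3 and TLSv1.2).
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def enabled_protocols(args, openssl_ge_101=True):
    """Apply SSLProtocol tokens left to right; return the enabled set."""
    all_set = ALL_NEW if openssl_ge_101 else ALL_OLD
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = all_set if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            # Assumption: an unsigned token replaces what was set before it.
            enabled = set(names)
    return enabled

def audit(conf_text, openssl_ge_101=True):
    """Return findings for the hardening directives discussed on the page.
    Simplification: the text is one context; the last occurrence wins."""
    d = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            d[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    findings = []
    if "sslprotocol" not in d:
        findings.append("SSLProtocol not set")
    else:
        legacy = sorted(enabled_protocols(d["sslprotocol"], openssl_ge_101) & LEGACY)
        if legacy:
            findings.append("legacy protocols enabled: " + ", ".join(legacy))
    if d.get("sslhonorcipherorder", "").strip().lower() != "on":
        findings.append("SSLHonorCipherOrder is not on")
    return findings

# Constructed sample inputs: the page's hardened lines and a weak variant.
HARDENED = """SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on"""
WEAK = "SSLProtocol all -SSLv2\nSSLHonorCipherOrder off"

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(conf) or "no findings")
```

Passing `openssl_ge_101=False` shows how the same `SSLProtocol all -SSLv2` line enables a different set when the server is linked against an older OpenSSL.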