= Apache SSL =

`httpd(8)` does not have built-in support for [[Encryption/SSL|SSL]]/[[Encryption/TLS|TLS]] encryption, but an official extension module is available.

<<TableOfContents>>

----



== Configuration ==

The minimal site configuration needed to use a certificate is:

{{{
LoadModule ssl_module modules/mod_ssl.so

Listen 443
<VirtualHost *:443>
  ServerName www.example.com
  SSLEngine on
  SSLCertificateFile "/path/to/www.example.com.crt"
  SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost>
}}}



=== Hardening ===

The protocols and ciphers used by `httpd(8)` are handled by server configuration. The following lines are the modern recommendations.

{{{
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
}}}

Also include the below line to ensure that server configurations are enforced over client selection. 

{{{
SSLHonorCipherOrder on
}}}

Note that `all` is a shortcut and the meaning depends on the linked SSL library. As of [[Encryption/OpenSSL|OpenSSL version 1.0.1]], it expands to `+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2`. For older versions, it expands to `+SSLv2 +SSLv3 +TLSv1`.



----
CategoryRicottone