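# mod_ssl server configuration (Apache 2.0/2.2-era directive set).
# Stray gutter numbers from the page rendering have been removed; every
# directive below is one per line, with full-line comments only.

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
# NOTE: the mod_ssl manual describes "builtin" seeding as weaker than a
# kernel entropy device; where /dev/urandom exists, prefer the commented
# file: source below.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

# Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is an internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache shmht:/var/run/apache2/ssl_scache(512000)
#SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCache dbm:/var/run/apache2/ssl_scache
SSLSessionCacheTimeout 300

# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
# (Apache 2.4 removed SSLMutex in favour of the generic Mutex directive;
# keep this line only while running 2.0/2.2.)
SSLMutex file:/var/run/apache2/ssl_mutex

# Cipher suite negotiation.
# The previous value, ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL,
# started from ALL and only *reordered* (+) the LOW, EXP and SSLv2 suites
# instead of excluding (!) them, and !EXPORT56 left 40-bit export suites
# enabled. Restrict to strong, authenticated suites instead:
#   !aNULL covers ADH and every other anonymous key exchange,
#   !eNULL excludes null encryption, !EXPORT/!LOW drop export and weak
#   key sizes, !SSLv2/!RC4/!MD5 drop the legacy protocol and algorithms.
# Consider also "SSLHonorCipherOrder on" (2.2+) so the server preference wins.
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!SSLv2:!RC4:!MD5

# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is sent or allowed to be received. This violates
# the SSL/TLS standard but is needed for some broken browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is sent and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with broken browsers. Use
# this only for browsers whose SSL implementation is known to handle it
# correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
# NOTE: the pattern below matches every User-Agent containing "MSIE", so
# all Internet Explorer versions get the unclean shutdown and HTTP/1.0
# downgrade; narrow the regex if only specific legacy versions need it.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0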