From 78b7b389840f5342fc1b9bf7f874ba5794df0055 Mon Sep 17 00:00:00 2001 From: Stephane Lapie Date: Tue, 9 Sep 2014 11:46:22 +0900 Subject: Added virtualhost configuration fields to make SSL engine options configurable (namely, protocol, cipher suite, honor cipher order, ssl proxy engine, ssl proxy verification) --- .../apache_mod_security.inc | 12 ++- .../apache_mod_security-dev/apache_virtualhost.xml | 87 +++++++++++++++++----- 2 files changed, 75 insertions(+), 24 deletions(-) (limited to 'config/apache_mod_security-dev') diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc index b24a5d1c..1ef78819 100644 --- a/config/apache_mod_security-dev/apache_mod_security.inc +++ b/config/apache_mod_security-dev/apache_mod_security.inc 
@@ -541,10 +541,14 @@ EOF; #check ssl if(isset($virtualhost["ssl_cert"]) && $virtualhost["ssl_cert"] !="none" && $virtualhost["proto"] == "https") { - $vh_config.= " SSLEngine on\n SSLProtocol all -SSLv2\n SSLProxyEngine on\n SSLProxyVerify none\n"; - $vh_config.= " SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL\n"; + $vh_config.= " SSLEngine on\n"; + $vh_config.= " SSLProtocol ". ($virtualhost['ssl_protocol'] ? $virtualhost['ssl_protocol'] : "all -SSLv2") ."\n"; + $vh_config.= " SSLProxyEngine ". ($virtualhost['ssl_proxy_engine'] ? "on" : "off") ."\n"; + $vh_config.= " SSLProxyVerify ". ($virtualhost['ssl_proxy_verify'] ? $virtualhost['ssl_proxy_verify'] : "none") ."\n"; + $vh_config.= " SSLCipherSuite ". ($virtualhost['ssl_cipher_suite'] ? $virtualhost['ssl_cipher_suite'] : "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL") ."\n"; + $vh_config.= " SSLHonorCipherOrder ". ($virtualhost['ssl_honor_cipher_order'] ? "on" : "off") ."\n"; - $svr_cert = lookup_cert($virtualhost["ssl_cert"]); + $svr_cert = lookup_cert($virtualhost["ssl_cert"]); if ($svr_cert != false) { if(base64_decode($svr_cert['crt'])) { file_put_contents(APACHEDIR . "/etc/" . APACHEVERSION . "/{$virtualhost["ssl_cert"]}.crt",apache_textarea_decode($svr_cert['crt']),LOCK_EX); @@ -565,7 +569,7 @@ EOF; file_put_contents(APACHEDIR . "/etc/" . APACHEVERSION . "/{$virtualhost["reverse_int_ca"]}.crt",apache_textarea_decode($cli_ca['crt']),LOCK_EX); $vh_config.= " SSLCACertificateFile ". APACHEDIR . "/etc/" . APACHEVERSION . "/{$virtualhost["reverse_int_ca"]}.crt\n"; } - } + } #Custom Options $vh_config.= apache_textarea_decode($virtualhost['custom'])."\n\n"; diff --git a/config/apache_mod_security-dev/apache_virtualhost.xml b/config/apache_mod_security-dev/apache_virtualhost.xml index 8558c490..ca448cd2 100644 --- a/config/apache_mod_security-dev/apache_virtualhost.xml +++ b/config/apache_mod_security-dev/apache_virtualhost.xml 
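Review bot: The new `SSLProxyEngine` line silently turns the proxy engine off for every virtualhost saved before this change: the removed line emitted `SSLProxyEngine on` unconditionally, while the new ternary emits `off` whenever `$virtualhost['ssl_proxy_engine']` is unset, which is the state of every pre-existing config entry (and, since an unchecked checkbox is also stored as an absent key, the two cases cannot be told apart here), so existing HTTPS-to-HTTPS reverse proxies would break until the admin re-saves each host; keep `on` as the fallback or add a config-upgrade step that writes the key. The fallback values also carry forward the weak pre-patch settings: `all -SSLv2` still allows SSLv3, the cipher string ends in `+LOW:+SSLv2:+EXP:+eNULL` so a host left at defaults can negotiate export-grade or null-encryption ciphers, and with `SSLHonorCipherOrder` falling back to `off` the client gets to choose; `"all -SSLv2 -SSLv3"` and `"HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4"` would be safer fallbacks. If the `ssl_proxy_verify` select offers `require` or `optional`, Apache additionally needs an `SSLProxyCACertificateFile`/`Path`, which nothing in this hunk writes (the `reverse_int_ca` code that follows only emits `SSLCACertificateFile`, used for client-certificate auth), so that selection would presumably make every proxied request fail; a comment such as `# SSLProxyVerify other than "none" requires SSLProxyCACertificateFile, which is not generated here` would at least flag it. Reading `$virtualhost['ssl_proxy_engine']` and `$virtualhost['ssl_honor_cipher_order']` on a missing key also raises a PHP notice; `!empty(...)` avoids that. The enclosing function begins before this hunk.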
@@ -256,6 +256,72 @@ input + + + + + locations + rowhelper + + + + location + Server Location + + name + name + none + select_source + + + + + SSL Environment + listtopic + + + SSL Protocol + ssl_protocol + 50 + + input + all -SSLv2 + + + SSL Cipher Suite + ssl_cipher_suite + 50 + + input + ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL + + + SSL Honor Cipher Order + ssl_honor_cipher_order + + off + checkbox + + + SSL Proxy Engine + ssl_proxy_engine + + on + checkbox + + + SSL Proxy Verify + ssl_proxy_verify + + select + + + + + + + none + HTTPS SSL certificate ssl_cert @@ -286,25 +352,6 @@ refid none - - - - - locations - rowhelper - - - - location - Server Location - - name - name - none - select_source - - - Logging listtopic @@ -315,7 +362,7 @@ checkbox - + Log file logfile -- cgit v1.2.3
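Review bot: The defaults this form ships for the new SSL fields are the weak ones: `ssl_cipher_suite` pre-fills `ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` (the trailing `+LOW`, `+EXP` and `+eNULL` terms re-enable low-grade, export and null-encryption ciphers), `ssl_protocol` pre-fills `all -SSLv2`, which leaves SSLv3 enabled, and `ssl_honor_cipher_order` defaults to `off`, so a host created through this page with the defaults negotiates whatever the client prefers. Safer defaults would be `all -SSLv2 -SSLv3`, `HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4` and `on` respectively. Nothing in this hunk validates the two free-text inputs, and the `.inc` side of this commit concatenates them verbatim into the generated vhost config, so a typo or a stray newline would break or alter the Apache configuration; if the package has a validation hook it should restrict `ssl_protocol` to Apache's `[+-]?(all|SSLv2|SSLv3|TLSv1|TLSv1.1|TLSv1.2)` tokens and reject whitespace in the cipher string. The option values and description text of the fields appear to have been lost in extraction here, so I cannot tell whether the `ssl_proxy_verify` select warns that `require`/`optional` also need a proxy CA certificate file to be configured.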