# This is /etc/apache2/conf.d/mod_nss.conf
#
# Configuration for mod_nss starts in this file.
# 
# Contents:
# 1) generic information about mod_nss and its relation to mod_ssl
# 2) initialization and loading of the apache module in the SUSE framework
# 3) hints on specifics for the configuration.
#..............................................................................
#
# 1) generic information about mod_nss and its relation to mod_ssl
# 
# Concurrency of apache crypto modules:
#
# mod_nss implements SSL/TLS protocol support for the apache webserver and
# is an alternative to mod_ssl. Both modules can be initialized at the same
# time, but, obviously, the protocol handlers ("SSLEngine on" for mod_ssl
# and "NSSEngine on" for mod_nss) cannot be active simultaneously, at a
# global scope, or in the context of a VirtualHost configuration directive
# block.
#
# If for a port that apache listens on, only one VirtualHost section
# has the directive "NSSEngine" set to "on", it will have precedence over
# all other VirtualHost declarations (that may have SSLEngine set to on
# in their context). A simultaneaous operation of both modules for different
# VirtualHosts on the same IP Address and port is not possible.
#
# Reason:
# The browser/client connects to the web server's port 443 and initializes
# an SSL/TLS handshake. If SSLv3 protocol is used, there is no way for the
# client to specify the host that it wants to connect to, unless the crypto
# has been fully initialized already. Similarly, the server cannot present 
# the correct certificate to the browser that matches the requested hostname.
# As a consequence, if endpoints are limited to SSLv3, only one web server and
# no virtual servers can be bound to one address. Each additional web server
# would need a new IP address.
# Starting with TLSv1.0, the protocol comes with the Server Name Indication
# (SNI) extension that allows the client to specify the requested hostname
# before the cryptographical part of the protocol is initialized. However,
# this type of hostname distinction is handled by the crypto library in 
# combination with mod_ssl or mod_nss, not by apache's core.
# This means that in a dual mod_ssl and mod_nss configuration that is not
# selective on IP addresses, and even if you use TLSv1.0 and newer only,
# only one out of mod_ssl or mod_nss will be active.
# Consequences:
# a) If you need support for encrypted connections using _both_ mod_nss and
#    mod_ssl, you should consider using more than one IP addresses, and
#    configure the server's crypto engine/module bound to the IP address.
# b) If you do NOT need both mod_nss and mod_ssl simultaneaously in apache,
#    it is recommended to decide for one and deactivate the other.
#
# Certificates:
# The directory /etc/apache2/mod_nss.d contains everything that mod_nss
# needs: keys, certificates. The default configuration has reference
# to .db files in /etc/apache2/mod_nss.d that shall illustrate how the
# configuration should/could look like.
#
# In addition to providing a central location to store keys and certificates,
# /etc/apache2/mod_nss.d may also contain configuration files that are
# included directly after this documentation text. Note that only files
# named *.conf are included!
#
#
#..............................................................................
# 2) initialization and loading of the apache module in the SUSE framework
#
# To get SSL/TLS support activated in apache, two things have to be done:
# a) configure and initialize the crypto module that provides the SSL/TLS
#    protocol support in apache
# b) tell apache to listen on the port where browsers typically connect to
#    if they want to talk SSL/TLS. Normally TCP port 443.
#
# about a):
# The apache module (a shared object file) is loaded by the framework if
# the config variable APACHE_MODULES set in /etc/sysconfig/apache2
# contains the module name ("nss", without the preceding "mod_").
# Either you edit /etc/sysconfig/apache2 manually and add the module name
# nss to the other modules in APACHE_MODULES, or you let the command
#
#	a2enmod nss
#
# do this for you. "a2enmod -d nss" reverses that change and disables mod_nss
# again.
# All of the configuration directives set in the default config files are
# conditional for the loading of the module, which is evident when looking at
# the "<IfModule mod_ssl.c>" that shows up further below.
#
# about b)
# The Listen directive in /etc/apache2/listen_nss.conf is conditional on
# the server-flag "SSL". Add the word SSL to the variable 
# APACHE_SERVER_FLAGS in the file /etc/sysconfig/apache2 .
#
# Please note that /etc/apache2/listen.conf is read/included from the apache
# main configuration file /etc/apache2/httpd.conf; 
# /etc/apache2/listen_nss.conf is read from this file, just below.
#
# Additional information can also be found in 
# /usr/share/doc/packages/apache2-mod_nss/README-SUSE.txt
#
# Roman Drahtmueller <draht@suse.com>
#


<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_nss.c>

Include /etc/apache2/listen_nss.conf
IncludeOptional /etc/apache2/mod_nss.d/*.conf



##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##
##  Please note that _this_ file used to contain a VirtualHost
##  section in previous versions/releases. It is now part of the
##  /etc/apache2/vhosts.d/vhost-nss.template file, and is not
##  activated by default.
##  

#
#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
NSSPassPhraseDialog  exec:/usr/sbin/apache2-systemd-ask-pass

#   Pass Phrase Helper:
#   This helper program stores the token password pins between
#   restarts of Apache.
NSSPassPhraseHelper @apache_bin@/nss_pcache

#   Configure the SSL Session Cache. 
#   NSSSessionCacheSize is the number of entries in the cache.
#   NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds).
NSSSessionCacheSize 10000
NSSSession3CacheTimeout 86400

#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. Those platforms usually also provide a non-blocking
# device, /dev/urandom, which may be used instead.
# As a rule of thumb, /dev/urandom should only be used for short-term
# secrets (eg. keys, session keys, credentials), while longer-living
# secrets such as key pair for a certificate should receive its 
# randomness from /dev/random .
#
# This does not support seeding the RNG with each connection.

NSSRandomSeed startup builtin
#NSSRandomSeed startup file:/dev/random  512
#NSSRandomSeed startup file:/dev/urandom 512


#
# TLS Negotiation configuration under RFC 5746
#
# Only renegotiate if the peer's hello bears the TLS renegotiation_info
# extension. Default off.
NSSRenegotiation off

# Peer must send Signaling Cipher Suite Value (SCSV) or
# Renegotiation Info (RI) extension in ALL handshakes.  Default: off
NSSRequireSafeNegotiation off



# main switch: You may want to turn this on in the context of a VirtualHost
# definition, not here globally.
# NSSEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_nss documentation for a complete list.

# The following cipher suite is the default that comes with mod_nss 1.0.14,
# plus some additional ciphers
NSSCipherSuite +aes_128_sha_256,+aes_256_sha_256,+ecdhe_ecdsa_aes_128_gcm_sha_256,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha,+rsa_aes_128_gcm_sha_256,+rsa_aes_128_sha,+rsa_aes_256_sha,+ecdh_rsa_aes_256_sha,+ecdh_rsa_aes_128_sha

#   SSL Protocol:
#   Cryptographic protocols that provide communication security.
#   NSS handles the specified protocols as "ranges", and automatically
#   negotiates the use of the strongest protocol for a connection starting
#   with the maximum specified protocol and downgrading as necessary to the
#   minimum specified protocol that can be used between two processes.
#   Since all protocol ranges are completely inclusive, and no protocol in the
#   middle of a range may be excluded, the entry "NSSProtocol SSLv3,TLSv1.2"
#   is identical to the entry "NSSProtocol SSLv3,TLSv1.0,TLSv1.1,TLSv1.2".
#   Here, we disable SSLv3, but allow TLSv1.0 through TLSv1.2 :
NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2

#   SSL Certificate Nickname:
#   The nickname of the RSA server certificate you are going to use.
#
#   This is commented out, as it belongs to a VirtualHost definition.
#   If there are no VirtualHost statements in your configuration, then
#   here is the right spot:
#NSSNickname Server-Cert

#   SSL Certificate Nickname:
#   The nickname of the ECC server certificate you are going to use, if you
#   have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname Server-Cert-ecc

#   Server Certificate Database:
#   The NSS security database directory that holds the certificates and
#   keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
#   Provide the directory that these files exist.
#NSSCertificateDatabase @apache_conf@/mod_nss.d

#   Database Prefix:
#   In order to be able to store multiple NSS databases in one directory
#   they need unique names. This option sets the database prefix used for
#   cert8.db and key3.db.
#NSSDBPrefix my-prefix-

#   Client Authentication (Type):
#   Client certificate verification type.  Types are none, optional and
#   require.
#NSSVerifyClient none

#
#   Online Certificate Status Protocol (OCSP).
#   Verify that certificates have not been revoked before accepting them.
#NSSOCSP off

#
#   Use a default OCSP responder. If enabled this will be used regardless
#   of whether one is included in a client certificate. Note that the
#   server certificate is verified during startup.
#
#   NSSOCSPDefaultURL defines the service URL of the OCSP responder
#   NSSOCSPDefaultName is the nickname of the certificate to trust to
#       sign the OCSP responses.
#NSSOCSPDefaultResponder on
#NSSOCSPDefaultURL http://example.com/ocsp/status
#NSSOCSPDefaultName ocsp-nickname

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_nss documentation
#   for more details.
#<Location />
#NSSRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "NSSRequireSSL" or "NSSRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context. 
#NSSOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    NSSOptions +StdEnvVars
</Files>
<Directory "@apache_prefix@/cgi-bin">
    NSSOptions +StdEnvVars
</Directory>


</IfModule>
</IfDefine>
</IfDefine>