
...

<VirtualHost *:443>
...
    # Optionally add request logging that records the issuer and subject DN of the client certificate
    CustomLog logs/ssl_client_request_log "%h %l %u %t %{SSL_CLIENT_I_DN}x %{SSL_CLIENT_S_DN}x"

    # These directives should already be set. Do not re-enable SSLv2 or SSLv3; both are broken and
    # no CAC-capable browser needs them. Adjust SSLCipherSuite if necessary, but keep NULL, export
    # and LOW-strength ciphers excluded.
    SSLEngine on
    SSLProtocol -all +TLSv1.2
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

    # There should already be an SSLCertificateFile and SSLCertificateKeyFile for your server certificate
    SSLCertificateFile /etc/pki/tls/certs/example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.com.key

    # Add the DoD CA certificates. This PEM bundle must contain the intermediate (issuing) CAs as well
    # as the roots, or client certificates will fail chain verification.
    SSLCACertificateFile /etc/pki/tls/certs/DoD_CAs.pem

    # Add the CA CRL file. Again, this adds a significant amount to the Apache startup
    # time and has a slight impact on overall performance.
    # On Apache 2.4, SSLCARevocationCheck defaults to "none", so the CRL file is loaded but never
    # consulted unless that directive is also set.
    SSLCARevocationFile /etc/pki/tls/certs/allDoDCRLs.pem
    SSLCARevocationCheck chain

    <Location />
        SSLRequireSSL

        # For setup and testing purposes, you can set this value to "require". If you do so and there is a
        # certificate problem, the user will see a browser error (ERR_BAD_SSL_CLIENT_AUTH_CERT) rather than
        # a PCR-360 authentication error. Set this value back to "optional" once you have verified that the
        # server is receiving the certificate: with "require", the browser can get stuck in a redirect loop.
        # With "optional", a request that carries no certificate still reaches PCR-360 with no SSL_CLIENT_*
        # variables set, which is what produces the PCR-360 authentication error.
        SSLVerifyClient optional

        SSLVerifyDepth 10
        SSLUserName SSL_CLIENT_S_DN_CN
        SSLOptions +ExportCertData +FakeBasicAuth +StdEnvVars
    </Location>
...
</VirtualHost>
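The CA bundle and CRL bundle referenced above are plain PEM concatenations, and mod_ssl hands them to OpenSSL's chain verifier. The script below is an added example (not part of the PCR-360 documentation and not Apache code) that builds both files from a constructed throwaway CA, issues a stand-in client certificate, revokes it, and checks the certificate against the bundles with openssl verify. "Example Root CA", "Unrelated Root CA" and the client DN are invented stand-ins for the DoD PKI; the only assumption is that the openssl command-line tool is installed. The -crl_check flag models SSLCARevocationCheck leaf; -crl_check_all would model chain.

```shell
#!/bin/sh
# Added example (not from the PCR-360 page): build SSLCACertificateFile and
# SSLCARevocationFile style bundles from a constructed CA and verify a client
# certificate against them, with and without CRL checking. Requires openssl(1).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config: [req]/[v3_ca] self-sign CA certificates,
# [ca]/[example_ca] let openssl ca(1) revoke certificates and issue CRLs.
mkdir ca_db
touch ca_db/index.txt
echo 1000 > ca_db/crlnumber
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = example_ca
[ example_ca ]
dir              = ./ca_db
database         = $dir/index.txt
new_certs_dir    = $dir
crlnumber        = $dir/crlnumber
certificate      = ./ca.crt
private_key      = ./ca.key
default_md       = sha256
default_crl_days = 30
EOF

# 1. Two throwaway CAs (constructed stand-ins for the DoD CAs): one goes into the
#    trusted bundle, the other does not.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/C=US/O=Example/CN=Example Root CA" \
    -keyout ca.key -out ca.crt >/dev/null 2>&1
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/C=US/O=Example/CN=Unrelated Root CA" \
    -keyout other_ca.key -out other_ca.crt >/dev/null 2>&1

# 2. A client certificate issued by the trusted CA (stand-in for a CAC/PIV cert;
#    the CN is an invented value in the LAST.FIRST.NUMBER shape).
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/C=US/O=Example/CN=DOE.JOHN.1234567890" \
    -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -sha256 -out client.crt >/dev/null 2>&1

# 3. A CRL with nothing revoked, then a new CRL after revoking the client cert.
openssl ca -config ca.cnf -gencrl -out crl_empty.pem >/dev/null 2>&1
openssl ca -config ca.cnf -revoke client.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl_revoked.pem >/dev/null 2>&1

# 4. Bundles in the shape of DoD_CAs.pem and allDoDCRLs.pem: PEM concatenation.
cat ca.crt > ca_bundle.pem
cat other_ca.crt > wrong_bundle.pem
cat crl_revoked.pem > crl_bundle.pem

# check_client_cert CA_BUNDLE CRL_BUNDLE|"" CLIENT_CERT -> prints ACCEPT or REJECT.
# With a CRL bundle, -crl_check behaves like SSLCARevocationCheck leaf.
check_client_cert() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -CRLfile "$2" -crl_check "$3" >/dev/null 2>&1 \
            && echo ACCEPT || echo REJECT
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 \
            && echo ACCEPT || echo REJECT
    fi
}

echo "trusted CA, no CRL checking:   $(check_client_cert ca_bundle.pem "" client.crt)"
echo "trusted CA, empty CRL:         $(check_client_cert ca_bundle.pem crl_empty.pem client.crt)"
echo "trusted CA, cert on CRL:       $(check_client_cert ca_bundle.pem crl_bundle.pem client.crt)"
echo "issuer missing from bundle:    $(check_client_cert wrong_bundle.pem "" client.crt)"
```

The third line of output is the one that matters for the CRL directives: a certificate that chains correctly is still accepted when the CRL is merely present but not consulted, and rejected only once CRL checking is on. To exercise a real bundle, point check_client_cert at your DoD_CAs.pem, allDoDCRLs.pem and a client certificate exported from the browser instead of the constructed files.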

FIPS 140-2

FIPS 140-2 validated cryptography can be enabled in Apache with OpenSSL by using the "SSLFIPS on" directive. It must be placed in the global server configuration (the main httpd.conf), not inside a VirtualHost, and it only works when httpd is linked against an OpenSSL build that includes the FIPS module; otherwise the directive fails. Installation and configuration of the FIPS module are outside the scope of this document.

...