Following Eric Covener's advise from

http://www.mail-archive.com/docs@httpd.apache.org/msg07081.html

I'm using this space to kick-off an SSL How-to, which we will use to replace the current, highly out-dated one.

In the first step I'll just fill in the titles. I really hope for some participation here :) Please also take into consideration features from 2.4, such as OSCP

Also consider that recommendations should include security at a high enough level to make sense. For generating certs, that means 2048, for picking cipher suites, that means strong encryption, etc.

create a (self-signed) certificate or certificate request

add a listen directive

make sure Listen 443 is *before* Listen 80..

Why before??? --DRuggeri

Because http://wiki.apache.org/httpd/InternalDummyConnection

add a VH *:443

elaborate on the option of SNI.

add cert-related directives

These are two. Not 3409.

Required:

Smart to have:

We should probably follow: http://journal.paul.querna.org/articles/2010/07/10/overclocking-mod_ssl/ for some good guidelines on SSLCipherSuite, or mod_ssl in general ;)

Required for client auth

Enabling OCSP for client auth

Handling the passphrase

When you encrypt a private key with a passphrase, httpd will need access to that passphrase. There are three ways to handle this situation:

WARNING: Although you may implement elaborate methods to protect your passphrase, the httpd image in memory contains the passphrase as a string which can be obtained by triggering a core dump (ie. in the event the root process is compromised).

SettingUpModSSL (last edited 2011-10-12 08:52:29 by TomasPospisek)