Following Eric Covener's advice from
http://www.mail-archive.com/docs@httpd.apache.org/msg07081.html
I'm using this space to kick off an SSL How-to, which we will use to replace the current, highly outdated one.
In the first step I'll just fill in the titles. I really hope for some participation here. Please also take into consideration features from 2.4, such as OCSP.
Also consider that recommendations should target a security level high enough to make sense: for generating certs, that means 2048-bit keys; for picking cipher suites, that means strong encryption; etc.
Make sure Listen 443 is *before* Listen 80.
Why before??? --DRuggeri
Because http://wiki.apache.org/httpd/InternalDummyConnection
Elaborate on the option of SNI.
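As an added illustration of the two points above (port ordering and SNI), not text from this draft: a minimal httpd configuration in which Listen 443 precedes Listen 80 and two name-based TLS virtual hosts on the same address are selected by the server name the client sends in the TLS handshake. Host names, certificate paths, and the cipher settings are placeholder assumptions; on 2.2 a NameVirtualHost *:443 line is also required, on 2.4 it is not.

```apache
# Added example, not from the draft. Listen 443 comes first so the dummy
# internal connection is made to the TLS port (see the InternalDummyConnection
# wiki page linked above).
Listen 443
Listen 80

# Assumed global TLS policy: disable the legacy protocols, prefer strong
# ciphers, and let the server (not the client) pick the cipher.
SSLProtocol        all -SSLv2 -SSLv3
SSLCipherSuite     HIGH:!aNULL:!MD5
SSLHonorCipherOrder on

# First *:443 vhost. It is also the default for clients that send no SNI
# name, so put the "main" site here.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # 2048-bit RSA key, per the key-size recommendation above (paths assumed)
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    DocumentRoot /var/www/www.example.com
</VirtualHost>

# Second *:443 vhost on the same address: reachable only when the client
# sends "secure.example.com" in the SNI extension.
<VirtualHost *:443>
    ServerName secure.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.example.com.key
    DocumentRoot /var/www/secure.example.com
    # Reject clients that cannot send SNI instead of silently serving them
    # from the first vhost (they would otherwise see a certificate mismatch).
    SSLStrictSNIVHostCheck on
</VirtualHost>

# Plain-HTTP vhost, listed after the TLS ones.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/www.example.com
</VirtualHost>
```

Name-based TLS vhosts require an httpd and OpenSSL build with SNI support (httpd 2.2.12 or later); without it every *:443 request is answered with the first vhost's certificate, which is the classic "wrong certificate" symptom.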
These are two. Not 3409.
Required:
Smart to have:
We should probably follow http://journal.paul.querna.org/articles/2010/07/10/overclocking-mod_ssl/ for some good guidelines on SSLCipherSuite, or mod_ssl in general.
Required for client auth
Enabling OCSP for client auth
When you encrypt a private key with a passphrase, httpd will need access to that passphrase. There are three ways to handle this situation:
WARNING: Although you may implement elaborate methods to protect your passphrase, the httpd image in memory contains the passphrase as a string, which can be obtained by triggering a core dump (i.e. in the event the root process is compromised).
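One way to supply the passphrase without an interactive prompt at startup, shown here as an added example rather than text from this draft: point SSLPassPhraseDialog at an external program that prints the passphrase on stdout. The helper path is an assumption; httpd invokes the program with the server name:port and the key type as arguments, so one helper can serve several certificates.

```apache
# Added example, not from the draft. httpd runs the helper (path assumed)
# once per encrypted key at startup and reads the passphrase from its stdout.
# The helper must be root-owned and unreadable/unexecutable by anyone else
# (mode 0700), since whatever it can read, it hands to httpd.
SSLPassPhraseDialog exec:/usr/local/sbin/ssl-passphrase

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    # Encrypted key: its passphrase is requested via the helper above.
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
</VirtualHost>
```

The helper is called with two arguments, "www.example.com:443" and the key type (e.g. "RSA"), which lets it pick the right secret per key. As the warning above states, this only moves the passphrase out of the console prompt: once httpd has decrypted the key, both the passphrase and the key material are in the process image, so the helper and the key file deserve the same filesystem protection.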