The ListenHTTPS section defines a listener that operates in HTTPS. The section declaration begins with the keyword ListenHTTPS, optionally followed by a string supplying a symbolic name for that listener:
ListenHTTPS "main" ... End
The purpose of the symbolic name is the same as in the ListenHTTP statement. All keywords defined for ListenHTTP can be used for ListenHTTPS as well. See ListenHTTP for a detailed discussion of these.
Statements specific to this section are:
Cert filename
Specifies the server certificate. Filename is either a certificate file name or the name of a directory containing certificate files. A certificate file is a file containing the certificate, possibly a certificate chain, and the signature for this server, in that order.
This directive is mandatory within ListenHTTPS.
Multiple Cert directives are allowed. If multiple directives are used, the first one is the default certificate, with additional certificates used if the client requests them.
The ordering of the directives is important: the first certificate whose CN matches the client request will be used, so put your directives in most-specific-to-least-specific order (i.e. wildcard certificates after host-specific certificates).
Cert directives must precede all other SSL-specific directives.
ClientCert mode depth
Specifies whether the listener must ask for the client's HTTPS certificate. Allowed values for mode are:
Depth is the depth of verification for a client certificate (up to 9). The default depth limit is 9, allowing for the peer certificate and 9 additional CA certificates that must be verified.
Disable proto
Disables the SSL protocol proto and all lower protocols as well. Allowed values for proto are: SSLv2, SSLv3, TLSv1, TLSv1_1, TLSv1_2. For example:
Disable TLSv1
This disables SSLv2, SSLv3 and TLSv1, thus allowing only TLSv1_1 and TLSv1_2.
Ciphers [typeopt] ciphers
Defines the list of ciphers (for TLSv1.2 and below) or ciphersuites (for TLSv1.3) that will be accepted on the SSL connection. The typeopt option defines how to interpret the ciphers argument that follows it:
-cipherlist
Sets the list of ciphers; this affects only TLSv1.2 and prior protocols. The syntax is the same as in the OpenSSL ciphers command and the SSL_CTX_set_cipher_list function. See ciphers(1) for a detailed discussion.
-ciphersuites
Sets the list of TLSv1.3 ciphersuites. This list will be combined with any TLSv1.2 and below cipher lists that may have been configured. The format for ciphers is a simple colon-separated list of TLSv1.3 ciphersuite names from the list below:
TLS_AES_128_CCM_8_SHA256
TLS_AES_128_CCM_SHA256
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
If typeopt is not supplied, -cipherlist is assumed.
Note that a single Ciphers statement can set both TLSv1.2 and TLSv1.3 ciphersuites, e.g.:
Ciphers "HIGH:@STRENGTH:!RSA" -ciphersuites "TLS_AES_256_GCM_SHA384"
SSLHonorCipherOrder bool
If set to true, the server will broadcast a preference to use ciphers in the order supplied in the Ciphers directive. If the value is false, the server will accept any cipher from the Ciphers list. The default value is false.
SSLAllowClientRenegotiation mode
If mode is 0, client-initiated renegotiation is disabled. This mitigates DoS exploits based on client renegotiation, regardless of the patch status of clients and servers with respect to Secure Renegotiation. If mode is 1, secure renegotiation is supported. If mode is 2, insecure renegotiation is supported.
The default value is 0.
CAlist filename
Sets the list of trusted CAs for this server. The filename is the name of a file containing a sequence of CA certificates (in PEM format). The names of the defined CA certificates will be sent to the client on connection.
VerifyList filename
Sets the certificate authority list. The filename is the name of a file with CA root certificates, in PEM format.
Please note that there is an important difference between CAlist and VerifyList. The CAlist tells the client (browser) which client certificates it should send. The VerifyList defines which CAs are actually used for the verification of the returned certificate.
CRLlist filename
Sets the Certificate Revocation List file. Filename is the name of a file that contains the CRLs (in PEM format).
NoHTTPS11 mode
Behave like an HTTP/1.0 server for HTTPS clients. If mode is 0, always conform to HTTP/1.1. If it is 1, do not allow multiple requests on SSL connections. If the value is 2 (default), disable multiple requests on SSL connections only for MSIE clients.