Subject: svn commit: r1817380 - /httpd/test/mod_h2/trunk/conf/httpd.conf
Date: Thu, 07 Dec 2017 15:09:45 -0000
To: cvs@httpd.apache.org
Reply-To: dev@httpd.apache.org
From: icing@apache.org
X-Mailer: svnmailer-1.0.9
Message-Id: <20171207150945.77E343A00A7@svn01-us-west.apache.org>
archived-at: Thu, 07 Dec 2017 15:09:48 -0000

Author: icing
Date: Thu Dec 7 15:09:45 2017
New Revision: 1817380

URL: http://svn.apache.org/viewvc?rev=1817380&view=rev
Log:
use SSLPolicy when available

Modified:
    httpd/test/mod_h2/trunk/conf/httpd.conf

Modified: httpd/test/mod_h2/trunk/conf/httpd.conf
URL: http://svn.apache.org/viewvc/httpd/test/mod_h2/trunk/conf/httpd.conf?rev=1817380&r1=1817379&r2=1817380&view=diff
==============================================================================
--- httpd/test/mod_h2/trunk/conf/httpd.conf (original) +++ httpd/test/mod_h2/trunk/conf/httpd.conf Thu Dec 7 15:09:45 2017 
@@ -161,26 +161,42 @@ DocumentRoot "SUBST_SERVER_ROOT_SUBST/ht Listen SUBST_PORT_HTTPS_SUBST - SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 - SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 - SSLHonorCipherOrder on - SSLCompression off - SSLSessionTickets off - - SSLPassPhraseDialog builtin - SSLSessionCache "shmcb:logs/ssl_scache(512000)" - SSLSessionCacheTimeout 300 + = 2.5.0> + SSLPolicy modern + # disable proxy cert verification in this test setup + SSLProxyVerify none - # OCSP Stapling, only in httpd 2.3.3 and later - SSLUseStapling on - SSLStaplingResponderTimeout 5 - SSLStaplingReturnResponderErrors off - SSLStaplingCache shmcb:logs/ssl_stapling(32768) + + SSLUseStapling on + SSLStaplingResponderTimeout 5 + SSLStaplingReturnResponderErrors off + + SSLPolicy GoodStapling + + + + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + SSLHonorCipherOrder on + SSLCompression off + SSLSessionTickets off + + SSLPassPhraseDialog builtin + SSLSessionCache "shmcb:logs/ssl_scache(512000)" + SSLSessionCacheTimeout 300 + + SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1 + # don't do this at home, kids + SSLProxyVerify none + SSLProxyCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + + # OCSP Stapling, only in httpd 2.3.3 and later + 
SSLUseStapling on + SSLStaplingResponderTimeout 5 + SSLStaplingReturnResponderErrors off + - SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1 - # don't do this at home, kids - SSLProxyVerify none - SSLProxyCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + SSLStaplingCache shmcb:logs/ssl_stapling(32768)
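Review bot: In the new branch that opens at `= 2.5.0>`, the visible lines set `SSLPolicy modern` and the stapling options but no `SSLSessionCache`, `SSLSessionCacheTimeout`, `SSLPassPhraseDialog` or `SSLSessionTickets off`; those directives now appear only in the fallback branch. If the `modern` policy does not cover them, the test server runs with different session handling depending on the httpd version, so the two branches no longer exercise the same setup. Consider moving the version-independent settings below the conditional, as this change already does for `SSLStaplingCache shmcb:logs/ssl_stapling(32768)`, or add a comment saying the omission is intended. `SSLProxyVerify none` is also repeated in both branches with two different comments; a single copy with the "test setup" wording would be clearer if it can sit outside the conditional.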