25.5.2. Configuration Directives for SSL
The directives in the /etc/httpd/conf.d/ssl.conf file can be configured to enable secure Web communications using TLS. See Resolution for POODLE SSLv3.0 vulnerability (CVE-2014-3566) in httpd for important information on disabling SSL while enabling TLS.
Important
Due to the vulnerability described in POODLE: SSLv3 vulnerability (CVE-2014-3566), Red Hat recommends disabling SSL and using only TLSv1.1 or TLSv1.2. Backwards compatibility can be achieved using TLSv1.0. Many products Red Hat supports have the ability to use SSLv2 or SSLv3 protocols, or enable them by default. However, the use of SSLv2 or SSLv3 is now strongly recommended against.
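As an added example (not part of the original Red Hat documentation), the following Python script audits ssl.conf-style text for SSLProtocol lines that still leave SSLv2 or SSLv3 enabled. It assumes the directive's arguments are evaluated left to right ("+" adds, "-" removes, a bare name replaces the set so far) and that "all" expands to the five protocols listed in the code; the sample configuration is constructed.

```python
import re

# Protocol tokens as mod_ssl spells them (the page's TLSv1.0 is "TLSv1").
# Assumption: "all" expands to exactly this list; the real set depends on the build.
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
LEGACY = {"SSLv2", "SSLv3"}
CANON = {p.lower(): p for p in KNOWN}

def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right; return the enabled set."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):].lower()
        if name == "all":
            chosen = set(KNOWN)
        elif name in CANON:
            chosen = {CANON[name]}
        else:
            raise ValueError(f"unknown protocol token: {token!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # assumption: a bare name replaces the set so far
    return enabled

def audit(conf_text):
    """Return (line number, legacy protocols still enabled) per active
    SSLProtocol line; commented-out lines start with '#' and never match."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:
            findings.append((no, sorted(effective_protocols(m.group(1)) & LEGACY)))
    return findings

# Constructed sample, not a real ssl.conf: the first vhost still leaves SSLv3 on.
SAMPLE = """\
# SSLProtocol all
<VirtualHost _default_:443>
SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost 192.0.2.10:443>
SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for no, legacy in audit(SAMPLE):
        print(f"line {no}:", "enables " + ", ".join(legacy) if legacy else "ok")
```

Every virtual host can carry its own SSLProtocol line, so the audit reports each occurrence rather than only the first.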
SetEnvIf
SetEnvIf sets environment variables based on the headers of incoming connections. It is not solely an SSL directive, though it is present in the supplied /etc/httpd/conf.d/ssl.conf file. Its purpose in this context is to disable HTTP keepalive and to allow SSL to close the connection without a closing notification from the client browser. This setting is necessary for certain browsers that do not reliably shut down the SSL connection.
For more information on other directives within the SSL configuration file, refer to the following URLs:
- http://localhost/manual/mod/mod_ssl.html
Note
In most cases, SSL directives are configured appropriately during the installation of Red Hat Enterprise Linux. Be careful when altering Apache HTTP Secure Server directives, because misconfiguration can lead to security vulnerabilities.