# /etc/apache2/sites-available/ku-default-ssl-vhosts
#
# ::copy::
# ::maintainer::
#
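<IfModule mod_ssl.c>
  # Catch-all HTTPS virtual host for mass virtual hosting.
  # Tokens of the form ::name:: are template placeholders that are filled in
  # before this file is installed.
  <VirtualHost *:443>
	# Answer for every requested hostname on port 443.
	ServerAlias *
	UseCanonicalName Off
	# %0 expands to the whole requested server name, so each directory directly
	# under the autovirtual root is served as its own site. With
	# UseCanonicalName Off that name is the one supplied by the client, so keep
	# only intended site directories under that root.
	VirtualDocumentRoot ::apache.autovirtual_root::/%0/docs
	VirtualScriptAlias  ::apache.autovirtual_root::/%0/cgi-bin

	# All sites share one access log; the "vcommon" format nickname is not
	# defined in this file and is presumably declared by a LogFormat elsewhere.
	CustomLog /var/log/apache2/access.log vcommon

	ServerAdmin ::apache.server_admin::
	# Off: do not append the server version / virtual host footer to
	# server-generated documents such as error pages.
	ServerSignature Off

	SSLEngine on
	# This single certificate is presented for every hostname served by this
	# virtual host, so it has to cover all of them (wildcard or SAN entries);
	# otherwise clients see a name-mismatch warning.
	# The private key file should be readable by root only.
	SSLCertificateFile    /etc/ssl/certs/::cert.filename::.pem
	SSLCertificateKeyFile /etc/ssl/private/::cert.filename::.key
	#SSLCertificateChainFile /path-to-keys/bundle.crt

	#[ku]
	#
	# - restrict protocol choices to tls1 (no ssl2, no ssl3 .. IE6 goodbye!)
	# - select best ciphers available
	#
	# (taken from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/)
	#
	# -SSLv3 is spelled out so the "no ssl3" intent above holds even when the
	# ::apache.ssl_protocols:: placeholder expands to nothing; tokens coming
	# from the placeholder are applied afterwards and can still adjust the set.
	SSLProtocol ALL -SSLv2 -SSLv3 ::apache.ssl_protocols::
	# Prefer the server's cipher order over the client's.
	SSLHonorCipherOrder On
	# NOTE(review): the list still ends with 3DES suites (64-bit block cipher)
	# and RSA key-exchange suites without forward secrecy, kept as fallbacks
	# for old clients. Re-check it against the clients that still have to be
	# supported.
	SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS


	# Export the standard SSL_* environment variables only to script-like
	# files and to the system CGI directory.
	<FilesMatch "\.(cgi|shtml|phtml|php)$">
		SSLOptions +StdEnvVars
	</FilesMatch>
	<Directory /usr/lib/cgi-bin>
		SSLOptions +StdEnvVars
	</Directory>

	# Workarounds for old Internet Explorer versions: MSIE 2-6 get no
	# keepalive and HTTP/1.0 responses in addition to the unclean-shutdown flag.
	BrowserMatch "MSIE [2-6]" \
		nokeepalive ssl-unclean-shutdown \
		downgrade-1.0 force-response-1.0
	# MSIE 7 and newer should be able to use keepalive
	# (the character class [17-9] matches a leading 1, 7, 8 or 9)
	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
  </VirtualHost>
</IfModule>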
