sni: make ssl_cert configurable per vhost

to support sni we configure ssl_certs on a vhost basis.
additionally this commit introduces a generic configuration hash which
will be used to replace most other parameters in the future.

7 files changed, 0 insertions, 683 deletions

diff --git a/files/include.d/CentOS/ssl_defaults.inc b/files/include.d/CentOS/ssl_defaults.inc
deleted file mode 100644
index 776b7c3..0000000
--- a/files/include.d/CentOS/ssl_defaults.inc
+++ /dev/null
@@ -1,134 +0,0 @@
-#   SSL Engine Switch:
-#   Enable/Disable SSL for this virtual host.
-SSLEngine on
-
-#   SSL Protocol support:
-# List the enable protocol levels with which clients will be able to
-# connect.  Disable SSLv2 access by default:
-SSLProtocol All -SSLv2 -SSLv3
-
-#   SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate.
-# See the mod_ssl documentation for a complete list.
-#SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
-
-SSLHonorCipherOrder on
-
-#   Server Certificate:
-# Point SSLCertificateFile at a PEM encoded certificate.  If
-# the certificate is encrypted, then you will be prompted for a
-# pass phrase.  Note that a kill -HUP will prompt again.  A new
-# certificate can be generated using the genkey(1) command.
-#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
-
-#   Server Private Key:
-#   If the key is not combined with the certificate, use this
-#   directive to point at the key file.  Keep in mind that if
-#   you've both a RSA and a DSA private key you can configure
-#   both in parallel (to also allow the use of DSA ciphers, etc.)
-#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
-
-#   Server Certificate Chain:
-#   Point SSLCertificateChainFile at a file containing the
-#   concatenation of PEM encoded CA certificates which form the
-#   certificate chain for the server certificate. Alternatively
-#   the referenced file can be the same as SSLCertificateFile
-#   when the CA certificates are directly appended to the server
-#   certificate for convinience.
-#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
-
-#   Certificate Authority (CA):
-#   Set the CA certificate verification path where to find CA
-#   certificates for client authentication or alternatively one
-#   huge file containing all of them (file must be PEM encoded)
-#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
-
-#   Client Authentication (Type):
-#   Client certificate verification type and depth.  Types are
-#   none, optional, require and optional_no_ca.  Depth is a
-#   number which specifies how deeply to verify the certificate
-#   issuer chain before deciding the certificate is not valid.
-#SSLVerifyClient require
-#SSLVerifyDepth  10
-
-#   Access Control:
-#   With SSLRequire you can do per-directory access control based
-#   on arbitrary complex boolean expressions containing server
-#   variable checks and other lookup directives.  The syntax is a
-#   mixture between C and Perl.  See the mod_ssl documentation
-#   for more details.
-#<Location />
-#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
-#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
-#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
-#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
-#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
-#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
-#</Location>
-
-#   SSL Engine Options:
-#   Set various options for the SSL engine.
-#   o FakeBasicAuth:
-#     Translate the client X.509 into a Basic Authorisation.  This means that
-#     the standard Auth/DBMAuth methods can be used for access control.  The
-#     user name is the `one line' version of the client's X.509 certificate.
-#     Note that no password is obtained from the user. Every entry in the user
-#     file needs this password: `xxj31ZMTZzkVA'.
-#   o ExportCertData:
-#     This exports two additional environment variables: SSL_CLIENT_CERT and
-#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
-#     server (always existing) and the client (only existing when client
-#     authentication is used). This can be used to import the certificates
-#     into CGI scripts.
-#   o StdEnvVars:
-#     This exports the standard SSL/TLS related `SSL_*' environment variables.
-#     Per default this exportation is switched off for performance reasons,
-#     because the extraction step is an expensive operation and is usually
-#     useless for serving static content. So one usually enables the
-#     exportation for CGI and SSI requests only.
-#   o StrictRequire:
-#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
-#     under a "Satisfy any" situation, i.e. when it applies access is denied
-#     and no other module can change it.
-#   o OptRenegotiate:
-#     This enables optimized SSL connection renegotiation handling when SSL
-#     directives are used in per-directory context. 
-#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
-<Files ~ "\.(cgi|shtml|phtml|php3?)$">
-    SSLOptions +StdEnvVars
-</Files>
-<Directory "/var/www/cgi-bin">
-    SSLOptions +StdEnvVars
-</Directory>
-
-#   SSL Protocol Adjustments:
-#   The safe and default but still SSL/TLS standard compliant shutdown
-#   approach is that mod_ssl sends the close notify alert but doesn't wait for
-#   the close notify alert from client. When you need a different shutdown
-#   approach you can use one of the following variables:
-#   o ssl-unclean-shutdown:
-#     This forces an unclean shutdown when the connection is closed, i.e. no
-#     SSL close notify alert is send or allowed to received.  This violates
-#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
-#     this when you receive I/O errors because of the standard approach where
-#     mod_ssl sends the close notify alert.
-#   o ssl-accurate-shutdown:
-#     This forces an accurate shutdown when the connection is closed, i.e. a
-#     SSL close notify alert is send and mod_ssl waits for the close notify
-#     alert of the client. This is 100% SSL/TLS standard compliant, but in
-#     practice often causes hanging connections with brain-dead browsers. Use
-#     this only for browsers where you know that their SSL implementation
-#     works correctly. 
-#   Notice: Most problems of broken clients are also related to the HTTP
-#   keep-alive facility, so you usually additionally want to disable
-#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
-#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
-#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
-#   "force-response-1.0" for this.
-SetEnvIf User-Agent ".*MSIE.*" \
-         nokeepalive ssl-unclean-shutdown \
-         downgrade-1.0 force-response-1.0
-
-# set STS Header
-Header add Strict-Transport-Security "max-age=15768000"
diff --git a/files/include.d/Debian/ssl_defaults.inc b/files/include.d/Debian/ssl_defaults.inc
deleted file mode 100644
index 2599a4f..0000000
--- a/files/include.d/Debian/ssl_defaults.inc
+++ /dev/null
@@ -1,144 +0,0 @@
-# Use separate log files for the SSL virtual host; note that LogLevel
-# is not inherited from httpd.conf.
-ErrorLog /var/log/apache2/ssl_error_log
-TransferLog /var/log/apache2/ssl_access_log
-LogLevel warn
-
-#   SSL Engine Switch:
-#   Enable/Disable SSL for this virtual host.
-SSLEngine on
-
-#   SSL Protocol support:
-# List the enable protocol levels with which clients will be able to
-# connect.  Disable SSLv2 access by default:
-SSLProtocol All -SSLv2 -SSLv3
-
-#   SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate.
-# See the mod_ssl documentation for a complete list.
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
-SSLHonorCipherOrder on
-
-#   Server Certificate:
-# Point SSLCertificateFile at a PEM encoded certificate.  If
-# the certificate is encrypted, then you will be prompted for a
-# pass phrase.  Note that a kill -HUP will prompt again.  A new
-# certificate can be generated using the genkey(1) command.
-#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
-
-#   Server Private Key:
-#   If the key is not combined with the certificate, use this
-#   directive to point at the key file.  Keep in mind that if
-#   you've both a RSA and a DSA private key you can configure
-#   both in parallel (to also allow the use of DSA ciphers, etc.)
-#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
-
-#   Server Certificate Chain:
-#   Point SSLCertificateChainFile at a file containing the
-#   concatenation of PEM encoded CA certificates which form the
-#   certificate chain for the server certificate. Alternatively
-#   the referenced file can be the same as SSLCertificateFile
-#   when the CA certificates are directly appended to the server
-#   certificate for convinience.
-#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
-
-#   Certificate Authority (CA):
-#   Set the CA certificate verification path where to find CA
-#   certificates for client authentication or alternatively one
-#   huge file containing all of them (file must be PEM encoded)
-#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
-
-#   Client Authentication (Type):
-#   Client certificate verification type and depth.  Types are
-#   none, optional, require and optional_no_ca.  Depth is a
-#   number which specifies how deeply to verify the certificate
-#   issuer chain before deciding the certificate is not valid.
-#SSLVerifyClient require
-#SSLVerifyDepth  10
-
-#   Access Control:
-#   With SSLRequire you can do per-directory access control based
-#   on arbitrary complex boolean expressions containing server
-#   variable checks and other lookup directives.  The syntax is a
-#   mixture between C and Perl.  See the mod_ssl documentation
-#   for more details.
-#<Location />
-#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
-#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
-#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
-#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
-#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
-#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
-#</Location>
-
-#   SSL Engine Options:
-#   Set various options for the SSL engine.
-#   o FakeBasicAuth:
-#     Translate the client X.509 into a Basic Authorisation.  This means that
-#     the standard Auth/DBMAuth methods can be used for access control.  The
-#     user name is the `one line' version of the client's X.509 certificate.
-#     Note that no password is obtained from the user. Every entry in the user
-#     file needs this password: `xxj31ZMTZzkVA'.
-#   o ExportCertData:
-#     This exports two additional environment variables: SSL_CLIENT_CERT and
-#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
-#     server (always existing) and the client (only existing when client
-#     authentication is used). This can be used to import the certificates
-#     into CGI scripts.
-#   o StdEnvVars:
-#     This exports the standard SSL/TLS related `SSL_*' environment variables.
-#     Per default this exportation is switched off for performance reasons,
-#     because the extraction step is an expensive operation and is usually
-#     useless for serving static content. So one usually enables the
-#     exportation for CGI and SSI requests only.
-#   o StrictRequire:
-#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
-#     under a "Satisfy any" situation, i.e. when it applies access is denied
-#     and no other module can change it.
-#   o OptRenegotiate:
-#     This enables optimized SSL connection renegotiation handling when SSL
-#     directives are used in per-directory context. 
-#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
-<Files ~ "\.(cgi|shtml|phtml|php3?)$">
-    SSLOptions +StdEnvVars
-</Files>
-<Directory "/var/www/cgi-bin">
-    SSLOptions +StdEnvVars
-</Directory>
-
-#   SSL Protocol Adjustments:
-#   The safe and default but still SSL/TLS standard compliant shutdown
-#   approach is that mod_ssl sends the close notify alert but doesn't wait for
-#   the close notify alert from client. When you need a different shutdown
-#   approach you can use one of the following variables:
-#   o ssl-unclean-shutdown:
-#     This forces an unclean shutdown when the connection is closed, i.e. no
-#     SSL close notify alert is send or allowed to received.  This violates
-#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
-#     this when you receive I/O errors because of the standard approach where
-#     mod_ssl sends the close notify alert.
-#   o ssl-accurate-shutdown:
-#     This forces an accurate shutdown when the connection is closed, i.e. a
-#     SSL close notify alert is send and mod_ssl waits for the close notify
-#     alert of the client. This is 100% SSL/TLS standard compliant, but in
-#     practice often causes hanging connections with brain-dead browsers. Use
-#     this only for browsers where you know that their SSL implementation
-#     works correctly. 
-#   Notice: Most problems of broken clients are also related to the HTTP
-#   keep-alive facility, so you usually additionally want to disable
-#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
-#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
-#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
-#   "force-response-1.0" for this.
-SetEnvIf User-Agent ".*MSIE.*" \
-         nokeepalive ssl-unclean-shutdown \
-         downgrade-1.0 force-response-1.0
-
-#   Per-Server Logging:
-#   The home of a custom SSL log file. Use this when you want a
-#   compact non-error SSL logfile on a virtual host basis.
-CustomLog /var/log/apache2/ssl_request_log \
-          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-
-# set STS Header
-Header add Strict-Transport-Security "max-age=15768000"
diff --git a/files/include.d/OpenBSD/ssl_defaults.inc b/files/include.d/OpenBSD/ssl_defaults.inc
deleted file mode 100644
index 67cf36f..0000000
--- a/files/include.d/OpenBSD/ssl_defaults.inc
+++ /dev/null
@@ -1,5 +0,0 @@
-SSLEngine on
-#SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
-SSLCertificateFile    /etc/ssl/server.crt
-SSLCertificateKeyFile /etc/ssl/private/server.key
diff --git a/files/vhosts.d/CentOS/0-default_ssl.conf b/files/vhosts.d/CentOS/0-default_ssl.conf
deleted file mode 100644
index d018bcc..0000000
--- a/files/vhosts.d/CentOS/0-default_ssl.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-############################################################
-### This file is managed by PUPPET!                     ####
-### Only modify in repo or you will loose the changes!  ####
-############################################################
-
-<VirtualHost *:443>
-    Include include.d/defaults.inc
-    Include include.d/ssl_defaults.inc
-    DocumentRoot /var/www/html
-
-    # Use separate log files for the SSL virtual host; note that LogLevel
-    # is not inherited from httpd.conf.
-    ErrorLog logs/ssl_error_log
-    TransferLog logs/ssl_access_log
-    LogLevel warn
-
-    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
-    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
-</VirtualHost>
-
-# vim: ts=4 filetype=apache
diff --git a/files/vhosts.d/Debian/0-default_ssl.conf b/files/vhosts.d/Debian/0-default_ssl.conf
deleted file mode 100644
index 870215c..0000000
--- a/files/vhosts.d/Debian/0-default_ssl.conf
+++ /dev/null
@@ -1,170 +0,0 @@
-<IfModule mod_ssl.c>
-<VirtualHost _default_:443>
-	ServerAdmin webmaster@localhost
-	
-	DocumentRoot /var/www/
-	<Directory />
-		Options FollowSymLinks
-		AllowOverride None
-	</Directory>
-	<Directory /var/www/>
-		Options Indexes FollowSymLinks MultiViews
-		AllowOverride None
-		Order allow,deny
-		allow from all
-	</Directory>
-
-	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
-	<Directory "/usr/lib/cgi-bin">
-		AllowOverride None
-		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
-		Order allow,deny
-		Allow from all
-	</Directory>
-
-	ErrorLog /var/log/apache2/error.log
-
-	# Possible values include: debug, info, notice, warn, error, crit,
-	# alert, emerg.
-	LogLevel warn
-
-	CustomLog /var/log/apache2/ssl_access.log combined
-
-	Alias /doc/ "/usr/share/doc/"
-	<Directory "/usr/share/doc/">
-		Options Indexes MultiViews FollowSymLinks
-		AllowOverride None
-		Order deny,allow
-		Deny from all
-		Allow from 127.0.0.0/255.0.0.0 ::1/128
-	</Directory>
-
-	#   SSL Engine Switch:
-	#   Enable/Disable SSL for this virtual host.
-	SSLEngine on
-
-	#   A self-signed (snakeoil) certificate can be created by installing
-	#   the ssl-cert package. See
-	#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
-	#   If both key and certificate are stored in the same file, only the
-	#   SSLCertificateFile directive is needed.
-	SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
-	SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-
-	#   Server Certificate Chain:
-	#   Point SSLCertificateChainFile at a file containing the
-	#   concatenation of PEM encoded CA certificates which form the
-	#   certificate chain for the server certificate. Alternatively
-	#   the referenced file can be the same as SSLCertificateFile
-	#   when the CA certificates are directly appended to the server
-	#   certificate for convinience.
-	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
-
-	#   Certificate Authority (CA):
-	#   Set the CA certificate verification path where to find CA
-	#   certificates for client authentication or alternatively one
-	#   huge file containing all of them (file must be PEM encoded)
-	#   Note: Inside SSLCACertificatePath you need hash symlinks
-	#         to point to the certificate files. Use the provided
-	#         Makefile to update the hash symlinks after changes.
-	#SSLCACertificatePath /etc/ssl/certs/
-	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
-
-	#   Certificate Revocation Lists (CRL):
-	#   Set the CA revocation path where to find CA CRLs for client
-	#   authentication or alternatively one huge file containing all
-	#   of them (file must be PEM encoded)
-	#   Note: Inside SSLCARevocationPath you need hash symlinks
-	#         to point to the certificate files. Use the provided
-	#         Makefile to update the hash symlinks after changes.
-	#SSLCARevocationPath /etc/apache2/ssl.crl/
-	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
-
-	#   Client Authentication (Type):
-	#   Client certificate verification type and depth.  Types are
-	#   none, optional, require and optional_no_ca.  Depth is a
-	#   number which specifies how deeply to verify the certificate
-	#   issuer chain before deciding the certificate is not valid.
-	#SSLVerifyClient require
-	#SSLVerifyDepth  10
-
-	#   Access Control:
-	#   With SSLRequire you can do per-directory access control based
-	#   on arbitrary complex boolean expressions containing server
-	#   variable checks and other lookup directives.  The syntax is a
-	#   mixture between C and Perl.  See the mod_ssl documentation
-	#   for more details.
-	#<Location />
-	#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
-	#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
-	#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
-	#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
-	#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
-	#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
-	#</Location>
-
-	#   SSL Engine Options:
-	#   Set various options for the SSL engine.
-	#   o FakeBasicAuth:
-	#     Translate the client X.509 into a Basic Authorisation.  This means that
-	#     the standard Auth/DBMAuth methods can be used for access control.  The
-	#     user name is the `one line' version of the client's X.509 certificate.
-	#     Note that no password is obtained from the user. Every entry in the user
-	#     file needs this password: `xxj31ZMTZzkVA'.
-	#   o ExportCertData:
-	#     This exports two additional environment variables: SSL_CLIENT_CERT and
-	#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
-	#     server (always existing) and the client (only existing when client
-	#     authentication is used). This can be used to import the certificates
-	#     into CGI scripts.
-	#   o StdEnvVars:
-	#     This exports the standard SSL/TLS related `SSL_*' environment variables.
-	#     Per default this exportation is switched off for performance reasons,
-	#     because the extraction step is an expensive operation and is usually
-	#     useless for serving static content. So one usually enables the
-	#     exportation for CGI and SSI requests only.
-	#   o StrictRequire:
-	#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
-	#     under a "Satisfy any" situation, i.e. when it applies access is denied
-	#     and no other module can change it.
-	#   o OptRenegotiate:
-	#     This enables optimized SSL connection renegotiation handling when SSL
-	#     directives are used in per-directory context.
-	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
-	<FilesMatch "\.(cgi|shtml|phtml|php)$">
-		SSLOptions +StdEnvVars
-	</FilesMatch>
-	<Directory /usr/lib/cgi-bin>
-		SSLOptions +StdEnvVars
-	</Directory>
-
-	#   SSL Protocol Adjustments:
-	#   The safe and default but still SSL/TLS standard compliant shutdown
-	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
-	#   the close notify alert from client. When you need a different shutdown
-	#   approach you can use one of the following variables:
-	#   o ssl-unclean-shutdown:
-	#     This forces an unclean shutdown when the connection is closed, i.e. no
-	#     SSL close notify alert is send or allowed to received.  This violates
-	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
-	#     this when you receive I/O errors because of the standard approach where
-	#     mod_ssl sends the close notify alert.
-	#   o ssl-accurate-shutdown:
-	#     This forces an accurate shutdown when the connection is closed, i.e. a
-	#     SSL close notify alert is send and mod_ssl waits for the close notify
-	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
-	#     practice often causes hanging connections with brain-dead browsers. Use
-	#     this only for browsers where you know that their SSL implementation
-	#     works correctly.
-	#   Notice: Most problems of broken clients are also related to the HTTP
-	#   keep-alive facility, so you usually additionally want to disable
-	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
-	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
-	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
-	#   "force-response-1.0" for this.
-	BrowserMatch ".*MSIE.*" \
-		nokeepalive ssl-unclean-shutdown \
-		downgrade-1.0 force-response-1.0
-
-</VirtualHost>
-</IfModule>
diff --git a/files/vhosts.d/Gentoo/0-default_ssl.conf b/files/vhosts.d/Gentoo/0-default_ssl.conf
deleted file mode 100644
index a123de8..0000000
--- a/files/vhosts.d/Gentoo/0-default_ssl.conf
+++ /dev/null
@@ -1,200 +0,0 @@
-############################################################
-#### this file is managed by PUPPET                     ####
-#### only modify in svn or you will loose the changes ! ####
-############################################################
-<IfDefine SSL>
-<IfDefine SSL_DEFAULT_VHOST>
-<IfModule ssl_module>
-# see bug #178966 why this is in here
-
-# When we also provide SSL we have to listen to the HTTPS port
-# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
-# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
-Listen 443
-NameVirtualHost *:443
-LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x" sslcombined
-UseCanonicalName On
-
-<VirtualHost _default_:443>
-	Include /etc/apache2/vhosts.d/default_vhost.include
-	ErrorLog /var/log/apache2/ssl_error_log
-
-	<IfModule log_config_module>
-		TransferLog /var/log/apache2/ssl_access_log
-	</IfModule>
-
-	## SSL Engine Switch:
-	# Enable/Disable SSL for this virtual host.
-	SSLEngine on
-
-	## SSL Cipher Suite:
-	# List the ciphers that the client is permitted to negotiate.
-	# See the mod_ssl documentation for a complete list.
-	#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-    #SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
-    SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH
- 
-    SSLCertificateFile /e/certs/server.crt
-    SSLCertificateKeyFile /e/certs/server.key
-    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
-        SSLOptions +StdEnvVars
-    </Files>
-
-    RewriteEngine on
-      RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
-      RewriteRule .* - [F]
-    ServerSignature Off
-
-	## Server Certificate:
-	# Point SSLCertificateFile at a PEM encoded certificate. If the certificate
-	# is encrypted, then you will be prompted for a pass phrase. Note that a 
-	# kill -HUP will prompt again. Keep in mind that if you have both an RSA
-	# and a DSA certificate you can configure both in parallel (to also allow
-	# the use of DSA ciphers, etc.)
-	#SSLCertificateFile /etc/apache2/ssl/server.crt
-	#SSLCertificateFile /etc/apache2/ssl/server-dsa.crt
-	
-	## Server Private Key:
-	# If the key is not combined with the certificate, use this directive to
-	# point at the key file. Keep in mind that if you've both a RSA and a DSA
-	# private key you can configure both in parallel (to also allow the use of
-	# DSA ciphers, etc.)
-	#SSLCertificateKeyFile /etc/apache2/ssl/server.key
-	#SSLCertificateKeyFile /etc/apache2/ssl/server-dsa.key
-	
-	## Server Certificate Chain:
-	# Point SSLCertificateChainFile at a file containing the concatenation of 
-	# PEM encoded CA certificates which form the certificate chain for the
-	# server certificate. Alternatively the referenced file can be the same as
-	# SSLCertificateFile when the CA certificates are directly appended to the
-	# server certificate for convinience.
-	#SSLCertificateChainFile /etc/apache2/ssl/ca.crt
-	
-	## Certificate Authority (CA):
-	# Set the CA certificate verification path where to find CA certificates
-	# for client authentication or alternatively one huge file containing all
-	# of them (file must be PEM encoded).
-	# Note: Inside SSLCACertificatePath you need hash symlinks to point to the
-	# certificate files. Use the provided Makefile to update the hash symlinks
-	# after changes.
-	#SSLCACertificatePath /etc/apache2/ssl/ssl.crt
-	#SSLCACertificateFile /etc/apache2/ssl/ca-bundle.crt
-	
-	## Certificate Revocation Lists (CRL):
-	# Set the CA revocation path where to find CA CRLs for client authentication
-	# or alternatively one huge file containing all of them (file must be PEM 
-	# encoded).
-	# Note: Inside SSLCARevocationPath you need hash symlinks to point to the
-	# certificate files. Use the provided Makefile to update the hash symlinks
-	# after changes.
-	#SSLCARevocationPath /etc/apache2/ssl/ssl.crl
-	#SSLCARevocationFile /etc/apache2/ssl/ca-bundle.crl
-	
-	## Client Authentication (Type):
-	# Client certificate verification type and depth. Types are none, optional,
-	# require and optional_no_ca. Depth is a number which specifies how deeply
-	# to verify the certificate issuer chain before deciding the certificate is
-	# not valid.
-	#SSLVerifyClient require
-	#SSLVerifyDepth  10
-	
-	## Access Control:
-	# With SSLRequire you can do per-directory access control based on arbitrary
-	# complex boolean expressions containing server variable checks and other
-	# lookup directives. The syntax is a mixture between C and Perl. See the
-	# mod_ssl documentation for more details.
-	#<Location />
-	#	#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
-	#	and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
-	#	and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
-	#	and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
-	#	and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
-	#	or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
-	#</Location>
-
-	## SSL Engine Options:
-	# Set various options for the SSL engine.
-
-	## FakeBasicAuth:
-	# Translate the client X.509 into a Basic Authorisation. This means that the
-	# standard Auth/DBMAuth methods can be used for access control. The user 
-	# name is the `one line' version of the client's X.509 certificate. 
-	# Note that no password is obtained from the user. Every entry in the user 
-	# file needs this password: `xxj31ZMTZzkVA'.
-	
-	## ExportCertData:
-	# This exports two additional environment variables: SSL_CLIENT_CERT and 
-	# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the server
-	# (always existing) and the client (only existing when client 
-	# authentication is used). This can be used to import the certificates into
-	# CGI scripts.
-	
-	## StdEnvVars:
-	# This exports the standard SSL/TLS related `SSL_*' environment variables. 
-	# Per default this exportation is switched off for performance reasons, 
-	# because the extraction step is an expensive operation and is usually 
-	# useless for serving static content. So one usually enables the exportation
-	# for CGI and SSI requests only.
-
-	## StrictRequire:
-	# This denies access when "SSLRequireSSL" or "SSLRequire" applied even under
-	# a "Satisfy any" situation, i.e. when it applies access is denied and no
-	# other module can change it.
-
-	## OptRenegotiate:
-	# This enables optimized SSL connection renegotiation handling when SSL 
-	# directives are used in per-directory context.
-	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
-	<FilesMatch "\.(cgi|shtml|phtml|php)$">
-		SSLOptions +StdEnvVars
-	</FilesMatch>
-
-	<Directory "/var/www/localhost/cgi-bin">
-		SSLOptions +StdEnvVars
-	</Directory>
-
-	## SSL Protocol Adjustments:
-	# The safe and default but still SSL/TLS standard compliant shutdown
-	# approach is that mod_ssl sends the close notify alert but doesn't wait
-	# for the close notify alert from client. When you need a different
-	# shutdown approach you can use one of the following variables:
-
-	## ssl-unclean-shutdown:
-	# This forces an unclean shutdown when the connection is closed, i.e. no
-	# SSL close notify alert is send or allowed to received.  This violates the
-	# SSL/TLS standard but is needed for some brain-dead browsers. Use this when
-	# you receive I/O errors because of the standard approach where mod_ssl
-	# sends the close notify alert.
-
-	## ssl-accurate-shutdown:
-	# This forces an accurate shutdown when the connection is closed, i.e. a
-	# SSL close notify alert is send and mod_ssl waits for the close notify
-	# alert of the client. This is 100% SSL/TLS standard compliant, but in
-	# practice often causes hanging connections with brain-dead browsers. Use
-	# this only for browsers where you know that their SSL implementation works
-	# correctly. 
-	# Notice: Most problems of broken clients are also related to the HTTP 
-	# keep-alive facility, so you usually additionally want to disable 
-	# keep-alive for those clients, too. Use variable "nokeepalive" for this.
-	# Similarly, one has to force some clients to use HTTP/1.0 to workaround
-	# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
-	# "force-response-1.0" for this.
-	<IfModule setenvif_module>
-		BrowserMatch ".*MSIE.*" \
-			nokeepalive ssl-unclean-shutdown \
-			downgrade-1.0 force-response-1.0
-	</IfModule>
-
-	## Per-Server Logging:
-	# The home of a custom SSL log file. Use this when you want a compact 
-	# non-error SSL logfile on a virtual host basis.
-	<IfModule log_config_module>
-		CustomLog /var/log/apache2/ssl_request_log \
-			"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-	</IfModule>
-</VirtualHost>
-</IfModule>
-</IfDefine>
-</IfDefine>
-
-# vim: ts=4 filetype=apache
diff --git a/files/vhosts.d/OpenBSD/0-default_ssl.conf b/files/vhosts.d/OpenBSD/0-default_ssl.conf
deleted file mode 100644
index 53ea262..0000000
--- a/files/vhosts.d/OpenBSD/0-default_ssl.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-<VirtualHost *:443>
-    Include include.d/defaults.inc
-    Include include.d/ssl_defaults.inc
-
-    DocumentRoot /var/www/htdocs/default/www/
-    ErrorLog /var/www/htdocs/default/logs/default_error_log
-    CustomLog /var/www/htdocs/default/logs/default_access_log combined
-</VirtualHost>
-