diff options
| author |   Hans de Graaff <graaff@gentoo.org> | 2023-09-02 08:49:23 +0200 |
|---|---|---|
| committer | Hans de Graaff <graaff@gentoo.org> | 2023-09-02 08:49:23 +0200 |
| commit | 1f482b45baea01fc1dacad74292ba93c0a1db8bc (patch) | |
| tree | 865dd7f9e5dfebd9649e1a93e1432592260d9395 | |
| parent | Minor shell style fixes (diff) | |
| download | apache-1f482b45baea01fc1dacad74292ba93c0a1db8bc.tar.gz apache-1f482b45baea01fc1dacad74292ba93c0a1db8bc.tar.bz2 apache-1f482b45baea01fc1dacad74292ba93c0a1db8bc.zip | |
Update default ssl vhost config to modern standards
Only enable TLSv1.2+, update cipher suite to only include strong
ciphers, turn off ordering preference to allow clients to use the best
cipher for them.
Signed-off-by: Hans de Graaff <graaff@gentoo.org>
| -rw-r--r-- | 2.4/conf/vhosts.d/00_default_ssl_vhost.conf | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/2.4/conf/vhosts.d/00_default_ssl_vhost.conf b/2.4/conf/vhosts.d/00_default_ssl_vhost.conf index 6abc21d..538a5cb 100644 --- a/2.4/conf/vhosts.d/00_default_ssl_vhost.conf +++ b/2.4/conf/vhosts.d/00_default_ssl_vhost.conf @@ -21,22 +21,22 @@ Listen 443 # Enable/Disable SSL for this virtual host. SSLEngine on + # TLS defaults are set according to the Mozilla intermediate + # configuration: https://ssl-config.mozilla.org/ + ## SSLProtocol: - # Don't use SSLv2 anymore as it's considered to be broken security-wise. - # Also disable SSLv3 as most modern browsers are capable of TLS. - SSLProtocol ALL -SSLv2 -SSLv3 + # Disable old protocol versions that have known flaws or are deprecated. + SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 ## SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. - # This list of ciphers is recommended by mozilla and was stripped off - # its RC4 ciphers. (bug #506924) - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ## SSLHonorCipherOrder: - # Prefer the server's cipher preference order as the client may have a - # weak default order. - SSLHonorCipherOrder On + # Don't enforce cipher order since all ciphers are strong and + # clients may have preferences on e.g. hardware capabilities. + SSLHonorCipherOrder Off ## Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If the certificate |