From 129d74ec8077943dda8e03ac40e66dde650d54dd Mon Sep 17 00:00:00 2001
From: Thomas Backlund
Date: Tue, 1 Mar 2016 21:03:52 +0200
Subject: enforce hardened ssl

---
 modules/apache/templates/01_default_ssl_vhost.conf | 8 +++++---
 modules/apache/templates/vhost_ssl.conf | 3 +++
 2 files changed, 8 insertions(+), 3 deletions(-)
(limited to 'modules')

diff --git a/modules/apache/templates/01_default_ssl_vhost.conf b/modules/apache/templates/01_default_ssl_vhost.conf
index d2aa9f94..c9cdcfcd 100644
--- a/modules/apache/templates/01_default_ssl_vhost.conf
+++ b/modules/apache/templates/01_default_ssl_vhost.conf
@@ -29,12 +29,14 @@ SSLEngine on
 # SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
 # See the mod_ssl documentation for a complete list.
-SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+SSLHonorCipherOrder On
+SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+
 
 # SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
-# connect. Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+# connect. Disable SSLv2/v3 access by default:
+SSLProtocol ALL -SSLv2 -SSLv3
 
 <%- if wildcard_sslcert == 'true' then -%>
 SSLCertificateFile /etc/ssl/wildcard.<%= domain %>.crt
diff --git a/modules/apache/templates/vhost_ssl.conf b/modules/apache/templates/vhost_ssl.conf
index a26d2509..e39e6820 100644
--- a/modules/apache/templates/vhost_ssl.conf
+++ b/modules/apache/templates/vhost_ssl.conf
@@ -1,4 +1,7 @@
 SSLEngine on
+ SSLProtocol ALL -SSLv2 -SSLv3
+ SSLHonorCipherOrder On
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
 <%- if wildcard_sslcert == 'true' then -%>
 SSLCertificateFile /etc/ssl/wildcard.<%= domain %>.crt
 SSLCertificateKeyFile /etc/ssl/wildcard.<%= domain %>.key
-- 
cgit v1.2.1
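Review bot: The new SSLCipherSuite in 01_default_ssl_vhost.conf still admits the 3DES entries (ECDH+3DES, DH+3DES, RSA+3DES) and the RSA+* suites, which use static RSA key exchange and so give no forward secrecy; with SSLHonorCipherOrder On the ECDH/DH AES suites are preferred anyway, so the tail of the list only serves clients that cannot do better, and either that client set should be documented in the comment above or the 3DES entries dropped, e.g. `SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS`. The DH+* suites are also only as strong as the server's DH parameters, which this change does not set anywhere in the template. `SSLProtocol ALL -SSLv2 -SSLv3` still leaves TLS 1.0 and 1.1 enabled, so the rewritten comment is slightly optimistic; `# connect. SSLv2/v3 are disabled; TLS 1.0 and later remain enabled:` states what the line actually does. The same cipher list and protocol line are added to vhost_ssl.conf in the second hunk, so whatever is decided here applies there as well.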
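Review bot: The three directives added after `SSLEngine on` in vhost_ssl.conf duplicate the protocol and cipher settings of 01_default_ssl_vhost.conf byte-for-byte, so the two templates will drift the next time the policy is tightened; rendering both from one shared Puppet variable or an included template would avoid that, and until then each copy should at least carry `# Keep in sync with 01_default_ssl_vhost.conf`. The added lines also appear indented while the surrounding `SSLEngine on` and `<%- if` lines are not (the exact indent is hard to tell from the collapsed text), which Apache ignores but which is inconsistent with the rest of the template. Unlike the default vhost, this copy has no comment explaining why this cipher order was chosen, so the rationale lives in only one of the two places it is enforced.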