author | Thomas Backlund <tmb@mageia.org> | 2016-03-01 21:03:52 +0200 |
---|---|---|
committer | Thomas Backlund <tmb@mageia.org> | 2016-03-01 21:03:52 +0200 |
commit | 129d74ec8077943dda8e03ac40e66dde650d54dd (patch) | |
tree | 7c0990e183dca2d934c6d31b8164549e75fce3ef /modules/apache/templates | |
parent | eab7e45d61da681f74c88939cb7b654802bb87fc (diff) | |
enforce hardened ssl
Diffstat (limited to 'modules/apache/templates')
-rw-r--r-- | modules/apache/templates/01_default_ssl_vhost.conf | 8 | ||||
-rw-r--r-- | modules/apache/templates/vhost_ssl.conf | 3 |
2 files changed, 8 insertions, 3 deletions
diff --git a/modules/apache/templates/01_default_ssl_vhost.conf b/modules/apache/templates/01_default_ssl_vhost.conf
index d2aa9f94..c9cdcfcd 100644
--- a/modules/apache/templates/01_default_ssl_vhost.conf
+++ b/modules/apache/templates/01_default_ssl_vhost.conf
@@ -29,12 +29,14 @@ SSLEngine on
 # SSL Cipher Suite:
 # List the ciphers that the client is permitted to negotiate.
 # See the mod_ssl documentation for a complete list.
-SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+SSLHonorCipherOrder On
+SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+
 # SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
-# connect. Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+# connect. Disable SSLv2/v3 access by default:
+SSLProtocol ALL -SSLv2 -SSLv3
 <%- if wildcard_sslcert == 'true' then -%>
 SSLCertificateFile /etc/ssl/wildcard.<%= domain %>.crt
diff --git a/modules/apache/templates/vhost_ssl.conf b/modules/apache/templates/vhost_ssl.conf
index a26d2509..e39e6820 100644
--- a/modules/apache/templates/vhost_ssl.conf
+++ b/modules/apache/templates/vhost_ssl.conf
@@ -1,4 +1,7 @@
 SSLEngine on
+ SSLProtocol ALL -SSLv2 -SSLv3
+ SSLHonorCipherOrder On
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
 <%- if wildcard_sslcert == 'true' then -%>
 SSLCertificateFile /etc/ssl/wildcard.<%= domain %>.crt
 SSLCertificateKeyFile /etc/ssl/wildcard.<%= domain %>.key
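Review bot: The new SSLCipherSuite in 01_default_ssl_vhost.conf still admits 3DES through the ECDH+3DES, DH+3DES and RSA+3DES groups, so a "hardened" default keeps a 64-bit block cipher negotiable for any client that prefers it (SSLHonorCipherOrder only pushes it last, it does not exclude it). Unless a known legacy client population requires it, drop those three groups, e.g. `SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS`, or document in the template comment why 3DES is retained. The same full cipher string and protocol line are pasted verbatim into the vhost_ssl.conf hunk; since these are ERB templates, emitting them from a single Puppet variable or shared fragment would keep the two files from drifting the next time the list is tightened. While touching these lines, `SSLCompression off` is a cheap addition that the current hardening does not cover.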
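Review bot: The SSLProtocol line added to vhost_ssl.conf may not be honored per virtual host: for name-based SSL vhosts sharing an address and port, mod_ssl has historically taken the protocol set from the first (default) vhost on that socket rather than from each SNI vhost, so this directive is presumably effective only because 01_default_ssl_vhost.conf sets the identical value. If that is the intent, a short comment such as `# Must match the protocol set in 01_default_ssl_vhost.conf; mod_ssl applies the default vhost's SSLProtocol to SNI vhosts on the same socket` would stop a later per-vhost divergence from being silently ignored. The surrounding VirtualHost block of this template is not visible in the hunk.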