enforce hardened ssl

author: Thomas Backlund <tmb@mageia.org> 2016-03-01 21:03:52 +0200
committer: Thomas Backlund <tmb@mageia.org> 2016-03-01 21:03:52 +0200
commit: 129d74ec8077943dda8e03ac40e66dde650d54dd (patch)
tree: 7c0990e183dca2d934c6d31b8164549e75fce3ef /modules/apache/templates
parent: eab7e45d61da681f74c88939cb7b654802bb87fc (diff)
download: puppet-129d74ec8077943dda8e03ac40e66dde650d54dd.tar
puppet-129d74ec8077943dda8e03ac40e66dde650d54dd.tar.gz
puppet-129d74ec8077943dda8e03ac40e66dde650d54dd.tar.bz2
puppet-129d74ec8077943dda8e03ac40e66dde650d54dd.tar.xz
puppet-129d74ec8077943dda8e03ac40e66dde650d54dd.zip
2 files changed, 8 insertions, 3 deletions
diff --git a/modules/apache/templates/01_default_ssl_vhost.conf b/modules/apache/templates/01_default_ssl_vhost.conf
index d2aa9f94..c9cdcfcd 100644
--- a/modules/apache/templates/01_default_ssl_vhost.conf
+++ b/modules/apache/templates/01_default_ssl_vhost.conf
@@ -29,12 +29,14 @@ SSLEngine on
 #   SSL Cipher Suite:
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_ssl documentation for a complete list.
-SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+SSLHonorCipherOrder On
+SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+
 
 #   SSL Protocol support:
 # List the enable protocol levels with which clients will be able to
-# connect.  Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+# connect.  Disable SSLv2/v3 access by default:
+SSLProtocol ALL -SSLv2 -SSLv3
 
 <%- if wildcard_sslcert == 'true' then -%>
 SSLCertificateFile /etc/ssl/wildcard.<%= domain %>.crt
diff --git a/modules/apache/templates/vhost_ssl.conf b/modules/apache/templates/vhost_ssl.conf
index a26d2509..e39e6820 100644
--- a/modules/apache/templates/vhost_ssl.conf
+++ b/modules/apache/templates/vhost_ssl.conf
@@ -1,4 +1,7 @@
         SSLEngine on
+        SSLProtocol ALL -SSLv2 -SSLv3
+        SSLHonorCipherOrder On
+        SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
   <%- if wildcard_sslcert == 'true' then -%>
         SSLCertificateFile /etc/ssl/wildcard.<%= domain %>.crt
         SSLCertificateKeyFile /etc/ssl/wildcard.<%= domain %>.key
author	Thomas Backlund <tmb@mageia.org>	2016-03-01 21:03:52 +0200
committer	Thomas Backlund <tmb@mageia.org>	2016-03-01 21:03:52 +0200
commit	129d74ec8077943dda8e03ac40e66dde650d54dd (patch)
tree	7c0990e183dca2d934c6d31b8164549e75fce3ef /modules/apache/templates
parent	eab7e45d61da681f74c88939cb7b654802bb87fc (diff)
download	puppet-129d74ec8077943dda8e03ac40e66dde650d54dd.tar puppet-129d74ec8077943dda8e03ac40e66dde650d54dd.tar.gz puppet-129d74ec8077943dda8e03ac40e66dde650d54dd.tar.bz2 puppet-129d74ec8077943dda8e03ac40e66dde650d54dd.tar.xz puppet-129d74ec8077943dda8e03ac40e66dde650d54dd.zip