From cfed362a77bad0f729a002a4495ca0bf9bf5d85d Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Thu, 10 Dec 2020 13:59:12 +0100 Subject: [PATCH] Use less restrictive TLS configuration Until the day TLS 1.3 becomes widely supported, web servers must rely on a fallback to TLS 1.2 with correctly configured server directives and strong cipher suites. * https://www.cloudinsidr.com/content/tls-1-3-and-tls-1-2-cipher-suites-demystified-how-to-pick-your-ciphers-wisely/ * (fr) https://www.ssi.gouv.fr/guide/recommandations-de-securite-relatives-a-tls/ * https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6 --- containers/webserver/httpd-ssl.conf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/containers/webserver/httpd-ssl.conf b/containers/webserver/httpd-ssl.conf index a0fc4be..f443c28 100644 --- a/containers/webserver/httpd-ssl.conf +++ b/containers/webserver/httpd-ssl.conf @@ -1,4 +1,4 @@ -# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&guideline=5.6 +# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6 # # This is the Apache server configuration file providing SSL support. # It contains the configuration directives to instruct the server how to @@ -50,8 +50,8 @@ Listen 443 # ensure these follow appropriate best practices for this deployment. # httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers, # while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a. -# SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES -# SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES +SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 +SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 # By the end of 2016, only TLSv1.2 ciphers should remain in use. # Older ciphers should be disallowed as soon as possible, while the @@ -79,8 +79,8 @@ SSLSessionTickets off # Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be # disabled as quickly as practical. By the end of 2016, only the TLSv1.2 # protocol or later should remain in use. -SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 -SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 +SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 +SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1 # Pass Phrase Dialog: # Configure the pass phrase gathering process.