Преглед на файлове

Use less restrictive TLS configuration

Until the day TLS 1.3 becomes widely supported, web servers must rely on a fallback to TLS 1.2 with correctly configured server directives and strong cipher suites.

 * https://www.cloudinsidr.com/content/tls-1-3-and-tls-1-2-cipher-suites-demystified-how-to-pick-your-ciphers-wisely/
 * (fr) https://www.ssi.gouv.fr/guide/recommandations-de-securite-relatives-a-tls/
 * https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6
pull/579/head
Guillaume Vincent преди 4 години
родител
ревизия
cfed362a77
променени са 1 файла, в които са добавени 5 реда и са изтрити 5 реда
  1. +5
    -5
      containers/webserver/httpd-ssl.conf

+ 5
- 5
containers/webserver/httpd-ssl.conf Целия файл

@@ -1,4 +1,4 @@
# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&guideline=5.6
# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
@@ -50,8 +50,8 @@ Listen 443
# ensure these follow appropriate best practices for this deployment.
# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
# SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
# SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

# By the end of 2016, only TLSv1.2 ciphers should remain in use.
# Older ciphers should be disallowed as soon as possible, while the
@@ -79,8 +79,8 @@ SSLSessionTickets off
# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
# disabled as quickly as practical. By the end of 2016, only the TLSv1.2
# protocol or later should remain in use.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.


Зареждане…
Отказ
Запис