@@ -1,4 +1,4 @@ |
|
|
# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&guideline=5.6 |
|
|
|
|
|
|
|
|
# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6 |
|
|
# |
|
|
# |
|
|
# This is the Apache server configuration file providing SSL support. |
|
|
# This is the Apache server configuration file providing SSL support. |
|
|
# It contains the configuration directives to instruct the server how to |
|
|
# It contains the configuration directives to instruct the server how to |
|
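Review bot: the single changed line in this hunk, the header comment moving from `config=modern` to `config=intermediate` in the ssl-config.mozilla.org URL, is the only place in the file that records the profile being relaxed; please state the reason (for example which clients could not negotiate a TLS 1.3-only server) in the commit message or in a comment beside the URL, because the retained stock comments say nothing about it. Also keep the `version=2.4.41`, `openssl=1.1.1d` and `guideline=5.6` parameters in the URL matched to the build actually deployed, since the generator's output differs by version and a reader will use that URL to re-derive the directives below.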
@@ -50,8 +50,8 @@ Listen 443 |
|
|
# ensure these follow appropriate best practices for this deployment. |
|
|
# ensure these follow appropriate best practices for this deployment. |
|
|
# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers, |
|
|
# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers, |
|
|
# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a. |
|
|
# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a. |
|
|
# SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES |
|
|
|
|
|
# SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES |
|
|
|
|
|
|
|
|
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 |
|
|
|
|
|
SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 |
|
|
|
|
|
|
|
|
# By the end of 2016, only TLSv1.2 ciphers should remain in use. |
|
|
# By the end of 2016, only TLSv1.2 ciphers should remain in use. |
|
|
# Older ciphers should be disallowed as soon as possible, while the |
|
|
# Older ciphers should be disallowed as soon as possible, while the |
|
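Review bot: the new `SSLCipherSuite` and `SSLProxyCipherSuite` lines replace the commented-out distro placeholders (`# SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES`) with the Mozilla intermediate list, which is the right list for the profile named in the header hunk, but two things should be checked before merge. The list ends with `DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384`, and the intermediate profile pairs those DHE suites with an explicit 2048-bit `ffdhe2048` parameter file (`SSLOpenSSLConfCmd DHParameters`) and an explicit `SSLHonorCipherOrder` setting; neither is in this hunk, so confirm they are set elsewhere in the file. The stale comment block that now sits directly under the new directives (`# By the end of 2016, only TLSv1.2 ciphers should remain in use.`) should be dropped or reworded so the comment matches the directive it precedes.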
@@ -79,8 +79,8 @@ SSLSessionTickets off |
|
|
# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be |
|
|
# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be |
|
|
# disabled as quickly as practical. By the end of 2016, only the TLSv1.2 |
|
|
# disabled as quickly as practical. By the end of 2016, only the TLSv1.2 |
|
|
# protocol or later should remain in use. |
|
|
# protocol or later should remain in use. |
|
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 |
|
|
|
|
|
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 |
|
|
|
|
|
|
|
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 |
|
|
|
|
|
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1 |
|
|
|
|
|
|
|
|
# Pass Phrase Dialog: |
|
|
# Pass Phrase Dialog: |
|
|
# Configure the pass phrase gathering process. |
|
|
# Configure the pass phrase gathering process. |
|
|
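Review bot: the change from `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2` to `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` (and the same edit to `SSLProxyProtocol`) re-enables TLS 1.2 alongside TLS 1.3, which is the actual security-relevant effect of this commit and is consistent with the TLS 1.2 cipher list added in the previous hunk; the retained comment that only the TLSv1.2 protocol or later should remain in use still holds. Suggest recording in the commit message that TLS 1.2 is being turned back on, and verifying after reload that a TLS 1.1 handshake is refused while 1.2 and 1.3 succeed (for example `openssl s_client -connect host:443 -tls1_1` versus `-tls1_2` and `-tls1_3`). Note also that `SSLProxyProtocol` governs outbound mod_proxy connections, so this widens what the server will accept from backends as well as from clients.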