Browse Source

Use less restrictive TLS configuration

Until the day TLS 1.3 becomes widely supported, web servers must rely on a fallback to TLS 1.2 with correctly configured server directives and strong cipher suites.

 * https://www.cloudinsidr.com/content/tls-1-3-and-tls-1-2-cipher-suites-demystified-how-to-pick-your-ciphers-wisely/
 * (fr) https://www.ssi.gouv.fr/guide/recommandations-de-securite-relatives-a-tls/
 * https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6
pull/579/head
Guillaume Vincent 4 years ago
parent
commit
cfed362a77
1 changed files with 5 additions and 5 deletions
  1. +5
    -5
      containers/webserver/httpd-ssl.conf

+ 5
- 5
containers/webserver/httpd-ssl.conf View File

@@ -1,4 +1,4 @@
# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&guideline=5.6
# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6
# #
# This is the Apache server configuration file providing SSL support. # This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to # It contains the configuration directives to instruct the server how to
@@ -50,8 +50,8 @@ Listen 443
# ensure these follow appropriate best practices for this deployment. # ensure these follow appropriate best practices for this deployment.
# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers, # httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a. # while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
# SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
# SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384


# By the end of 2016, only TLSv1.2 ciphers should remain in use. # By the end of 2016, only TLSv1.2 ciphers should remain in use.
# Older ciphers should be disallowed as soon as possible, while the # Older ciphers should be disallowed as soon as possible, while the
@@ -79,8 +79,8 @@ SSLSessionTickets off
# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be # Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
# disabled as quickly as practical. By the end of 2016, only the TLSv1.2 # disabled as quickly as practical. By the end of 2016, only the TLSv1.2
# protocol or later should remain in use. # protocol or later should remain in use.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1


# Pass Phrase Dialog: # Pass Phrase Dialog:
# Configure the pass phrase gathering process. # Configure the pass phrase gathering process.


Loading…
Cancel
Save