From 7ff59b58a70f2c09f2906e2579e7867116f4f5e4 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?=
Date: Tue, 22 Oct 2019 14:47:50 +0200
Subject: [PATCH] - update to current intermediate mozilla recommendation
---
 apache-mod_ssl.conf | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/apache-mod_ssl.conf b/apache-mod_ssl.conf
index f8d7e2c..575c5c8 100644
--- a/apache-mod_ssl.conf
+++ b/apache-mod_ssl.conf
@@ -58,20 +58,13 @@ SSLPassPhraseDialog builtin
 SSLSessionCache shmcb:/var/cache/httpd/ssl_scache(512000)
 SSLSessionCacheTimeout 300
-# FOLLOW SECURE DEFAULTS: https://wiki.mozilla.org/Security/Server_Side_TLS
+# https://ssl-config.mozilla.org/#server=apache&server-version=2.4.39&config=modern&hsts=false
-# Usable SSL protocol flavors:
-# This directive can be used to control the SSL protocol flavors mod_ssl
-# should use when establishing its server environment. Clients then can only
-# connect with one of the provided protocols.
-SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
-
-# SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate.
-# See the mod_ssl documentation for a complete list.
-SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:TLSv1.3
-
-SSLHonorCipherOrder on
+# intermediate configuration, tweak to your needs
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLHonorCipherOrder off
+SSLSessionTickets off
 SSLCompression off
-- 
2.44.0
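Review bot: The reference URL in the added comment selects `config=modern`, while the commit subject, the comment on the next line and the directives themselves (TLS 1.2 still enabled by `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`, DHE suites in the list) are the intermediate profile. Anyone regenerating from that link gets the modern profile (TLS 1.3 only in Mozilla's current guidelines), which does not match this file. Point the comment at the profile actually applied: `# https://ssl-config.mozilla.org/#server=apache&server-version=2.4.39&config=intermediate&hsts=false`. The removed comments were the only explanation of these directives, so a short why-comment on the behavioural change would help, e.g. `# client picks the cipher: every suite listed is forward-secret AEAD` above `SSLHonorCipherOrder off`. The list still offers DHE-RSA suites, and the DH parameters they use are configured outside this hunk, so confirm they are at least 2048-bit.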