diff options
author | Lars Wendler <polynomial-c@gentoo.org> | 2014-04-20 18:44:54 +0200 |
---|---|---|
committer | Lars Wendler <polynomial-c@gentoo.org> | 2014-04-20 18:44:54 +0200 |
commit | 9154fa2d2a6b8f0b59c5b1d83c8186a4249d7f8f (patch) | |
tree | f492ced6390f9fa781bbefa7982a2b773f270b35 /2.4/conf/vhosts.d | |
parent | Fixed startup of init scripts (diff) | |
download | apache-9154fa2d2a6b8f0b59c5b1d83c8186a4249d7f8f.tar.gz apache-9154fa2d2a6b8f0b59c5b1d83c8186a4249d7f8f.tar.bz2 apache-9154fa2d2a6b8f0b59c5b1d83c8186a4249d7f8f.zip |
Disabled SSLCompression by default (bug #507324). Replaced old weak with strong ciphers (bug #506924).
Diffstat (limited to '2.4/conf/vhosts.d')
-rw-r--r-- | 2.4/conf/vhosts.d/00_default_ssl_vhost.conf | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/2.4/conf/vhosts.d/00_default_ssl_vhost.conf b/2.4/conf/vhosts.d/00_default_ssl_vhost.conf index 98bfc2f..bb39547 100644 --- a/2.4/conf/vhosts.d/00_default_ssl_vhost.conf +++ b/2.4/conf/vhosts.d/00_default_ssl_vhost.conf @@ -21,10 +21,22 @@ Listen 443 # Enable/Disable SSL for this virtual host. SSLEngine on + ## SSLProtocol: + # Don't use SSLv2 anymore as it's considered to be broken security-wise. + # Also disable SSLv3 as most modern browsers are capable of TLS. + SSLProtocol ALL -SSLv2 -SSLv3 + ## SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. - SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL + # This list of ciphers is recommended by mozilla and was stripped off + # its RC4 ciphers. (bug #506924) + SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK + + ## SSLHonorCipherOrder: + # Prefer the server's cipher preference order as the client may have a + # weak default order. + SSLHonorCipherOrder On ## Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If the certificate |