Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/2.4/conf
diff options
context:
space:
mode:
Diffstat (limited to '2.4/conf')
-rw-r--r--2.4/conf/modules.d/40_mod_ssl.conf4
-rw-r--r--2.4/conf/vhosts.d/00_default_ssl_vhost.conf14
2 files changed, 17 insertions, 1 deletions
diff --git a/2.4/conf/modules.d/40_mod_ssl.conf b/2.4/conf/modules.d/40_mod_ssl.conf
index 07c7514..803572a 100644
--- a/2.4/conf/modules.d/40_mod_ssl.conf
+++ b/2.4/conf/modules.d/40_mod_ssl.conf
@@ -60,4 +60,8 @@ SSLSessionCacheTimeout 300
Mutex file:/run/apache_ssl_mutex ssl-cache
</IfDefine>
+## SSL Compression:
+# Known to be vulnerable thus disabled by default (bug #507324).
+SSLCompression off
+
# vim: ts=4 filetype=apache
diff --git a/2.4/conf/vhosts.d/00_default_ssl_vhost.conf b/2.4/conf/vhosts.d/00_default_ssl_vhost.conf
index 98bfc2f..bb39547 100644
--- a/2.4/conf/vhosts.d/00_default_ssl_vhost.conf
+++ b/2.4/conf/vhosts.d/00_default_ssl_vhost.conf
@@ -21,10 +21,22 @@ Listen 443
# Enable/Disable SSL for this virtual host.
SSLEngine on
+ ## SSLProtocol:
+ # Don't use SSLv2 anymore as it's considered to be broken security-wise.
+ # Also disable SSLv3 as most modern browsers are capable of TLS.
+ SSLProtocol ALL -SSLv2 -SSLv3
+
## SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
- SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+ # This list of ciphers is recommended by mozilla and was stripped off
+ # its RC4 ciphers. (bug #506924)
+ SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+
+ ## SSLHonorCipherOrder:
+ # Prefer the server's cipher preference order as the client may have a
+ # weak default order.
+ SSLHonorCipherOrder On
## Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If the certificate