thomas
/
sovereign
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

Use "modern" SSLCipherSuite per Mozilla recommendations. 

See https://wiki.mozilla.org/Security/Server_Side_TLS for details.
Removes RC4 cipher. Fixes issue #341.
Also explicitly disabled SSLCompression and enables OCSP stapling.

We should put all these settings in
/etc/apache2/mods-enabled/ssl.conf
to avoid duplication...
Sven Neuhaus 10 years ago
parent
c898aa98d6
commit
a088d9c456
8 changed files with 41 additions and 8 deletions
Unified View Show Diff Stats
  1. 5
    1
      roles/blog/templates/etc_apache2_sites-available_blog.j2
  2. 5
    1
      roles/git/templates/etc_apache2_sites-available_cgit.j2
  3. 5
    1
      roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2
  4. 6
    1
      roles/newebe/templates/etc_apache2_sites-available_newebe.j2
  5. 5
    1
      roles/news/templates/etc_apache2_sites-available_selfoss.j2
  6. 5
    1
      roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2
  7. 5
    1
      roles/readlater/templates/etc_apache2_sites-available_wallabag.j2
  8. 5
    1
      roles/webmail/templates/etc_apache2_sites-available_roundcube.j2

+ 5
- 1
roles/blog/templates/etc_apache2_sites-available_blog.j2 View File

13 
     SSLEngine on
 13 
     SSLEngine on
14 
     SSLProtocol ALL -SSLv2 -SSLv3
 14 
     SSLProtocol ALL -SSLv2 -SSLv3
15 
     SSLHonorCipherOrder On
 15 
     SSLHonorCipherOrder On
16 
-    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
16 
+    SSLCompression off
17 
+    SSLUseStapling On
18 
+    SSLStaplingResponderTimeout 5
19 
+    SSLStaplingReturnResponderErrors off
20 
+    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
17 
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
 21 
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
18 
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
 22 
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
19 
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
 23 
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem

+ 5
- 1
roles/git/templates/etc_apache2_sites-available_cgit.j2 View File

10 
     SSLEngine on
 10 
     SSLEngine on
11 
     SSLProtocol ALL -SSLv2 -SSLv3
 11 
     SSLProtocol ALL -SSLv2 -SSLv3
12 
     SSLHonorCipherOrder On
 12 
     SSLHonorCipherOrder On
13 
-    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
13 
+    SSLCompression off
14 
+    SSLUseStapling On
15 
+    SSLStaplingResponderTimeout 5
16 
+    SSLStaplingReturnResponderErrors off
17 
+    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
14 
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
 18 
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
15 
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
 19 
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
16 
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
 20 
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem

+ 5
- 1
roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2 View File

21 
     SSLEngine on
 21 
     SSLEngine on
22 
     SSLProtocol ALL -SSLv2 -SSLv3
 22 
     SSLProtocol ALL -SSLv2 -SSLv3
23 
     SSLHonorCipherOrder On
 23 
     SSLHonorCipherOrder On
24 
-    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
24 
+    SSLCompression off
25 
+    SSLUseStapling On
26 
+    SSLStaplingResponderTimeout 5
27 
+    SSLStaplingReturnResponderErrors off
28 
+    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
25 
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
 29 
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
26 
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
 30 
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
27 
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
 31 
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem

+ 6
- 1
roles/newebe/templates/etc_apache2_sites-available_newebe.j2 View File

9 
     ServerName {{ newebe_domain }}
 9 
     ServerName {{ newebe_domain }}
10 
     SSLEngine On
 10 
     SSLEngine On
11
11
12 
+    SSLEngine on
12 
     SSLProtocol ALL -SSLv2 -SSLv3
 13 
     SSLProtocol ALL -SSLv2 -SSLv3
13 
     SSLHonorCipherOrder On
 14 
     SSLHonorCipherOrder On
14 
-    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
15 
+    SSLCompression off
16 
+    SSLUseStapling On
17 
+    SSLStaplingResponderTimeout 5
18 
+    SSLStaplingReturnResponderErrors off
19 
+    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
15 
     SSLCertificateFile /etc/ssl/certs/wildcard_public_cert.crt
 20 
     SSLCertificateFile /etc/ssl/certs/wildcard_public_cert.crt
16 
     SSLCertificateKeyFile /etc/ssl/private/wildcard_private.key
 21 
     SSLCertificateKeyFile /etc/ssl/private/wildcard_private.key
17 
     SSLCACertificateFile /etc/ssl/certs/wildcard_ca.pem
 22 
     SSLCACertificateFile /etc/ssl/certs/wildcard_ca.pem

+ 5
- 1
roles/news/templates/etc_apache2_sites-available_selfoss.j2 View File

10 
     SSLEngine on
 10 
     SSLEngine on
11 
     SSLProtocol ALL -SSLv2 -SSLv3
 11 
     SSLProtocol ALL -SSLv2 -SSLv3
12 
     SSLHonorCipherOrder On
 12 
     SSLHonorCipherOrder On
13 
-    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
13 
+    SSLCompression off
14 
+    SSLUseStapling On
15 
+    SSLStaplingResponderTimeout 5
16 
+    SSLStaplingReturnResponderErrors off
17 
+    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
14 
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
 18 
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
15 
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
 19 
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
16 
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
 20 
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem

+ 5
- 1
roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2 View File

10 
     SSLEngine on
 10 
     SSLEngine on
11 
     SSLProtocol ALL -SSLv2 -SSLv3
 11 
     SSLProtocol ALL -SSLv2 -SSLv3
12 
     SSLHonorCipherOrder On
 12 
     SSLHonorCipherOrder On
13 
-    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
13 
+    SSLCompression off
14 
+    SSLUseStapling On
15 
+    SSLStaplingResponderTimeout 5
16 
+    SSLStaplingReturnResponderErrors off
17 
+    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
14 
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
 18 
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
15 
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
 19 
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
16 
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
 20 
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem

+ 5
- 1
roles/readlater/templates/etc_apache2_sites-available_wallabag.j2 View File

10 
     SSLEngine on
 10 
     SSLEngine on
11 
     SSLProtocol ALL -SSLv2 -SSLv3
 11 
     SSLProtocol ALL -SSLv2 -SSLv3
12 
     SSLHonorCipherOrder On
 12 
     SSLHonorCipherOrder On
13 
-    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
13 
+    SSLCompression off
14 
+    SSLUseStapling On
15 
+    SSLStaplingResponderTimeout 5
16 
+    SSLStaplingReturnResponderErrors off
17 
+    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
14 
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
 18 
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
15 
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
 19 
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
16 
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
 20 
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem

+ 5
- 1
roles/webmail/templates/etc_apache2_sites-available_roundcube.j2 View File

10 
     SSLEngine on
 10 
     SSLEngine on
11 
     SSLProtocol ALL -SSLv2 -SSLv3
 11 
     SSLProtocol ALL -SSLv2 -SSLv3
12 
     SSLHonorCipherOrder On
 12 
     SSLHonorCipherOrder On
13 
-    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
13 
+    SSLCompression off
14 
+    SSLUseStapling On
15 
+    SSLStaplingResponderTimeout 5
16 
+    SSLStaplingReturnResponderErrors off
17 
+    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
14 
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
 18 
     SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
15 
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
 19 
     SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
16 
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
 20 
     SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem

Write Preview
Loading…
Cancel
Save