From 489b7ba022546ac4f9ea04478b7386804870e614 Mon Sep 17 00:00:00 2001
From: Donald Stufft
Date: Tue, 10 Mar 2015 19:51:46 -0400
Subject: [PATCH] Specify ciphers that optimize for security and performance

* Prefer the ECDHE + AESGCM cipher suites first, these represent the best
  performance and the best security.
* Then, prefer the DH + AESGCM, these are equivalent to the first in terms
  of security, however they are slower.
* Then, we'll prefer any AES cipher that supports PFS, sorting by strength,
  then performance.
* Then we'll prefer any non PFS cipher, with AESGCM first, but finally any
  other non PFS cipher.
* We then exclude any AES256 ciphers, we exclude them here instead of just
  not mentioning them so that they can be re-enabled simply by removing the
  !AES256. We exclude them because they are not meaningfully more secure
  than AES128, however they are slower.
* We then exclude !aNULL, this is needed because we're not manually
  specifying every cipher by name, and we're not specifying any
  authentication. This will ensure that no matter what we'll always have
  *some* authentication.
* We then exclude !eNULL, this isn't really needed since all of our included
  ciphers have encryption specified. It exists primarily for symmetry with
  !aNULL.
* We then exclude !MD5, much like !aNULL this is done because we don't
  specify a digest anywhere, so we want to make sure we don't support MD5.
* Finally we exclude DSS, PSK, and SRP. These are just to make debugging the
  list easier. It's basically impossible to get a DSS certificate issued
  instead of an RSA certificate and nobody really uses PSK or SRP.

This will drop support for IE8 on Windows XP, essentially dropping support
for all versions of IE on Windows XP. Windows XP users would need to use
Firefox or Chrome to use the service.

Change-Id: I4744a6f42b8f7ab4a4b41ad856ecaa424d8ce3fc
---
 templates/vhost.erb | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/templates/vhost.erb b/templates/vhost.erb index 9980ea4..0262019 100644 --- a/templates/vhost.erb +++ b/templates/vhost.erb @@ -21,6 +21,11 @@ SSLEngine on SSLProtocol All -SSLv2 -SSLv3 + # Once the machine is using something to terminate TLS that supports ECDHE + # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS + # only is guarenteed. + SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP + SSLHonorCipherOrder on SSLCertificateFile <%= scope.lookupvar("openstackid::ssl_cert_file") %> SSLCertificateKeyFile <%= scope.lookupvar("openstackid::ssl_key_file") %> <% if scope.lookupvar("openstackid::ssl_chain_file") != "" %>
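Review bot: the added comment says that once `RSA+AESGCM:RSA+AES` are removed the list guarantees "PFS only", but the `ECDH` and `DH` selectors in an OpenSSL cipher string also match the fixed (non-ephemeral) ECDH and DH key-exchange suites, not just ECDHE and DHE; `!aNULL` removes the anonymous variants but not the fixed ones. If the intent is ephemeral-only, the ephemeral aliases express that directly, e.g. `EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:EDH+AES256:EECDH+AES128:EDH+AES128:...`, and the comment can then be stated as a guarantee rather than an intention. Two smaller points on the same `SSLCipherSuite` line: the fourth PFS group is written `DH+AES` while its neighbour is `ECDH+AES128`, which is harmless today only because `!AES256` follows, so `DH+AES128` would keep the ordering meaningful when `!AES256` is later dropped as the message anticipates; and "guarenteed" in the comment should read "guaranteed". `SSLHonorCipherOrder on` is correctly present, without it the preference order would be advisory only.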