Refresh cipher suites and protocols
The last update was 2016, and it's time to drop TLSv1 and TLSv1.1 as the
base configuration recommended by Mozilla.
https://wiki.mozilla.org/Security/Server_Side_TLS
This is equivalent to a charm-helper's change:
27d6ceb385
Change-Id: Ic7c3751d5cfce33517072bfca865e03f6f84f423
Closes-Bug: #1886630
This commit is contained in:
parent
8f80afe8c3
commit
0a24820971
|
@ -6,8 +6,14 @@ Listen {{ ext_port }}
|
|||
<VirtualHost {{ address }}:{{ ext }}>
|
||||
ServerName {{ endpoint }}
|
||||
SSLEngine on
|
||||
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
|
||||
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM
|
||||
|
||||
# This section is based on Mozilla's recommendation
|
||||
# as the "intermediate" profile as of July 7th, 2020.
|
||||
# https://wiki.mozilla.org/Security/Server_Side_TLS
|
||||
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
||||
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
SSLHonorCipherOrder off
|
||||
|
||||
SSLCertificateFile /etc/apache2/ssl/{{ options.service_name }}/cert_{{ endpoint }}
|
||||
SSLCertificateKeyFile /etc/apache2/ssl/{{ options.service_name }}/key_{{ endpoint }}
|
||||
ProxyPass / http://localhost:{{ int }}/
|
||||
|
|
Loading…
Reference in New Issue