ISPConfig3 devel
parent: 6e0b35c4 | patch | commit | ignore whitespace
CSoellinger
2016-04-27 473f0615eb7adeea7433328274d38446f13d3e11 
Updating SSL options at ispconfig vhost based on the mozilla ssl configuration generator
https://mozilla.github.io/server-side-tls/ssl-config-generator/
1 files modified
24 ■■■■ changed files
install/tpl/apache_ispconfig.vhost.master 24 ●●●● patch | view | raw | blame | history 
 install/tpl/apache_ispconfig.vhost.master


@@ -62,26 +62,36 @@




  # SSL Configuration


  <tmpl_var name="ssl_comment">SSLEngine On


  <tmpl_if name='apache_version' op='>=' value='2.3.16' format='version'>


  <tmpl_var name="ssl_comment">SSLProtocol All -SSLv3


  <tmpl_else>


  <tmpl_var name="ssl_comment">SSLProtocol All -SSLv2 -SSLv3


  </tmpl_if>


  <tmpl_var name="ssl_comment">SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt


  <tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key


  <tmpl_var name="ssl_bundle_comment">SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle




  <tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4


  <tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS


  <tmpl_var name="ssl_comment">SSLHonorCipherOrder On


  <tmpl_if name='apache_version' op='>=' value='2.4.3' format='version'>


  <tmpl_var name="ssl_comment">SSLCompression Off


  </tmpl_if>


  <tmpl_if name='apache_version' op='>=' value='2.4.11' format='version'>


  <tmpl_var name="ssl_comment">SSLSessionTickets Off


  </tmpl_if>




  <IfModule mod_headers.c>


    Header always add Strict-Transport-Security "max-age=15768000"


  </IfModule>




<tmpl_if name='apache_version' op='>=' value='1.4' format='version'>


<tmpl_var name="ssl_comment">SSLUseStapling on


<tmpl_var name="ssl_comment">SSLStaplingResponderTimeout 5


<tmpl_var name="ssl_comment">SSLStaplingReturnResponderErrors off


</tmpl_if>


  <tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>


  <tmpl_var name="ssl_comment">SSLUseStapling On


  <tmpl_var name="ssl_comment">SSLStaplingResponderTimeout 5


  <tmpl_var name="ssl_comment">SSLStaplingReturnResponderErrors Off


  </tmpl_if>


</VirtualHost>




<tmpl_if name='apache_version' op='>=' value='2.4' format='version'>


<tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>


<IfModule mod_ssl.c>


  <tmpl_var name="ssl_comment">SSLStaplingCache shmcb:/var/run/ocsp(128000)


</IfModule>