Commit f8987930 authored by Marius Cramer's avatar Marius Cramer
Browse files

- added intermediate SSL security profile (see...

- added intermediate SSL security profile (see https://mozilla.github.io/server-side-tls/ssl-config-generator/)
- TODO: admin option to choose between intermediate (default) and modern
parent 0e899eee
......@@ -53,12 +53,22 @@
<tmpl_if name='ssl_enabled'>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
<IfModule mod_headers.c>
Header always add Strict-Transport-Security "max-age=15768000"
</IfModule>
SSLCertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.crt
SSLCertificateKeyFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.key
<tmpl_if name='has_bundle_cert'>
<tmpl_if name='apache_version' op='<' value='2.4.8' format='version'>
SSLCertificateChainFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.bundle
</tmpl_if>
<tmpl_if name='apache_version' op='>=' value='2.4' format='version'>
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
</tmpl_if>
</tmpl_if>
</tmpl_if>
</IfModule>
......
  • Da fehlt das Cache Verzeichnis meines Erachtens.

    # OCSP Stapling, only in httpd 2.3.3 and later
        SSLUseStapling          on
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off
        # On Apache 2.4+, SSLStaplingCache must be set *outside* of the VirtualHost
        SSLStaplingCache        shmcb:/var/run/ocsp(128000)
     
        # Enable this if your want HSTS (recommended)
        # Header add Strict-Transport-Security "max-age=15768000"
     
        ...
    </VirtualHost>
    # TLS Session cache, outside of virtual host, apache 2.4+
    # the path doesn't need to exist
    SSLSessionCache         shmcb:/path/to/ssl_gcache_data(5120000)

    https://wiki.mozilla.org/Security/Server_Side_TLS#Apache

    Wenn ich dieses Template in 3.0.5.4p8 nutze, bekomm ich einen Error 500 und im log wird über das fehlende Cache Verzeichnis geklagt :)

Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment