modernize mods snippet gnutls; drop outdated conf.d snippet local-gnutls

author: Jonas Smedegaard <dr@jones.dk> 2020-10-17 22:25:08 +0200
committer: Jonas Smedegaard <dr@jones.dk> 2020-10-17 22:25:08 +0200
commit: 075bb6a63e17bbc6df91b664c78388886a4bddaa (patch)
tree: 9b0bff53aa47fd64a99ce2c1c44f6a8a625ac87a
parent: 8d7a538d35781331d38c10393d589e3357cb4500 (diff)
3 files changed, 36 insertions, 53 deletions
diff --git a/apache2/conf.d/local-gnutls.conf b/apache2/conf.d/local-gnutls.conf
deleted file mode 100644
index d09a06b..0000000
--- a/apache2/conf.d/local-gnutls.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-GnuTLSEnable on
-
-# based on <https://blog.joelj.org/ecdsa-certificates-with-apache-2-4-lets-encrypt/>
-#  * only strong EC crypto suites supporting Perfect Forward Secrecy
-#  * supported by all SNI-capable browsers
-# Options:
-#  * drop %SAFE_RENEGOTIATION for Safari 5.1.9 / OS X 10.6.8 support
-#  * add 3DES-CBS after AES-128-CBC for Android 2.3.7 support on non-SNI hosts
-#  * add CHACHA20-POLY1305 after ECDHE-ECDSA with libgnutls >= 3.4.0
-GnuTLSPriorities NONE:+ECDHE-ECDSA:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+AEAD:+SHA384:+SHA256:+SHA1:+CTYPE-X509:+VERS-TLS-ALL:-VERS-SSL3.0:+COMP-NULL:+CURVE-SECP384R1:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA224:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION
-
-GnuTLSCertificateFile /etc/ssl/certs/apache2+cacert.org.pem
-GnuTLSKeyFile /etc/ssl/private/apache2.pem
-
-# HSTS: http://www.debian-administration.org/articles/662
-Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
diff --git a/apache2/mods-available/gnutls.conf b/apache2/mods-available/gnutls.conf
index f5cf5f8..3109938 100644
--- a/apache2/mods-available/gnutls.conf
+++ b/apache2/mods-available/gnutls.conf
@@ -1,25 +1,19 @@
 <IfModule mod_gnutls.c>
 
-  # The default method is to use a DBM backed cache.  It's not super fast, but
-  # it's portable and doesn't require another server to be running like
-  # memcached
-  GnuTLSCache dbm /var/cache/apache2/gnutls_cache
+  # Use an SHMCB backed session cache unless you have special needs.
+  # (The dbm backend has known memory leaks and should not be used).
+  GnuTLSCache shmcb:${APACHE_RUN_DIR}/gnutls_cache(65536)
 
-  # Enable caching (used for ticket expiration even when GnuTLSCache is unused)
-  GnuTLSCacheTimeout 600
-
-  # mod_gnutls can optionaly use a memcached server to store SSL sessions.
-  # This is useful in a cluster environment, where you want all your servers to
-  # share a single SSL session cache
+  # An alternative is to use a memcached server to store SSL sessions.
+  # This is useful in a cluster environment,
+  # where you want all your servers to share a single SSL session cache.
   #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
 
-  # based on <https://blog.joelj.org/ecdsa-certificates-with-apache-2-4-lets-encrypt/>
-  #  * only strong EC crypto suites supporting Perfect Forward Secrecy
-  #  * supported by all SNI-capable browsers
-  # Options:
-  #  * drop %SAFE_RENEGOTIATION for Safari 5.1.9 / OS X 10.6.8 support
-  #  * add 3DES-CBS after AES-128-CBC for Android 2.3.7 support on non-SNI hosts
-  #  * add CHACHA20-POLY1305 after ECDHE-ECDSA with libgnutls >= 3.4.0
-  GnuTLSPriorities NONE:+ECDHE-ECDSA:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+AEAD:+SHA384:+SHA256:+SHA1:+CTYPE-X509:+VERS-TLS-ALL:-VERS-SSL3.0:+COMP-NULL:+CURVE-SECP384R1:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA224:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION
+  # Require Perfect Forward Secrecy and recent TLS protocol versions
+  # This should be supported by all SNI-capable browsers
+  # You can validate e.g. at <https://www.ssllabs.com/ssltest/>
+  GnuTLSPriorities PFS:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:%SERVER_PRECEDENCE
+
+  GnuTLSOCSPStapling off
 
 </IfModule>
diff --git a/apache2/mods-available/gnutls.conf.diff b/apache2/mods-available/gnutls.conf.diff
index c8561b4..d6504c3 100644
--- a/apache2/mods-available/gnutls.conf.diff
+++ b/apache2/mods-available/gnutls.conf.diff
@@ -1,24 +1,29 @@
---- gnutls.conf.orig	2011-07-19 19:02:55.000000000 +0200
-+++ gnutls.conf	2016-04-28 03:27:13.000000000 +0200
-@@ -5,9 +5,21 @@
-   # memcached
-   GnuTLSCache dbm /var/cache/apache2/gnutls_cache
+--- gnutls.conf.orig
++++ gnutls.conf
+@@ -1,13 +1,19 @@
+ <IfModule mod_gnutls.c>
  
-+  # Enable caching (used for ticket expiration even when GnuTLSCache is unused)
-+  GnuTLSCacheTimeout 600
-+
-   # mod_gnutls can optionaly use a memcached server to store SSL sessions.
-   # This is useful in a cluster environment, where you want all your servers to
-   # share a single SSL session cache
+-  # The default method is to use a DBM backed cache.  It's not super fast, but
+-  # it's portable and doesn't require another server to be running like
+-  # memcached
+-  GnuTLSCache dbm /var/cache/apache2/gnutls_cache
++  # Use an SHMCB backed session cache unless you have special needs.
++  # (The dbm backend has known memory leaks and should not be used).
++  GnuTLSCache shmcb:${APACHE_RUN_DIR}/gnutls_cache(65536)
+ 
+-  # mod_gnutls can optionaly use a memcached server to store SSL sessions.
+-  # This is useful in a cluster environment, where you want all your servers to
+-  # share a single SSL session cache
++  # An alternative is to use a memcached server to store SSL sessions.
++  # This is useful in a cluster environment,
++  # where you want all your servers to share a single SSL session cache.
    #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
  
-+  # based on <https://blog.joelj.org/ecdsa-certificates-with-apache-2-4-lets-encrypt/>
-+  #  * only strong EC crypto suites supporting Perfect Forward Secrecy
-+  #  * supported by all SNI-capable browsers
-+  # Options:
-+  #  * drop %SAFE_RENEGOTIATION for Safari 5.1.9 / OS X 10.6.8 support
-+  #  * add 3DES-CBS after AES-128-CBC for Android 2.3.7 support on non-SNI hosts
-+  #  * add CHACHA20-POLY1305 after ECDHE-ECDSA with libgnutls >= 3.4.0
-+  GnuTLSPriorities NONE:+ECDHE-ECDSA:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+AEAD:+SHA384:+SHA256:+SHA1:+CTYPE-X509:+VERS-TLS-ALL:-VERS-SSL3.0:+COMP-NULL:+CURVE-SECP384R1:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA224:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION
++  # Require Perfect Forward Secrecy and recent TLS protocol versions
++  # This should be supported by all SNI-capable browsers
++  # You can validate e.g. at <https://www.ssllabs.com/ssltest/>
++  GnuTLSPriorities PFS:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:%SERVER_PRECEDENCE
++
++  GnuTLSOCSPStapling off
 +
  </IfModule>
author	Jonas Smedegaard <dr@jones.dk>	2020-10-17 22:25:08 +0200
committer	Jonas Smedegaard <dr@jones.dk>	2020-10-17 22:25:08 +0200
commit	075bb6a63e17bbc6df91b664c78388886a4bddaa (patch)
tree	9b0bff53aa47fd64a99ce2c1c44f6a8a625ac87a
parent	8d7a538d35781331d38c10393d589e3357cb4500 (diff)