From 075bb6a63e17bbc6df91b664c78388886a4bddaa Mon Sep 17 00:00:00 2001 From: Jonas Smedegaard Date: Sat, 17 Oct 2020 22:25:08 +0200 Subject: modernize mods snippet gnutls; drop outdated conf.d snippet local-gnutls --- apache2/conf.d/local-gnutls.conf | 16 ------------ apache2/mods-available/gnutls.conf | 30 +++++++++-------------- apache2/mods-available/gnutls.conf.diff | 43 ++++++++++++++++++--------------- 3 files changed, 36 insertions(+), 53 deletions(-) delete mode 100644 apache2/conf.d/local-gnutls.conf (limited to 'apache2') diff --git a/apache2/conf.d/local-gnutls.conf b/apache2/conf.d/local-gnutls.conf deleted file mode 100644 index d09a06b..0000000 --- a/apache2/conf.d/local-gnutls.conf +++ /dev/null @@ -1,16 +0,0 @@ -GnuTLSEnable on - -# based on -# * only strong EC crypto suites supporting Perfect Forward Secrecy -# * supported by all SNI-capable browsers -# Options: -# * drop %SAFE_RENEGOTIATION for Safari 5.1.9 / OS X 10.6.8 support -# * add 3DES-CBS after AES-128-CBC for Android 2.3.7 support on non-SNI hosts -# * add CHACHA20-POLY1305 after ECDHE-ECDSA with libgnutls >= 3.4.0 -GnuTLSPriorities NONE:+ECDHE-ECDSA:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+AEAD:+SHA384:+SHA256:+SHA1:+CTYPE-X509:+VERS-TLS-ALL:-VERS-SSL3.0:+COMP-NULL:+CURVE-SECP384R1:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA224:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION - -GnuTLSCertificateFile /etc/ssl/certs/apache2+cacert.org.pem -GnuTLSKeyFile /etc/ssl/private/apache2.pem - -# HSTS: http://www.debian-administration.org/articles/662 -Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" diff --git a/apache2/mods-available/gnutls.conf b/apache2/mods-available/gnutls.conf index f5cf5f8..3109938 100644 --- a/apache2/mods-available/gnutls.conf +++ b/apache2/mods-available/gnutls.conf @@ -1,25 +1,19 @@ - # The default method is to use a DBM backed cache. It's not super fast, but - # it's portable and doesn't require another server to be running like - # memcached - GnuTLSCache dbm /var/cache/apache2/gnutls_cache + # Use an SHMCB backed session cache unless you have special needs. + # (The dbm backend has known memory leaks and should not be used). + GnuTLSCache shmcb:${APACHE_RUN_DIR}/gnutls_cache(65536) - # Enable caching (used for ticket expiration even when GnuTLSCache is unused) - GnuTLSCacheTimeout 600 - - # mod_gnutls can optionaly use a memcached server to store SSL sessions. - # This is useful in a cluster environment, where you want all your servers to - # share a single SSL session cache + # An alternative is to use a memcached server to store SSL sessions. + # This is useful in a cluster environment, + # where you want all your servers to share a single SSL session cache. #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com" - # based on - # * only strong EC crypto suites supporting Perfect Forward Secrecy - # * supported by all SNI-capable browsers - # Options: - # * drop %SAFE_RENEGOTIATION for Safari 5.1.9 / OS X 10.6.8 support - # * add 3DES-CBS after AES-128-CBC for Android 2.3.7 support on non-SNI hosts - # * add CHACHA20-POLY1305 after ECDHE-ECDSA with libgnutls >= 3.4.0 - GnuTLSPriorities NONE:+ECDHE-ECDSA:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+AEAD:+SHA384:+SHA256:+SHA1:+CTYPE-X509:+VERS-TLS-ALL:-VERS-SSL3.0:+COMP-NULL:+CURVE-SECP384R1:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA224:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION + # Require Perfect Forward Secrecy and recent TLS protocol versions + # This should be supported by all SNI-capable browsers + # You can validate e.g. at + GnuTLSPriorities PFS:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:%SERVER_PRECEDENCE + + GnuTLSOCSPStapling off diff --git a/apache2/mods-available/gnutls.conf.diff b/apache2/mods-available/gnutls.conf.diff index c8561b4..d6504c3 100644 --- a/apache2/mods-available/gnutls.conf.diff +++ b/apache2/mods-available/gnutls.conf.diff @@ -1,24 +1,29 @@ ---- gnutls.conf.orig 2011-07-19 19:02:55.000000000 +0200 -+++ gnutls.conf 2016-04-28 03:27:13.000000000 +0200 -@@ -5,9 +5,21 @@ - # memcached - GnuTLSCache dbm /var/cache/apache2/gnutls_cache +--- gnutls.conf.orig ++++ gnutls.conf +@@ -1,13 +1,19 @@ + -+ # Enable caching (used for ticket expiration even when GnuTLSCache is unused) -+ GnuTLSCacheTimeout 600 -+ - # mod_gnutls can optionaly use a memcached server to store SSL sessions. - # This is useful in a cluster environment, where you want all your servers to - # share a single SSL session cache +- # The default method is to use a DBM backed cache. It's not super fast, but +- # it's portable and doesn't require another server to be running like +- # memcached +- GnuTLSCache dbm /var/cache/apache2/gnutls_cache ++ # Use an SHMCB backed session cache unless you have special needs. ++ # (The dbm backend has known memory leaks and should not be used). ++ GnuTLSCache shmcb:${APACHE_RUN_DIR}/gnutls_cache(65536) + +- # mod_gnutls can optionaly use a memcached server to store SSL sessions. +- # This is useful in a cluster environment, where you want all your servers to +- # share a single SSL session cache ++ # An alternative is to use a memcached server to store SSL sessions. ++ # This is useful in a cluster environment, ++ # where you want all your servers to share a single SSL session cache. #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com" -+ # based on -+ # * only strong EC crypto suites supporting Perfect Forward Secrecy -+ # * supported by all SNI-capable browsers -+ # Options: -+ # * drop %SAFE_RENEGOTIATION for Safari 5.1.9 / OS X 10.6.8 support -+ # * add 3DES-CBS after AES-128-CBC for Android 2.3.7 support on non-SNI hosts -+ # * add CHACHA20-POLY1305 after ECDHE-ECDSA with libgnutls >= 3.4.0 -+ GnuTLSPriorities NONE:+ECDHE-ECDSA:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+AEAD:+SHA384:+SHA256:+SHA1:+CTYPE-X509:+VERS-TLS-ALL:-VERS-SSL3.0:+COMP-NULL:+CURVE-SECP384R1:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA224:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION ++ # Require Perfect Forward Secrecy and recent TLS protocol versions ++ # This should be supported by all SNI-capable browsers ++ # You can validate e.g. at ++ GnuTLSPriorities PFS:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:%SERVER_PRECEDENCE ++ ++ GnuTLSOCSPStapling off + -- cgit v1.2.3