summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJonas Smedegaard <dr@jones.dk>2020-10-17 22:25:08 +0200
committerJonas Smedegaard <dr@jones.dk>2020-10-17 22:25:08 +0200
commit075bb6a63e17bbc6df91b664c78388886a4bddaa (patch)
tree9b0bff53aa47fd64a99ce2c1c44f6a8a625ac87a
parent8d7a538d35781331d38c10393d589e3357cb4500 (diff)
modernize mods snippet gnutls; drop outdated conf.d snippet local-gnutls
-rw-r--r--apache2/conf.d/local-gnutls.conf16
-rw-r--r--apache2/mods-available/gnutls.conf30
-rw-r--r--apache2/mods-available/gnutls.conf.diff43
3 files changed, 36 insertions, 53 deletions
diff --git a/apache2/conf.d/local-gnutls.conf b/apache2/conf.d/local-gnutls.conf
deleted file mode 100644
index d09a06b..0000000
--- a/apache2/conf.d/local-gnutls.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-GnuTLSEnable on
-
-# based on <https://blog.joelj.org/ecdsa-certificates-with-apache-2-4-lets-encrypt/>
-# * only strong EC crypto suites supporting Perfect Forward Secrecy
-# * supported by all SNI-capable browsers
-# Options:
-# * drop %SAFE_RENEGOTIATION for Safari 5.1.9 / OS X 10.6.8 support
-# * add 3DES-CBS after AES-128-CBC for Android 2.3.7 support on non-SNI hosts
-# * add CHACHA20-POLY1305 after ECDHE-ECDSA with libgnutls >= 3.4.0
-GnuTLSPriorities NONE:+ECDHE-ECDSA:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+AEAD:+SHA384:+SHA256:+SHA1:+CTYPE-X509:+VERS-TLS-ALL:-VERS-SSL3.0:+COMP-NULL:+CURVE-SECP384R1:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA224:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION
-
-GnuTLSCertificateFile /etc/ssl/certs/apache2+cacert.org.pem
-GnuTLSKeyFile /etc/ssl/private/apache2.pem
-
-# HSTS: http://www.debian-administration.org/articles/662
-Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
diff --git a/apache2/mods-available/gnutls.conf b/apache2/mods-available/gnutls.conf
index f5cf5f8..3109938 100644
--- a/apache2/mods-available/gnutls.conf
+++ b/apache2/mods-available/gnutls.conf
@@ -1,25 +1,19 @@
<IfModule mod_gnutls.c>
- # The default method is to use a DBM backed cache. It's not super fast, but
- # it's portable and doesn't require another server to be running like
- # memcached
- GnuTLSCache dbm /var/cache/apache2/gnutls_cache
+ # Use an SHMCB backed session cache unless you have special needs.
+ # (The dbm backend has known memory leaks and should not be used).
+ GnuTLSCache shmcb:${APACHE_RUN_DIR}/gnutls_cache(65536)
- # Enable caching (used for ticket expiration even when GnuTLSCache is unused)
- GnuTLSCacheTimeout 600
-
- # mod_gnutls can optionaly use a memcached server to store SSL sessions.
- # This is useful in a cluster environment, where you want all your servers to
- # share a single SSL session cache
+ # An alternative is to use a memcached server to store SSL sessions.
+ # This is useful in a cluster environment,
+ # where you want all your servers to share a single SSL session cache.
#GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
- # based on <https://blog.joelj.org/ecdsa-certificates-with-apache-2-4-lets-encrypt/>
- # * only strong EC crypto suites supporting Perfect Forward Secrecy
- # * supported by all SNI-capable browsers
- # Options:
- # * drop %SAFE_RENEGOTIATION for Safari 5.1.9 / OS X 10.6.8 support
- # * add 3DES-CBS after AES-128-CBC for Android 2.3.7 support on non-SNI hosts
- # * add CHACHA20-POLY1305 after ECDHE-ECDSA with libgnutls >= 3.4.0
- GnuTLSPriorities NONE:+ECDHE-ECDSA:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+AEAD:+SHA384:+SHA256:+SHA1:+CTYPE-X509:+VERS-TLS-ALL:-VERS-SSL3.0:+COMP-NULL:+CURVE-SECP384R1:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA224:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION
+ # Require Perfect Forward Secrecy and recent TLS protocol versions
+ # This should be supported by all SNI-capable browsers
+ # You can validate e.g. at <https://www.ssllabs.com/ssltest/>
+ GnuTLSPriorities PFS:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:%SERVER_PRECEDENCE
+
+ GnuTLSOCSPStapling off
</IfModule>
diff --git a/apache2/mods-available/gnutls.conf.diff b/apache2/mods-available/gnutls.conf.diff
index c8561b4..d6504c3 100644
--- a/apache2/mods-available/gnutls.conf.diff
+++ b/apache2/mods-available/gnutls.conf.diff
@@ -1,24 +1,29 @@
---- gnutls.conf.orig 2011-07-19 19:02:55.000000000 +0200
-+++ gnutls.conf 2016-04-28 03:27:13.000000000 +0200
-@@ -5,9 +5,21 @@
- # memcached
- GnuTLSCache dbm /var/cache/apache2/gnutls_cache
+--- gnutls.conf.orig
++++ gnutls.conf
+@@ -1,13 +1,19 @@
+ <IfModule mod_gnutls.c>
-+ # Enable caching (used for ticket expiration even when GnuTLSCache is unused)
-+ GnuTLSCacheTimeout 600
-+
- # mod_gnutls can optionaly use a memcached server to store SSL sessions.
- # This is useful in a cluster environment, where you want all your servers to
- # share a single SSL session cache
+- # The default method is to use a DBM backed cache. It's not super fast, but
+- # it's portable and doesn't require another server to be running like
+- # memcached
+- GnuTLSCache dbm /var/cache/apache2/gnutls_cache
++ # Use an SHMCB backed session cache unless you have special needs.
++ # (The dbm backend has known memory leaks and should not be used).
++ GnuTLSCache shmcb:${APACHE_RUN_DIR}/gnutls_cache(65536)
+
+- # mod_gnutls can optionaly use a memcached server to store SSL sessions.
+- # This is useful in a cluster environment, where you want all your servers to
+- # share a single SSL session cache
++ # An alternative is to use a memcached server to store SSL sessions.
++ # This is useful in a cluster environment,
++ # where you want all your servers to share a single SSL session cache.
#GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
-+ # based on <https://blog.joelj.org/ecdsa-certificates-with-apache-2-4-lets-encrypt/>
-+ # * only strong EC crypto suites supporting Perfect Forward Secrecy
-+ # * supported by all SNI-capable browsers
-+ # Options:
-+ # * drop %SAFE_RENEGOTIATION for Safari 5.1.9 / OS X 10.6.8 support
-+ # * add 3DES-CBS after AES-128-CBC for Android 2.3.7 support on non-SNI hosts
-+ # * add CHACHA20-POLY1305 after ECDHE-ECDSA with libgnutls >= 3.4.0
-+ GnuTLSPriorities NONE:+ECDHE-ECDSA:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+AEAD:+SHA384:+SHA256:+SHA1:+CTYPE-X509:+VERS-TLS-ALL:-VERS-SSL3.0:+COMP-NULL:+CURVE-SECP384R1:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA224:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION
++ # Require Perfect Forward Secrecy and recent TLS protocol versions
++ # This should be supported by all SNI-capable browsers
++ # You can validate e.g. at <https://www.ssllabs.com/ssltest/>
++ GnuTLSPriorities PFS:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:%SERVER_PRECEDENCE
++
++ GnuTLSOCSPStapling off
+
</IfModule>