Improved crypto suites.

author: Jonas Smedegaard <dr@jones.dk> 2016-04-28 03:22:35 +0200
committer: Jonas Smedegaard <dr@jones.dk> 2016-04-28 03:22:35 +0200
commit: 565a8369df3586cc780c5ade5a9fe9b34f972bcd (patch)
tree: f21ba2867cf24817d2243dd0b9ffbd1ed1a7f553 /apache2/conf.d
parent: 6a7c5b32260b1ef2a491bcfcfb51db8c1ee20714 (diff)
1 files changed, 10 insertions, 1 deletions
diff --git a/apache2/conf.d/local-gnutls.conf b/apache2/conf.d/local-gnutls.conf
index 9db70dc..d09a06b 100644
--- a/apache2/conf.d/local-gnutls.conf
+++ b/apache2/conf.d/local-gnutls.conf
@@ -1,5 +1,14 @@
 GnuTLSEnable on
-GnuTLSPriorities NORMAL
+
+# based on <https://blog.joelj.org/ecdsa-certificates-with-apache-2-4-lets-encrypt/>
+#  * only strong EC crypto suites supporting Perfect Forward Secrecy
+#  * supported by all SNI-capable browsers
+# Options:
+#  * drop %SAFE_RENEGOTIATION for Safari 5.1.9 / OS X 10.6.8 support
+#  * add 3DES-CBS after AES-128-CBC for Android 2.3.7 support on non-SNI hosts
+#  * add CHACHA20-POLY1305 after ECDHE-ECDSA with libgnutls >= 3.4.0
+GnuTLSPriorities NONE:+ECDHE-ECDSA:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+AEAD:+SHA384:+SHA256:+SHA1:+CTYPE-X509:+VERS-TLS-ALL:-VERS-SSL3.0:+COMP-NULL:+CURVE-SECP384R1:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA224:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION
+
 GnuTLSCertificateFile /etc/ssl/certs/apache2+cacert.org.pem
 GnuTLSKeyFile /etc/ssl/private/apache2.pem
author	Jonas Smedegaard <dr@jones.dk>	2016-04-28 03:22:35 +0200
committer	Jonas Smedegaard <dr@jones.dk>	2016-04-28 03:22:35 +0200
commit	565a8369df3586cc780c5ade5a9fe9b34f972bcd (patch)
tree	f21ba2867cf24817d2243dd0b9ffbd1ed1a7f553 /apache2/conf.d
parent	6a7c5b32260b1ef2a491bcfcfb51db8c1ee20714 (diff)