Improved crypto suites.

1 files changed, 10 insertions, 1 deletions

diff --git a/apache2/conf.d/local-gnutls.conf b/apache2/conf.d/local-gnutls.conf
index 9db70dc..d09a06b 100644
--- a/apache2/conf.d/local-gnutls.conf
+++ b/apache2/conf.d/local-gnutls.conf
@@ -1,5 +1,14 @@
 GnuTLSEnable on
-GnuTLSPriorities NORMAL
+
+# based on <https://blog.joelj.org/ecdsa-certificates-with-apache-2-4-lets-encrypt/>
+#  * only strong EC crypto suites supporting Perfect Forward Secrecy
+#  * supported by all SNI-capable browsers
+# Options:
+#  * drop %SAFE_RENEGOTIATION for Safari 5.1.9 / OS X 10.6.8 support
+#  * add 3DES-CBS after AES-128-CBC for Android 2.3.7 support on non-SNI hosts
+#  * add CHACHA20-POLY1305 after ECDHE-ECDSA with libgnutls >= 3.4.0
+GnuTLSPriorities NONE:+ECDHE-ECDSA:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+AEAD:+SHA384:+SHA256:+SHA1:+CTYPE-X509:+VERS-TLS-ALL:-VERS-SSL3.0:+COMP-NULL:+CURVE-SECP384R1:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA224:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION
+
 GnuTLSCertificateFile /etc/ssl/certs/apache2+cacert.org.pem
 GnuTLSKeyFile /etc/ssl/private/apache2.pem