summaryrefslogtreecommitdiff
path: root/apache2/conf.d/local-gnutls.conf
diff options
context:
space:
mode:
Diffstat (limited to 'apache2/conf.d/local-gnutls.conf')
-rw-r--r--apache2/conf.d/local-gnutls.conf11
1 files changed, 10 insertions, 1 deletions
diff --git a/apache2/conf.d/local-gnutls.conf b/apache2/conf.d/local-gnutls.conf
index 9db70dc..d09a06b 100644
--- a/apache2/conf.d/local-gnutls.conf
+++ b/apache2/conf.d/local-gnutls.conf
@@ -1,5 +1,14 @@
GnuTLSEnable on
-GnuTLSPriorities NORMAL
+
+# based on <https://blog.joelj.org/ecdsa-certificates-with-apache-2-4-lets-encrypt/>
+# * only strong EC crypto suites supporting Perfect Forward Secrecy
+# * supported by all SNI-capable browsers
+# Options:
+# * drop %SAFE_RENEGOTIATION for Safari 5.1.9 / OS X 10.6.8 support
+# * add 3DES-CBS after AES-128-CBC for Android 2.3.7 support on non-SNI hosts
+# * add CHACHA20-POLY1305 after ECDHE-ECDSA with libgnutls >= 3.4.0
+GnuTLSPriorities NONE:+ECDHE-ECDSA:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+AEAD:+SHA384:+SHA256:+SHA1:+CTYPE-X509:+VERS-TLS-ALL:-VERS-SSL3.0:+COMP-NULL:+CURVE-SECP384R1:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA224:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION
+
GnuTLSCertificateFile /etc/ssl/certs/apache2+cacert.org.pem
GnuTLSKeyFile /etc/ssl/private/apache2.pem
generated by cgit v1.2.3 (git 2.46.0) at 2025-01-13 20:21:50 +0000