Diffstat (limited to 'apache2/mods-available/ssl.conf.diff')
-rw-r--r-- | apache2/mods-available/ssl.conf.diff | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/apache2/mods-available/ssl.conf.diff b/apache2/mods-available/ssl.conf.diff
new file mode 100644
index 0000000..ec349f3
--- /dev/null
+++ b/apache2/mods-available/ssl.conf.diff
@@ -0,0 +1,38 @@
+--- ssl.conf.orig
++++ ssl.conf
+@@ -56,7 +56,8 @@
+ # ciphers(1) man page from the openssl package for list of all available
+ # options.
+ # Enable only secure ciphers:
+- SSLCipherSuite HIGH:!aNULL
++ # More info: <https://scotthelme.co.uk/https-cheat-sheet/>
++ SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+ 
+ # SSL server cipher order preference:
+ # Use server priorities for cipher algorithm choice.
+@@ -65,12 +66,12 @@
+ # the CPU cost, and did not override SSLCipherSuite in a way that puts
+ # insecure ciphers first.
+ # Default: Off
+- #SSLHonorCipherOrder on
++ SSLHonorCipherOrder on
+ 
+ # The protocols to enable.
+- # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
++ # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
+ # SSL v2 is no longer supported
+- SSLProtocol all -SSLv3
++ SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+ 
+ # Allow insecure renegotiation with clients which do not yet support the
+ # secure renegotiation protocol. Default: Off
+@@ -80,6 +81,9 @@
+ # Default: Off
+ #SSLStrictSNIVHostCheck On
+ 
++ SSLUseStapling On
++ SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"
++ 
+ </IfModule>
+ 
+ # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
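Review bot: `SSLUseStapling On` is added in the third inner hunk without `SSLStaplingReturnResponderErrors off`; with Apache's default of On, an OCSP responder outage or error is stapled to clients as a responder error, so a CA-side failure can make every handshake fail instead of falling back to an unstapled response. The `shmcb:` cache also requires mod_socache_shmcb to be loaded, which this patch does not enable (presumably handled elsewhere in the configuration — verify). Separately, the new `SSLCipherSuite` line governs TLS 1.2 and earlier only; on Apache builds that speak TLS 1.3 (which the updated comment now lists), TLS 1.3 suites are set through the separate `SSLCipherSuite TLSv1.3 ...` form, so a reader should not assume this list constrains them. I would add `SSLStaplingReturnResponderErrors off` directly below `SSLUseStapling On`, and a comment `# Applies to TLS <= 1.2 only; TLS 1.3 suites are configured via "SSLCipherSuite TLSv1.3 ..."` above the cipher line.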