From 565a8369df3586cc780c5ade5a9fe9b34f972bcd Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Thu, 28 Apr 2016 03:22:35 +0200
Subject: Improved crypto suites.

---
 apache2/conf.d/local-gnutls.conf | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/apache2/conf.d/local-gnutls.conf b/apache2/conf.d/local-gnutls.conf
index 9db70dc..d09a06b 100644
--- a/apache2/conf.d/local-gnutls.conf
+++ b/apache2/conf.d/local-gnutls.conf
@@ -1,5 +1,14 @@
 GnuTLSEnable on
-GnuTLSPriorities NORMAL
+
+# based on
+# * only strong EC crypto suites supporting Perfect Forward Secrecy
+# * supported by all SNI-capable browsers
+# Options:
+# * drop %SAFE_RENEGOTIATION for Safari 5.1.9 / OS X 10.6.8 support
+# * add 3DES-CBS after AES-128-CBC for Android 2.3.7 support on non-SNI hosts
+# * add CHACHA20-POLY1305 after ECDHE-ECDSA with libgnutls >= 3.4.0
+GnuTLSPriorities NONE:+ECDHE-ECDSA:+AES-256-GCM:+AES-128-GCM:+AES-256-CBC:+AES-128-CBC:+AEAD:+SHA384:+SHA256:+SHA1:+CTYPE-X509:+VERS-TLS-ALL:-VERS-SSL3.0:+COMP-NULL:+CURVE-SECP384R1:+SIGN-ECDSA-SHA512:+SIGN-ECDSA-SHA384:+SIGN-ECDSA-SHA256:+SIGN-ECDSA-SHA224:%SERVER_PRECEDENCE:%SAFE_RENEGOTIATION
+
 GnuTLSCertificateFile /etc/ssl/certs/apache2+cacert.org.pem
 GnuTLSKeyFile /etc/ssl/private/apache2.pem
-- 
cgit v1.2.3
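Review bot: The added comment block in local-gnutls.conf opens with `# based on` but names no source, so the rationale for this exact priority string cannot be checked or refreshed later; add the reference the line was meant to carry (e.g. `# based on: <URL or document title>`) or drop the dangling phrase. The same block says "only strong EC crypto suites", yet the string keeps `+AES-256-CBC:+AES-128-CBC` together with `+SHA1`, which admits non-AEAD CBC/HMAC-SHA1 suites as fallbacks; the comment should say so plainly, e.g. `# * CBC+SHA1 suites kept as fallback for clients without AEAD support`, so a later reader does not assume the list is AEAD-only. "3DES-CBS" in the Android note is presumably a typo for `3DES-CBC` and should be corrected before someone copies the wrong token into the priority string. Since `+CURVE-SECP384R1` is the only curve and `+SIGN-ECDSA-*` the only signature algorithms, a short note that this requires the certificate in GnuTLSCertificateFile to be ECDSA (with a P-384 key, if that is intended) would save the next maintainer a failed handshake.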