- --- ssl.conf.orig
- +++ ssl.conf
- @@ -56,7 +56,8 @@
- # ciphers(1) man page from the openssl package for list of all available
- # options.
- # Enable only secure ciphers:
- - SSLCipherSuite HIGH:!aNULL
- + # More info: <https://scotthelme.co.uk/https-cheat-sheet/>
- + SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-
- # SSL server cipher order preference:
- # Use server priorities for cipher algorithm choice.
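Review bot: The new `SSLCipherSuite` value is not AEAD-only, because the `AES256+EECDH` and `AES256+EDH` terms also match the CBC-mode AES-256 suites, and the string has no ChaCha20-Poly1305 entry. If GCM-only was the intent, drop the last two terms and consider adding `EECDH+CHACHA20`; if the CBC suites are a deliberate fallback for older TLS 1.2 clients, say so in a comment. The explicit `!aNULL` from the old value is gone too; the EECDH/EDH aliases are documented as authenticated key exchange, but appending `:!aNULL:!eNULL` keeps that guarantee visible at no cost. On builds with TLS 1.3 support those suites are set through the separate `SSLCipherSuite TLSv1.3 ...` form, so a comment such as `# TLS 1.2 suites only; TLS 1.3 suites are configured separately` would prevent a wrong assumption.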
- @@ -65,12 +66,12 @@
- # the CPU cost, and did not override SSLCipherSuite in a way that puts
- # insecure ciphers first.
- # Default: Off
- - #SSLHonorCipherOrder on
- + SSLHonorCipherOrder on
-
- # The protocols to enable.
- - # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
- + # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
- # SSL v2 is no longer supported
- - SSLProtocol all -SSLv3
- + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-
- # Allow insecure renegotiation with clients which do not yet support the
- # secure renegotiation protocol. Default: Off
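Review bot: `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` is a deny-list, so what stays enabled depends on what `all` means in the linked OpenSSL build, and nothing in the surrounding comments says why TLS 1.0/1.1 were dropped. I would add a comment above it, e.g. `# TLS 1.0 and 1.1 are deprecated (RFC 8996); only TLS 1.2 and later remain enabled`. It is also worth checking that no vhost file sets its own `SSLProtocol` or `SSLCipherSuite`, since a per-vhost value would override this module-level default. With `SSLHonorCipherOrder on` now active, the order of the terms in `SSLCipherSuite` becomes the server's preference, so that list should be ordered deliberately.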
- @@ -80,6 +81,9 @@
- # Default: Off
- #SSLStrictSNIVHostCheck On
-
- + SSLUseStapling On
- + SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"
- +
- </IfModule>
-
- # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
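Review bot: The two stapling directives are added without the explanatory comment block that every other directive in this file carries, and without any handling for an unreachable OCSP responder. I would add a short comment (what stapling does, that `SSLStaplingCache` must stay at server level, and that the host needs outbound access to the CA's responder) and bound the failure case with `SSLStaplingResponderTimeout 5` and `SSLStaplingReturnResponderErrors off`, so a responder outage is not passed on to clients as a stapled error. The cache size `32768` is also unexplained; a comment giving the unit (bytes) would help whoever tunes it later. The enclosing `<IfModule>` block starts outside the hunk.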