apache: Drop support for SSLv3, TLSv1 and TLSv1.1

- As recommended by Mozilla SSL Configuration Generator for 'intermediate' compatibility configuration: https://ssl-config.mozilla.org/ - As recommended by IETF RFC 7525: https://datatracker.ietf.org/doc/html/rfc7525#section-3.1.1 - As recommended by NIST: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf - The following are now the client version requirements for FreedomBox web interface: Firefox: 27, Android: 4.4.2, Chrome: 31, Edge: 12, IE: 11 (Win7), Java: 8u31, OpenSSL: 1.0.1, Opera: 20, Safari: 9 Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net> [sunil: Drop SSLv2, it is not valid anymore as per Apache manual] [sunil: More detailed commit message and comments] Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-06-03 10:50:20 +00:00 · 2021-07-10 10:12:48 +05:30 · 2021-07-10 10:12:48 +05:30 · 956b17da06
commit 956b17da06
parent 4109d087bf
1 changed files with 12 additions and 4 deletions
--- a/data/etc/apache2/conf-available/freedombox-tls-site-macro.conf
+++ b/data/etc/apache2/conf-available/freedombox-tls-site-macro.conf
@ -1,6 +1,6 @@
 <Macro FreedomBoxTLSSiteMacro $domain>

-    # mod_gnutls default options. See /etc/apache2/site-available/default-tls.conf
+    # mod_gnutls default options. See /etc/apache2/sites-available/default-tls.conf
    <IfModule mod_gnutls.c>
        <VirtualHost _default_:443>
            ServerAdmin webmaster@localhost
@ -11,15 +11,16 @@
            CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

            GnuTLSEnable On
+
            # Automatically obtained certificates from Let's Encrypt
            GnuTLSCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem
            GnuTLSKeyFile /etc/letsencrypt/live/$domain/privkey.pem
-            # See http://www.outoforder.cc/projects/apache/mod_gnutls/docs/#GnuTLSPriorities
-            GnuTLSPriorities NORMAL
+            # See http://www.outoforder.cc/projects/httpd/mod_gnutls/docs/#GnuTLSPriorities
+            GnuTLSPriorities NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
        </VirtualHost>
    </IfModule>

-    # mod_ssl default options. See /etc/apache2/site-available/default-ssl.conf
+    # mod_ssl default options. See /etc/apache2/sites-available/default-ssl.conf
    <IfModule mod_ssl.c>
        <VirtualHost _default_:443>
            ServerAdmin webmaster@localhost
@ -30,6 +31,13 @@
            CustomLog ${APACHE_LOG_DIR}/access.log combined

            SSLEngine on
+
+            # Disable TLS1.1 and below. Client support: Firefox: 27, Android:
+            # 4.4.2, Chrome: 31, Edge: 12, IE: 11 (Win7), Java: 8u31, OpenSSL:
+            # 1.0.1, Opera: 20, Safari: 9. See:
+            # https://wiki.mozilla.org/Security/Server_Side_TLS
+            SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+
            # Automatically obtained certificates from Let's Encrypt
            SSLCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem
            SSLCertificateKeyFile /etc/letsencrypt/live/$domain/privkey.pem