diff --git a/data/etc/apache2/conf-available/freedombox-tls-site-macro.conf b/data/etc/apache2/conf-available/freedombox-tls-site-macro.conf index 8d5549b34..168dec448 100644 --- a/data/etc/apache2/conf-available/freedombox-tls-site-macro.conf +++ b/data/etc/apache2/conf-available/freedombox-tls-site-macro.conf @@ -1,6 +1,6 @@ - # mod_gnutls default options. See /etc/apache2/site-available/default-tls.conf + # mod_gnutls default options. See /etc/apache2/sites-available/default-tls.conf ServerAdmin webmaster@localhost @@ -11,15 +11,16 @@ CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined GnuTLSEnable On + # Automatically obtained certificates from Let's Encrypt GnuTLSCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem GnuTLSKeyFile /etc/letsencrypt/live/$domain/privkey.pem - # See http://www.outoforder.cc/projects/apache/mod_gnutls/docs/#GnuTLSPriorities - GnuTLSPriorities NORMAL + # See http://www.outoforder.cc/projects/httpd/mod_gnutls/docs/#GnuTLSPriorities + GnuTLSPriorities NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1 - # mod_ssl default options. See /etc/apache2/site-available/default-ssl.conf + # mod_ssl default options. See /etc/apache2/sites-available/default-ssl.conf ServerAdmin webmaster@localhost @@ -30,6 +31,13 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine on + + # Disable TLS1.1 and below. Client support: Firefox: 27, Android: + # 4.4.2, Chrome: 31, Edge: 12, IE: 11 (Win7), Java: 8u31, OpenSSL: + # 1.0.1, Opera: 20, Safari: 9. See: + # https://wiki.mozilla.org/Security/Server_Side_TLS + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + # Automatically obtained certificates from Let's Encrypt SSLCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/$domain/privkey.pem