From 956b17da062715990024684be6c969c4e40d21c7 Mon Sep 17 00:00:00 2001 From: Joseph Nuthalapati Date: Sat, 10 Jul 2021 10:12:48 +0530 Subject: [PATCH] apache: Drop support for SSLv3, TLSv1 and TLSv1.1 - As recommended by Mozilla SSL Configuration Generator for 'intermediate' compatibility configuration: https://ssl-config.mozilla.org/ - As recommended by IETF RFC 7525: https://datatracker.ietf.org/doc/html/rfc7525#section-3.1.1 - As recommended by NIST: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf - The following are now the client version requirements for FreedomBox web interface: Firefox: 27, Android: 4.4.2, Chrome: 31, Edge: 12, IE: 11 (Win7), Java: 8u31, OpenSSL: 1.0.1, Opera: 20, Safari: 9 Signed-off-by: Joseph Nuthalapati [sunil: Drop SSLv2, it is not valid anymore as per Apache manual] [sunil: More detailed commit message and comments] Signed-off-by: Sunil Mohan Adapa Reviewed-by: Sunil Mohan Adapa --- .../freedombox-tls-site-macro.conf | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/data/etc/apache2/conf-available/freedombox-tls-site-macro.conf b/data/etc/apache2/conf-available/freedombox-tls-site-macro.conf index 8d5549b34..168dec448 100644 --- a/data/etc/apache2/conf-available/freedombox-tls-site-macro.conf +++ b/data/etc/apache2/conf-available/freedombox-tls-site-macro.conf @@ -1,6 +1,6 @@ - # mod_gnutls default options. See /etc/apache2/site-available/default-tls.conf + # mod_gnutls default options. See /etc/apache2/sites-available/default-tls.conf ServerAdmin webmaster@localhost 
@@ -11,15 +11,16 @@ CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined GnuTLSEnable On + # Automatically obtained certificates from Let's Encrypt GnuTLSCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem GnuTLSKeyFile /etc/letsencrypt/live/$domain/privkey.pem - # See http://www.outoforder.cc/projects/apache/mod_gnutls/docs/#GnuTLSPriorities - GnuTLSPriorities NORMAL + # See http://www.outoforder.cc/projects/httpd/mod_gnutls/docs/#GnuTLSPriorities + GnuTLSPriorities NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1 - # mod_ssl default options. See /etc/apache2/site-available/default-ssl.conf + # mod_ssl default options. See /etc/apache2/sites-available/default-ssl.conf ServerAdmin webmaster@localhost @@ -30,6 +31,13 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine on + + # Disable TLS1.1 and below. Client support: Firefox: 27, Android: + # 4.4.2, Chrome: 31, Edge: 12, IE: 11 (Win7), Java: 8u31, OpenSSL: + # 1.0.1, Opera: 20, Safari: 9. See: + # https://wiki.mozilla.org/Security/Server_Side_TLS + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + # Automatically obtained certificates from Let's Encrypt SSLCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/$domain/privkey.pem
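Review bot: The new `GnuTLSPriorities NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1` line carries no rationale comment, whereas the parallel mod_ssl change documents why TLS 1.1 and below are dropped and which client versions remain supported; the mod_gnutls section should say the same, e.g. `# Disable TLS 1.1 and below. Client support is the same as for SSLProtocol in the mod_ssl section below.` placed above the directive. The commit message cites the Mozilla "intermediate" profile, but removing three protocol versions from `NORMAL` only restricts versions: to my knowledge GnuTLS's NORMAL set still admits RSA key exchange (no forward secrecy) and CBC/SHA-1 suites under TLS 1.2 that the intermediate profile excludes, so if full alignment is the goal the priority string (or the Debian system-wide policy via `@SYSTEM`) would need tightening as well — worth checking with `gnutls-cli -l --priority '<string>'`. The outoforder.cc documentation URL the comment now points at appears to be the historical mod_gnutls site (the project has since moved to mod.gnutls.org, if I recall correctly), so it is worth confirming the link still resolves before shipping it in a comment. The mod_gnutls VirtualHost block this hunk edits starts and ends outside the hunk.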