FreedomBox/data/etc/apache2/conf-available/freedombox-tls-site-macro.conf
Joseph Nuthalapati 956b17da06
apache: Drop support for SSLv3, TLSv1 and TLSv1.1
- As recommended by Mozilla SSL Configuration Generator for 'intermediate'
compatibility configuration: https://ssl-config.mozilla.org/

- As recommended by IETF RFC 7525:
https://datatracker.ietf.org/doc/html/rfc7525#section-3.1.1

- As recommended by NIST: Guidelines for the Selection, Configuration, and Use
of Transport Layer Security (TLS) Implementations:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf

- The following are now the client version requirements for FreedomBox web
interface: Firefox: 27, Android: 4.4.2, Chrome: 31, Edge: 12, IE: 11 (Win7),
Java: 8u31, OpenSSL: 1.0.1, Opera: 20, Safari: 9

Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
[sunil: Drop SSLv2, it is not valid anymore as per Apache manual]
[sunil: More detailed commit message and comments]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2021-09-01 18:11:20 -07:00

<Macro FreedomBoxTLSSiteMacro $domain>
    # mod_gnutls default options. See /etc/apache2/sites-available/default-tls.conf
    <IfModule mod_gnutls.c>
        <VirtualHost _default_:443>
            ServerAdmin webmaster@localhost
            ServerName $domain
            DocumentRoot /var/www/html

            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

            GnuTLSEnable On
            # Automatically obtained certificates from Let's Encrypt
            GnuTLSCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem
            GnuTLSKeyFile /etc/letsencrypt/live/$domain/privkey.pem
            # See http://www.outoforder.cc/projects/httpd/mod_gnutls/docs/#GnuTLSPriorities
            GnuTLSPriorities NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
        </VirtualHost>
    </IfModule>

    # mod_ssl default options. See /etc/apache2/sites-available/default-ssl.conf
    <IfModule mod_ssl.c>
        <VirtualHost _default_:443>
            ServerAdmin webmaster@localhost
            ServerName $domain
            DocumentRoot /var/www/html

            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined

            SSLEngine on
            # Disable TLS1.1 and below. Client support: Firefox: 27, Android:
            # 4.4.2, Chrome: 31, Edge: 12, IE: 11 (Win7), Java: 8u31, OpenSSL:
            # 1.0.1, Opera: 20, Safari: 9. See:
            # https://wiki.mozilla.org/Security/Server_Side_TLS
            SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

            # Automatically obtained certificates from Let's Encrypt
            SSLCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem
            SSLCertificateKeyFile /etc/letsencrypt/live/$domain/privkey.pem

            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
            </Directory>
        </VirtualHost>
    </IfModule>
</Macro>
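As an added example (not part of the FreedomBox commit), a small Python audit that evaluates the two version-restricting directives in this macro, mod_ssl's `SSLProtocol` and mod_gnutls's `GnuTLSPriorities`, into the set of protocol versions each leaves enabled and flags anything below TLS 1.2. The version list, the constructed `SAMPLE` fragment and the assumption that `all` and the `NORMAL` base keyword enable every listed version are mine; the real set depends on the OpenSSL or GnuTLS build.

```python
import re
# Version names in mod_ssl spelling, oldest first. Assumption: "all" and the
# GnuTLS base keyword (NORMAL, ...) enable every entry; the real set depends
# on the OpenSSL/GnuTLS build (TLSv1.3 needs OpenSSL >= 1.1.1).
VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
GNUTLS_NAMES = {"SSL3.0": "SSLv3", "TLS1.0": "TLSv1", "TLS1.1": "TLSv1.1",
                "TLS1.2": "TLSv1.2", "TLS1.3": "TLSv1.3"}

def ssl_protocol_versions(value):
    # Tokens are 'all' or a version name, optionally prefixed '+'/'-'; left to right.
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(VERSIONS) if name.lower() == "all" else {name}
        enabled = enabled | names if op == "+" else enabled - names
    return enabled

def gnutls_priority_versions(value):
    # Only VERS-* items change the version set; cipher/MAC/curve items are skipped.
    enabled = set(VERSIONS)
    for item in value.split(":")[1:]:
        m = re.fullmatch(r"([+-])VERS-(ALL|[A-Z]+[0-9.]+)", item)
        if not m or (m.group(2) != "ALL" and m.group(2) not in GNUTLS_NAMES):
            continue
        names = set(VERSIONS) if m.group(2) == "ALL" else {GNUTLS_NAMES[m.group(2)]}
        enabled = enabled | names if m.group(1) == "+" else enabled - names
    return enabled

def audit_config(text):
    # Return (directive, value, legacy versions still enabled) per TLS-version line.
    findings = []
    for line in text.splitlines():
        directive, _, value = line.strip().partition(" ")
        if directive == "SSLProtocol":
            enabled = ssl_protocol_versions(value)
        elif directive == "GnuTLSPriorities":
            enabled = gnutls_priority_versions(value)
        else:
            continue
        findings.append((directive, value, sorted(enabled & LEGACY, key=VERSIONS.index)))
    return findings

# Constructed sample: the macro's two hardened directives plus one weaker line.
SAMPLE = """\
GnuTLSPriorities NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol all -SSLv3
"""
```

Running `audit_config` over the macro's own directives returns an empty legacy list for both, while the weaker `SSLProtocol all -SSLv3` line reports TLSv1 and TLSv1.1 still enabled.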