mirror of
https://github.com/freedombox/FreedomBox.git
synced 2026-01-21 07:55:00 +00:00
- TLS configuration as recommended by Mozilla's SSL Configuration Generator with 'Intermediate' configuration. See: https://wiki.mozilla.org/Security/Server_Side_TLS
- Disable ciphers that are weak or without forward secrecy.
- Allow client to choose ciphers as they will know best if they have support for hardware-accelerated AES.
- TLS session tickets (RFC 5077) require restarting web server with an appropriate frequency. See: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslsessiontickets
- Send OCSP responses to the client and reduce their round trips.
- No need to increment apache app version number as it has already been incremented in this release cycle for enabling HTTP/2 module.

Tests:
- FreedomBox interface is reachable with the changes.
- ssllabs.com gives an A+ rating on a server with these changes.
- All ciphers are shown as secure.
- Forward Secrecy rating is ROBUST.
- OCSP stapling shows as enabled.
- Client support seems to match the expected after dropping <= TLS1.1.
- Session resumption with tickets shows as disabled.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
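The commit message above describes the intent of the change but the mirror page does not show the diff itself. The following Apache mod_ssl fragment is an added illustration, not FreedomBox's own configuration, of what each bullet maps to in practice: a legacy block with the settings the commit removes, and a hardened block matching the Mozilla 'Intermediate' profile as the commit describes it. The cipher list is the one Mozilla publishes for that profile; the cache path and size in `SSLStaplingCache` are assumptions and should follow the distribution's layout.

```apache
# --- Legacy settings the commit moves away from (shown for contrast) ---
# SSLProtocol all -SSLv3                 # still allows TLS 1.0 / 1.1
# SSLCipherSuite HIGH:!aNULL:!MD5        # includes non-forward-secret RSA key exchange
# SSLHonorCipherOrder on                 # server dictates order; client cannot prefer
#                                        # ChaCha20 when it lacks AES acceleration
# SSLSessionTickets on                   # ticket key lives in httpd memory until restart
# (no SSLUseStapling)                    # client must contact the OCSP responder itself

# --- Hardened settings as described in the commit message ---
# SSLStaplingCache must be declared at server scope, outside any <VirtualHost>.
SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"   # path/size assumed

<VirtualHost *:443>
    SSLEngine on

    # Drop everything below TLS 1.2 (matches "dropping <= TLS1.1").
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Only AEAD suites with ephemeral (EC)DHE key exchange: forward secrecy
    # for every suite, nothing weak left to negotiate.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

    # Let the client pick: a phone without AES-NI will prefer ChaCha20-Poly1305.
    SSLHonorCipherOrder off

    # RFC 5077 tickets are encrypted with a key that only rotates on restart;
    # without scheduled restarts they weaken forward secrecy, so disable them.
    SSLSessionTickets off

    # Staple the OCSP response into the handshake so the client does not need
    # a separate round trip to the CA's responder.
    SSLUseStapling on

    SSLCertificateFile    /etc/ssl/certs/example.crt      # placeholder paths
    SSLCertificateKeyFile /etc/ssl/private/example.key
</VirtualHost>
```

To confirm the result on a running server, `openssl s_client -connect HOST:443 -status` prints an "OCSP Response Status: successful" section when stapling works, and `openssl s_client -connect HOST:443 -tls1_1` should fail the handshake once TLS 1.1 is disabled; the ssllabs.com report the commit refers to checks the same properties from the outside.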