
Commit 473f061

committed
Updating SSL options at ispconfig vhost based on the mozilla ssl configuration generator
https://mozilla.github.io/server-side-tls/ssl-config-generator/
1 parent 6e0b35c commit 473f061


1 file changed

+17
-7
lines changed


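--- a/install/tpl/apache_ispconfig.vhost.master
+++ b/install/tpl/apache_ispconfig.vhost.master
@@ -62,26 +62,36 @@ NameVirtualHost *:<tmpl_var name="vhost_port">
 
 # SSL Configuration
 <tmpl_var name="ssl_comment">SSLEngine On
+<tmpl_if name='apache_version' op='>=' value='2.3.16' format='version'>
+<tmpl_var name="ssl_comment">SSLProtocol All -SSLv3
+<tmpl_else>
 <tmpl_var name="ssl_comment">SSLProtocol All -SSLv2 -SSLv3
+</tmpl_if>
 <tmpl_var name="ssl_comment">SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
 <tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
 <tmpl_var name="ssl_bundle_comment">SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
 
-<tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
+<tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 <tmpl_var name="ssl_comment">SSLHonorCipherOrder On
+<tmpl_if name='apache_version' op='>=' value='2.4.3' format='version'>
+<tmpl_var name="ssl_comment">SSLCompression Off
+</tmpl_if>
+<tmpl_if name='apache_version' op='>=' value='2.4.11' format='version'>
+<tmpl_var name="ssl_comment">SSLSessionTickets Off
+</tmpl_if>
 
 <IfModule mod_headers.c>
 Header always add Strict-Transport-Security "max-age=15768000"
 </IfModule>
 
-<tmpl_if name='apache_version' op='>=' value='1.4' format='version'>
-<tmpl_var name="ssl_comment">SSLUseStapling on
-<tmpl_var name="ssl_comment">SSLStaplingResponderTimeout 5
-<tmpl_var name="ssl_comment">SSLStaplingReturnResponderErrors off
-</tmpl_if>
+<tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>
+<tmpl_var name="ssl_comment">SSLUseStapling On
+<tmpl_var name="ssl_comment">SSLStaplingResponderTimeout 5
+<tmpl_var name="ssl_comment">SSLStaplingReturnResponderErrors Off
+</tmpl_if>
 </VirtualHost>
 
-<tmpl_if name='apache_version' op='>=' value='2.4' format='version'>
+<tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'>
 <IfModule mod_ssl.c>
 <tmpl_var name="ssl_comment">SSLStaplingCache shmcb:/var/run/ocsp(128000)
 </IfModule>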
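Review bot: The `SSLCompression Off` and `SSLSessionTickets Off` guards only match the 2.4 line (`>= 2.4.3` and `>= 2.4.11`), so an Apache 2.2 install, which takes the `<tmpl_else>` branch of the `SSLProtocol` check, gets neither directive. As far as I recall, late 2.2 releases also carry both directives (please confirm the exact versions against the 2.2 mod_ssl documentation), and where TLS compression still defaults to on the vhost stays exposed to CRIME-style compression side channels. If 2.2 is still a supported target, a second guard for that range would close the gap; otherwise a template comment such as `# SSLCompression/SSLSessionTickets are only emitted for Apache 2.4.x; set them by hand on 2.2` would make the limitation visible. The guards also test `apache_version` only, while these directives and the stapling ones depend on the linked OpenSSL build as well, which is worth noting in the same comment.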
