mirror of
https://github.com/certbot/certbot.git
synced 2026-04-15 22:20:28 -04:00
b1a8e7175b
Part of #7204. Makes the smaller changes described at https://github.com/certbot/certbot/issues/7204#issuecomment-571838185 to disable many old ciphersuites and TLS versions < 1.2. Does not add checks for OpenSSL version or modify session tickets. Since Apache uses TLS protocol blacklisting instead of whitelisting (as in NGINX), we additionally may not need to determine if the server supports TLS1.3 and turn it on or off based on Apache version. * Update SSL versions and ciphersuites based on Mozilla intermediate recommendations for apache * Update constants with hashes of new config files * Update changelog
19 lines
952 B
Text
19 lines
952 B
Text
# This file contains important security parameters. If you modify this file
|
|
# manually, Certbot will be unable to automatically provide future security
|
|
# updates. Instead, Certbot will print and log an error message with a path to
|
|
# the up-to-date file that you will need to refer to when manually updating
|
|
# this file.
|
|
|
|
SSLEngine on
|
|
|
|
# Intermediate configuration, tweak to your needs
|
|
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
|
|
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
|
SSLHonorCipherOrder off
|
|
SSLCompression off
|
|
|
|
SSLOptions +StrictRequire
|
|
|
|
# Add vhost name to log entries:
|
|
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
|
|
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
|