authorMichael Elkins <melkins@tislabs.com>2015-03-06 18:43:44 +0000
committerMichael Elkins <melkins@tislabs.com>2015-03-06 18:43:44 +0000
commit4863f49519d890caa08cc4fb5bd06001efc35e07 (patch)
tree02f1c31ca9f788dc6c6f1fd178b4c4909e144388
parentfa7a26ddb52cfda84823194d5c031e9e9c15f7d7 (diff)
tighten up default TLS settings in apache.conf to exclude weak ciphers
svn path=/trunk/; revision=6068
-rwxr-xr-xca/rpkigui-apache-conf-gen20
1 files changed, 20 insertions, 0 deletions
diff --git a/ca/rpkigui-apache-conf-gen b/ca/rpkigui-apache-conf-gen
index 27fa3e93..6f71c7b1 100755
--- a/ca/rpkigui-apache-conf-gen
+++ b/ca/rpkigui-apache-conf-gen
@@ -114,6 +114,26 @@ vhost_template = """\
SSLCertificateKeyFile %(sysconfdir)s/rpki/apache.key
#
+ # Recommended settings based on
+ # https://wiki.mozilla.org/Security/Server_Side_TLS
+ # (Currently using the Intermediate cipher suite)
+ #
+ SSLProtocol all -SSLv2 -SSLv3
+ SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+ SSLHonorCipherOrder on
+ SSLCompression off
+
+ # OCSP Stapling, only in httpd 2.3.3 and later
+ #SSLUseStapling on
+ #SSLStaplingResponderTimeout 5
+ #SSLStaplingReturnResponderErrors off
+ # On Apache 2.4+, SSLStaplingCache must be set *outside* of the VirtualHost
+ #SSLStaplingCache shmcb:/var/run/ocsp(128000)
+
+ # Enable this if your want HSTS (recommended)
+ # Header add Strict-Transport-Security "max-age=15768000"
+
+ #
# Take pity on users running Internet Exploder
#
BrowserMatch "MSIE [2-6]" ssl-unclean-shutdown nokeepalive downgrade-1.0 force-response-1.0
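Review bot: The new `SSLCipherSuite` value is a verbatim snapshot of the Mozilla Intermediate list, and nothing in the hunk records when it was taken or what it deliberately keeps: `!DES` removes only single-DES suites while `DES-CBC3-SHA` (3DES) is explicitly retained, and `SSLProtocol all -SSLv2 -SSLv3` still admits TLS 1.0 and 1.1, both for legacy-client compatibility. A maintainer reading `!DES` could conclude that 3DES is excluded. I would extend the comment block above `SSLProtocol` with `# Snapshot taken 2015-03; 3DES (DES-CBC3-SHA) and TLS 1.0/1.1 are kept deliberately for old clients -- re-check against the Mozilla page before updating this list`. The OCSP stapling and HSTS directives are emitted commented out with no way for the generator to turn them on; if the script knows the target httpd version (not visible in this hunk), emitting `SSLUseStapling` and the `Strict-Transport-Security` header conditionally would be preferable to asking operators to hand-edit generated output. The `vhost_template` string starts before this hunk, and the HSTS comment `# Enable this if your want HSTS` should read `you want`.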