Do better at SSL/TLS with only strong ciphers
[invirt/packages/invirt-web.git] / files / etc / apache2 / sites-available / ssl.mako
index 526f52f..6b7e414 100644 (file)
@@ -42,12 +42,15 @@ ${caller.body()}
        SSLEngine on
 
        SSLCertificateFile ssl/server.crt
+       SSLCertificateChainFile ssl/server.crt
        SSLCertificateKeyFile ssl/server.key
        
        SSLCACertificateFile /etc/ssl/certs/mitCAclient.pem
        SSLVerifyDepth 10
 
        SSLOptions +StdEnvVars
+        SSLProtocol all -SSLv2
+        SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
        
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 
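Review bot: The `SSLCipherSuite` line added here (and again in the second hunk) puts RC4-SHA and AES128-SHA first but then admits `ALL`, so it is a preference list rather than a strong-only allowlist. That order only binds clients when `SSLHonorCipherOrder on` is set, which neither hunk shows. `!ADH` excludes anonymous DH only; `!aNULL` also covers anonymous ECDH suites where the OpenSSL build offers them. `SSLProtocol all -SSLv2` leaves SSLv3 enabled, and RC4 has since been prohibited for TLS by RFC 7465, so on a current deployment I would write `SSLProtocol all -SSLv2 -SSLv3`, add `SSLHonorCipherOrder on`, and end the cipher string with `!aNULL:!eNULL:!RC4` instead of leading with RC4-SHA. The enclosing virtual host block starts outside the hunk.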
@@ -104,11 +107,14 @@ ${caller.body()}
        SSLEngine on
 
        SSLCertificateFile ssl/server.crt
+       SSLCertificateChainFile ssl/server.crt
        SSLCertificateKeyFile ssl/server.key
        
        SSLVerifyClient none
 
        SSLOptions +StdEnvVars
+        SSLProtocol all -SSLv2
+        SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
        
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0        
 </VirtualHost>
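Review bot: `SSLCertificateChainFile ssl/server.crt` names the same file as `SSLCertificateFile`, which only delivers a chain if server.crt has the intermediate CA certificates appended after the server certificate, and nothing in the hunk records that requirement. A comment above the line, e.g. `# server.crt must hold the server certificate followed by its intermediate CA certificates`, would keep a later certificate renewal from silently dropping the chain and breaking validation for clients that lack the intermediates. The same line is added in the first hunk and the comment belongs there too. The `<VirtualHost>` block closed here opens outside the hunk.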