X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fapache2%2Ftemplates%2Fpuppet-config.erb;h=b01b5f0ef0b1a4696790358b460ab38f3782c875;hb=87f172c79bc34b54df8919127862ef3250f29236;hp=fca5a8b4428a160fa86b1d7d2946137f188d433f;hpb=b2a383c3f6d04206e8bae15f34022d691720d0c0;p=mirror%2Fdsa-puppet.git diff --git a/modules/apache2/templates/puppet-config.erb b/modules/apache2/templates/puppet-config.erb index fca5a8b44..b01b5f0ef 100644 --- a/modules/apache2/templates/puppet-config.erb +++ b/modules/apache2/templates/puppet-config.erb @@ -4,9 +4,35 @@ # this is a list that seems suitable as of 2014-10, when running wheezy. It # probably requires re-visiting regularly. - <% if @lsbmajdistrelease <= '7' -%> - SSLCipherSuite ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!RC4:!SEED:!DSS - <% else -%> - SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!RC4:!SEED:!DSS + # 2017-07-02 + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.18&openssl=1.0.1p&hsts=no&profile=intermediate + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.25&openssl=1.0.1p&hsts=no&profile=intermediate + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.25&openssl=1.1.0&hsts=no&profile=intermediate + SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS + + <%- if has_variable?("apache2deb9") && @apache2deb9 -%> + SSLUseStapling On + + # the default size is 32k, but we make it 1M. + # | If more than a few SSL certificates are used for the server + # | + # | OCSP responses are stored in the SSL stapling cache. While the + # | responses are typically a few hundred to a few thousand bytes in size, + # | mod_ssl supports OCSP responses up to around 10K bytes in size. With more + # | than a few certificates, the stapling cache size (32768 bytes in the + # | example above) may need to be increased. Error message AH01929 will be + # | logged in case of an error storing a response. + # [ https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html#ocspstapling ] + + SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(1048576) + SSLStaplingReturnResponderErrors off + SSLStaplingResponderTimeout 5 + SSLStaplingFakeTryLater off <% end -%> + + + IndexOptions SuppressDescription + + +BufferedLogs On