diff options
author | Micah Anderson <micah@leap.se> | 2015-05-26 22:23:22 -0400 |
---|---|---|
committer | Micah Anderson <micah@leap.se> | 2015-05-26 22:23:22 -0400 |
commit | b77e3f7e87bc64ffaaa608e5b6a6ef385b8054d3 (patch) | |
tree | da8392e93b81f1ea68d0af2d170afa4e64f7b52c /puppet/modules/site_apache | |
parent | 4105838757e1843ece8935ddae82a3cbb9febc7a (diff) |
Implement weakdh recommendations for cipher suites (#7024)
This is a first step mitigation until we can have a newer apache that
will allow us to specify dh parameters other than the default.
Change-Id: Ibfcee53b331e8919466027dde1a93117b5210d9d
Diffstat (limited to 'puppet/modules/site_apache')
-rw-r--r-- | puppet/modules/site_apache/files/include.d/ssl_common.inc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/puppet/modules/site_apache/files/include.d/ssl_common.inc b/puppet/modules/site_apache/files/include.d/ssl_common.inc index 08b993cc..2d282c84 100644 --- a/puppet/modules/site_apache/files/include.d/ssl_common.inc +++ b/puppet/modules/site_apache/files/include.d/ssl_common.inc @@ -2,6 +2,6 @@ SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCompression off -SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" +SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" RequestHeader set X_FORWARDED_PROTO 'https'
\ No newline at end of file |