summaryrefslogtreecommitdiff
path: root/puppet/modules/site_apache
diff options
context:
space:
mode:
authorMicah Anderson <micah@leap.se>2014-04-02 13:17:20 -0400
committerMicah Anderson <micah@leap.se>2014-04-02 13:25:13 -0400
commit5cca6d100ffd991e6f943d916361bf0497728d70 (patch)
tree64b5d93cf5fe407c19a7fb18fa036a6ea5e41eb7 /puppet/modules/site_apache
parentb12c315edef56515321306a692d0f2098f4e8ee0 (diff)
Update TLS apache vhost TLS configuration (#5137):
. We want to allow for TLS1.2 to be enabled (supported in wheezy) . Explicitly disable SSLCompression. This aids in protecting against the BREACH attack: see http://breachattack.com), and SPDY version 3 is vulnerable to the CRIME attack when compression is on . Switch the cipher suites to match https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for these reasons: . Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many implementations support this, and there are no known attacks). . Prefer AES128 to AES256 because the key schedule in AES256 is considered weaker, and maybe AES128 is more resistant to timing attacks . Prefer AES to RC4. BEAST attacks on AES are mitigated in >=TLS1.1, and difficult in TLS1.0. They are not in RC4, and likely to become more dangerous . RC4 is on the path to removal, but still present for backward compatibility Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043
Diffstat (limited to 'puppet/modules/site_apache')
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/api.conf.erb5
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/common.conf.erb5
2 files changed, 6 insertions, 4 deletions
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index 5f1f4c1d..3360ac59 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -10,9 +10,10 @@ Listen 0.0.0.0:<%= api_port %>
ServerName <%= api_domain %>
SSLEngine on
- SSLProtocol -all +SSLv3 +TLSv1
- SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+ SSLProtocol all -SSLv2
SSLHonorCipherOrder on
+ SSLCompression off
+ SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
SSLCACertificatePath /etc/ssl/certs
SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt
diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
index 30f0a6b1..ed430510 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
@@ -11,9 +11,10 @@
ServerAlias www.<%= domain %>
SSLEngine on
- SSLProtocol -all +SSLv3 +TLSv1
- SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+ SSLProtocol all -SSLv2
SSLHonorCipherOrder on
+ SSLCompression off
+ SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
SSLCACertificatePath /etc/ssl/certs
SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt