summaryrefslogtreecommitdiff
path: root/puppet/modules/site_static
diff options
context:
space:
mode:
authorMicah <micah@riseup.net>2015-05-28 14:41:23 +0000
committerMicah <micah@riseup.net>2015-05-28 14:41:23 +0000
commite7651410cfc8f67be1deaa5354a7f88219086719 (patch)
tree6a8e58662845b4cf03f7f6c1b280aa9ad88f2595 /puppet/modules/site_static
parentd3ba83a4825b8296217e1f21190728772fc32133 (diff)
parentb77e3f7e87bc64ffaaa608e5b6a6ef385b8054d3 (diff)
Merge branch '0.7.0' into '0.7.0'
Implement weakdh recommendations for cipher suites (#7024) This is a first step mitigation until we can have a newer apache that will allow us to specify dh parameters other than the default. Change-Id: Ibfcee53b331e8919466027dde1a93117b5210d9d See merge request !48
Diffstat (limited to 'puppet/modules/site_static')
-rw-r--r--puppet/modules/site_static/templates/apache.conf.erb8
1 files changed, 2 insertions, 6 deletions
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb
index 9b516a10..4d61cc08 100644
--- a/puppet/modules/site_static/templates/apache.conf.erb
+++ b/puppet/modules/site_static/templates/apache.conf.erb
@@ -45,12 +45,8 @@
#RewriteLog "/var/log/apache2/rewrite.log"
#RewriteLogLevel 3
- SSLEngine on
- SSLProtocol all -SSLv2 -SSLv3
- SSLHonorCipherOrder on
- SSLCompression off
- SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
-
+ Include include.d/ssl_common.inc
+
<%- if @tls_only -%>
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
<%- end -%>