From b77e3f7e87bc64ffaaa608e5b6a6ef385b8054d3 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@leap.se>
Date: Tue, 26 May 2015 22:23:22 -0400
Subject: Implement weakdh recommendations for cipher suites (#7024)

This is a first step mitigation until we can have a newer apache that
will allow us to specify dh parameters other than the default.

Change-Id: Ibfcee53b331e8919466027dde1a93117b5210d9d
---
 puppet/modules/site_static/templates/apache.conf.erb | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

(limited to 'puppet/modules/site_static')

diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb
index 9b516a10..4d61cc08 100644
--- a/puppet/modules/site_static/templates/apache.conf.erb
+++ b/puppet/modules/site_static/templates/apache.conf.erb
@@ -45,12 +45,8 @@
   #RewriteLog "/var/log/apache2/rewrite.log"
   #RewriteLogLevel 3
 
-  SSLEngine on
-  SSLProtocol all -SSLv2 -SSLv3
-  SSLHonorCipherOrder on
-  SSLCompression off
-  SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
-
+  Include include.d/ssl_common.inc
+  
 <%- if @tls_only -%>
   Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
 <%- end -%>
-- 
cgit v1.2.3