authormh <mh@immerda.ch>2010-12-12 18:51:48 +0100
committermh <mh@immerda.ch>2010-12-12 18:51:48 +0100
commit3223bb26521cd7aed97c3d5bd7df73269991639d (patch)
tree0392fc91ebe074f04b09653cf222b211121997d6 /files
parent22fba9762d707383c65c822c2310b17b1eb104c2 (diff)
update to latest secure ssl directives
Diffstat (limited to 'files')
-rw-r--r--files/include.d/CentOS/ssl_defaults.inc6
-rw-r--r--files/include.d/Debian/ssl_defaults.inc4
-rw-r--r--files/include.d/OpenBSD/ssl_defaults.inc2
3 files changed, 8 insertions, 4 deletions
diff --git a/files/include.d/CentOS/ssl_defaults.inc b/files/include.d/CentOS/ssl_defaults.inc
index 04d3077..b57cbb9 100644
--- a/files/include.d/CentOS/ssl_defaults.inc
+++ b/files/include.d/CentOS/ssl_defaults.inc
@@ -11,14 +11,16 @@ SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
-SSLProtocol all -SSLv2
+#SSLProtocol all -SSLv2
+SSLProtocol -all +SSLv3 +TLSv1
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+SSLHonorCipherOrder on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
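Review bot: The explicit allowlist `SSLProtocol -all +SSLv3 +TLSv1` caps the server at TLS 1.0 and keeps SSLv3 enabled, so newer TLS versions stay disabled even once the host's mod_ssl/OpenSSL supports them; the Debian file gets the same line. A subtractive form such as `SSLProtocol all -SSLv2 -SSLv3` would pick up newer versions automatically and drop SSLv3, which has since been deprecated. The comment above it ("Disable SSLv2 access by default:") now sits over a commented-out directive and should be reworded to describe the active line. Separately, `!MD5` only removes suites using an MD5 MAC; depending on the OpenSSL version, `MEDIUM` may still admit RC4 suites with a SHA MAC, so adding `!RC4` is worth considering.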
diff --git a/files/include.d/Debian/ssl_defaults.inc b/files/include.d/Debian/ssl_defaults.inc
index 3889cff..949fe58 100644
--- a/files/include.d/Debian/ssl_defaults.inc
+++ b/files/include.d/Debian/ssl_defaults.inc
@@ -1 +1,3 @@
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH
+SSLProtocol -all +SSLv3 +TLSv1
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+SSLHonorCipherOrder on
diff --git a/files/include.d/OpenBSD/ssl_defaults.inc b/files/include.d/OpenBSD/ssl_defaults.inc
index 91b14e0..67cf36f 100644
--- a/files/include.d/OpenBSD/ssl_defaults.inc
+++ b/files/include.d/OpenBSD/ssl_defaults.inc
@@ -1,5 +1,5 @@
SSLEngine on
#SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:@STRENGTH
+SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
SSLCertificateFile /etc/ssl/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
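Review bot: The OpenBSD defaults receive only the `!MD5` change and get neither an `SSLProtocol` line nor `SSLHonorCipherOrder on`, so the three platforms now diverge in protocol policy and cipher preference. If the omission is because the OpenBSD httpd's mod_ssl lacks `SSLHonorCipherOrder` (an assumption, not visible in this hunk), record that in a comment such as `# SSLHonorCipherOrder is not available in this httpd's mod_ssl`. An explicit `SSLProtocol all -SSLv2` should still be added here so that protocol selection does not rest on the `!SSLv2` cipher exclusion alone.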