From 6203cf35475caf5eaafe1e690de0c2bfdefb5564 Mon Sep 17 00:00:00 2001
From: Patrick Oberdorf <p.oberdorf@raphael-gmbh.de>
Date: Fri, 2 Oct 2015 14:27:23 +0200
Subject: [PATCH] secure SSL-config

---
 templates/default/vHost.conf.erb | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/templates/default/vHost.conf.erb b/templates/default/vHost.conf.erb
index 113b62b..dd378b1 100644
--- a/templates/default/vHost.conf.erb
+++ b/templates/default/vHost.conf.erb
@@ -138,6 +138,20 @@
 				downgrade-1.0 force-response-1.0
 		# MSIE 7 and newer should be able to use keepalive
 		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+		## Secure SSL config. See: https://bettercrypto.org/static/applied-crypto-hardening.pdf
+
+		SSLProtocol All -SSLv2 -SSLv3
+		SSLHonorCipherOrder On
+		SSLCompression off
+		# Add six earth month HSTS header for all users...
+		# ATTENTION! Needs header module enabled.
+		 Header always set Strict-Transport-Security "max-age=15768000"
+		# If you want to protect all subdomains, use the following header
+		# ALL subdomains HAVE TO support HTTPS if you use this!
+		# Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"
+		SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:$
+
 	</VirtualHost>
 </IfModule>
 
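Review bot: The `SSLCipherSuite` value on the last added directive line ends in `:$` and is visibly cut off, which looks like a pasted terminal line where `$` is a wrap marker rather than a cipher token; the committed string should be compared against the bettercrypto.org list it cites, because OpenSSL's cipher-string parser does not reliably reject unknown tokens, so a mis-transcribed list can load without error while not expressing the intended suites. The `Header always set Strict-Transport-Security "max-age=15768000"` directive is emitted unconditionally even though its own comment says mod_headers must be enabled, so Apache will refuse to start a config where that module is not loaded; wrapping it as `<IfModule mod_headers.c>` / `Header always set Strict-Transport-Security "max-age=15768000"` / `</IfModule>` keeps the vhost loadable and still sets HSTS whenever the module is present. That same line carries a stray space after the leading tabs, unlike its neighbours. The enclosing `<VirtualHost>` block starts before this hunk.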
@@ -161,4 +175,4 @@
 
   CustomLog /var/log/apache2/access.log combined
   ServerSignature On
-</VirtualHost>
\ No newline at end of file
+</VirtualHost>
-- 
GitLab