Secure SSL config
Here is my patch, since I am not able to push a new branch and open a merge request.
From 4b8ce94a0881306741ee3d9017a8462ac8a66bf6 Mon Sep 17 00:00:00 2001
From: Patrick Oberdorf <patrick@oberdorf.net>
Date: Thu, 1 Oct 2015 14:03:07 +0200
Subject: [PATCH] secure SSL-config
---
templates/default/vHost.conf.erb | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/templates/default/vHost.conf.erb b/templates/default/vHost.conf.erb
index 113b62b..d607645 100644
--- a/templates/default/vHost.conf.erb
+++ b/templates/default/vHost.conf.erb
@@ -138,6 +138,19 @@
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+ ## Secure SSL config. See: https://bettercrypto.org/static/applied-crypto-hardening.pdf
+
+ SSLProtocol All -SSLv2 -SSLv3
+ SSLHonorCipherOrder On
+ SSLCompression off
+ # Add six earth month HSTS header for all users...
+ # ATTENTION! Needs header module enabled.
+ Header always set Strict-Transport-Security "max-age=15768000"
+ # If you want to protect all subdomains, use the following header
+ # ALL subdomains HAVE TO support HTTPS if you use this!
+ # Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"
+ SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:$
</VirtualHost>
</IfModule>
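Review bot: The SSLCipherSuite value on the last added directive line ends in `CAMELLIA128-SHA:$`, which looks like a truncated paste (a trailing `$` is not a valid OpenSSL cipher-string token), so the suite list is incomplete and may either fail to parse or silently differ from the bettercrypto.org list the comment cites; please re-paste the full string from that document and check it with `openssl ciphers -v '<cipher-string>'` before merging. The `Header always set Strict-Transport-Security` line will abort server start when mod_headers is not loaded, which the preceding comment only warns about; wrapping it as `<IfModule mod_headers.c>` / `Header always set Strict-Transport-Security "max-age=15768000"` / `</IfModule>` keeps the vhost loadable and makes the dependency explicit. The new directives sit inside a `<VirtualHost>` whose opening line is outside the hunk, so it is worth confirming that this template block is rendered only for the TLS vhost and that SSLProtocol/SSLCipherSuite are not already set elsewhere in the template, since a later definition would override these.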
@@ -161,4 +174,4 @@
CustomLog /var/log/apache2/access.log combined
ServerSignature On
-</VirtualHost>
\ No newline at end of file
+</VirtualHost>
--
2.6.0