Use more secure ssl ciphers, fixes CVE-2016-2107

commit: 2aa9e83444dca1ce4ebfdfede28af943ee464485 [log] [tgz]
author: Filip Pytloun <filip@pytloun.cz> Tue Sep 06 13:37:23 2016 +0200
committer: Filip Pytloun <filip@pytloun.cz> Tue Sep 06 13:37:23 2016 +0200
tree: 622cde65d09635745dd5bfef2e564f466ac0f38c
parent: a0378fd5e9697e6bfdbd1e4bdbf4657e05e84545 [diff]
diff --git a/apache/files/_ssl_secure.conf b/apache/files/_ssl_secure.conf
index 441f981..cebf3a5 100644
--- a/apache/files/_ssl_secure.conf
+++ b/apache/files/_ssl_secure.conf

@@ -1,4 +1,9 @@
 
 SSLHonorCipherOrder on
-SSLCipherSuite !SSLv2:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
 SSLProtocol all -SSLv2 -SSLv3
+
+SSLCompression off
+SSLUseStapling on
+SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
+SSLSessionTickets Off
commit	2aa9e83444dca1ce4ebfdfede28af943ee464485	[log] [tgz]
author	Filip Pytloun <filip@pytloun.cz>	Tue Sep 06 13:37:23 2016 +0200
committer	Filip Pytloun <filip@pytloun.cz>	Tue Sep 06 13:37:23 2016 +0200
tree	622cde65d09635745dd5bfef2e564f466ac0f38c
parent	a0378fd5e9697e6bfdbd1e4bdbf4657e05e84545 [diff]