Fix forward secrecy and strict transport security
diff --git a/apache/files/_ssl.conf b/apache/files/_ssl.conf
index 5007ec7..ea7a6c4 100644
--- a/apache/files/_ssl.conf
+++ b/apache/files/_ssl.conf
@@ -6,7 +6,7 @@
SSLCertificateKeyFile /etc/ssl/private/{{ site.host.name }}.key
SSLCertificateChainFile /etc/ssl/certs/ca-chain.crt
- {%- if site.ssl.get('forward_secrecy', False) %}
+ {%- if site.ssl.get('strict_transport_security', False) %}
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
{%- endif %}
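Review bot: The renamed condition `{%- if site.ssl.get('strict_transport_security', False) %}` silently changes the configuration interface: any site data that still sets `forward_secrecy` (the key the old line read) will no longer emit the header and nothing in the template reports it, so the rename should be called out in the role's documentation or handled with a fallback such as `site.ssl.get('strict_transport_security', site.ssl.get('forward_secrecy', False))` until callers are migrated. The header value on the kept line, `max-age=63072000; includeSubdomains; preload`, also commits every subdomain of the host to HTTPS for two years and advertises the host for browser preload lists, which is effectively irreversible once submitted, yet a single boolean turns all three on; gating `; preload` (and arguably `includeSubdomains`) behind separate opt-in keys would let an operator enable HSTS on one host without locking out plain-HTTP subdomains. `Header always set` additionally requires mod_headers to be loaded, which this template cannot ensure on its own; a one-line comment above the block stating that dependency would help whoever deploys it. The hunk header announces more old-side lines than are visible here, so some context lines may have been lost in extraction.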
diff --git a/apache/files/_ssl_secure.conf b/apache/files/_ssl_secure.conf
index e22e611..441f981 100644
--- a/apache/files/_ssl_secure.conf
+++ b/apache/files/_ssl_secure.conf
@@ -1,3 +1,4 @@
-SSLCipherSuite HIGH:!aNULL:!MD5
+SSLHonorCipherOrder on
+SSLCipherSuite !SSLv2:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLProtocol all -SSLv2 -SSLv3
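Review bot: The new `SSLCipherSuite` line does not actually require forward secrecy, despite the commit title: the trailing entries `AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA:AES128-SHA:AES:CAMELLIA` keep static-RSA key-exchange suites admitted, so a client that offers no ECDHE/DHE suites still negotiates a non-ephemeral exchange, and the added `SSLHonorCipherOrder on` only changes preference order, not which suites are accepted. If the intent is PFS-only, remove those six entries and append `:!kRSA` to the exclusion list so static RSA key exchange is rejected outright; the `!SSLv2` token at the front is redundant with the `SSLProtocol all -SSLv2 -SSLv3` context line and can be dropped. The DHE-* suites that remain inherit whatever DH parameter size this Apache/OpenSSL build defaults to, which the diff does not show, so it is worth confirming that DH parameters of at least 2048 bits are configured (for example via `SSLOpenSSLConfCmd DHParameters` where the build supports it). The hunk header counts one more new-side line than is visible here, so the hunk may continue past this chunk.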