public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/apache:master commit in: 2.4/conf/vhosts.d/
@ 2018-07-16  8:05 Lars Wendler
From: Lars Wendler @ 2018-07-16  8:05 UTC
  To: gentoo-commits

commit:     2e25601450315b6343daec1c7b928dabbd4c374d
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Mon Jul 16 08:03:43 2018 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Mon Jul 16 08:03:43 2018 +0000
URL:        https://gitweb.gentoo.org/proj/apache.git/commit/?id=2e256014

Don't perform SSL exceptions for MSIE anymore.

Bug: https://bugs.gentoo.org/604744

 2.4/conf/vhosts.d/00_default_ssl_vhost.conf | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/2.4/conf/vhosts.d/00_default_ssl_vhost.conf b/2.4/conf/vhosts.d/00_default_ssl_vhost.conf
index bb39547..6abc21d 100644
--- a/2.4/conf/vhosts.d/00_default_ssl_vhost.conf
+++ b/2.4/conf/vhosts.d/00_default_ssl_vhost.conf
@@ -170,11 +170,6 @@ Listen 443
 	# Similarly, one has to force some clients to use HTTP/1.0 to workaround
 	# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 	# "force-response-1.0" for this.
-	<IfModule setenvif_module>
-		BrowserMatch ".*MSIE.*" \
-			nokeepalive ssl-unclean-shutdown \
-			downgrade-1.0 force-response-1.0
-	</IfModule>
 
 	## Per-Server Logging:
 	# The home of a custom SSL log file. Use this when you want a compact 
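
Review bot: The comment kept directly above the removed block ("Similarly, one has to force some clients to use HTTP/1.0 ... Use variables "downgrade-1.0" and "force-response-1.0" for this.") no longer introduces any directive, so in the resulting file it runs straight into "## Per-Server Logging:". Either remove that comment together with the BrowserMatch block, or reword it as an opt-in hint for administrators who still need a per-client workaround. The removal itself looks right: the pattern ".*MSIE.*" applied nokeepalive and ssl-unclean-shutdown to every client whose User-Agent contained MSIE, not only to the broken versions.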



* [gentoo-commits] proj/apache:master commit in: 2.4/conf/vhosts.d/
@ 2023-09-02  6:50 Hans de Graaff
From: Hans de Graaff @ 2023-09-02  6:50 UTC
  To: gentoo-commits

commit:     1f482b45baea01fc1dacad74292ba93c0a1db8bc
Author:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Sat Sep  2 06:49:23 2023 +0000
Commit:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Sat Sep  2 06:49:23 2023 +0000
URL:        https://gitweb.gentoo.org/proj/apache.git/commit/?id=1f482b45

Update default ssl vhost config to modern standards

Only enable TLSv1.2+, update cipher suite to only include strong
ciphers, turn off ordering preference to allow clients to use the best
cipher for them.

Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>

 2.4/conf/vhosts.d/00_default_ssl_vhost.conf | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/2.4/conf/vhosts.d/00_default_ssl_vhost.conf b/2.4/conf/vhosts.d/00_default_ssl_vhost.conf
index 6abc21d..538a5cb 100644
--- a/2.4/conf/vhosts.d/00_default_ssl_vhost.conf
+++ b/2.4/conf/vhosts.d/00_default_ssl_vhost.conf
@@ -21,22 +21,22 @@ Listen 443
 	# Enable/Disable SSL for this virtual host.
 	SSLEngine on
 
+  # TLS defaults are set according to the Mozilla intermediate
+  # configuration: https://ssl-config.mozilla.org/
+
 	## SSLProtocol:
-	# Don't use SSLv2 anymore as it's considered to be broken security-wise.
-	# Also disable SSLv3 as most modern browsers are capable of TLS.
-	SSLProtocol ALL -SSLv2 -SSLv3
+  # Disable old protocol versions that have known flaws or are deprecated.
+	SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 
 	## SSL Cipher Suite:
 	# List the ciphers that the client is permitted to negotiate.
 	# See the mod_ssl documentation for a complete list.
-	# This list of ciphers is recommended by mozilla and was stripped off
-	# its RC4 ciphers. (bug #506924)
-	SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+  SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 
 	## SSLHonorCipherOrder:
-	# Prefer the server's cipher preference order as the client may have a
-	# weak default order.
-	SSLHonorCipherOrder On
+	# Don't enforce cipher order since all ciphers are strong and
+	# clients may have preferences on e.g. hardware capabilities.
+	SSLHonorCipherOrder Off
 
 	## Server Certificate:
 	# Point SSLCertificateFile at a PEM encoded certificate. If the certificate
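
Review bot: The added lines "# TLS defaults are set according to the Mozilla intermediate", "# Disable old protocol versions ..." and the new SSLCipherSuite line are indented with two spaces, while every other line in this hunk uses a tab; please switch them to tabs so the file stays consistent. On the SSLProtocol line, the comment would be easier to audit if it named what remains enabled (TLSv1.2 and newer, as the commit message says), since "ALL" minus a deny-list leaves the reader to work out the result. Turning SSLHonorCipherOrder Off is consistent with the new list, which contains only ECDHE/DHE suites with AES-GCM or CHACHA20-POLY1305, so the old "client may have a weak default order" rationale no longer applies.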



* [gentoo-commits] proj/apache:master commit in: 2.4/conf/vhosts.d/
@ 2023-11-03 12:35 Hans de Graaff
From: Hans de Graaff @ 2023-11-03 12:35 UTC
  To: gentoo-commits

commit:     9c28e541a6a46a3c8bfbc5cc6a859e844762c283
Author:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Fri Nov  3 12:34:20 2023 +0000
Commit:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Fri Nov  3 12:35:00 2023 +0000
URL:        https://gitweb.gentoo.org/proj/apache.git/commit/?id=9c28e541

Use consistent indentation with tabs

Bug: https://bugs.gentoo.org/916043
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>

 2.4/conf/vhosts.d/00_default_ssl_vhost.conf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/2.4/conf/vhosts.d/00_default_ssl_vhost.conf b/2.4/conf/vhosts.d/00_default_ssl_vhost.conf
index 538a5cb..d068f61 100644
--- a/2.4/conf/vhosts.d/00_default_ssl_vhost.conf
+++ b/2.4/conf/vhosts.d/00_default_ssl_vhost.conf
@@ -21,17 +21,17 @@ Listen 443
 	# Enable/Disable SSL for this virtual host.
 	SSLEngine on
 
-  # TLS defaults are set according to the Mozilla intermediate
-  # configuration: https://ssl-config.mozilla.org/
+	# TLS defaults are set according to the Mozilla intermediate
+	# configuration: https://ssl-config.mozilla.org/
 
 	## SSLProtocol:
-  # Disable old protocol versions that have known flaws or are deprecated.
+	# Disable old protocol versions that have known flaws or are deprecated.
 	SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 
 	## SSL Cipher Suite:
 	# List the ciphers that the client is permitted to negotiate.
 	# See the mod_ssl documentation for a complete list.
-  SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+	SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 
 	## SSLHonorCipherOrder:
 	# Don't enforce cipher order since all ciphers are strong and

