Benjamin Neff
4 years ago
1 changed files with 6 additions and 6 deletions
+ 6
- 6
apache/files/Debian/ssl.conf.jinja
View File
| SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase | SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase | ||||
| # Inter-Process Session Cache: | # Inter-Process Session Cache: | ||||
| # Configure the SSL Session Cache: First the mechanism | |||||
| # Configure the SSL Session Cache: First the mechanism | |||||
| # to use and second the expiring timeout (in seconds). | # to use and second the expiring timeout (in seconds). | ||||
| # (The mechanism dbm has known memory leaks and should not be used). | # (The mechanism dbm has known memory leaks and should not be used). | ||||
| #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache | #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache | ||||
| # Semaphore: | # Semaphore: | ||||
| # Configure the path to the mutual exclusion semaphore the | # Configure the path to the mutual exclusion semaphore the | ||||
| # SSL engine uses internally for inter-process synchronization. | |||||
| # SSL engine uses internally for inter-process synchronization. | |||||
| # (Disabled by default, the global Mutex directive consolidates by default | # (Disabled by default, the global Mutex directive consolidates by default | ||||
| # this) | # this) | ||||
| #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache | #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache | ||||
| # ciphers(1) man page from the openssl package for list of all available | # ciphers(1) man page from the openssl package for list of all available | ||||
| # options. | # options. | ||||
| # Enable only secure ciphers: | # Enable only secure ciphers: | ||||
| {# default from https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 #} | |||||
| {#- default from https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 #} | |||||
| SSLCipherSuite {{ salt['pillar.get']('apache:ssl:SSLCipherSuite', 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS') }} | SSLCipherSuite {{ salt['pillar.get']('apache:ssl:SSLCipherSuite', 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS') }} | ||||
| # SSL server cipher order preference: | # SSL server cipher order preference: | ||||
| # Default: Off | # Default: Off | ||||
| #SSLStrictSNIVHostCheck On | #SSLStrictSNIVHostCheck On | ||||
| {% set use_stapling = salt['pillar.get']('apache:ssl:SSLUseStapling', 'Off') %} | |||||
| {% if use_stapling == 'On' %} | |||||
| {% set use_stapling = salt['pillar.get']('apache:ssl:SSLUseStapling', 'Off') -%} | |||||
| {% if use_stapling == 'On' -%} | |||||
| # Stapling configuration | # Stapling configuration | ||||
| # Default: Off | # Default: Off | ||||
| # | # | ||||
| SSLStaplingResponderTimeout {{ salt['pillar.get']('SSLStaplingResponderTimeout', '5') }} | SSLStaplingResponderTimeout {{ salt['pillar.get']('SSLStaplingResponderTimeout', '5') }} | ||||
| SSLStaplingReturnResponderErrors {{ salt['pillar.get']('SSLStaplingReturnResponderErrors', 'Off') }} | SSLStaplingReturnResponderErrors {{ salt['pillar.get']('SSLStaplingReturnResponderErrors', 'Off') }} | ||||
| SSLStaplingCache {{ salt['pillar.get']('SSLStaplingCache', 'shmcb:/var/run/ocsp(128000)') }} | SSLStaplingCache {{ salt['pillar.get']('SSLStaplingCache', 'shmcb:/var/run/ocsp(128000)') }} | ||||
| {% endif %} | |||||
| {%- endif %} | |||||
| </IfModule> | </IfModule> | ||||
| # vim: syntax=apache ts=4 sw=4 sts=4 sr noet | # vim: syntax=apache ts=4 sw=4 sts=4 sr noet |
Loading…