forked from Hitchwiki/hitchwiki
-
Notifications
You must be signed in to change notification settings - Fork 1
/
ssl-params.conf
43 lines (37 loc) · 2.15 KB
/
ssl-params.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
#Header always set Strict-Transport-Security "max-age=15768000"
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
## For Newer Apache+OpenSSL:
## If you have Apache 2.4.8 or later and OpenSSL 1.0.2 or later, you can
## generate and specify your DH params file:
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html#Forward_Secrecy_&_Diffie_Hellman_Ephemeral_Parameters
## https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslopensslconfcmd
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# https://github.com/mozilla/server-side-tls
# apache 2.4.18 | modern profile | OpenSSL 1.1.0
# Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge,
# Opera 17, Safari 9, Android 5.0, and Java 8
# modern configuration, tweak to your needs
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
# https://wiki.mozilla.org/Security/Server_Side_TLS
# Test configuration:
# https://github.com/mozilla/tls-observatory
# https://github.com/jvehent/cipherscan
# https://www.ssllabs.com/ssltest/