]> Raphaël G. Git Repositories - blogbundle/commitdiff
Fix default bind ciphersuites and options
authorRaphaël Gertz <git@rapsys.eu>
Sun, 28 Jan 2024 06:47:16 +0000 (06:47 +0000)
committerRaphaël Gertz <git@rapsys.eu>
Sun, 28 Jan 2024 06:47:16 +0000 (06:47 +0000)
Fixture/BlogFixture.php

index 08e179201c950693bd4bd27046b1e9ff58e0b41b..599a7610a9db7d45fba0fbb839f7edf296c7ca71 100644 (file)
@@ -857,13 +857,13 @@ global
        key-base /etc/pki/tls/private
        # Don\'t load extra files
        ssl-load-extra-files none
        key-base /etc/pki/tls/private
        # Don\'t load extra files
        ssl-load-extra-files none
-       # Disable SSL-v3 TLSv1.0 TLSv1.1 and TLS tickets
-       ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
        # Do not verify certificate
        ssl-server-verify none
        # Do not verify certificate
        ssl-server-verify none
-       # Supported bind ciphers
+       # Supported bind ciphersuites
        #XXX: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended-configurations
        #XXX: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended-configurations
-       ssl-default-bind-ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+       ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+       # Disable SSL-v3 TLSv1.0 TLSv1.1 and TLSv1.2 without TLS tickets
+       ssl-default-bind-options ssl-min-ver TLSv1.3
 
        # SSL/TLS session cache size
        tune.ssl.cachesize 20000
 
        # SSL/TLS session cache size
        tune.ssl.cachesize 20000
@@ -1384,13 +1384,13 @@ global
        key-base /etc/pki/tls/private
        # Don\'t load extra files
        ssl-load-extra-files none
        key-base /etc/pki/tls/private
        # Don\'t load extra files
        ssl-load-extra-files none
-       # Disable SSL-v3 TLSv1.0 TLSv1.1 and TLS tickets
-       ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
        # Do not verify certificate
        ssl-server-verify none
        # Do not verify certificate
        ssl-server-verify none
-       # Supported bind ciphers
+       # Supported bind ciphersuites
        #XXX: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended-configurations
        #XXX: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended-configurations
-       ssl-default-bind-ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+       ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+       # Disable SSL-v3 TLSv1.0 TLSv1.1 and TLSv1.2 without TLS tickets
+       ssl-default-bind-options ssl-min-ver TLSv1.3
 
        # SSL/TLS session cache size
        tune.ssl.cachesize 20000
 
        # SSL/TLS session cache size
        tune.ssl.cachesize 20000