From 22f1dcfaa25237a059218334c26712ba3a1cfa00 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Rapha=C3=ABl=20Gertz?= <git@rapsys.eu>
Date: Sun, 28 Jan 2024 06:47:16 +0000
Subject: [PATCH] Fix default bind ciphersuites and options

---
 Fixture/BlogFixture.php | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/Fixture/BlogFixture.php b/Fixture/BlogFixture.php
index 08e1792..599a761 100644
--- a/Fixture/BlogFixture.php
+++ b/Fixture/BlogFixture.php
@@ -857,13 +857,13 @@ global
 	key-base /etc/pki/tls/private
 	# Don\'t load extra files
 	ssl-load-extra-files none
-	# Disable SSL-v3 TLSv1.0 TLSv1.1 and TLS tickets
-	ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
 	# Do not verify certificate
 	ssl-server-verify none
-	# Supported bind ciphers
+	# Supported bind ciphersuites
 	#XXX: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended-configurations
-	ssl-default-bind-ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+	ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+	# Disable SSL-v3 TLSv1.0 TLSv1.1 and TLSv1.2 without TLS tickets
+	ssl-default-bind-options ssl-min-ver TLSv1.3
 
 	# SSL/TLS session cache size
 	tune.ssl.cachesize 20000
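Review bot: The comment added above `ssl-default-bind-options` reads "without TLS tickets", but the option line is only `ssl-min-ver TLSv1.3`: the `no-tls-tickets` keyword sat on the removed `ssl-default-server-options` line and is not carried over, so session tickets stay enabled on the listeners. If tickets should be off, use `ssl-default-bind-options ssl-min-ver TLSv1.3 no-tls-tickets`; otherwise reword the comment to `# Disable SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2`. Dropping `ssl-default-server-options` also leaves backend connections with no explicit minimum version while `ssl-server-verify none` remains, so it is worth confirming that this is intended. The same lines recur in the second hunk (@@ -1384), and the `global` section extends beyond both hunks.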
@@ -1384,13 +1384,13 @@ global
 	key-base /etc/pki/tls/private
 	# Don\'t load extra files
 	ssl-load-extra-files none
-	# Disable SSL-v3 TLSv1.0 TLSv1.1 and TLS tickets
-	ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
 	# Do not verify certificate
 	ssl-server-verify none
-	# Supported bind ciphers
+	# Supported bind ciphersuites
 	#XXX: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended-configurations
-	ssl-default-bind-ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+	ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+	# Disable SSL-v3 TLSv1.0 TLSv1.1 and TLSv1.2 without TLS tickets
+	ssl-default-bind-options ssl-min-ver TLSv1.3
 
 	# SSL/TLS session cache size
 	tune.ssl.cachesize 20000
-- 
2.41.3