Deprecate tlsv1.1 protocol for apache
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Fri, 21 Feb 2020 22:27:43 +0000 (23:27 +0100)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Fri, 24 Apr 2020 22:04:49 +0000 (00:04 +0200)
modules/websites/default.nix

index e69080e9dc2ae14c43f785796c8379468e5aeb9c..767a7b2324a1bf45acec546b23c5544e974f76a5 100644 (file)
@@ -204,6 +204,14 @@ in
       stateDir = "/run/httpd_${name}";
       logPerVirtualHost = true;
       multiProcessingModule = "worker";
+      # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.0.2t&guideline=5.4
+      sslProtocols = "all -SSLv3 -TLSv1 -TLSv1.1";
+      sslCiphers = builtins.concatStringsSep ":" [
+        "ECDHE-ECDSA-AES128-GCM-SHA256" "ECDHE-RSA-AES128-GCM-SHA256"
+        "ECDHE-ECDSA-AES256-GCM-SHA384" "ECDHE-RSA-AES256-GCM-SHA384"
+        "ECDHE-ECDSA-CHACHA20-POLY1305" "ECDHE-RSA-CHACHA20-POLY1305"
+        "DHE-RSA-AES128-GCM-SHA256" "DHE-RSA-AES256-GCM-SHA384"
+      ];
       inherit (icfg) adminAddr;
       logFormat = "combinedVhost";
       extraModules = lists.unique icfg.modules;
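Review bot: The Mozilla intermediate profile linked in the comment above `sslProtocols` also sets `SSLHonorCipherOrder off` and `SSLSessionTickets off`, and neither appears in this hunk, so the new `sslProtocols`/`sslCiphers` lines adopt only part of the referenced guideline. Session tickets are the one that matters for security: Apache's ticket encryption key is only rotated on restart unless a managed `SSLSessionTicketKeyFile` is configured, so a long-lived key would let a later server compromise decrypt recorded TLS 1.2 sessions despite the ECDHE/DHE-only cipher list. If the httpd module does not expose these as options they can be added through its `extraConfig`, e.g. `SSLSessionTickets off`; I believe the NixOS module already emits `SSLHonorCipherOrder on` on its own, which is harmless but worth confirming since it diverges from the linked profile. The enclosing attribute set starts and ends outside the hunk.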