From: Ismaƫl Bouya
Date: Fri, 21 Feb 2020 22:27:43 +0000 (+0100)
Subject: Deprecate tlsv1.1 protocol for apache
X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix%2FNUR.git;a=commitdiff_plain;h=b0f6964b42fb33396fc18e5333aa9dc20216cfbb

Deprecate tlsv1.1 protocol for apache
---

diff --git a/modules/websites/default.nix b/modules/websites/default.nix
index e69080e9..767a7b23 100644
--- a/modules/websites/default.nix
+++ b/modules/websites/default.nix
@@ -204,6 +204,14 @@ in
 stateDir = "/run/httpd_${name}";
 logPerVirtualHost = true;
 multiProcessingModule = "worker";
+ # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.0.2t&guideline=5.4
+ sslProtocols = "all -SSLv3 -TLSv1 -TLSv1.1";
+ sslCiphers = builtins.concatStringsSep ":" [
+ "ECDHE-ECDSA-AES128-GCM-SHA256" "ECDHE-RSA-AES128-GCM-SHA256"
+ "ECDHE-ECDSA-AES256-GCM-SHA384" "ECDHE-RSA-AES256-GCM-SHA384"
+ "ECDHE-ECDSA-CHACHA20-POLY1305" "ECDHE-RSA-CHACHA20-POLY1305"
+ "DHE-RSA-AES128-GCM-SHA256" "DHE-RSA-AES256-GCM-SHA384"
+ ];
 inherit (icfg) adminAddr;
 logFormat = "combinedVhost";
 extraModules = lists.unique icfg.modules;
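Review bot: The two `DHE-RSA-*` suites at the end of `sslCiphers` are only as strong as the Diffie-Hellman group Apache is given, and nothing in this hunk configures one; the Mozilla intermediate profile linked in the comment pairs this exact cipher list with the ffdhe2048 parameters (appended to the certificate file) and, as far as I recall, with `SSLHonorCipherOrder off` and `SSLSessionTickets off`, none of which appears here. If the NixOS httpd module does not supply those itself, either add them through the vhost's extra configuration or drop the two DHE entries so the effective server configuration matches the cited profile rather than just its cipher string. A comment next to the list making the dependency explicit would help the next maintainer, e.g. `# DHE suites assume >=2048-bit DH params are configured (ffdhe2048 per the Mozilla guideline); verify before relying on them`. The enclosing attribute set starts before this hunk.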