From b0f6964b42fb33396fc18e5333aa9dc20216cfbb Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?= <ismael.bouya@normalesup.org>
Date: Fri, 21 Feb 2020 23:27:43 +0100
Subject: [PATCH] Deprecate tlsv1.1 protocol for apache

---
 modules/websites/default.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/websites/default.nix b/modules/websites/default.nix
index e69080e9..767a7b23 100644
--- a/modules/websites/default.nix
+++ b/modules/websites/default.nix
@@ -204,6 +204,14 @@ in
       stateDir = "/run/httpd_${name}";
       logPerVirtualHost = true;
       multiProcessingModule = "worker";
+      # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.0.2t&guideline=5.4
+      sslProtocols = "all -SSLv3 -TLSv1 -TLSv1.1";
+      sslCiphers = builtins.concatStringsSep ":" [
+        "ECDHE-ECDSA-AES128-GCM-SHA256" "ECDHE-RSA-AES128-GCM-SHA256"
+        "ECDHE-ECDSA-AES256-GCM-SHA384" "ECDHE-RSA-AES256-GCM-SHA384"
+        "ECDHE-ECDSA-CHACHA20-POLY1305" "ECDHE-RSA-CHACHA20-POLY1305"
+        "DHE-RSA-AES128-GCM-SHA256" "DHE-RSA-AES256-GCM-SHA384"
+      ];
       inherit (icfg) adminAddr;
       logFormat = "combinedVhost";
       extraModules = lists.unique icfg.modules;
-- 
2.41.0