

Modernize TLS configuration
LeoColomb committed Jun 14, 2021
1 parent 6d6e4d5 commit 55c364d
Showing 10 changed files with 22 additions and 45 deletions.
23 changes: 0 additions & 23 deletions h5bp/ssl/policy_deprecated.conf

This file was deleted.

File renamed without changes.
File renamed without changes.
@@ -1,13 +1,9 @@
# ----------------------------------------------------------------------
# | SSL policy - Intermediate |
# | SSL policy - Balanced |
# ----------------------------------------------------------------------

# For services that don't need backward compatibility, the parameters below
# provide a higher level of security.
#
# (!) This policy enforces a mildly strong SSL configuration, which may raise
# errors with old clients.
# If a more compatible profile is required, use the "deprecated" policy.
# For services that need to support a wide range of clients, this configuration
# is raisonnably balanced.
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
# https://httpd.apache.org/docs/current/ssl/ssl_howto.html
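Review bot: The new comment line `# is raisonnably balanced.` carries a typo and should read `# is reasonably balanced.`. The rewritten text also appears to drop the earlier "(!) ... may raise errors with old clients" caveat; if this balanced profile still excludes some legacy clients, keeping one line saying so would help readers decide between the balanced and strict policies. This section's file header is not shown on the page, so the file is presumed to be the renamed balanced policy.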
10 changes: 7 additions & 3 deletions h5bp/ssl/policy_modern.conf → h5bp/tls/policy_strict.conf
@@ -1,9 +1,13 @@
# ----------------------------------------------------------------------
# | SSL policy - Modern |
# | SSL policy - Strict |
# ----------------------------------------------------------------------

# For services that want to be on the bleeding edge, the parameters below
# sacrifice compatibility for the highest level of security and performance.
# For services that don't need backward compatibility, the parameters below
# provide the highest level of security and performance.
#
# (!) This policy enforces a strong TLS configuration, which may raise
# errors with old clients.
# If a more compatible profile is required, use the "balanced" policy.
#
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
# and potentially vulnerable.
File renamed without changes.
6 changes: 3 additions & 3 deletions test/vhosts/000-default.conf
Expand Up @@ -3,7 +3,7 @@
</VirtualHost>

<VirtualHost *:443>
Include h5bp/ssl/ssl_engine.conf
Include h5bp/ssl/certificate_files.conf
Include h5bp/ssl/policy_intermediate.conf
Include h5bp/tls/ssl_engine.conf
Include h5bp/tls/certificate_files.conf
Include h5bp/tls/policy_balanced.conf
</VirtualHost>
6 changes: 3 additions & 3 deletions test/vhosts/secure.server.localhost.conf
Expand Up @@ -5,9 +5,9 @@

DocumentRoot "/usr/local/apache2/htdocs"

Include h5bp/ssl/ssl_engine.conf
Include h5bp/ssl/certificate_files.conf
Include h5bp/ssl/policy_intermediate.conf
Include h5bp/tls/ssl_engine.conf
Include h5bp/tls/certificate_files.conf
Include h5bp/tls/policy_balanced.conf

Include h5bp/rewrites/rewrite_nowww.conf

6 changes: 3 additions & 3 deletions vhosts/.000-default.conf
Expand Up @@ -10,7 +10,7 @@
# as the first loaded one.

<VirtualHost *:443>
Include h5bp/ssl/ssl_engine.conf
Include h5bp/ssl/certificate_files.conf
Include h5bp/ssl/policy_intermediate.conf
Include h5bp/tls/ssl_engine.conf
Include h5bp/tls/certificate_files.conf
Include h5bp/tls/policy_intermediate.conf
</VirtualHost>
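Review bot: The new side of this hunk still includes `h5bp/tls/policy_intermediate.conf`, while the test vhosts in the same commit switch to `h5bp/tls/policy_balanced.conf` and the policy header hunk retitles the profile from "Intermediate" to "Balanced", which suggests no policy_intermediate.conf exists under h5bp/tls/ after this change. If that is the case, Apache's `Include` directive fails at startup on a missing file, so the default 443 vhost would not load at all (a hard failure rather than a vhost silently running without a protocol/cipher policy). The line should read `Include h5bp/tls/policy_balanced.conf`; the vhosts/templates/example.com.conf hunk has the same stale path. The rename itself cannot be confirmed from this page because that section's file header is not shown.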
6 changes: 3 additions & 3 deletions vhosts/templates/example.com.conf
Expand Up @@ -17,9 +17,9 @@
# Path for static files
DocumentRoot "/var/www/example.com/public"

Include h5bp/ssl/ssl_engine.conf
Include h5bp/ssl/certificate_files.conf
Include h5bp/ssl/policy_intermediate.conf
Include h5bp/tls/ssl_engine.conf
Include h5bp/tls/certificate_files.conf
Include h5bp/tls/policy_intermediate.conf

# (1)
Include h5bp/rewrites/rewrite_nowww.conf
