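# /etc/apache2/conf.d/ssl-strength -- Disable weak SSL ciphers.
#
# ERB template. The @-variables are supplied by the caller (a Puppet manifest,
# by the look of it); every one of them is optional:
#   @tls_protocols        - explicit SSLProtocol tokens, either an array or one
#                           whitespace-separated string. When non-empty they are
#                           written out as given (after a syntax check) and the
#                           OS-based default below is skipped, so the caller
#                           owns the protocol policy.
#   @debian_major_version - decides whether TLS 1.3 is offered by default.
#   @force_TLS1_3         - offer TLS 1.3 regardless of the OS version.
#   @enable_RC4, @enable_3DES, @enable_RSA
#                         - re-admit the named cipher family. Each family is
#                           excluded unless its flag is truthy, so an unset
#                           (nil) flag is the secure default.
<%
  # Tokens mod_ssl's SSLProtocol understands, optionally prefixed with + or -.
  # Anything else makes Apache refuse the whole configuration at the next
  # reload, so reject it here instead of writing a broken file to disk.
  # (Apache still has the final say, e.g. it rejects "+SSLv2" outright.)
  valid_protocol = /\A[+-]?(all|SSLv2|SSLv3|TLSv1(?:\.[123])?)\z/i

  # STEP 1. Set the SSL/TLS protocols.
  # Accept an array of tokens or a single space-separated string; nil, an
  # empty array or an empty string all fall through to the OS-based default.
  ssl_protocols = Array(@tls_protocols).flat_map { |tok| tok.to_s.split }

  if ssl_protocols.empty?
    # Default policy: TLS 1.0 and TLS 1.1 are never offered. TLS 1.2 is
    # always offered; TLS 1.3 only where the OS OpenSSL is new enough
    # (Debian 10 "buster" and later) or when the caller forces it.
    # A nil @debian_major_version becomes 0 here, i.e. "too old for 1.3".
    ssl_protocols = ['+TLSv1.2']
    if @debian_major_version.to_i >= 10 || @force_TLS1_3
      ssl_protocols << '+TLSv1.3'
    end
  end

  unknown = ssl_protocols.reject { |tok| tok =~ valid_protocol }
  unless unknown.empty?
    raise "ssl-strength: unknown SSLProtocol token(s) #{unknown.inspect} in tls_protocols"
  end

  # Cannot happen after the defaulting above; kept as a cheap guard against
  # ever writing an empty "SSLProtocol" line.
  if ssl_protocols.empty?
    raise "ssl-strength: no SSL/TLS protocols selected"
  end

  # STEP 2. Cipher suites (this list governs TLS <= 1.2; on Apache >= 2.4.36
  # the TLS 1.3 suites live in a separate "SSLCipherSuite TLSv1.3 ..." list,
  # so confirm that for the Apache version in use).
  #   HIGH:MEDIUM - OpenSSL's strength classes. MEDIUM is what the RC4/3DES
  #                 knobs below re-admit, so it has to stay in the base list.
  #   !aNULL      - no unauthenticated key exchange at all. "!ADH" (which this
  #                 file used to say) covers only anonymous DH; the anonymous
  #                 ECDH suites (AECDH-*) sit in HIGH and would have stayed
  #                 enabled, and an anonymous suite allows a trivial active
  #                 man-in-the-middle.
  ssl_cipher_suites = ['HIGH', 'MEDIUM', '!aNULL']

  # RC4 is broken and 3DES is 112-bit; the "RSA" alias matches suites using
  # static RSA key exchange (TLS_RSA_WITH_*), which have no forward secrecy,
  # and leaves ECDHE-RSA / DHE-RSA alone. Each is excluded unless the caller
  # explicitly re-enables it.
  ssl_cipher_suites << '!RC4'  unless @enable_RC4
  ssl_cipher_suites << '!3DES' unless @enable_3DES
  ssl_cipher_suites << '!RSA'  unless @enable_RSA

  # NOTE(review): @STRENGTH orders purely by key length (256-bit CBC sorts
  # ahead of 128-bit GCM), and the server's order only wins if
  # "SSLHonorCipherOrder on" is set elsewhere in the Apache config - neither
  # is visible from this file.
-%>
SSLProtocol    <%= ssl_protocols.join(' ') %>
SSLCipherSuite <%= ssl_cipher_suites.join(':') %>:@STRENGTH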