Refresh cipher suites and protocols

The last update was 2016, and it's time to drop TLSv1 and TLSv1.1 as the base configuration recommended by Mozilla. https://wiki.mozilla.org/Security/Server_Side_TLS This is equivalent to a charm-helper's change: 27d6ceb385 Change-Id: Ic7c3751d5cfce33517072bfca865e03f6f84f423 Closes-Bug: #1886630
2020-08-24 11:34:48 +09:00 · 2020-08-24 11:34:48 +09:00 · 0a24820971
parent 8f80afe8c3
commit 0a24820971
1 changed files with 8 additions and 2 deletions
--- a/templates/openstack_https_frontend.conf
+++ b/templates/openstack_https_frontend.conf
@ -6,8 +6,14 @@ Listen {{ ext_port }}
 <VirtualHost {{ address }}:{{ ext }}>
    ServerName {{ endpoint }}
    SSLEngine on
-    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
-    SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!EXP:!LOW:!MEDIUM
+
+    # This section is based on Mozilla's recommendation
+    # as the "intermediate" profile as of July 7th, 2020.
+    # https://wiki.mozilla.org/Security/Server_Side_TLS
+    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    SSLHonorCipherOrder off
+
    SSLCertificateFile /etc/apache2/ssl/{{ options.service_name }}/cert_{{ endpoint }}
    SSLCertificateKeyFile /etc/apache2/ssl/{{ options.service_name }}/key_{{ endpoint }}
    ProxyPass / http://localhost:{{ int }}/