From: Michael Tremer Date: Wed, 28 Feb 2018 11:55:35 +0000 (+0000) Subject: apache: Require TLSv1.2 for access to the web user interface X-Git-Tag: v2.19-core120~61 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=63b515dc260f2da9bd413fea254d2e5b634c793a;p=people%2Fstevee%2Fipfire-2.x.git apache: Require TLSv1.2 for access to the web user interface This will work fine for FF 27 or newer, Chrome 30 or newer, IE 11 on Windows 7 or newer, Opera 17 or newer, Safari 9 or newer, Android 5.0 or newer and Java 8 or newer Since IPFire is not supposed to host any other applications and all have been removed in the last few Core Updates, only the web user interface is served over HTTPS here. We clearly prefer security over compatibility. Signed-off-by: Michael Tremer --- diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf index e51eb266c8..63e77021b6 100644 --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf @@ -10,7 +10,7 @@ TransferLog /var/log/httpd/access_log SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 SSLHonorCipherOrder on SSLCompression off
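Review bot: The new `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` line in config/httpd/vhosts.d/ipfire-interface-ssl.conf expresses "Require TLSv1.2" as a deny-list, so the set of enabled protocols depends on what `all` expands to in the httpd and OpenSSL build that is shipped: any protocol version that `all` gains later is switched on without a change to this file. If the intent is exactly what the subject line says, an allow-list such as `SSLProtocol -all +TLSv1.2` states it directly; if newer versions are meant to be picked up automatically, the commit message should say so. The line also drops the previous `-SSLv2` without comment; a sentence confirming that the shipped httpd can no longer negotiate SSLv2 would make that removal reviewable.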