diff --git a/manifests/mod_ssl.pp b/manifests/mod_ssl.pp
index 73a6509966fffa014953ba5b777cb240180ad684..d7a0bb5ed850b4b1491df1a4169b2a30f55b10c9 100644
--- a/manifests/mod_ssl.pp
+++ b/manifests/mod_ssl.pp
@@ -21,8 +21,13 @@ class apache::mod_ssl($options={}, $directives=[])
 'SSLRandomSeed startup' => 'file:/dev/urandom 256',
 'SSLRandomSeed connect' => 'builtin',
 'SSLCryptoDevice' => 'builtin',
-# Both SSLv2 and SSLv3 are broken, security-wise
-'SSLProtocol' => 'all -SSLv2 -SSLv3',
+# Both SSLv2 and SSLv3 are broken, security-wise. TLS 1 and 1.1
+# also have security problems
+'SSLProtocol' => 'all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1',
+# Default to only use reasonably secure ciphersuite.
+# (But this list is likely to become obosolete in the future...)
+'SSLCipherSuite' => 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH',
+'SSLHonorCipherOrder' => 'on',
 }
 package { 'mod_ssl':
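Review bot: The new `SSLCipherSuite` value still admits CBC-mode suites with SHA-1 MACs through its `AES256+EECDH:AES256+EDH` tail, and the `EDH` entries are only as strong as the server's DH parameters, which on older Apache/OpenSSL builds default to 1024 bits; consider `'SSLCipherSuite' => 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!MD5:!SHA1',` and a comment that DH parameters must be supplied for the DHE suites to be worth keeping. On Apache builds with TLS 1.3 support this directive likely does not govern the TLS 1.3 suites (Apache uses a separate `SSLCipherSuite TLSv1.3 ...` form), so the comment above it should say the list only constrains TLS 1.2 and below. Since these appear to be module defaults merged with `$options`, dropping TLS 1.0/1.1 is a client-compatibility change that deserves a sentence in the comment or changelog, and `obosolete` in the new comment is a typo. The hash these entries belong to, and the class itself, start before the hunk.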