From eab79ceedff48a68a9e53c1a1be5a37def9d45dd Mon Sep 17 00:00:00 2001
From: Thomas Bellman <bellman@nsc.liu.se>
Date: Wed, 18 Mar 2020 10:27:14 +0100
Subject: [PATCH] mod_ssl: Default to not support known bad modes.

All the SSL versions, as well as TLS 1.0 and 1.1, are known to have
security problems.  Default to not use them when enabling mod_ssl.
Likewise, by default don't support low encryption cipher suites.

Unfortunately, what is considered secure changes with time, and in
particular the cipher suites we have selected are likely to become
outdated quickly.  Oh well, users can always override...
---
 manifests/mod_ssl.pp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/manifests/mod_ssl.pp b/manifests/mod_ssl.pp
index 73a6509..d7a0bb5 100644
--- a/manifests/mod_ssl.pp
+++ b/manifests/mod_ssl.pp
@@ -21,8 +21,13 @@ class apache::mod_ssl($options={}, $directives=[])
 	'SSLRandomSeed startup'	 => 'file:/dev/urandom 256',
 	'SSLRandomSeed connect'	 => 'builtin',
 	'SSLCryptoDevice'	 => 'builtin',
-	# Both SSLv2 and SSLv3 are broken, security-wise
-	'SSLProtocol'		 => 'all -SSLv2 -SSLv3',
+	# Both SSLv2 and SSLv3 are broken, security-wise.  TLS 1 and 1.1
+	# also have security problems
+	'SSLProtocol'		 => 'all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1',
+	# Default to only use reasonably secure ciphersuite.
+	# (But this list is likely to become obosolete in the future...)
+	'SSLCipherSuite' => 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH',
+	'SSLHonorCipherOrder' => 'on',
     }
     package {
 	'mod_ssl':
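Review bot: The new `SSLCipherSuite` value does not quite match its comment "only use reasonably secure ciphersuite": the last two groups, `AES256+EECDH:AES256+EDH`, also admit the non-AEAD CBC suites with an HMAC-SHA1 MAC as I read OpenSSL's cipher-string grammar, so a client that skips the GCM suites is still offered those; if AEAD-only was the intent, the comment should say why the CBC fallbacks are kept, or the groups should be dropped. The comment on the line above also has a typo, `obosolete`, and could state explicitly that this is a default that callers override through the class parameters, e.g. `# Default ciphersuite list (override via $options); this list will need periodic review.`. As a point of style, the two added keys use a single space before `=>` while the surrounding entries are tab-aligned. The enclosing class `apache::mod_ssl` and the hash literal both begin before this hunk, so the override/merge behaviour cannot be confirmed from here.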
-- 
GitLab