diff options
author | Brad Warren <bmw@users.noreply.github.com> | 2019-08-09 02:36:45 +0300 |
---|---|---|
committer | ohemorange <ebportnoy@gmail.com> | 2019-08-09 02:36:45 +0300 |
commit | e21401004b9a57c5c721ee0b914a73b39e6e4a42 (patch) | |
tree | 374026d79f587eece4c4979fa6091037b17fb105 | |
parent | 987ce2c6b29d30d898e8032f3f19d174adbd4c48 (diff) |
Revert disabling TLS session tickets in Apache (#7315) (#7316)
See https://community.letsencrypt.org/t/ssl-error-after-cert-renew/99430.
The first commit of this PR is a simple, clean revert of #7191. Subsequent commits add back pieces of that PR we want to keep.
I also reverted #7299 which landed in a separate PR, but needs to be reverted to keep including the TLS config files in the certbot-apache package when it is built.
I tested this on Ubuntu 18.04 by installing a cert to Apache using Certbot master and then running certbot renew with this branch. I watched the Apache plugin update the configuration file to remove SSLSessionTickets off.
* Revert "Disable TLS session tickets for Apache 2.4.11+ (#7191)"
This reverts commit 9174c631d9965834f263ea7ff842d8d2087f47c7.
* Keep hashes with TLS session tickets disabled.
* dont delete changelog entries
* add changelog entry
* Revert "Clean the useless entries in MANIFEST.in (#7299)"
This reverts commit f4d17d9a6b0f2ba997cdc8da75dd60c1bbf5ebf1.
(cherry picked from commit 120137eb8dc0640cc4bd8c66e710415bf9b164c2)
17 files changed, 63 insertions, 108 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 4e0533bae..a52ee7585 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,15 @@ Certbot adheres to [Semantic Versioning](https://semver.org/). +## 0.37.1 - master + +### Fixed + +* Stop disabling TLS session tickets in Apache as it caused TLS failures on + some systems. + +More details about these changes can be found on our GitHub repo. + ## 0.37.0 - 2019-08-07 ### Added diff --git a/certbot-apache/MANIFEST.in b/certbot-apache/MANIFEST.in index c1f79fcc7..3e594a953 100644 --- a/certbot-apache/MANIFEST.in +++ b/certbot-apache/MANIFEST.in @@ -2,5 +2,6 @@ include LICENSE.txt include README.rst recursive-include docs * recursive-include certbot_apache/tests/testdata * +include certbot_apache/centos-options-ssl-apache.conf +include certbot_apache/options-ssl-apache.conf recursive-include certbot_apache/augeas_lens *.aug -recursive-include certbot_apache/tls_configs *.conf diff --git a/certbot-apache/certbot_apache/apache_util.py b/certbot-apache/certbot_apache/apache_util.py index f338c0407..7a2ecf49b 100644 --- a/certbot-apache/certbot_apache/apache_util.py +++ b/certbot-apache/certbot_apache/apache_util.py @@ -1,8 +1,6 @@ """ Utility functions for certbot-apache plugin """ import binascii -import pkg_resources - from certbot import util from certbot.compat import os @@ -107,15 +105,3 @@ def parse_define_file(filepath, varname): def unique_id(): """ Returns an unique id to be used as a VirtualHost identifier""" return binascii.hexlify(os.urandom(16)).decode("utf-8") - - -def find_ssl_apache_conf(prefix): - """ - Find a TLS Apache config file in the dedicated storage. - :param str prefix: prefix of the TLS Apache config file to find - :return: the path the TLS Apache config file - :rtype: str - """ - return pkg_resources.resource_filename( - "certbot_apache", - os.path.join("tls_configs", "{0}-options-ssl-apache.conf".format(prefix))) diff --git a/certbot-apache/certbot_apache/tls_configs/centos-current-options-ssl-apache.conf b/certbot-apache/certbot_apache/centos-options-ssl-apache.conf index 2d99f6219..56c946a4e 100644 --- a/certbot-apache/certbot_apache/tls_configs/centos-current-options-ssl-apache.conf +++ b/certbot-apache/certbot_apache/centos-options-ssl-apache.conf @@ -10,10 +10,16 @@ SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS SSLHonorCipherOrder on -SSLSessionTickets off SSLOptions +StrictRequire # Add vhost name to log entries: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common + +#CustomLog /var/log/apache2/access.log vhost_combined +#LogLevel warn +#ErrorLog /var/log/apache2/error.log + +# Always ensure Cookies have "Secure" set (JAH 2012/1) +#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4" diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index ecc7c83ab..f7c27bf76 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py @@ -9,6 +9,7 @@ import time from collections import defaultdict +import pkg_resources import six import zope.component @@ -109,24 +110,14 @@ class ApacheConfigurator(common.Installer): handle_modules=False, handle_sites=False, challenge_location="/etc/apache2", + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( + "certbot_apache", "options-ssl-apache.conf") ) def option(self, key): """Get a value from options""" return self.options.get(key) - def pick_apache_config(self): - """ - Pick the appropriate TLS Apache configuration file for current version of Apache and OS. - :return: the path to the TLS Apache configuration file to use - :rtype: str - """ - # Disabling TLS session tickets is supported by Apache 2.4.11+. - # So for old versions of Apache we pick a configuration without this option. - if self.version < (2, 4, 11): - return apache_util.find_ssl_apache_conf("old") - return apache_util.find_ssl_apache_conf("current") - def _prepare_options(self): """ Set the values possibly changed by command line parameters to @@ -2348,9 +2339,8 @@ class ApacheConfigurator(common.Installer): # XXX if we ever try to enforce a local privilege boundary (eg, running # certbot for unprivileged users via setuid), this function will need # to be modified. - apache_config_path = self.pick_apache_config() - return common.install_version_controlled_file( - options_ssl, options_ssl_digest, apache_config_path, constants.ALL_SSL_OPTIONS_HASHES) + return common.install_version_controlled_file(options_ssl, options_ssl_digest, + self.option("MOD_SSL_CONF_SRC"), constants.ALL_SSL_OPTIONS_HASHES) def enable_autohsts(self, _unused_lineage, domains): """ diff --git a/certbot-apache/certbot_apache/tls_configs/current-options-ssl-apache.conf b/certbot-apache/certbot_apache/options-ssl-apache.conf index c32e83148..8113ee81e 100644 --- a/certbot-apache/certbot_apache/tls_configs/current-options-ssl-apache.conf +++ b/certbot-apache/certbot_apache/options-ssl-apache.conf @@ -11,10 +11,16 @@ SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS SSLHonorCipherOrder on SSLCompression off -SSLSessionTickets off SSLOptions +StrictRequire # Add vhost name to log entries: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common + +#CustomLog /var/log/apache2/access.log vhost_combined +#LogLevel warn +#ErrorLog /var/log/apache2/error.log + +# Always ensure Cookies have "Secure" set (JAH 2012/1) +#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4" diff --git a/certbot-apache/certbot_apache/override_arch.py b/certbot-apache/certbot_apache/override_arch.py index 02891548d..c5620e9f9 100644 --- a/certbot-apache/certbot_apache/override_arch.py +++ b/certbot-apache/certbot_apache/override_arch.py @@ -1,4 +1,6 @@ """ Distribution specific override class for Arch Linux """ +import pkg_resources + import zope.interface from certbot import interfaces @@ -24,4 +26,6 @@ class ArchConfigurator(configurator.ApacheConfigurator): handle_modules=False, handle_sites=False, challenge_location="/etc/httpd/conf", + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( + "certbot_apache", "options-ssl-apache.conf") ) diff --git a/certbot-apache/certbot_apache/override_centos.py b/certbot-apache/certbot_apache/override_centos.py index d4a7d7137..7c7492dbf 100644 --- a/certbot-apache/certbot_apache/override_centos.py +++ b/certbot-apache/certbot_apache/override_centos.py @@ -1,6 +1,7 @@ """ Distribution specific override class for CentOS family (RHEL, Fedora) """ import logging +import pkg_resources import zope.interface from certbot import errors @@ -38,6 +39,8 @@ class CentOSConfigurator(configurator.ApacheConfigurator): handle_modules=False, handle_sites=False, challenge_location="/etc/httpd/conf.d", + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( + "certbot_apache", "centos-options-ssl-apache.conf") ) def config_test(self): @@ -72,18 +75,6 @@ class CentOSConfigurator(configurator.ApacheConfigurator): # Finish with actual config check to see if systemctl restart helped super(CentOSConfigurator, self).config_test() - def pick_apache_config(self): - """ - Pick the appropriate TLS Apache configuration file for current version of Apache and OS. - :return: the path to the TLS Apache configuration file to use - :rtype: str - """ - # Disabling TLS session tickets is supported by Apache 2.4.11+. - # So for old versions of Apache we pick a configuration without this option. - if self.version < (2, 4, 11): - return apache_util.find_ssl_apache_conf("centos-old") - return apache_util.find_ssl_apache_conf("centos-current") - def _prepare_options(self): """ Override the options dictionary initialization in order to support diff --git a/certbot-apache/certbot_apache/override_darwin.py b/certbot-apache/certbot_apache/override_darwin.py index e825b66b8..4e2a6acac 100644 --- a/certbot-apache/certbot_apache/override_darwin.py +++ b/certbot-apache/certbot_apache/override_darwin.py @@ -1,4 +1,6 @@ """ Distribution specific override class for macOS """ +import pkg_resources + import zope.interface from certbot import interfaces @@ -24,4 +26,6 @@ class DarwinConfigurator(configurator.ApacheConfigurator): handle_modules=False, handle_sites=False, challenge_location="/etc/apache2/other", + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( + "certbot_apache", "options-ssl-apache.conf") ) diff --git a/certbot-apache/certbot_apache/override_debian.py b/certbot-apache/certbot_apache/override_debian.py index 1fc32670b..58492bd01 100644 --- a/certbot-apache/certbot_apache/override_debian.py +++ b/certbot-apache/certbot_apache/override_debian.py @@ -1,6 +1,7 @@ """ Distribution specific override class for Debian family (Ubuntu/Debian) """ import logging +import pkg_resources import zope.interface from certbot import errors @@ -34,6 +35,8 @@ class DebianConfigurator(configurator.ApacheConfigurator): handle_modules=True, handle_sites=True, challenge_location="/etc/apache2", + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( + "certbot_apache", "options-ssl-apache.conf") ) def enable_site(self, vhost): diff --git a/certbot-apache/certbot_apache/override_fedora.py b/certbot-apache/certbot_apache/override_fedora.py index 77f31efe8..786ada0fc 100644 --- a/certbot-apache/certbot_apache/override_fedora.py +++ b/certbot-apache/certbot_apache/override_fedora.py @@ -1,4 +1,5 @@ """ Distribution specific override class for Fedora 29+ """ +import pkg_resources import zope.interface from certbot import errors @@ -30,6 +31,9 @@ class FedoraConfigurator(configurator.ApacheConfigurator): handle_modules=False, handle_sites=False, challenge_location="/etc/httpd/conf.d", + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( + # TODO: eventually newest version of Fedora will need their own config + "certbot_apache", "centos-options-ssl-apache.conf") ) def config_test(self): diff --git a/certbot-apache/certbot_apache/override_gentoo.py b/certbot-apache/certbot_apache/override_gentoo.py index 6fa033857..c358a10fa 100644 --- a/certbot-apache/certbot_apache/override_gentoo.py +++ b/certbot-apache/certbot_apache/override_gentoo.py @@ -1,4 +1,6 @@ """ Distribution specific override class for Gentoo Linux """ +import pkg_resources + import zope.interface from certbot import interfaces @@ -27,6 +29,8 @@ class GentooConfigurator(configurator.ApacheConfigurator): handle_modules=False, handle_sites=False, challenge_location="/etc/apache2/vhosts.d", + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( + "certbot_apache", "options-ssl-apache.conf") ) def _prepare_options(self): diff --git a/certbot-apache/certbot_apache/override_suse.py b/certbot-apache/certbot_apache/override_suse.py index 4baa57497..3d0043afe 100644 --- a/certbot-apache/certbot_apache/override_suse.py +++ b/certbot-apache/certbot_apache/override_suse.py @@ -1,4 +1,6 @@ """ Distribution specific override class for OpenSUSE """ +import pkg_resources + import zope.interface from certbot import interfaces @@ -24,4 +26,6 @@ class OpenSUSEConfigurator(configurator.ApacheConfigurator): handle_modules=False, handle_sites=False, challenge_location="/etc/apache2/vhosts.d", + MOD_SSL_CONF_SRC=pkg_resources.resource_filename( + "certbot_apache", "options-ssl-apache.conf") ) diff --git a/certbot-apache/certbot_apache/tests/centos_test.py b/certbot-apache/certbot_apache/tests/centos_test.py index 5c8cff3b3..dddbf489e 100644 --- a/certbot-apache/certbot_apache/tests/centos_test.py +++ b/certbot-apache/certbot_apache/tests/centos_test.py @@ -190,13 +190,6 @@ class MultipleVhostsTestCentOS(util.ApacheTest): errors.SubprocessError] self.assertRaises(errors.MisconfigurationError, self.config.restart) - def test_pick_correct_tls_config(self): - self.config.version = (2, 4, 10) - self.assertTrue('centos-old' in self.config.pick_apache_config()) - - self.config.version = (2, 4, 11) - self.assertTrue('centos-current' in self.config.pick_apache_config()) - if __name__ == "__main__": unittest.main() # pragma: no cover diff --git a/certbot-apache/certbot_apache/tests/configurator_test.py b/certbot-apache/certbot_apache/tests/configurator_test.py index 2bc2271a1..1eafae982 100644 --- a/certbot-apache/certbot_apache/tests/configurator_test.py +++ b/certbot-apache/certbot_apache/tests/configurator_test.py @@ -1706,7 +1706,7 @@ class InstallSslOptionsConfTest(util.ApacheTest): self.config.updated_mod_ssl_conf_digest) def _current_ssl_options_hash(self): - return crypto_util.sha256sum(self.config.pick_apache_config()) + return crypto_util.sha256sum(self.config.option("MOD_SSL_CONF_SRC")) def _assert_current_file(self): self.assertTrue(os.path.isfile(self.config.mod_ssl_conf)) @@ -1742,7 +1742,7 @@ class InstallSslOptionsConfTest(util.ApacheTest): self.assertFalse(mock_logger.warning.called) self.assertTrue(os.path.isfile(self.config.mod_ssl_conf)) self.assertEqual(crypto_util.sha256sum( - self.config.pick_apache_config()), + self.config.option("MOD_SSL_CONF_SRC")), self._current_ssl_options_hash()) self.assertNotEqual(crypto_util.sha256sum(self.config.mod_ssl_conf), self._current_ssl_options_hash()) @@ -1758,31 +1758,18 @@ class InstallSslOptionsConfTest(util.ApacheTest): "%s has been manually modified; updated file " "saved to %s. We recommend updating %s for security purposes.") self.assertEqual(crypto_util.sha256sum( - self.config.pick_apache_config()), + self.config.option("MOD_SSL_CONF_SRC")), self._current_ssl_options_hash()) # only print warning once with mock.patch("certbot.plugins.common.logger") as mock_logger: self._call() self.assertFalse(mock_logger.warning.called) - def test_ssl_config_files_hash_in_all_hashes(self): - """ - It is really critical that all TLS Apache config files have their SHA256 hash registered in - constants.ALL_SSL_OPTIONS_HASHES. Otherwise Certbot will mistakenly assume that the config - file has been manually edited by the user, and will refuse to update it. - This test ensures that all necessary hashes are present. - """ + def test_current_file_hash_in_all_hashes(self): from certbot_apache.constants import ALL_SSL_OPTIONS_HASHES - import pkg_resources - tls_configs_dir = pkg_resources.resource_filename("certbot_apache", "tls_configs") - all_files = [os.path.join(tls_configs_dir, name) for name in os.listdir(tls_configs_dir) - if name.endswith('options-ssl-apache.conf')] - self.assertTrue(all_files) - for one_file in all_files: - file_hash = crypto_util.sha256sum(one_file) - self.assertTrue(file_hash in ALL_SSL_OPTIONS_HASHES, - "Constants.ALL_SSL_OPTIONS_HASHES must be appended with the sha256 " - "hash of {0} when it is updated.".format(one_file)) + self.assertTrue(self._current_ssl_options_hash() in ALL_SSL_OPTIONS_HASHES, + "Constants.ALL_SSL_OPTIONS_HASHES must be appended" + " with the sha256 hash of self.config.mod_ssl_conf when it is updated.") if __name__ == "__main__": diff --git a/certbot-apache/certbot_apache/tls_configs/centos-old-options-ssl-apache.conf b/certbot-apache/certbot_apache/tls_configs/centos-old-options-ssl-apache.conf deleted file mode 100644 index 277c8954a..000000000 --- a/certbot-apache/certbot_apache/tls_configs/centos-old-options-ssl-apache.conf +++ /dev/null @@ -1,18 +0,0 @@ -# This file contains important security parameters. If you modify this file -# manually, Certbot will be unable to automatically provide future security -# updates. Instead, Certbot will print and log an error message with a path to -# the up-to-date file that you will need to refer to when manually updating -# this file. - -SSLEngine on - -# Intermediate configuration, tweak to your needs -SSLProtocol all -SSLv2 -SSLv3 -SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS -SSLHonorCipherOrder on - -SSLOptions +StrictRequire - -# Add vhost name to log entries: -LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined -LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common diff --git a/certbot-apache/certbot_apache/tls_configs/old-options-ssl-apache.conf b/certbot-apache/certbot_apache/tls_configs/old-options-ssl-apache.conf deleted file mode 100644 index cd7c9bc4b..000000000 --- a/certbot-apache/certbot_apache/tls_configs/old-options-ssl-apache.conf +++ /dev/null @@ -1,19 +0,0 @@ -# This file contains important security parameters. If you modify this file -# manually, Certbot will be unable to automatically provide future security -# updates. Instead, Certbot will print and log an error message with a path to -# the up-to-date file that you will need to refer to when manually updating -# this file. - -SSLEngine on - -# Intermediate configuration, tweak to your needs -SSLProtocol all -SSLv2 -SSLv3 -SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS -SSLHonorCipherOrder on -SSLCompression off - -SSLOptions +StrictRequire - -# Add vhost name to log entries: -LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined -LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common |