author | Daniel Hansson <github@hanssonit.se> | 2020-10-17 00:22:34 +0300 |
committer | GitHub <noreply@github.com> | 2020-10-17 00:22:34 +0300 |
commit | a75e64897e6b6bce734174ee93bd1d68ee10ae77 (patch) | |
tree | 48c6e07b5cfdc972cd91a5fa8073a47d1985f85a /apps/tmbitwarden.sh | |
parent | 16b472f95a7f5ec227ea2c7e6468aadf522c7341 (diff) |
TLS1.3 and improvements (#1578)
Signed-off-by: enoch85 <github@hanssonit.se>
Diffstat (limited to 'apps/tmbitwarden.sh')
-rw-r--r-- | apps/tmbitwarden.sh | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/apps/tmbitwarden.sh b/apps/tmbitwarden.sh
index b6824a09..a0cfb7e3 100644
--- a/apps/tmbitwarden.sh
+++ b/apps/tmbitwarden.sh
@@ -235,6 +235,12 @@ a2enmod ssl
 a2enmod headers
 a2enmod remoteip
+# Only add TLS 1.3 on Ubuntu later than 20.04
+if version 20.04 "$DISTRO" 20.04.10
+then
+ TLS13="+TLSv1.3"
+fi
+
 if [ -f "$HTTPS_CONF" ]
 then
 a2dissite "$SUBDOMAIN.conf"
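Review bot: The comment on the new block says "later than 20.04", but `version 20.04 "$DISTRO" 20.04.10` (assuming that helper is the inclusive range check its arguments suggest) only matches 20.04.x, so any newer Ubuntu release would silently fall back to a TLS 1.2-only vhost with no warning. TLS13 is also never initialised on the fall-through path, so the later `SSLProtocol -all +TLSv1.2 $TLS13` line relies on the variable being unset or empty; that works today but would abort if the script ever runs under `set -u`, and it inherits whatever value an environment variable of that name happens to carry. I would initialise it explicitly and widen the upper bound: `TLS13=""` before the `if`, `if version 20.04 "$DISTRO" 99.04.10`, and the comment reworded to `# Enable TLS 1.3 on Ubuntu 20.04 and newer; older releases only get TLS 1.2`. The `if [ -f "$HTTPS_CONF" ]` block that follows continues past the end of this hunk.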
@@ -246,19 +252,25 @@ then
 cat << HTTPS_CREATE > "$HTTPS_CONF"
 <VirtualHost *:443>
 ServerName $SUBDOMAIN:443
- SSLEngine on
- ServerSignature On
- SSLHonorCipherOrder on
 SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem
 SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem
 SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem
 SSLOpenSSLConfCmd DHParameters $DHPARAMS_SUB
- SSLProtocol TLSv1.2
- SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+ # Intermediate configuration
+ SSLEngine on
+ SSLCompression off
+ SSLProtocol -all +TLSv1.2 $TLS13
+ SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ SSLHonorCipherOrder off
+ SSLSessionTickets off
+ ServerSignature off
+
+ # Logs
 LogLevel warn
 CustomLog ${APACHE_LOG_DIR}/access.log combined
 ErrorLog ${APACHE_LOG_DIR}/error.log
+ # Just in case - see below
 SSLProxyEngine On
 SSLProxyVerify None |