| author | Patrick Uiterwijk <puiterwijk@redhat.com> | 2016-08-30 19:36:53 +0000 |
|---|---|---|
| committer | Patrick Uiterwijk <puiterwijk@redhat.com> | 2016-08-31 19:28:26 +0000 |
| commit | f1dd7a74327b5c9a22e159b0fa5a4de815303864 (patch) | |
| tree | d3b103f11ba13961a4eb2d5ec7bbb0c7daa3b5c0 /roles/httpd | |
| parent | 215c38198e4a7a70b3ef4c7935e16e5a61ee2fef (diff) | |
Unify all ssl cipher suite configurations
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Diffstat (limited to 'roles/httpd')
| -rw-r--r-- | roles/httpd/templates/website.conf.j2 | 4 | ||||
| -rw-r--r-- | roles/httpd/website/templates/website.conf | 4 |
2 files changed, 4 insertions, 4 deletions
diff --git a/roles/httpd/templates/website.conf.j2 b/roles/httpd/templates/website.conf.j2
index 466b2b0d1..f22546dbe 100644
--- a/roles/httpd/templates/website.conf.j2
+++ b/roles/httpd/templates/website.conf.j2
@@ -42,8 +42,8 @@
 # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
 # If you change the protocols or cipher suites, you should probably update
 # modules/squid/files/squid.conf-el6 too, to keep it in sync.
- SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
- SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+ SSLProtocol {{ ssl_protocols }}
+ SSLCipherSuite {{ ssl_ciphers }}
 Include "conf.d/{{ name }}/*.conf"
 </VirtualHost>
diff --git a/roles/httpd/website/templates/website.conf b/roles/httpd/website/templates/website.conf
index e45e805c2..654745225 100644
--- a/roles/httpd/website/templates/website.conf
+++ b/roles/httpd/website/templates/website.conf
@@ -42,8 +42,8 @@
 # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
 # If you change the protocols or cipher suites, you should probably update
 # modules/squid/files/squid.conf-el6 too, to keep it in sync.
- SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
- SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+ SSLProtocol {{ ssl_protocols }}
+ SSLCipherSuite {{ ssl_ciphers }}
 {% if sslonly %}
 Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" |
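Review bot: The context comment kept directly above the two changed directives is now stale in both roles/httpd/templates/website.conf.j2 and roles/httpd/website/templates/website.conf: it still tells maintainers to edit the protocols and cipher suites here and mirror them by hand in modules/squid/files/squid.conf-el6, while the values now come from `{{ ssl_protocols }}` and `{{ ssl_ciphers }}`. I would replace its last two lines with something like `# Protocols and cipher suites come from the ssl_protocols / ssl_ciphers variables; change them there, not in this template.` The definitions of those variables are outside this diff (the diffstat is limited to roles/httpd), so the effective TLS policy, including whether TLSv1 and TLSv1.1 remain enabled, can no longer be reviewed from the template alone. Neither template supplies a default, so it is worth confirming that both variables are defined for every host that renders these files, and checking whether the squid configuration reads the same variables; if it does not, the sync warning should stay and name the variables instead.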
