certbot/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
Finish work on #4718. * Update in response to changes in #4720. * Update ALL_SSL_OPTIONS_HASHES. * Add warning to Apache's SSL options files. 2017-06-01 12:12:50 -04:00			`# This file contains important security parameters. If you modify this file`
			`# manually, Certbot will be unable to automatically provide future security`
			`# updates. Instead, Certbot will print and log an error message with a path to`
			`# the up-to-date file that you will need to refer to when manually updating`
Cite Mozilla ssl-config in Apache/NGINX TLS configs (#8670) (#9295) * Cite Mozilla ssl-config in Apache/nginx TLS configs (certbot#8670) * Update CHANGELOG * Add TLS config hashes to ALL_SSL_OPTIONS_HASHES * Update wording in CHANGELOG 2022-05-13 13:59:49 -04:00			`# this file. Contents are based on https://ssl-config.mozilla.org`
Added READMEs for SNI Challenge, renamed variables, added options-ssl-conf 2012-06-28 22:15:17 -04:00
Fixed issues with running multiple vhosts separately with upgrade from http vhost to https 2012-12-01 19:32:06 -05:00			`SSLEngine on`
update options-ssl.conf 2014-11-18 15:00:14 -05:00
			`# Intermediate configuration, tweak to your needs`
Disable old SSL versions and ciphersuites to follow Mozilla recommendations in Apache (#7712) Part of #7204. Makes the smaller changes described at https://github.com/certbot/certbot/issues/7204#issuecomment-571838185 to disable many old ciphersuites and TLS versions < 1.2. Does not add checks for OpenSSL version or modify session tickets. Since Apache uses TLS protocol blacklisting instead of whitelisting (as in NGINX), we additionally may not need to determine if the server supports TLS1.3 and turn it on or off based on Apache version. * Update SSL versions and ciphersuites based on Mozilla intermediate recommendations for apache * Update constants with hashes of new config files * Update changelog 2020-01-24 16:37:42 -05:00			`SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`
			`SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384`
			`SSLHonorCipherOrder off`
Disable TLS session tickets in Apache (#7771) Fixes #7350. This PR changes the parsed modules from a `set` to a `dict`, with the filepath argument as the value. Accordingly, after calling `enable_mod` to enable `ssl_module`, modules now need to be re-parsed, so call `reset_modules`. * Add mechanism for selecting apache config file, based on work done in #7191. * Check OpenSSL version * Remove os imports * debian override still needs os * Reformat remaining apache tests with modules dict syntax * Clean up more apache tests * Switch from property to method for openssl and add tests for coverage. * Sometimes the dict location will be None in which case we should in fact return None * warn thoroughly and consistently in openssl_version function * update tests for new warnings * read file as bytes, and factor out the open for testing * normalize ssl_module_location path to account for being relative to server root * Use byte literals in a python 2 and 3 compatible way * string does need to be a literal * patch builtins open * add debug, remove space * Add test to check if OpenSSL detection is working on different systems * fix relative test location for cwd * put </IfModule> on its own line in test case * Revert test file to status in master. * Call augeas load before reparsing modules to pick up the changes * fix grep, tail, and mod_ssl location on centos * strip the trailing whitespace from fedora * just use LooseVersion in test * call apache2ctl on debian systems * Use sudo for apache2ctl command * add check to make sure we're getting a version * Add boolean so we don't warn on debian/ubuntu before trying to enable mod_ssl * Reduce warnings while testing by setting mock _openssl_version. * Make sure we're not throwing away any unwritten changes to the config * test last warning case for coverage * text changes for clarity 2020-03-23 19:49:52 -04:00			`SSLSessionTickets off`
update options-ssl.conf 2014-11-18 15:00:14 -05:00
Added READMEs for SNI Challenge, renamed variables, added options-ssl-conf 2012-06-28 22:15:17 -04:00			`SSLOptions +StrictRequire`

			`# Add vhost name to log entries:`
			`LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined`
			`LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common`