Cite Mozilla ssl-config in Apache/NGINX TLS configs (#8670) (#9295)

* Cite Mozilla ssl-config in Apache/nginx TLS configs (certbot#8670) * Update CHANGELOG * Add TLS config hashes to ALL_SSL_OPTIONS_HASHES * Update wording in CHANGELOG
2026-06-08 16:22:18 -04:00 · 2022-05-13 13:59:49 -04:00 · 2022-05-13 13:59:49 -04:00 · 5c111d0bd1
commit 5c111d0bd1
parent ec49b94acb
10 changed files with 14 additions and 7 deletions
--- a/AUTHORS.md
+++ b/AUTHORS.md
@ -18,6 +18,7 @@ Authors
 * [Alex Jordan](https://github.com/strugee)
 * [Alex Zorin](https://github.com/alexzorin)
 * [Amjad Mashaal](https://github.com/TheNavigat)
+* [amplifi](https://github.com/amplifi)
 * [Andrew Murray](https://github.com/radarhere)
 * [Andrzej Górski](https://github.com/andrzej3393)
 * [Anselm Levskaya](https://github.com/levskaya)
--- a/certbot-apache/certbot_apache/_internal/constants.py
+++ b/certbot-apache/certbot_apache/_internal/constants.py
@ -32,6 +32,8 @@ ALL_SSL_OPTIONS_HASHES: List[str] = [
    '5cc003edd93fb9cd03d40c7686495f8f058f485f75b5e764b789245a386e6daf',
    '007cd497a56a3bb8b6a2c1aeb4997789e7e38992f74e44cc5d13a625a738ac73',
    '34783b9e2210f5c4a23bced2dfd7ec289834716673354ed7c7abf69fe30192a3',
+    '61466bc2f98a623c02be8a5ee916ead1655b0ce883bdc936692076ea499ff5ce',
+    '3fd812e3e87fe5c645d3682a511b2a06c8286f19594f28e280f17cd6af1301b5',
 ]
 """SHA256 hashes of the contents of previous versions of all versions of MOD_SSL_CONF_SRC"""

--- a/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
+++ b/certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
@ -2,7 +2,7 @@
 # manually, Certbot will be unable to automatically provide future security
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
-# this file.
+# this file. Contents are based on https://ssl-config.mozilla.org

 SSLEngine on

--- a/certbot-apache/certbot_apache/_internal/tls_configs/old-options-ssl-apache.conf
+++ b/certbot-apache/certbot_apache/_internal/tls_configs/old-options-ssl-apache.conf
@ -2,7 +2,7 @@
 # manually, Certbot will be unable to automatically provide future security
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
-# this file.
+# this file. Contents are based on https://ssl-config.mozilla.org

 SSLEngine on

--- a/certbot-nginx/certbot_nginx/_internal/constants.py
+++ b/certbot-nginx/certbot_nginx/_internal/constants.py
@ -49,6 +49,10 @@ ALL_SSL_OPTIONS_HASHES = [
    'af85f6193808a44789a1d293e6cffa249cad9a21135940800958b8e3c72dbc69',
    'a2a612fd21b02abaa32d9d11ac63d987d6e3054dbfa356de5800eea0d7ce17f3',
    '2d9648302e3588a172c318e46bff88ade46fc7a16d6afc85322776a04800d473',
+    '5e21cc66989f26ec46116d979421e538131cf8ab33ffff3f682fbfe491b0ace8',
+    'f5615544105c4eee44f02a604e3e9ae55b3d5bad247160bb18731a0ac531af02',
+    '05a799c4db12f8e15e68219c98056824cbd5ae7b05863225318ae112f343880b',
+    'dc81acfd9670f137d5abbccfe3438d9306d4b6a906439b0fbf6a6756272e7cc7',
 ]
 """SHA256 hashes of the contents of all versions of MOD_SSL_CONF_SRC"""

--- a/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx-old.conf
+++ b/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx-old.conf
@ -2,7 +2,7 @@
 # manually, Certbot will be unable to automatically provide future security
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
-# this file.
+# this file. Contents are based on https://ssl-config.mozilla.org

 ssl_session_cache shared:le_nginx_SSL:10m;
 ssl_session_timeout 1440m;
--- a/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls12-only.conf
+++ b/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls12-only.conf
@ -2,7 +2,7 @@
 # manually, Certbot will be unable to automatically provide future security
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
-# this file.
+# this file. Contents are based on https://ssl-config.mozilla.org

 ssl_session_cache shared:le_nginx_SSL:10m;
 ssl_session_timeout 1440m;
--- a/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls13-session-tix-on.conf
+++ b/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls13-session-tix-on.conf
@ -2,7 +2,7 @@
 # manually, Certbot will be unable to automatically provide future security
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
-# this file.
+# this file. Contents are based on https://ssl-config.mozilla.org

 ssl_session_cache shared:le_nginx_SSL:10m;
 ssl_session_timeout 1440m;
--- a/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
+++ b/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
@ -2,7 +2,7 @@
 # manually, Certbot will be unable to automatically provide future security
 # updates. Instead, Certbot will print and log an error message with a path to
 # the up-to-date file that you will need to refer to when manually updating
-# this file.
+# this file. Contents are based on https://ssl-config.mozilla.org

 ssl_session_cache shared:le_nginx_SSL:10m;
 ssl_session_timeout 1440m;
--- a/certbot/CHANGELOG.md
+++ b/certbot/CHANGELOG.md
@ -6,7 +6,7 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).

 ### Added

-*
+* Updated Apache/NGINX TLS configs to document contents are based on ssl-config.mozilla.org

 ### Changed