upstream/certbot
1
0
Fork 0
mirror of https://github.com/certbot/certbot.git synced 2026-02-20 00:10:12 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
certbot/certbot-apache
History
ohemorange 5c30a180a2
Apache config update (#10443) 
Part of https://github.com/certbot/certbot/issues/10183

There are two changes made here:

1. Add `DHE-RSA-CHACHA20-POLY1305` to `SSLCipherSuite` list. Nice to
have for compliance reasons. See
https://github.com/mozilla/server-side-tls/issues/285 DHE ciphers in
general are the topic of
[some](https://github.com/mozilla/server-side-tls/issues/268)
[debate](https://github.com/mozilla/server-side-tls/issues/299) over on
the generator repo; my opinion is that certbot should match whatever
they currently recommend, and if they do decide to change it, we can
also update to match them again later.
2. Configure curves with `SSLOpenSSLConfCmd`. Needed for OpenSSL 3.0
support, so FFDH won't be used. This option requires apache `>=2.4.8`
but we already require `>=2.4.11` to use this conf file in the first
place, so that's fine. When the file in their repo was converted from
`.hbs` to `.js` the version requirement was changed to `>=2.4.11` but I
suspect that's a bug, and either way it's still fine. See
https://github.com/mozilla/ssl-config-generator/issues/270 and
https://github.com/mozilla/ssl-config-generator/pull/297

You can see a generated Apache config file here:
https://ssl-config.mozilla.org/#server=apache&version=2.4.60&config=intermediate&openssl=3.4.0&guideline=5.7

Originally, I had planned to switch `SSLProtocol` list to allowlist
format. It's a little nicer, though it did the same thing, technically,
and would let us match mozilla, who does this because it makes their
code cleaner. See
https://github.com/mozilla/ssl-config-generator/pull/286/. But TLSv1.3
is only
[supported](https://github.com/mozilla/ssl-config-generator/blob/master/src/js/configs.js#L12C5-L12C21)
in `apache >= 2.4.36`, so we on the other hand would have to include it
conditionally. Whereas despite `SSLv2` [not being
available](https://github.com/mozilla/ssl-config-generator/pull/286/files#diff-3d067ee1b10453909ca9c86397a6b235fcb961ed3ca1cfbdda4daa2cb4b30b97L41)
in `apache >= 2.3.16`, it still recognizes it just fine in a config.
We're always `>= 2.3.16` now so we could remove it proactively, I
suppose, in case apache stops recognizing it. I left it as-is here but
could change it.
2025-08-27 16:38:08 -07:00
..
src/certbot_apache Apache config update (#10443) 2025-08-27 16:38:08 -07:00
LICENSE.txt s/letsencrypt/certbot letsencrypt-apache 2016-04-13 16:30:57 -07:00
MANIFEST.in Add --use-pep517 flag to pip to silence warning in tools/venv.py, and switch codebase to src-layout (#10249) 2025-04-11 19:30:33 +00:00
pyproject.toml Set up released packages minus dns plugins to use pyproject.toml (#10417) 2025-08-15 08:33:16 -07:00
README.rst s/Let's Encrypt/Certbot certbot-apache 2016-04-13 16:36:53 -07:00
setup.py Set up released packages minus dns plugins to use pyproject.toml (#10417) 2025-08-15 08:33:16 -07:00

README.rst 

Apache plugin for Certbot