iankelling.org
/
git
/
basic-https-conf
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (parent:
1a4204b
)
update ciphers from upstream, small changes
author
Ian Kelling
<iank@fsf.org>
Sat, 12 May 2018 18:41:47 +0000
(14:41 -0400)
committer
Ian Kelling
<iank@fsf.org>
Sat, 12 May 2018 18:41:47 +0000
(14:41 -0400)
web-conf
patch
|
blob
|
history
diff --git
a/web-conf
b/web-conf
index 61b735be95269f415e84e152d4ae86df49120e22..274f1eb91191274651dd6acacaec6a43a53ef74f 100755
(executable)
--- a/
web-conf
+++ b/
web-conf
@@
-115,12
+115,13
@@
fi
if $ssl; then
f=$cert_dir/fullchain.pem
if $ssl; then
f=$cert_dir/fullchain.pem
- if [[ ! -e $f ]] || openssl x509 -checkend 86400 -noout -in $f; then
+ threedays=259200 # in seconds
+ if [[ ! -e $f ]] || openssl x509 -checkend $threedays -noout -in $f; then
# cerbot needs an existing virtualhost.
$0 -p 80 $t $h
# when generating an example config, add all relevant security options:
# cerbot needs an existing virtualhost.
$0 -p 80 $t $h
# when generating an example config, add all relevant security options:
- # --hsts --staple-ocsp --uir
- certbot certonly -n --
must-staple --
email $email --no-self-upgrade \
+ # --hsts --staple-ocsp --uir
--must-staple
+ certbot certonly -n --email $email --no-self-upgrade \
--agree-tos --${t%2} -d $h
rm $vhost_file
fi
--agree-tos --${t%2} -d $h
rm $vhost_file
fi
@@
-226,13
+227,17
@@
EOF
# this is a copy of a file certbot, see below.
echo "$0: creating $common_ssl_conf"
cat >$common_ssl_conf <<'EOF'
# this is a copy of a file certbot, see below.
echo "$0: creating $common_ssl_conf"
cat >$common_ssl_conf <<'EOF'
-# Baseline setting to Include for SSL sites
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
-SSLCipherSuite ECDHE-
RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+SSLCipherSuite ECDHE-
ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLHonorCipherOrder on
SSLCompression off
@@
-251,7
+256,7
@@
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
EOF
upstream=https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
EOF
upstream=https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
- if ! diff -
c
<(wget -q -O - $upstream) $common_ssl_conf; then
+ if ! diff -
u
<(wget -q -O - $upstream) $common_ssl_conf; then
cat <<EOF
WARNING!!!!!!!!!
WARNING!!!!!!!!!
cat <<EOF
WARNING!!!!!!!!!
WARNING!!!!!!!!!