From 1789ce6a87ccf1d83edf335c3ae3a4ac5ad8c5f6 Mon Sep 17 00:00:00 2001
From: Ian Kelling <iank@fsf.org>
Date: Sat, 12 May 2018 14:41:47 -0400
Subject: [PATCH] update ciphers from upstream, small changes

---
 web-conf | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/web-conf b/web-conf
index 61b735b..274f1eb 100755
--- a/web-conf
+++ b/web-conf
@@ -115,12 +115,13 @@ fi
 
 if $ssl; then
     f=$cert_dir/fullchain.pem
-    if [[ ! -e $f ]] || openssl x509 -checkend 86400 -noout -in $f; then
+    threedays=259200 # in seconds
+    if [[ ! -e $f ]] || openssl x509 -checkend $threedays -noout -in $f; then
         # cerbot needs an existing virtualhost.
         $0 -p 80 $t $h
         # when generating an example config, add all relevant security options:
-        # --hsts --staple-ocsp --uir
-        certbot certonly -n --must-staple --email $email --no-self-upgrade \
+        # --hsts --staple-ocsp --uir --must-staple
+        certbot certonly -n --email $email --no-self-upgrade \
                 --agree-tos --${t%2} -d $h
         rm $vhost_file
     fi
@@ -226,13 +227,17 @@ EOF
         # this is a copy of a file certbot, see below.
         echo "$0: creating $common_ssl_conf"
         cat >$common_ssl_conf <<'EOF'
-# Baseline setting to Include for SSL sites
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
 
 SSLEngine on
 
 # Intermediate configuration, tweak to your needs
 SSLProtocol             all -SSLv2 -SSLv3
-SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 SSLHonorCipherOrder     on
 SSLCompression          off
 
@@ -251,7 +256,7 @@ LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
 EOF
 
         upstream=https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
-        if ! diff -c <(wget -q -O - $upstream) $common_ssl_conf; then
+        if ! diff -u <(wget -q -O - $upstream) $common_ssl_conf; then
             cat <<EOF
 WARNING!!!!!!!!!
 WARNING!!!!!!!!!
-- 
2.30.2