From bace8a39b4e0af30c130aaa61ccd10b1ae73300e Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 28 Aug 2020 10:05:44 +0000
Subject: [PATCH] apache: Just use Mozilla recommended settings

Removed all RedHat default settings and just added Mozilla recommended modern settings.
---
 roles/apache/files/ssl.conf | 42 +++++------------------
 roles/apache/templates/site.conf.j2 | 5 ----
 2 files changed, 6 insertions(+), 41 deletions(-)

diff --git a/roles/apache/files/ssl.conf b/roles/apache/files/ssl.conf
index 053e4aa..a35a845 100644
--- a/roles/apache/files/ssl.conf
+++ b/roles/apache/files/ssl.conf
@@ -7,40 +7,10 @@ Listen 443
-# Pass Phrase Dialog:
-# Configure the pass phrase gathering process.
-# The filtering dialog program (`builtin' is a internal
-# terminal dialog) has to provide the pass phrase on stdout.
-SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+# Use Mozilla recommended modern ciphers
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
+SSLHonorCipherOrder off
+SSLSessionTickets off
-# Inter-Process Session Cache:
-# Configure the SSL Session Cache: First the mechanism
-# to use and second the expiring timeout (in seconds).
-SSLSessionCache shmcb:/run/httpd/sslcache(512000)
-SSLSessionCacheTimeout 300
-
-# Pseudo Random Number Generator (PRNG):
-# Configure one or more sources to seed the PRNG of the
-# SSL library. The seed data should be of good random quality.
-# WARNING! On some platforms /dev/random blocks if not enough entropy
-# is available. This means you then cannot use the /dev/random device
-# because it would lead to very long connection times (as long as
-# it requires to make more entropy available). But usually those
-# platforms additionally provide a /dev/urandom device which doesn't
-# block. So, if available, use this one instead. Read the mod_ssl User
-# Manual for more details.
-SSLRandomSeed startup file:/dev/urandom 256
-SSLRandomSeed connect builtin
-#SSLRandomSeed startup file:/dev/random 512
-#SSLRandomSeed connect file:/dev/random 512
-#SSLRandomSeed connect file:/dev/urandom 512
-
-#
-# Use "SSLCryptoDevice" to enable any supported hardware
-# accelerators. Use "openssl engine -v" to list supported
-# engine names. NOTE: If you enable an accelerator and the
-# server does not start, consult the error logs and ensure
-# your accelerator is functioning properly.
-#
-SSLCryptoDevice builtin
-#SSLCryptoDevice ubsec
+SSLUseStapling On
+SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
diff --git a/roles/apache/templates/site.conf.j2 b/roles/apache/templates/site.conf.j2
index 9a65b98..700260e 100644
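Review bot: Dropping `SSLSessionCache shmcb:/run/httpd/sslcache(512000)` and `SSLSessionCacheTimeout 300` is a separate change from adopting the Mozilla profile and leaves mod_ssl with no inter-process session cache; httpd normally warns at startup when no cache is configured, and together with the new `SSLSessionTickets off` there appears to be no working resumption path left, so every client connection pays a full handshake. I would keep those two lines directly after `SSLSessionTickets off`. Note also that the site.conf.j2 hunk removes `SSLEngine on` from the vhost while this hunk does not add it at server scope; unless it is set in a part of ssl.conf outside this hunk, the :443 vhost would no longer negotiate TLS at all. The added comment `# Use Mozilla recommended modern ciphers` describes a protocol setting, not ciphers — `# Mozilla "modern" profile: TLS 1.3 only, client cipher preference, no stateless session tickets` would be more accurate.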
--- a/roles/apache/templates/site.conf.j2
+++ b/roles/apache/templates/site.conf.j2
@@ -3,12 +3,7 @@ DocumentRoot /srv/web/{{ inventory_hostname }}
 Protocols h2 http/1.1
- SSLEngine on
- SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
- SSLCipherSuite {{ tls_ciphers }}
- SSLHonorCipherOrder off
- SSLSessionTickets off
 # Server certificates
 SSLCertificateKeyFile {{ tls_private }}/{{ inventory_hostname }}.key