
apache: Several configuration improvements

  • Enable HTTP/2 protocol.

  • TLS configuration as recommended by Mozilla's SSL Configuration Generator with 'Intermediate' configuration. See: https://wiki.mozilla.org/Security/Server_Side_TLS

  • Disable ciphers that are weak or without forward secrecy.

  • Allow the client to choose ciphers, as it will know best whether it has support for hardware-accelerated AES.

  • TLS session tickets (RFC 5077) require restarting the web server with an appropriate frequency. See: https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslsessiontickets

  • Send OCSP responses to the client and reduce their round trips.

  • No need to increment apache app version number as it has already been incremented in this release cycle for enabling HTTP/2 module.

Tests:

  • FreedomBox interface is reachable with the changes.

  • ssllabs.com gives an A+ rating on a server with these changes.

    • All ciphers are shown as secure.

    • Forward Secrecy rating is ROBUST.

    • OCSP stapling shows as enabled.

    • Client support seems to match what is expected after dropping TLS <= 1.1.

    • Session resumption with tickets shows as disabled.
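
The settings described in this merge request, written out as an Apache mod_ssl fragment. This is an added illustration, not the merge request's diff or FreedomBox's own configuration: the cipher list and protocol line follow the Mozilla SSL Configuration Generator's 'Intermediate' profile referenced above, the file path, cache location and the HSTS header are assumptions (HSTS is not listed in the description but is what SSL Labs requires before it will grant A+).

```apache
# Hypothetical /etc/apache2/conf-available/tls-hardening.conf (path is an assumption).
# Requires: a2enmod ssl http2 headers socache_shmcb

# HTTP/2, with HTTP/1.1 kept for clients that cannot negotiate h2 via ALPN.
Protocols h2 http/1.1

# Mozilla 'Intermediate' profile: TLS 1.2 and 1.3 only.
# SSLv3, TLS 1.0 and TLS 1.1 are dropped, matching the "<= TLS1.1" note above.
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

# Only AEAD suites with (EC)DHE key exchange: no RSA key transport, no CBC,
# so every suite provides forward secrecy (SSL Labs: "ROBUST").
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

# Let the client pick: a client without AES-NI will prefer ChaCha20-Poly1305,
# one with AES-NI will prefer AES-GCM. Safe only because every suite above is strong.
SSLHonorCipherOrder     off

# RFC 5077 tickets are encrypted with a key that lives as long as the httpd process;
# without periodic restarts that key undermines forward secrecy, so turn them off.
SSLSessionTickets       off

# OCSP stapling: the server fetches and caches the OCSP response and sends it
# in the handshake, so the client does not contact the CA's responder itself.
SSLUseStapling          on
SSLStaplingCache        "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"

# Assumption: HSTS is what SSL Labs checks for before raising an A grade to A+.
Header always set Strict-Transport-Security "max-age=63072000"
```

After enabling the fragment, `apachectl configtest` catches unknown directives (for example `Protocols` when mod_http2 is not loaded). Against the running server, `openssl s_client -connect host:443 -status < /dev/null` should print an "OCSP Response Status: successful" block for stapling, and `openssl s_client -connect host:443 -tls1_1 < /dev/null` should fail the handshake once TLS 1.1 is disabled.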
