httpd: Disable insecure protocols/ciphers by default

This makes us resistant to FREAK and similar attacks.
2015-03-09 14:09:43 +01:00 · 2015-03-09 14:09:43 +01:00 · 8cb3e3b864
parent 7b2adc0039
commit 8cb3e3b864
1 changed files with 3 additions and 0 deletions
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@ -171,6 +171,9 @@ let

    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
+
+    SSLProtocol All -SSLv2 -SSLv3
+    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!EXP
  '';