From 8cb3e3b864f5c7fc09d84cbb57461aef236f5864 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Mon, 9 Mar 2015 14:09:43 +0100
Subject: [PATCH] httpd: Disable insecure protocols/ciphers by default

This makes us resistant to FREAK and similar attacks.
---
 nixos/modules/services/web-servers/apache-httpd/default.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix
index 6a830827fd78..2b5cba68d457 100644
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -171,6 +171,9 @@ let
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
+
+ SSLProtocol All -SSLv2 -SSLv3
+ SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!EXP
 '';
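Review bot: The added `SSLCipherSuite` line still admits the `MEDIUM` class, which in OpenSSL builds of this period includes RC4-based suites, and nothing in the hunk sets `SSLHonorCipherOrder on`, so the client's preference order decides which of the remaining suites is negotiated. `!EXP` removes the export suites that FREAK depends on, but a client that lists a weaker suite first will still get it. Consider `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!EXP:!RC4` together with `SSLHonorCipherOrder on`, and a one-line comment above the two directives such as `# Hardened TLS defaults: no SSLv2/SSLv3, no export/anonymous/MD5 suites`. The enclosing string starts above the hunk, so whether a per-host option can override these defaults is not visible here.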