From 5a9249ddd433682edfca8c1c6b24b51fd6663df6 Mon Sep 17 00:00:00 2001
From: ThomasH
Date: Tue, 17 Jul 2018 11:43:44 +0200
Subject: [PATCH 1/2] Update Apache configuration
---
 .../Webservers/Apache/default-ssl | 30 ++++++++++++-------
 src/practical_settings/webserver.tex | 6 ++--
 2 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/src/configuration/Webservers/Apache/default-ssl b/src/configuration/Webservers/Apache/default-ssl
index bbe4ce31..4323c78e 100644
--- a/src/configuration/Webservers/Apache/default-ssl
+++ b/src/configuration/Webservers/Apache/default-ssl
@@ -159,23 +159,31 @@
 # MSIE 7 and newer should be able to use keepalive
 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
- SSLProtocol All -SSLv2 -SSLv3
- SSLHonorCipherOrder On
- SSLCompression off
-
- # Add six earth month HSTS header for all users...
+ # "Intermediate" configuration as defined by the Mozilla Foundation's SSL Configuration Generator
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.6&openssl=1.0.1e&hsts=yes&profile=intermediate
+ # Oldest compatible clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7 SSL
+ Protocol all -SSLv3
+ SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+
+ # "Modern" configuration as defined by the Mozilla Foundation's SSL Configuration Generator
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.18&openssl=1.0.2g&hsts=yes&profile=modern
+ # Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
+ #SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+ #SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+
+ SSLHonorCipherOrder on
+ SSLCompression off
+ SSLSessionTickets off
+
+ # Add six earth month HSTS header for all users.
 Header always set Strict-Transport-Security "max-age=15768000"
- # If you want to protect all subdomains, use the following header
+ # If you want to protect all subdomains, use the following instead.
 # ALL subdomains HAVE TO support HTTPS if you use this!
- # Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"
+ #Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
 # HTTP Public Key Pinning (HPKP) for 90 days (60*60*24*90=7776000)
 # At least use one Backup-Key and/or add whole CA, think of Cert-Updates!
 Header always set Public-Key-Pins "pin-sha256=\"YOUR_HASH=\"; pin-sha256=\"YOUR_BACKUP_HASH=\"; max-age=7776000; report-uri=\"https://YOUR.REPORT.URL\""
- SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
-
-
-
diff --git a/src/practical_settings/webserver.tex b/src/practical_settings/webserver.tex
index 7094e09f..19638da7 100644
--- a/src/practical_settings/webserver.tex
+++ b/src/practical_settings/webserver.tex
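Review bot: `SSLSessionTickets off` is only recognised by httpd 2.4.11 and later, so with this directive active the vhost will refuse to load on the Apache 2.4.6, 2.4.7 and 2.4.10 builds that the webserver.tex hunk still lists under "Tested with Versions"; either guard it as `<IfVersion >= 2.4.11>` / `SSLSessionTickets off` / `</IfVersion>` or drop those versions from the tested list. The "Intermediate" `SSLCipherSuite` that replaces the old string re-admits 3DES (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`), which the removed string excluded with `!3DES`, and widens the non-forward-secret static-RSA tail well beyond the old `CAMELLIA128-SHA:AES128-SHA` fallbacks; if that compatibility trade-off is intended it deserves a comment, otherwise trim the `DES-CBC3` entries. The `CHACHA20-POLY1305` suites in both lists need OpenSSL 1.1.0 or later and are silently skipped by the 1.0.1e/1.0.2g builds cited in the generator URLs and in the tested list, which a comment such as `# CHACHA20-POLY1305 suites take effect only with OpenSSL >= 1.1.0` would make explicit. The vhost block this hunk edits starts and ends outside the hunk.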
@@ -7,18 +7,18 @@ \subsection{Apache}
 \subsubsection{Tested with Versions}
 \begin{itemize*}
- \item Apache 2.2.22, Debian Wheezy with OpenSSL 1.0.1e
 \item Apache 2.4.6, Debian Jessie with OpenSSL 1.0.1e
- \item Apache 2.4.10, Debian Jessie 8.2 with OpenSSL 1.0.1k
+ \item Apache 2.4.10, Debian Jessie 8.2 with OpenSSL 1.0.1k
 \item Apache 2.4.7, Ubuntu 14.04.2 Trusty with Openssl 1.0.1f
 \item Apache 2.4.6, CentOS Linux 7 (Core) with OpenSSL 1.0.1e
 \item Apache 2.4.18, Ubuntu 16.04.3 LTS with OpenSSL 1.0.2g
+ \item Apache 2.4.25, Debian Stretch 9.5 with OpenSSL 1.1.0f
 \end{itemize*}
 \subsubsection{Settings}
 Enabled modules \emph{SSL} and \emph{Headers} are required.
-\configfile{default-ssl}{35-35,42-43,52-52,62-62,162-177}{SSL configuration for an Apache vhost}
+\configfile{default-ssl}{35-35,42-43,52-52,62-62,162-187}{SSL configuration for an Apache vhost}
 \subsubsection{Additional settings}
 You might want to redirect everything to \emph{https://} if possible. In Apache
From cc77e52cf4b83d18660835b674ee7be23037ac0f Mon Sep 17 00:00:00 2001
From: ThomasH
Date: Tue, 17 Jul 2018 13:51:25 +0200
Subject: [PATCH 2/2] Fix typo
---
 src/configuration/Webservers/Apache/default-ssl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/configuration/Webservers/Apache/default-ssl b/src/configuration/Webservers/Apache/default-ssl
index 4323c78e..b45ea46c 100644
--- a/src/configuration/Webservers/Apache/default-ssl
+++ b/src/configuration/Webservers/Apache/default-ssl
@@ -161,8 +161,8 @@
 # "Intermediate" configuration as defined by the Mozilla Foundation's SSL Configuration Generator
 # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.6&openssl=1.0.1e&hsts=yes&profile=intermediate
- # Oldest compatible clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7 SSL
- Protocol all -SSLv3
+ # Oldest compatible clients: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
+ SSLProtocol all -SSLv3
 SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 # "Modern" configuration as defined by the Mozilla Foundation's SSL Configuration Generator