* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme

- use esmith::ssl to set ciphers and protocol [SME: 12821] improve cipher order to get strongers first drop SSLv2
2025-01-18 15:29:38 -05:00
parent 1bfad8c651
commit 57202723f1
5 changed files with 18 additions and 12 deletions
--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite
@@ -1,5 +1,6 @@
-{
-    # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
-    $OUT  = "SSLCipherSuite ";
-    $OUT .= $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
+{
+    use esmith::ssl;
+    # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
+    $OUT  = "SSLCipherSuite ";
+    $OUT .= $modSSL{CipherSuite} || $smeCiphers;
 }
--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
@@ -1,9 +1,5 @@
 {
+    use esmith::ssl;
    # Specify which SSL Protocols to accept for this context
-    $OUT .= "SSLProtocol all";
-    $OUT .= " -SSLv2" unless (${'httpd-e-smith'}{'SSLv2'} || 'disabled') eq 'enabled';
-    $OUT .= " -SSLv3" unless (${'httpd-e-smith'}{'SSLv3'} || 'disabled') eq 'enabled';
-    $OUT .= " -TLSv1" unless (${'httpd-e-smith'}{'TLSv1'} || 'disabled') eq 'enabled';
-    $OUT .= " -TLSv1.1" unless (${'httpd-e-smith'}{'TLSv1.1'} || 'disabled') eq 'enabled';
-    $OUT .= " -TLSv1.2" unless (${'httpd-e-smith'}{'TLSv1.2'} || 'enabled') eq 'enabled';
+    $OUT .= "SSLProtocol ". SSLprotoApache() ;
 }