diff --git a/apache/files/Debian/ssl.conf.jinja b/apache/files/Debian/ssl.conf.jinja index ae701d9..cf4d69f 100644 --- a/apache/files/Debian/ssl.conf.jinja +++ b/apache/files/Debian/ssl.conf.jinja @@ -39,7 +39,7 @@ SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase # Inter-Process Session Cache: - # Configure the SSL Session Cache: First the mechanism + # Configure the SSL Session Cache: First the mechanism # to use and second the expiring timeout (in seconds). # (The mechanism dbm has known memory leaks and should not be used). #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache @@ -48,7 +48,7 @@ # Semaphore: # Configure the path to the mutual exclusion semaphore the - # SSL engine uses internally for inter-process synchronization. + # SSL engine uses internally for inter-process synchronization. # (Disabled by default, the global Mutex directive consolidates by default # this) #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache @@ -59,7 +59,7 @@ # ciphers(1) man page from the openssl package for list of all available # options. # Enable only secure ciphers: - {# default from https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 #} + {#- default from https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 #} SSLCipherSuite {{ salt['pillar.get']('apache:ssl:SSLCipherSuite', 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS') }} # SSL server cipher order preference: @@ -84,18 +84,25 @@ # Default: Off #SSLStrictSNIVHostCheck On - {% set use_stapling = salt['pillar.get']('apache:ssl:SSLUseStapling', 'Off') %} - {% if use_stapling == 'On' %} + {% set use_stapling = salt['pillar.get']('apache:ssl:SSLUseStapling', 'Off') -%} + {% if use_stapling == 'On' -%} # Stapling configuration # Default: Off # # See https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html for more details # Defaults values taken from https://mozilla.github.io/server-side-tls/ssl-config-generator/ SSLUseStapling {{ use_stapling }} - SSLStaplingResponderTimeout {{ salt['pillar.get']('SSLStaplingResponderTimeout', '5') }} - SSLStaplingReturnResponderErrors {{ salt['pillar.get']('SSLStaplingReturnResponderErrors', 'Off') }} - SSLStaplingCache {{ salt['pillar.get']('SSLStaplingCache', 'shmcb:/var/run/ocsp(128000)') }} - {% endif %} + SSLStaplingResponderTimeout {{ salt['pillar.get']('apache:ssl:SSLStaplingResponderTimeout', '5') }} + SSLStaplingReturnResponderErrors {{ salt['pillar.get']('apache:ssl:SSLStaplingReturnResponderErrors', 'Off') }} + SSLStaplingCache {{ salt['pillar.get']('apache:ssl:SSLStaplingCache', 'shmcb:/var/run/ocsp(128000)') }} + {%- endif %} + + {% set ssl_session_ticket = salt['pillar.get']('apache:ssl:SSLSessionTickets') -%} + {% if ssl_session_ticket -%} + # Enable or disable use of TLS session tickets + # Default: On + SSLSessionTickets {{ ssl_session_ticket }} + {%- endif %} # vim: syntax=apache ts=4 sw=4 sts=4 sr noet