Modernize TLS configuration

h5bp/ssl/policy_intermediate.conf → h5bp/tls/policy_balanced.conf

@@ -1,13 +1,9 @@
 # ----------------------------------------------------------------------
-# | SSL policy - Intermediate                                          |
+# | SSL policy - Balanced                                              |
 # ----------------------------------------------------------------------
 
-# For services that don't need backward compatibility, the parameters below
-# provide a higher level of security.
-#
-# (!) This policy enforces a mildly strong SSL configuration, which may raise
-#     errors with old clients.
-#     If a more compatible profile is required, use the "deprecated" policy.
+# For services that need to support a wide range of clients, this configuration
+# is raisonnably balanced.
 #
 # https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
 # https://httpd.apache.org/docs/current/ssl/ssl_howto.html

h5bp/ssl/policy_modern.conf → h5bp/tls/policy_strict.conf

@@ -1,9 +1,13 @@
 # ----------------------------------------------------------------------
-# | SSL policy - Modern                                                |
+# | SSL policy - Strict                                                |
 # ----------------------------------------------------------------------
 
-# For services that want to be on the bleeding edge, the parameters below
-# sacrifice compatibility for the highest level of security and performance.
+# For services that don't need backward compatibility, the parameters below
+# provide the highest level of security and performance.
+#
+# (!) This policy enforces a strong TLS configuration, which may raise
+#     errors with old clients.
+#     If a more compatible profile is required, use the "balanced" policy.
 #
 # (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
 #     and potentially vulnerable.

test/vhosts/000-default.conf

@@ -3,7 +3,7 @@
 </VirtualHost>
 
 <VirtualHost *:443>
-    Include h5bp/ssl/ssl_engine.conf
-    Include h5bp/ssl/certificate_files.conf
-    Include h5bp/ssl/policy_intermediate.conf
+    Include h5bp/tls/ssl_engine.conf
+    Include h5bp/tls/certificate_files.conf
+    Include h5bp/tls/policy_balanced.conf
 </VirtualHost>

test/vhosts/secure.server.localhost.conf

@@ -5,9 +5,9 @@
 
     DocumentRoot "/usr/local/apache2/htdocs"
 
-    Include h5bp/ssl/ssl_engine.conf
-    Include h5bp/ssl/certificate_files.conf
-    Include h5bp/ssl/policy_intermediate.conf
+    Include h5bp/tls/ssl_engine.conf
+    Include h5bp/tls/certificate_files.conf
+    Include h5bp/tls/policy_balanced.conf
 
     Include h5bp/rewrites/rewrite_nowww.conf
 

vhosts/.000-default.conf

@@ -10,7 +10,7 @@
 # as the first loaded one.
 
 <VirtualHost *:443>
-    Include h5bp/ssl/ssl_engine.conf
-    Include h5bp/ssl/certificate_files.conf
-    Include h5bp/ssl/policy_intermediate.conf
+    Include h5bp/tls/ssl_engine.conf
+    Include h5bp/tls/certificate_files.conf
+    Include h5bp/tls/policy_intermediate.conf
 </VirtualHost>

vhosts/templates/example.com.conf

@@ -17,9 +17,9 @@
     # Path for static files
     DocumentRoot "/var/www/example.com/public"
 
-    Include h5bp/ssl/ssl_engine.conf
-    Include h5bp/ssl/certificate_files.conf
-    Include h5bp/ssl/policy_intermediate.conf
+    Include h5bp/tls/ssl_engine.conf
+    Include h5bp/tls/certificate_files.conf
+    Include h5bp/tls/policy_intermediate.conf
 
     # (1)
     Include h5bp/rewrites/rewrite_nowww.conf