
Commit 9759a37

committed
improved ssl configs
1 parent 2a4fa86 commit 9759a37

1 file changed

+33
-4
lines changed


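--- a/plogical/sslUtilities.py
+++ b/plogical/sslUtilities.py
@@ -78,9 +78,16 @@ def installSSLForDomain(virtualHostName, adminEmail='usman@cyberpersons.com'):
 address = " address *:443" + "\n"
 secure = " secure 1" + "\n"
 keyFile = " keyFile /etc/letsencrypt/live/" + virtualHostName + "/privkey.pem\n"
-certFile = " certFile /etc/letsencrypt/live/" + virtualHostName + "/fullchain.pem\n"
+certFile = " certFile /etc/letsencrypt/live/" + virtualHostName + "/cert.pem\n"
 certChain = " certChain 1" + "\n"
-sslProtocol = " sslProtocol 30" + "\n"
+sslProtocol = " sslProtocol 24" + "\n"
+ciphers = " ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4" + "\n"
+enableECDHE = " enableECDHE 1" + "\n"
+renegProtection = " renegProtection 1" + "\n"
+sslSessionCache = " sslSessionCache 1" + "\n"
+enableSpdy = " enableSpdy 15" + "\n"
+enableStapling = " enableStapling 1" + "\n"
+ocspRespMaxAge = " ocspRespMaxAge 86400" + "\n"
 map = " map " + virtualHostName + " " + virtualHostName + "\n"
 final = "}" + "\n" + "\n"
 
@@ -92,6 +99,13 @@ def installSSLForDomain(virtualHostName, adminEmail='usman@cyberpersons.com'):
 writeDataToFile.writelines(certFile)
 writeDataToFile.writelines(certChain)
 writeDataToFile.writelines(sslProtocol)
+writeDataToFile.writelines(ciphers)
+writeDataToFile.writelines(enableECDHE)
+writeDataToFile.writelines(renegProtection)
+writeDataToFile.writelines(sslSessionCache)
+writeDataToFile.writelines(enableSpdy)
+writeDataToFile.writelines(enableStapling)
+writeDataToFile.writelines(ocspRespMaxAge)
 writeDataToFile.writelines(map)
 writeDataToFile.writelines(final)
 writeDataToFile.writelines("\n")
@@ -137,7 +151,14 @@ def installSSLForDomain(virtualHostName, adminEmail='usman@cyberpersons.com'):
 keyFile = " keyFile /etc/letsencrypt/live/" + virtualHostName + "/privkey.pem\n"
 certFile = " certFile /etc/letsencrypt/live/" + virtualHostName + "/fullchain.pem\n"
 certChain = " certChain 1" + "\n"
-sslProtocol = " sslProtocol 30" + "\n"
+sslProtocol = " sslProtocol 24" + "\n"
+ciphers = " ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4" + "\n"
+enableECDHE = " enableECDHE 1" + "\n"
+renegProtection = " renegProtection 1" + "\n"
+sslSessionCache = " sslSessionCache 1" + "\n"
+enableSpdy = " enableSpdy 15" + "\n"
+enableStapling = " enableStapling 1" + "\n"
+ocspRespMaxAge = " ocspRespMaxAge 86400" + "\n"
 final = "}"
 
 writeSSLConfig.writelines("\n")
@@ -147,6 +168,13 @@ def installSSLForDomain(virtualHostName, adminEmail='usman@cyberpersons.com'):
 writeSSLConfig.writelines(certFile)
 writeSSLConfig.writelines(certChain)
 writeSSLConfig.writelines(sslProtocol)
+writeSSLConfig.writelines(ciphers)
+writeSSLConfig.writelines(enableECDHE)
+writeSSLConfig.writelines(renegProtection)
+writeSSLConfig.writelines(sslSessionCache)
+writeSSLConfig.writelines(enableSpdy)
+writeSSLConfig.writelines(enableStapling)
+writeSSLConfig.writelines(ocspRespMaxAge)
 writeSSLConfig.writelines(final)
 
 writeSSLConfig.writelines("\n")
@@ -323,4 +351,5 @@ def issueSSLForDomain(domain, adminEmail, sslpath, aliasDomain = None):
 return [0, "283 Failed to obtain SSL for domain. [issueSSLForDomain]"]
 
 except BaseException,msg:
-return [0, "347 "+ str(msg)+ " [issueSSLForDomain]"]
+return [0, "347 "+ str(msg)+ " [issueSSLForDomain]"]
+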
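Review bot: The first hunk switches `certFile` to the leaf-only `cert.pem` (new line 81) while the second vhost block in the third hunk keeps `fullchain.pem` (line 152), and both blocks still write `certChain 1`; per OpenLiteSpeed's meaning of that flag the intermediates are read from the certificate file itself, so the vhost written by the first block will serve no chain and clients without a cached intermediate will fail validation. Revert line 81 to `certFile = " certFile /etc/letsencrypt/live/" + virtualHostName + "/fullchain.pem\n"` so the two blocks agree. The `ciphers` line added in each hunk also needs work: it contains many names OpenSSL does not recognise (`ECDHE-RSA-AES128-GCM-SHA384`, every `*-SHA128` entry, `AES128-GCM-SHA384`), which are silently dropped, it explicitly enables the 3DES suites `DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA` and `EDH-RSA-DES-CBC3-SHA`, and `!DES` does not remove them (`!3DES` would), so the list is both noisier and weaker than intended. A short AEAD-only list such as `ciphers = " ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" + "\n"` (assuming the bundled OpenSSL supports ChaCha20; drop those two entries otherwise) would be safer and deterministic. Since the same seven TLS settings are now duplicated verbatim in two places inside installSSLForDomain, whose body starts before and continues past every hunk, pulling them into one private helper that returns the lines would stop the blocks from drifting apart the way line 81 already has.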