From f8acadde2c1fcd36fa56bb39bf6058d7116f0962 Mon Sep 17 00:00:00 2001
From: Joshua Colp <jcolp@digium.com>
Date: Wed, 3 Feb 2016 14:05:20 -0400
Subject: AST-2016-001 http: Provide greater control of TLS and set modern
 defaults.

This change exposes the configuration of various aspects of the TLS
support and sets the default to the modern standards.

The TLS cipher is now set to the best values according to the
Mozilla OpSec team, different TLS versions can now be disabled, and
the cipher order can be forced to be that of the server instead of
the client.

ASTERISK-24972 #close

Change-Id: I0a10f2883f7559af5e48dee0901251dbf30d45b8
---
 configs/samples/http.conf.sample | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

(limited to 'configs/samples')

diff --git a/configs/samples/http.conf.sample b/configs/samples/http.conf.sample
index 1d23a67f6..342dff483 100644
--- a/configs/samples/http.conf.sample
+++ b/configs/samples/http.conf.sample
@@ -90,6 +90,26 @@ bindaddr=127.0.0.1
 ; private in same .pem file.
 ; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem
 ;
+; tlscipher=                             ; The list of allowed ciphers
+;                                        ; if none are specified the following cipher
+;                                        ; list will be used instead:
+; ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
+; ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:
+; kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
+; ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
+; ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:
+; DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
+; AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:
+; AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:
+; !EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+;
+; tlsdisablev1=yes                ; Disable TLSv1 support - if not set this defaults to "yes"
+; tlsdisablev11=yes               ; Disable TLSv1.1 support - if not set this defaults to "no"
+; tlsdisablev12=yes               ; Disable TLSv1.2 support - if not set this defaults to "no"
+;
+; tlsservercipherorder=yes        ; Use the server preference order instead of the client order
+;                                 ; Defaults to "yes"
+;
 ; The post_mappings section maps URLs to real paths on the filesystem.  If a
 ; POST is done from within an authenticated manager session to one of the
 ; configured POST mappings, then any files in the POST will be placed in the
-- 
cgit v1.2.3