From f5f039eeb4b3a707bed82b3abecd16779e7c2bf5 Mon Sep 17 00:00:00 2001
From: zimbatm
Date: Sun, 4 Oct 2015 22:13:50 +0100
Subject: [PATCH] apache-httpd: harden default SSL cipher list

A couple of tweaks on the SSL cipher list. Disabled RC4 which is now considered broken. https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what Enabled Forward Secrecy for modern browsers. https://en.wikipedia.org/wiki/Forward_secrecy Without the change, NixOS servers are capped at Grade B on https://www.ssllabs.com/ssltest/index.html
---
 nixos/modules/services/web-servers/apache-httpd/default.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix
index 7350a6a68c7..2b0bb0c3873 100644
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -173,7 +173,8 @@ let
 SSLRandomSeed connect builtin
 SSLProtocol All -SSLv2 -SSLv3
- SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!EXP
+ SSLCipherSuite HIGH:!aNULL:!MD5:!EXP
+ SSLHonorCipherOrder on
 '';
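Review bot: The new `SSLCipherSuite HIGH:!aNULL:!MD5:!EXP` line never names RC4 even though the commit message says RC4 is disabled; the exclusion happens only because `MEDIUM` was dropped, which depends on the OpenSSL build classifying the RC4 suites as MEDIUM rather than HIGH and leaves the intent invisible to the next reader. Making it explicit costs one token and survives a change in OpenSSL's classification: `SSLCipherSuite HIGH:!aNULL:!MD5:!EXP:!RC4`. The same goes for forward secrecy: `HIGH` still admits plain-RSA key exchange, so the added `SSLHonorCipherOrder on` only makes ECDHE/DHE suites preferred (to the extent OpenSSL's default ordering lists them first), not required, and a short Apache comment above the directive inside the Nix string, such as `# RC4 is broken; prefer forward-secret (ECDHE/DHE) suites via SSLHonorCipherOrder`, would record which of the two guarantees this default is meant to give. The `''` string these directives live in opens before the hunk, so only its closing `'';` is visible here.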