From 9ed11360d61b777ed33705e144badde902e8a96e Mon Sep 17 00:00:00 2001
From: David Cook
Date: Mon, 3 Jul 2023 23:52:53 +0000
Subject: [PATCH] Bug 34193: SSLProtocol enable in use versions and disable deprecated versions

This patch changes the default SSLProtocol for the Let's Encrypt HTTPS template, so that it enables in use versions of TLS while disabling the deprecated versions of TLS.

Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
(cherry picked from commit 58893f4c0b3afdcce752d5d87219f5c161126744)
Signed-off-by: Fridolin Somers
(cherry picked from commit 79be336eeeb48d8227ba613cd5692a34b73fd5b3)
Signed-off-by: Pedro Amorim
---
 debian/templates/apache-site-https.conf.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/templates/apache-site-https.conf.in b/debian/templates/apache-site-https.conf.in
index 196a415b8e..98fb506398 100644
--- a/debian/templates/apache-site-https.conf.in
+++ b/debian/templates/apache-site-https.conf.in
@@ -12,7 +12,7 @@
 # OPAC
 #https
 # SSLEngine on
-# SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
+# SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
 # SSLCompression off
 # SSLHonorCipherOrder on
 # SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-SA-
@@ -39,7 +39,7 @@
 # Intranet
 #https
 # SSLEngine on
-# SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
+# SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
 # SSLCompression off
 # SSLHonorCipherOrder on
 # SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES
--
2.39.2
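Review bot: The new `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` line in the OPAC hunk, and the identical line in the Intranet hunk, is a denylist, so the protocols it actually enables depend on what `all` expands to for the installed Apache/OpenSSL build; a short comment above each line would make the intent auditable, for example `# TLS 1.2 and newer only; SSLv3, TLS 1.0 and TLS 1.1 are disabled`. On builds where `all` includes TLS 1.3, the `SSLCipherSuite` list on the trailing context line governs only TLS 1.2 and below, so TLS 1.3 suites come from the library defaults unless a separate `SSLCipherSuite TLSv1.3 ...` line is added. Because this file is a template, site configurations already generated from it presumably keep the old `+TLSv1.2 +TLSv1.1 +TLSv1` line and would need a manual edit, which is worth stating in the release notes. Both virtual-host blocks start and end outside the hunks, so the rest of their TLS settings is not visible here.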