nixos/httpd: add options sslCiphers & sslProtocols

2019-01-09 11:30:19 -05:00 · 2019-01-09 11:30:19 -05:00 · fd5a88687c
commit fd5a88687c
parent 43d4f07bf1
1 changed files with 15 additions and 2 deletions
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@ -187,8 +187,8 @@ let
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin

-    SSLProtocol All -SSLv2 -SSLv3
-    SSLCipherSuite HIGH:!aNULL:!MD5:!EXP
+    SSLProtocol ${mainCfg.sslProtocols}
+    SSLCipherSuite ${mainCfg.sslCiphers}
    SSLHonorCipherOrder on
  '';

@ -630,6 +630,19 @@ in
        description =
          "Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited";
      };
+
+      sslCiphers = mkOption {
+        type = types.str;
+        default = "HIGH:!aNULL:!MD5:!EXP";
+        description = "Cipher Suite available for negotiation in SSL proxy handshake.";
+      };
+
+      sslProtocols = mkOption {
+        type = types.str;
+        default = "All -SSLv2 -SSLv3";
+        example = "All -SSLv2 -SSLv3 -TLSv1";
+        description = "Allowed SSL/TLS protocol versions.";
+      };
    }

    # Include the options shared between the main server and virtual hosts.