# Apache mod_ssl settings for one TLS virtual host: TLS 1.2/1.3 only, AEAD cipher suites
# with forward secrecy, HSTS, and OCSP stapling.
SSLEngine on
# generated 2023-01-11, Mozilla Guideline v5.6, Apache 2.4.41, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1k&guideline=5.6
# this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers
# One file holding the leaf certificate, the intermediate chain and DH parameters; the
# private key is a separate file (placeholder paths — the key file should be readable by
# the server user only).
SSLCertificateFile /path/to/signed_cert_and_intermediate_certs_and_dhparams
SSLCertificateKeyFile /path/to/private_key
# Advertise HTTP/2 next to HTTP/1.1 via ALPN (presumably needs the h2 module loaded — confirm).
Protocols h2 http/1.1
# HSTS for 63072000 s (two years); "always" also sets it on error responses. No
# includeSubDomains or preload token is present in this value.
Header always set Strict-Transport-Security 'max-age=63072000'
# Everything below TLS 1.2 is switched off; what remains on OpenSSL 1.1.1 is TLS 1.2 and 1.3.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# TLS 1.2 suites: ECDHE/DHE key exchange with AES-GCM or ChaCha20-Poly1305 only — no CBC
# and no static RSA key exchange. (TLS 1.3 suites are configured separately in newer
# Apache releases and are not set here — confirm.)
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# Client cipher preference is honoured; acceptable because every suite listed above is an
# AEAD suite with forward secrecy.
SSLHonorCipherOrder off
# Stateless session tickets disabled (typically done so a long-lived ticket key cannot
# weaken forward secrecy); resumption then relies on the server-side session cache.
SSLSessionTickets off
# OCSP stapling with a shared-memory response cache (this is what needs mod_socache_shmcb).
# NOTE(review): SSLStaplingCache is a server-config-level directive — confirm it is placed
# outside <VirtualHost>.
SSLUseStapling On
SSLStaplingCache 'shmcb:logs/ssl_stapling(32768)'
# nginx TLS server block (Mozilla "intermediate" profile): TLS 1.2/1.3, AEAD suites with
# forward secrecy, HSTS, and verified OCSP stapling.
server {
# Dual-stack HTTPS listeners (IPv4 and IPv6) with HTTP/2 enabled.
listen 443 ssl http2;
listen [::]:443 ssl http2;
# Leaf certificate followed by the intermediates; the private key is a separate file
# (placeholder paths).
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
# Server-side session cache instead of tickets: a 10 MB shared zone, entries valid for a day.
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
# Pre-generated 2048-bit FFDHE group for the DHE-* suites listed below (presumably those
# suites are unusable without it — confirm for the nginx version in use).
ssl_dhparam /path/to/dhparam;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
# TLS 1.2 suites: ECDHE/DHE with AES-GCM or ChaCha20-Poly1305 only — no CBC, no static RSA.
# The TLS 1.3 suites are not selected by this directive.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
# Client preference honoured; acceptable because every suite above is AEAD with forward secrecy.
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
# "always" emits the header on error responses too. No includeSubDomains or preload token
# is present. NOTE(review): add_header directives in a nested location replace, rather
# than extend, the ones inherited from here — confirm no location block drops this header.
add_header Strict-Transport-Security 'max-age=63072000' always;
# OCSP stapling
# ssl_stapling_verify makes nginx check the responder's signature against the chain given
# in ssl_trusted_certificate below before stapling a response.
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
# replace with the IP address of your resolver
# The resolver is what nginx uses to look up the OCSP responder hostname; 8.8.8.8 is a
# placeholder, and plain DNS to an external resolver exposes those lookups — a local or
# internal resolver is the intended value.
resolver 8.8.8.8;
}
# OpenVPN server-side certificate settings plus an external per-connection verification hook.
ca fullchain.crt #The full certificate chain (root plus intermediates) used to validate peer certificates
cert cert-server.pem #This server's own certificate
# The hook runs for every certificate in the peer's chain with the depth as its first
# argument (0 = leaf); a non-zero exit rejects the connection. OpenVPN only executes
# external scripts when script-security permits it — confirm that is set elsewhere in
# this configuration.
tls-verify /etc/openvpn/script.sh #Execute a script (see below)
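#!/bin/bash
# OpenVPN tls-verify hook. OpenVPN has already validated the chain against `ca`; this
# script adds, for the leaf certificate only, a fixed subject organisation check and an
# OCSP revocation check against the configured responder.
#
# Invoked once per certificate in the peer chain with the depth in $1 (0 = leaf).
# Subject fields and serial numbers arrive in the environment (X509_0_O, tls_serial_0).
# Exit status 0 accepts the certificate; anything else rejects the connection.

# Only the leaf certificate (depth 0) is checked here; intermediates and the root are
# accepted as-is because OpenVPN has already verified them.
if [[ $1 -ne 0 ]]; then
    exit 0
fi

# Pin the subject organisation of the client certificate.
if [[ $X509_0_O != "SSL VPN" ]]; then #Change it to the name of your organization!
    exit 1
fi

issuer="issuer.crt" #Intermediate certificate that issued the client certificate
CA="ca.cert" #Root certificate used to verify the OCSP response signature
serial=$tls_serial_0
url="http://vpntls.eu/ocsp"

# No serial means nothing can be revocation-checked: fail closed.
if [[ -z $serial ]]; then
    exit 1
fi

# Query the responder. stderr is merged into the capture so both the status line and any
# error text end up in $status; the command's exit status is consulted immediately
# afterwards, so it must stay the last statement before that check.
# NOTE(review): -no_nonce disables OCSP nonces, so a replayed response that is still
# inside its validity window would be accepted; the later "good" and
# "Response verify OK" checks do not compensate for that.
status=$(openssl ocsp -issuer "$issuer" \
    -url "$url" \
    -no_nonce \
    -CAfile "$CA" \
    -serial "$serial" 2>&1)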
if [ $? -eq 0 ]; then
# check if ocsp didn't report any errors
if echo "$status" | grep -Eq "(error|fail)"; then
exit 1
fi
# check that the reported status of certificate is ok
if echo "$status" | grep -Eq "^$serial: good"; then
# check if signature on the OCSP response verified correctly
if echo "$status" | grep -Eq "^Response verify OK"; then
exit 0