As I was looking to make some edits to ssl.conf, I realized that it isn’t templated–NS 7.4 just uses the default ssl.conf file from the upstream mod_ssl package. This seems kind of odd, given that pretty much every other configuration file is templated, and it means there’s simply no way to configure any HTTPS-related settings through the config system.
There are a couple of things that really need to be changed, as they compromise the security of a Neth installation:
- SSLv3 is enabled, which is quite insecure (even TLS 1.0 is questionable, as I understand it).
- The RC4 cipher is also enabled with some protocols.
Templating would also allow for properties for SSL key/cert/chain, removing the need to, for example, copy the Let’s Encrypt cert from /etc/letsencrypt every time it’s issued.
The particular thing I was looking to do was enable OCSP stapling, which is a straightforward enough setting (and I could, of course, just make the changes to ssl.conf).