From 74f092953760f1e0612c9a3700a9a3362609bd62 Mon Sep 17 00:00:00 2001
From: rabi
Date: Mon, 1 Jun 2026 14:58:56 +0530
Subject: [PATCH] Tighten common ssl.conf defaults

Prefer forward-secret GCM ciphers and disable TLSv1.1 in the shared Apache SSL template so operators consuming lib-common inherit stronger defaults.

Change-Id: I263a52c4fbfc8f2906c80febbccaeff08d3c4450
Signed-off-by: rabi
---
 modules/common/util/templates/common/config/ssl.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/common/util/templates/common/config/ssl.conf b/modules/common/util/templates/common/config/ssl.conf
index e3da4ecb..8aaabbfe 100644
--- a/modules/common/util/templates/common/config/ssl.conf
+++ b/modules/common/util/templates/common/config/ssl.conf
@@ -15,7 +15,7 @@
 SSLHonorCipherOrder On
 SSLUseStapling Off
 SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(32768)"
- SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES
- SSLProtocol all -SSLv2 -SSLv3 -TLSv1
+ SSLCipherSuite ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES
+ SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 SSLOptions StdEnvVars
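Review bot: The new `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` line is still written as a denylist, so the protocols actually enabled depend on what `all` expands to in the httpd/OpenSSL build; the allowlist form `SSLProtocol -all +TLSv1.2 +TLSv1.3` states the policy directly, provided every consumer's build accepts the `TLSv1.3` keyword (confirm before switching). On the new `SSLCipherSuite` line the trailing `!MD5:!RC4:!3DES` exclusions no longer remove anything, because only AES-GCM suites are selected, and the string governs TLS 1.2 and below only; TLS 1.3 suites are set through the separate `SSLCipherSuite TLSv1.3 ...` form, which this template does not pin. Because this is a shared template and clients limited to CBC suites or TLS 1.1 will now fail the handshake, a one-line comment above the two directives such as `# Minimum TLS 1.2; forward-secret AES-GCM suites only` would record the intent for consumers. The container these directives sit in starts outside the hunk, so whether a per-service override exists cannot be judged from here.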