From c4f4e67e6a1bb6543ed0c20dfdef50a88e6e95ef Mon Sep 17 00:00:00 2001 From: Owen McGonagle Date: Sun, 10 May 2026 19:08:18 -0400 Subject: [PATCH] Harden Apache SSL config for PQC compliance SSLCipherSuite: Remove MEDIUM-strength ciphers and add !kRSA to block quantum-vulnerable RSA key exchange suites that lack forward secrecy. SSLProtocol: Switch from blacklist (all -old) to whitelist (-all +new) style, explicitly allowing only TLS 1.3 and TLS 1.2. This removes implicit TLS 1.1 support that remained under the old configuration. These changes address the Harvest Now, Decrypt Later (HNDL) threat model by ensuring Apache cannot negotiate quantum-vulnerable cipher suites or legacy protocol versions. Related: OSPRH-28891 Closes: OSPRH-28892 Co-Authored-By: Claude Opus 4.6 Signed-off-by: Owen McGonagle --- templates/horizon/config/ssl.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/horizon/config/ssl.conf b/templates/horizon/config/ssl.conf index e3da4ecb..1ce11444 100644 --- a/templates/horizon/config/ssl.conf +++ b/templates/horizon/config/ssl.conf @@ -15,7 +15,7 @@ SSLHonorCipherOrder On SSLUseStapling Off SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(32768)" - SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES - SSLProtocol all -SSLv2 -SSLv3 -TLSv1 + SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES:!kRSA + SSLProtocol -all +TLSv1.3 +TLSv1.2 SSLOptions StdEnvVars