https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25948 --- Comment #1 from M. Tompsett <mtompset@hotmail.com> --- Created attachment 106645 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=106645&action=edit Bug 25948: Clean up apache-site-https a little - removed ECDHE-RSA-AES256-SHA384, as it downgrades to CBC use https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384/ - added DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256 - added ECDHE-ECDSA-AES256-SHA384 - removed cut-off ECDHE-RSA-SA- and ECDHE-RSA-AES - made OPAC and Intranet sections match - removed TLSv1 https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html https://blogs.windows.com/msedgedev/2020/03/31/tls-1-0-tls-1-1-schedule-upda... https://www.entrustdatacard.com/blog/2018/november/deprecating-tls - did not remove TLSv1.1 as this would break support for older browsers probably still in use. - did not add TLSv1.3 as it depends on OS used and version of openSSL if it is supported or not. This may break support for some things, but nothing semi-current. I don't care about ie 11 on windows 8.1 phones, or safari 6-8. Also, people using letsencrypt.org should look into using a DNS CAA record for their opac site URL, issued by letsencrypt.org with flags set to 0. This affects the installation using: sudo koha-create --letsencrypt --create-db instance BEFORE using this command recently, I needed to disable the 000-default site, and had to create a directory /usr/share/koha/intranet/htdocs/.well-known/acme-challenge which I also softlinked from /usr/share/koha/opac/htdocs/.well-known/acme-challenge to the intranet one. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.