Disabled TLS 1.0 and 1.1 in the proxy.

services/proxy/Dockerfile

@@ -38,6 +38,7 @@ RUN rm /etc/apache2/sites-available/default-ssl.conf
 
 # Apache conf
 COPY apache2.conf /etc/apache2/apache2.conf
+COPY ssl.conf /etc/apache2/mods-enabled/ssl.conf
 
 # Copy self-signed (snakeoil) certificates
 RUN mkdir /root/certificates

services/proxy/ssl.conf

+<IfModule mod_ssl.c>
+
+    # Pseudo Random Number Generator (PRNG):
+    # Configure one or more sources to seed the PRNG of the SSL library.
+    # The seed data should be of good random quality.
+    # WARNING! On some platforms /dev/random blocks if not enough entropy
+    # is available. This means you then cannot use the /dev/random device
+    # because it would lead to very long connection times (as long as
+    # it requires to make more entropy available). But usually those
+    # platforms additionally provide a /dev/urandom device which doesn't
+    # block. So, if available, use this one instead. Read the mod_ssl User
+    # Manual for more details.
+    #
+    SSLRandomSeed startup builtin
+    SSLRandomSeed startup file:/dev/urandom 512
+    SSLRandomSeed connect builtin
+    SSLRandomSeed connect file:/dev/urandom 512
+
+    ##
+    ##  SSL Global Context
+    ##
+    ##  All SSL configuration in this context applies both to
+    ##  the main server and all SSL-enabled virtual hosts.
+    ##
+
+    #
+    #   Some MIME-types for downloading Certificates and CRLs
+    #
+    AddType application/x-x509-ca-cert .crt
+    AddType application/x-pkcs7-crl .crl
+
+    #   Pass Phrase Dialog:
+    #   Configure the pass phrase gathering process.
+    #   The filtering dialog program (`builtin' is a internal
+    #   terminal dialog) has to provide the pass phrase on stdout.
+    SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
+
+    #   Inter-Process Session Cache:
+    #   Configure the SSL Session Cache: First the mechanism 
+    #   to use and second the expiring timeout (in seconds).
+    #   (The mechanism dbm has known memory leaks and should not be used).
+    #SSLSessionCache         dbm:${APACHE_RUN_DIR}/ssl_scache
+    SSLSessionCache     shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
+    SSLSessionCacheTimeout  300
+
+    #   Semaphore:
+    #   Configure the path to the mutual exclusion semaphore the
+    #   SSL engine uses internally for inter-process synchronization. 
+    #   (Disabled by default, the global Mutex directive consolidates by default
+    #   this)
+    #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
+
+
+    #   SSL Cipher Suite:
+    #   List the ciphers that the client is permitted to negotiate. See the
+    #   ciphers(1) man page from the openssl package for list of all available
+    #   options.
+    #   Enable only secure ciphers:
+    SSLCipherSuite HIGH:!aNULL
+
+    # SSL server cipher order preference:
+    # Use server priorities for cipher algorithm choice.
+    # Clients may prefer lower grade encryption.  You should enable this
+    # option if you want to enforce stronger encryption, and can afford
+    # the CPU cost, and did not override SSLCipherSuite in a way that puts
+    # insecure ciphers first.
+    # Default: Off
+    #SSLHonorCipherOrder on
+
+    #   The protocols to enable.
+    #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+    #   SSL v2  is no longer supported
+    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+
+    #   Allow insecure renegotiation with clients which do not yet support the
+    #   secure renegotiation protocol. Default: Off
+    #SSLInsecureRenegotiation on
+
+    #   Whether to forbid non-SNI clients to access name based virtual hosts.
+    #   Default: Off
+    #SSLStrictSNIVHostCheck On
+
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
\ No newline at end of file