On Wed, 30 Jun 2021, Adrian Jenzer wrote:
Dear Community
I am trying to get an SSL Labs A rating for my CentOS 8 Apache server. I'm sure it has to do with my lack of understanding of the crypto-policies configuration; can anybody give me advice on where I am wrong? My understanding is that the configuration in the pmod-file will override the ssl.conf values if PROFILE=SYSTEM is active.
I personally skip the crypto-policy for Apache, relying on a traditional httpd.conf stanza instead:
<IfModule mod_ssl.c>
    # ...
    SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM"
    SSLProtocol -all +TLSv1.3 +TLSv1.2
</IfModule>
In conjunction with other TLS best practices, these settings seem to do the trick (read: Qualys likes them), albeit while excluding some older browsers.
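
Added example (not part of the original message, and not code from either poster): a small Python check that reads Apache configuration text and reports whether SSLCipherSuite defers to the system crypto-policy (a PROFILE= value) or is an explicit list, and which protocols SSLProtocol requests. The names audit, enabled_protocols, POLICY_CONF and EXPLICIT_CONF are made up for this example, POLICY_CONF is a constructed sample, and the "last directive wins" handling is a simplification that ignores virtual-host scoping and anything the system policy restricts on its own.

```python
import re
import shlex

ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
MODERN = {"TLSv1.2", "TLSv1.3"}
DIRECTIVE = re.compile(r"(SSLCipherSuite|SSLProtocol)\s+(.+)$", re.IGNORECASE)

def enabled_protocols(args):
    """Evaluate SSLProtocol tokens left to right: +X adds, -X removes, bare X replaces."""
    enabled = set()
    for tok in args.split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        group = set(ALL) if name == "all" else {p for p in ALL if p.lower() == name}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = group
    return enabled

def audit(conf_text):
    """Return cipher source and protocol set; the last matching directive wins (simplification)."""
    result = {"cipher_source": None, "cipher_spec": None, "protocols": set(), "legacy": set()}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):          # Apache comments occupy a whole line
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "sslciphersuite":
            spec = shlex.split(value)[-1]  # skip the optional protocol argument, drop quotes
            result["cipher_spec"] = spec
            result["cipher_source"] = "crypto-policy" if spec.upper().startswith("PROFILE=") else "explicit"
        else:
            result["protocols"] = enabled_protocols(value)
            result["legacy"] = result["protocols"] - MODERN
    return result

# Constructed sample: cipher list deferred to the system-wide crypto-policy.
POLICY_CONF = 'SSLProtocol all -SSLv3\nSSLCipherSuite PROFILE=SYSTEM\n'
# The stanza quoted in the reply above.
EXPLICIT_CONF = '''<IfModule mod_ssl.c>
# ...
SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM"
SSLProtocol -all +TLSv1.3 +TLSv1.2
</IfModule>'''
```

Running audit() over the files httpd actually loads shows quickly whether a leftover PROFILE= line or a later SSLProtocol directive is still in play after the explicit stanza.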