Hi Paul
Thanks, but how do you "skip the crypto-policy for Apache"? It seems like crypto-policies configuration is overwriting my values in httpd-configuration. How I enforce the values in httpd.conf ?
Gregards Adrian
-----Original Message----- From: CentOS centos-bounces@centos.org On Behalf Of Paul Heinlein Sent: Mittwoch, 30. Juni 2021 16:09 To: CentOS mailing list centos@centos.org Subject: Re: [CentOS] Centos 8 crypto-policy to get SSL Labs A rating
On Wed, 30 Jun 2021, Adrian Jenzer wrote:
Dear Community
I try to get an SSL Labs A rating for my CentOS8 Apache-server. I'am sure it has to do with my lack of understanding the crypto-policies configuration, can anybody give me an advice where i am wrong? My understanding is that the configuration in the pmod-file will override the ssl.conf values if PROFILE=SYSTEM is active.
I personally skip the crypto-policy for Apache, relying on a traditional httpd.conf stanza instead:
<IfModule mod_ssl.c> # ... SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM" SSLProtocol -all +TLSv1.3 +TLSv1.2 </IfModule>
In conjunction with other TLS best practices, these settings seem to do the trick (read: Qualys likes them), albeit while excluding some older browsers.
-- Paul Heinlein heinlein@madboa.com 45.38° N, 122.59° W _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos