Le 26/04/2017 à 16:16, James Hogarth a écrit :
I'm not 100% on any differences in ciphers available, but I don't think there should be much difference between EL7 and Fedora.
This config gets my an A+ rating on the sslabs test:
SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"
<IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" </IfModule>
https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com
IIRC the Red Hat defaults are somewhat conservative on their limitations in order to simplify and maximise client connectivity - as some stuff (especially java apps or older mobile devices) tend to struggle otherwise with only a strict set of secure ciphers.
Thanks for the detailed explanation!