On 26.04.2017 08:58, Nicolas Kovacs wrote:
Hi,
I'm currently experimenting with a public server running CentOS 7. I have half a dozen production servers all running Slackware Linux, and I intend to progressively migrate them to CentOS, for a host of reasons (support cycle, package availability, SELinux, etc.) But before doing that, I have to figure out a few things that work differently under CentOS. Apache and SSL behave quite differently under these two distributions.
So far, Apache is running fine with HTTP and hosts a series of virtual hosts.
I have installed Certbot and created a Let's Encrypt certificate for the server.
I have a "dummy" website under /var/www/html/default/html.
I installed mod_ssl and only edited the following directives in /etc/httpd/conf.d/ssl.conf. I kept the default options for everything else.
--8<------------------------------------------------
...
DocumentRoot "/var/www/html/default/html"
ServerName sd-41893.dedibox.fr:443
...
SSLCertificateFile /etc/letsencrypt/live/sd-41893.dedibox.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sd-41893.dedibox.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/sd-41893.dedibox.fr/fullchain.pem
--8<------------------------------------------------
After restarting Apache, the website shows up correctly.
But when I test it using Qualys SSL Labs Server Test, the results are a disappointment.
with this:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'
SSLHonorCipherOrder on
SSLStrictSNIVHostCheck on
you get Grade A+
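
Added example, not part of the original thread: a Python check that resolves the SSLProtocol line from the reply into the protocols it leaves enabled and expands the SSLCipherSuite string with the local OpenSSL, in the preference order that SSLHonorCipherOrder on makes the server enforce. The function names and the meaning given to "all" (httpd 2.4 built against OpenSSL 1.0.1/1.0.2, without TLSv1.3) are assumptions, and the local OpenSSL may expand the string differently from the server's build.

```python
import ssl

# Directives copied from the reply above.
CONF = """\
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'
SSLHonorCipherOrder on
"""
# Assumption: what "all" stands for in httpd 2.4 with OpenSSL 1.0.1/1.0.2 (no TLSv1.3).
ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
# Name fragments of suites the "!" entries in the cipher string are meant to remove.
EXCLUDED = ("RC4", "DES", "MD5", "NULL", "IDEA", "SEED", "PSK", "SRP", "DSS", "ADH", "AECDH")

def directives(conf):
    """Map directive name -> argument string, skipping blank lines and comments."""
    out = {}
    for line in conf.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            out[parts[0]] = parts[1].strip().strip("'\"")
    return out

def enabled_protocols(spec):
    """Resolve an SSLProtocol argument list into the protocols left enabled."""
    enabled = []
    for tok in spec.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        chosen = ALL_PROTOCOLS if name.lower() == "all" else [name]
        if sign == "-":
            enabled = [p for p in enabled if p not in chosen]
        elif sign == "+":
            enabled += [p for p in chosen if p not in enabled]
        else:  # a bare token replaces whatever was set before it
            enabled = list(chosen)
    return enabled

def expand_ciphers(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites (TLS_*) are configured separately and are not governed by this string.
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]

if __name__ == "__main__":
    d = directives(CONF)
    print("protocols:", enabled_protocols(d["SSLProtocol"]))
    for n in expand_ciphers(d["SSLCipherSuite"]):
        print("REVIEW" if any(x in n for x in EXCLUDED) else "ok    ", n)
```

The protocol result shows that this SSLProtocol line still leaves TLSv1 and TLSv1.1 enabled alongside TLSv1.2.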