[CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs

Wed Apr 26 15:17:10 UTC 2017
Fabian Arrotin <arrfab at centos.org>

On 26/04/17 16:16, James Hogarth wrote:
> On 26 April 2017 at 13:16, Steven Tardy <sjt5atra at gmail.com> wrote:
>>> On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs <info at microlinux.fr> wrote:
>>> The site is rated "C"
>> The RHEL/CentOS out-of-the-box apache tls is a little old but operational. This Mozilla resource is excellent for getting apache tls config up-to-date.
>> https://wiki.mozilla.org/Security/Server_Side_TLS
> I'm not 100% on any differences in ciphers available, but I don't
> think there should be much difference between EL7 and Fedora.
> This config gets my an A+ rating on the sslabs test:
> SSLEngine on
> SSLProtocol all -SSLv2 -SSLv3
> <IfModule mod_headers.c>
>       Header always set Strict-Transport-Security "max-age=15768000;
> includeSubDomains; preload"
> </IfModule>
> https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com
> IIRC the Red Hat defaults are somewhat conservative on their
> limitations in order to simplify and maximise client connectivity - as
> some stuff (especially java apps or older mobile devices) tend to
> struggle otherwise with only a strict set of secure ciphers.

Outside of Qualys, I found the following sites interesting :

https://cipherli.st/ (recommandations)
https://ssldecoder.org (testing tool)

Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20170426/50efa8b2/attachment-0005.sig>