[CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs

Nicolas Kovacs

info at microlinux.fr
Wed Apr 26 06:58:39 UTC 2017


Hi,

I'm currently experimenting with a public server running CentOS 7. I
have half a dozen production servers all running Slackware Linux, and I
intend to progressively migrate them to CentOS, for a host of reasons
(support cycle, package availability, SELinux, etc.) But before doing
that, I have to figure out a few things that work differently under
CentOS. Apache and SSL behave quite differently under these two
distributions.

So far, Apache is running fine with HTTP and hosts a series of virtual
hosts.

I have installed Certbot and created a Let's Encrypt certificate for the
server.

I have a "dummy" website under /var/www/html/default/html.

I installed mod_ssl and only edited the following directives in
/etc/httpd/conf.d/ssl.conf. I kept the default options for everything else.

--8<------------------------------------------------
...
DocumentRoot "/var/www/html/default/html"
ServerName sd-41893.dedibox.fr:443
...
SSLCertificateFile /etc/letsencrypt/live/sd-41893.dedibox.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sd-41893.dedibox.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/sd-41893.dedibox.fr/fullchain.pem
--8<------------------------------------------------

After restarting Apache, the website shows up correctly.

https://sd-41893.dedibox.fr/

But when I test it using Qualys SSL Labs Server Test, the results are a
disappointment.

https://www.ssllabs.com/ssltest/

The site is rated "C", with the following remarks:

"This server is vulnerable to the POODLE attack. If possible, disable
SSL 3 to mitigate. Grade capped to C."

"This server accepts RC4 cipher, but only with older protocols. Grade
capped to B."

"The server does not support Forward Secrecy with the reference browsers."

"This site works only in browsers with SNI support."

I googled a bit, and to my surprise I only found articles about Apache
and SSL on CentOS that seem - more or less - to use the default ssl.conf
configuration.

On a side note, my Slackware servers have a default usable
/etc/httpd/extra/httpd-ssl.conf file that gets an "A" on Qualys Labs,
and even an "A+" when you add a two-liner.

Any suggestions on improving that?

Cheers,

Niki Kovacs


-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
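Added example, not part of the original post and not CentOS's shipped ssl.conf: a hardened SSL vhost for the httpd 2.4.6 / mod_ssl that CentOS 7 ships, written against the four SSL Labs findings quoted above. The hostname and certificate paths are taken from the post; the "before" values are quoted from memory of the stock /etc/httpd/conf.d/ssl.conf and should be checked against the local file before relying on them.

```apache
# Added example (not from the original post or from the stock CentOS 7
# ssl.conf). Hardened SSL vhost for httpd 2.4.6 on CentOS 7, addressing the
# SSL Labs findings quoted in the post. "Before" lines are the stock values
# as remembered; verify them against the local ssl.conf.
#
# Finding 1: POODLE.          stock "SSLProtocol all -SSLv2" leaves SSLv3 on.
# Finding 2: RC4 accepted.    stock "HIGH:MEDIUM:..." list includes RC4.
# Finding 3: no forward       without SSLHonorCipherOrder the client's list
#            secrecy.         decides, and HIGH:MEDIUM does not favour ECDHE.
# Finding 4: SNI-only.        informational: a client that sends no SNI gets
#                             no certificate. Fine for modern browsers.

<VirtualHost _default_:443>
    DocumentRoot "/var/www/html/default/html"
    ServerName sd-41893.dedibox.fr:443

    SSLEngine on

    # Before: SSLProtocol all -SSLv2        (SSLv3 still enabled -> POODLE, C)
    SSLProtocol all -SSLv2 -SSLv3

    # Before: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA  (RC4 in MEDIUM)
    # ECDHE suites first so a forward-secret suite is chosen; RC4, 3DES,
    # anonymous and NULL suites excluded explicitly.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!MD5:!RC4:!3DES

    # Before: #SSLHonorCipherOrder on       (commented out -> client chooses)
    SSLHonorCipherOrder on

    # CRIME: disable TLS-level compression (directive exists since httpd 2.4.3).
    SSLCompression off

    # httpd 2.4.6 predates the 2.4.8 change that lets SSLCertificateFile carry
    # the whole chain, so leaf and intermediates stay in separate directives.
    # Before: SSLCertificateChainFile pointed at fullchain.pem, which repeats
    # the leaf certificate in the sent chain; chain.pem holds only the
    # Let's Encrypt intermediate(s).
    SSLCertificateFile      /etc/letsencrypt/live/sd-41893.dedibox.fr/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/sd-41893.dedibox.fr/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/sd-41893.dedibox.fr/chain.pem

    # HSTS (needs mod_headers, loaded by default on CentOS 7). This is what
    # typically turns an A into an A+. Start with a short max-age and without
    # includeSubDomains until every subdomain is known to serve valid TLS: a
    # wrong HSTS header locks browsers out of the site for its whole lifetime.
    Header always set Strict-Transport-Security "max-age=300"
    # Once verified, raise to: "max-age=31536000; includeSubDomains"
</VirtualHost>
```

After `apachectl configtest` and `systemctl restart httpd`, a quick local check before re-running SSL Labs: `openssl s_client -connect sd-41893.dedibox.fr:443 -ssl3 </dev/null` and `openssl s_client -connect sd-41893.dedibox.fr:443 -cipher RC4 </dev/null` should both fail the handshake, while a plain `openssl s_client -connect sd-41893.dedibox.fr:443 </dev/null` should report an ECDHE cipher and a verified chain. Note that the OpenSSL build in use must actually offer ECDHE suites for the forward-secrecy finding to clear; if `openssl ciphers -v 'ECDHE'` prints nothing, the cipher list above cannot help.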


