[CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs
Leon Fauster
leonfauster at googlemail.com
Wed Apr 26 16:39:39 UTC 2017
> Am 26.04.2017 um 17:17 schrieb Fabian Arrotin <arrfab at centos.org>:
>
> On 26/04/17 16:16, James Hogarth wrote:
>> On 26 April 2017 at 13:16, Steven Tardy <sjt5atra at gmail.com> wrote:
>>>
>>>> On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs <info at microlinux.fr> wrote:
>>>>
>>>> The site is rated "C"
>>>
>>> The RHEL/CentOS out-of-the-box apache tls is a little old but operational. This Mozilla resource is excellent for getting apache tls config up-to-date.
>>>
>>> https://wiki.mozilla.org/Security/Server_Side_TLS
>>
>> I'm not 100% on any differences in ciphers available, but I don't
>> think there should be much difference between EL7 and Fedora.
>>
>> This config gets my an A+ rating on the sslabs test:
>>
>> SSLEngine on
>> SSLProtocol all -SSLv2 -SSLv3
>> SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
>> EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES
>> !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"
>>
>> <IfModule mod_headers.c>
>> Header always set Strict-Transport-Security "max-age=15768000;
>> includeSubDomains; preload"
>> </IfModule>
>>
>> https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com
>>
>> IIRC the Red Hat defaults are somewhat conservative on their
>> limitations in order to simplify and maximise client connectivity - as
>> some stuff (especially java apps or older mobile devices) tend to
>> struggle otherwise with only a strict set of secure ciphers.
>
> Outside of Qualys, I found the following sites interesting :
>
> https://cipherli.st/ (recommandations)
> https://ssldecoder.org (testing tool)
+
https://access.redhat.com/articles/1462183
--
LF
More information about the CentOS
mailing list