[CentOS] Apache + SSL: default configuration rated "C" by Qualys Labs

Wed Apr 26 06:58:39 UTC 2017
Nicolas Kovacs <info at microlinux.fr>


I'm currently experimenting with a public server running CentOS 7. I
have half a dozen production servers all running Slackware Linux, and I
intend to progressively migrate them to CentOS, for a host of reasons
(support cycle, package availability, SELinux, etc.). But before doing
that, I have to figure out a few things that work differently under
CentOS. Apache and SSL behave quite differently under these two

So far, Apache is running fine with HTTP and hosts a series of virtual

I have installed Certbot and created a Let's Encrypt certificate for the

I have a "dummy" website under /var/www/html/default/html.

I installed mod_ssl and only edited the following directives in
/etc/httpd/conf.d/ssl.conf. I kept the default options for everything else.

DocumentRoot "/var/www/html/default/html"
ServerName sd-41893.dedibox.fr:443
SSLCertificateFile /etc/letsencrypt/live/sd-41893.dedibox.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sd-41893.dedibox.fr/privkey.pem

After restarting Apache, the website shows up correctly.


But when I test it using Qualys SSL Labs Server Test, the results are a


The site is rated "C", with the following remarks:

"This server is vulnerable to the POODLE attack. If possible, disable
SSL 3 to mitigate. Grade capped to C."

"This server accepts RC4 cipher, but only with older protocols. Grade
capped to B."

"The server does not support Forward Secrecy with the reference browsers."

"This site works only in browsers with SNI support."

I googled a bit, and to my surprise I only found articles about Apache
and SSL on CentOS that seem - more or less - to use the default ssl.conf

On a side note, my Slackware servers have a default usable
/etc/httpd/extra/httpd-ssl.conf file that gets an "A" on Qualys Labs,
and even an "A+" when you add a two-liner.

Any suggestions on improving that?


Niki Kovacs

Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
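
Added example, not part of the original post: a small static check that maps the mod_ssl directives in an ssl.conf to the three SSL Labs remarks quoted above (SSL 3, RC4, forward secrecy). The two sample configurations are constructed; WEAK is assumed to resemble a 2017-era stock ssl.conf, HARDENED is one possible corrected form, and the cipher-alias handling is a heuristic that assumes OpenSSL 1.0.x semantics.

```python
import re

# Constructed samples. WEAK is assumed to mirror the TLS directives of a
# 2017-era stock ssl.conf; HARDENED is one possible corrected form.
WEAK = """SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
#SSLHonorCipherOrder on
"""
HARDENED = """SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:!aNULL:!MD5:!RC4
SSLHonorCipherOrder on
"""

def directives(conf):
    """Return {name_lower: value} for uncommented SSL* directives; last wins."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"\s*(SSL\w+)\s+(.+?)\s*$", line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found

def audit(conf):
    """Map ssl.conf directives to the three SSL Labs remarks (heuristic)."""
    d, findings = directives(conf), []
    # Assumption: 'all' (also the default when unset) still includes SSLv3.
    enabled = set()
    for tok in d.get("sslprotocol", "all").split():
        name = tok.lstrip("+-").lower()
        if tok.startswith("-"):
            enabled.discard(name)
        elif name == "all":
            enabled |= {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
        else:
            enabled.add(name)
    if "sslv3" in enabled:
        findings.append("SSLv3 enabled (POODLE)")
    # Assumption: on OpenSSL 1.0.x the ALL/DEFAULT/MEDIUM aliases pull in RC4.
    ciphers = d.get("sslciphersuite", "DEFAULT").split(":")
    added = [c.upper() for c in ciphers if not c.startswith(("!", "-"))]
    if any(c in {"ALL", "DEFAULT", "MEDIUM"} or "RC4" in c for c in added) \
            and "!RC4" not in ciphers:
        findings.append("RC4 accepted")
    # Server order must be enforced and start with an (EC)DHE key exchange.
    pfs_first = ciphers[0].upper().startswith(("EECDH", "ECDHE", "EDH", "DHE"))
    if d.get("sslhonorcipherorder", "off").lower() != "on" or not pfs_first:
        findings.append("forward secrecy not enforced by server order")
    return findings
```

A static check like this only reads the directives; the result still needs confirming against the running server, for example by re-running the SSL Labs test after restarting Apache.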