[CentOS] easy way to stop old ssl's

Fri Oct 11 20:40:42 UTC 2019
Warren Young <warren at etr-usa.com>

On Oct 11, 2019, at 12:12 PM, Jerry Geis <jerry.geis at gmail.com> wrote:
> 
> is there a script that is available that can be run to bring
> a box up to current "accepted" levels?

I don’t know why you’d use a script for this at all.  Just ship a new HTTPS configuration to each server.  Apache loads all *.conf files in its configuration directory, so you might be able to just add another file to the existing config set.  If not, then replace the existing config file instead.

If you’re asking for a pre-crafted config, there are bunches of them floating around:

   https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
   https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html
   https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

etc.

I’m also surprised by the premise implied by the question, which is that a stable OS vendor would switch HTTPS configurations for you on a point upgrade.  That’s pretty much the anti-Red Hat position.  If you want local breaking changes like this, you develop and test it locally, then deploy the change locally.

Yes, breaking changes.  Doing this *will* cut off support for older browsers.  On purpose.
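The configuration-file approach described above, written out as an added example (not part of the original post): an Apache 2.4 `mod_ssl` fragment for a CentOS 7 host that drops SSLv2/SSLv3 and TLS 1.0/1.1 and removes the weak cipher families. The path `/etc/httpd/conf.d/` and the certificate file names are assumptions for this example, and only directives that exist in the httpd 2.4.6 shipped with CentOS 7 are used.

```apache
# Added example: hardened TLS settings for Apache 2.4 on CentOS 7.
# The stock mod_ssl file /etc/httpd/conf.d/ssl.conf sets SSLProtocol and
# SSLCipherSuite *inside* <VirtualHost _default_:443>, and a vhost-level
# directive overrides a server-level one. So a separate drop-in file at
# server scope will not take effect for that vhost: either edit ssl.conf
# or make sure these directives live inside the virtual host, as here.
# Certificate paths below are placeholders for this example.

Listen 443 https

<VirtualHost _default_:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/example.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/example.key
    SSLCertificateChainFile /etc/pki/tls/certs/example-chain.crt

    # Protocol floor: only TLS 1.2 remains. Each "-" entry is removed
    # from "all"; the order of the removals does not matter.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    # Cipher policy: forward-secret ECDHE suites with AES-GCM first, then
    # other HIGH suites; explicitly exclude anonymous DH, MD5, RC4, 3DES
    # and export/NULL ciphers so an OpenSSL upgrade cannot re-enable them.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!MD5:!RC4:!3DES:!DES

    # Let the server, not the client, pick from the ordered list above.
    SSLHonorCipherOrder on

    # TLS compression enables the CRIME attack; keep it off.
    SSLCompression off

    # Tell browsers to keep using HTTPS for this host (mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

Before reloading, validate the syntax with `httpd -t`, then `systemctl reload httpd`. To confirm the old protocols are really gone from a test box, `openssl s_client -connect www.example.com:443 -tls1` (and `-tls1_1`) should now fail the handshake while `-tls1_2` succeeds; any client that only speaks the removed versions is cut off, which is exactly the breaking change the post warns about.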