[CentOS] easy way to stop old ssl's
Warren Young
warren at etr-usa.com
Fri Oct 11 20:40:42 UTC 2019
On Oct 11, 2019, at 12:12 PM, Jerry Geis <jerry.geis at gmail.com> wrote:
>
> is there a script that is available that can be run to bring
> a box up to current "accepted" levels ?
I don’t know why you’d use a script for this at all. Just ship a new HTTPS configuration to each server. Apache loads all *.conf files in its configuration directory, so you might be able to just add another file to the existing config set. If not, then replace the existing config file instead.
If you’re asking for a pre-crafted config, there are bunches of them floating around:
https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html
https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
etc.
I’m also surprised by the premise implied by the question, which is that a stable OS vendor would switch HTTPS configurations for you on a point upgrade. That’s pretty much the anti-Red Hat position. If you want local breaking changes like this, you develop and test it locally, then deploy the change locally.
Yes, breaking changes. Doing this *will* cut off support for older browsers. On purpose.
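
Added example, not part of the original post: a drop-in of the kind the reply describes, with a constructed permissive "before" shown commented out beside the tightened settings. The file name, the host name and the "before" lines are assumptions; it assumes httpd 2.4 with mod_ssl and the stock CentOS conf.d layout.

```apache
# /etc/httpd/conf.d/zz-tls-hardening.conf   (hypothetical file name)
#
# Assumes httpd includes conf.d/*.conf in alphabetical order, so a
# "zz-" file is read after the stock ssl.conf.

# Constructed "before": permissive settings of the kind to look for and retire.
#   SSLProtocol all -SSLv2
#   SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW

# "After": refuse SSLv3, TLS 1.0 and TLS 1.1. Newer protocol versions
# supported by the installed OpenSSL stay enabled.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

# Drop anonymous, null, export-grade, RC4, MD5 and 3DES suites.
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!3DES

# Use the server's cipher preference order instead of the client's.
SSLHonorCipherOrder on

# Caveat: an SSLProtocol or SSLCipherSuite line inside a <VirtualHost>
# block overrides these server-level values for that vhost, so find and
# edit or remove those lines as well:
#   grep -rnE 'SSLProtocol|SSLCipherSuite' /etc/httpd/conf /etc/httpd/conf.d
#
# Validate, reload, then confirm that an old protocol is now refused
# (www.example.com stands in for your own server):
#   apachectl configtest && apachectl graceful
#   openssl s_client -connect www.example.com:443 -tls1 </dev/null
```

A handshake failure from the `-tls1` probe is the expected result once the new settings are live; a completed handshake means some vhost still carries its own older `SSLProtocol` line.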