[CentOS] Centos 8 crypto-policy to get SSL Labs A rating

Mon Jul 5 13:29:37 UTC 2021
Adrian Jenzer <a.jenzer at herzogdemeuron.com>

Hi Paul

Thanks, but how do you "skip the crypto-policy for Apache"?
It seems like crypto-policies configuration is overwriting my values in httpd-configuration.
How I enforce the values in httpd.conf ? 


-----Original Message-----
From: CentOS <centos-bounces at centos.org> On Behalf Of Paul Heinlein
Sent: Mittwoch, 30. Juni 2021 16:09
To: CentOS mailing list <centos at centos.org>
Subject: Re: [CentOS] Centos 8 crypto-policy to get SSL Labs A rating

On Wed, 30 Jun 2021, Adrian Jenzer wrote:

> Dear Community
> I try to get an SSL Labs A rating for my CentOS8 Apache-server.
> I'am sure it has to do with my lack of understanding the crypto-policies configuration, can anybody give me an advice where i am wrong?
> My understanding is that the configuration in the pmod-file will override the ssl.conf values if PROFILE=SYSTEM is active.

I personally skip the crypto-policy for Apache, relying on a traditional httpd.conf stanza instead:

<IfModule mod_ssl.c>
   # ...
   SSLProtocol -all +TLSv1.3 +TLSv1.2

In conjunction with other TLS best practices, these settings seem to do the trick (read: Qualys likes them), albeit while excluding some older browsers.

Paul Heinlein
heinlein at madboa.com
45.38° N, 122.59° W
CentOS mailing list
CentOS at centos.org