[CentOS] Centos 8 crypto-policy to get SSL Labs A rating

Wed Jun 30 14:08:54 UTC 2021
Paul Heinlein <heinlein at madboa.com>

On Wed, 30 Jun 2021, Adrian Jenzer wrote:

> Dear Community
> I try to get an SSL Labs A rating for my CentOS8 Apache-server.
> I'am sure it has to do with my lack of understanding the crypto-policies configuration, can anybody give me an advice where i am wrong?
> My understanding is that the configuration in the pmod-file will override the ssl.conf values if PROFILE=SYSTEM is active.

I personally skip the crypto-policy for Apache, relying on a 
traditional httpd.conf stanza instead:

<IfModule mod_ssl.c>
   # ...
   SSLProtocol -all +TLSv1.3 +TLSv1.2

In conjunction with other TLS best practices, these settings seem to 
do the trick (read: Qualys likes them), albeit while excluding some 
older browsers.

Paul Heinlein
heinlein at madboa.com
45.38° N, 122.59° W