[CentOS] Centos 8 crypto-policy to get SSL Labs A rating

Wed Jun 30 14:08:54 UTC 2021
Paul Heinlein <heinlein at madboa.com>

On Wed, 30 Jun 2021, Adrian Jenzer wrote:

> Dear Community
>
> I try to get an SSL Labs A rating for my CentOS8 Apache-server.
> I am sure it has to do with my lack of understanding of the crypto-policies configuration; can anybody give me some advice on where I am wrong?
> My understanding is that the configuration in the pmod-file will override the ssl.conf values if PROFILE=SYSTEM is active.

I personally skip the crypto-policy for Apache, relying on a 
traditional httpd.conf stanza instead:

<IfModule mod_ssl.c>
   # ...
   # forward-secret (ECDHE/DHE) AES-GCM suites only
   SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM"
   # drop every protocol, then re-enable TLS 1.3 and TLS 1.2
   SSLProtocol -all +TLSv1.3 +TLSv1.2
</IfModule>

In conjunction with other TLS best practices, these settings seem to 
do the trick (read: Qualys likes them), albeit while excluding some 
older browsers.

-- 
Paul Heinlein
heinlein at madboa.com
45.38° N, 122.59° W
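As an added example (not from the list thread, Apache or the crypto-policies project), a small Python check that reads a stanza like the one above, applies Apache's +/- token rules to SSLProtocol, and flags any cipher group that lacks forward secrecy or an AEAD cipher; it also reports when SSLCipherSuite says PROFILE=SYSTEM, which is the asker's case. The sample config, the expansion of "all", and the "safe" alias lists are my assumptions.

```python
"""Static check of an Apache mod_ssl stanza: which protocols survive the SSLProtocol
token list, and whether each SSLCipherSuite group gives forward secrecy plus AEAD."""
import re

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # what "all" expands to (assumed)
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}      # any of these enabled costs the A grade
FS_KEX = {"EECDH", "ECDHE", "EDH", "DHE"}   # forward-secret key-exchange aliases
AEAD = {"AESGCM", "CHACHA20", "AESCCM"}     # AEAD bulk-cipher aliases
# Constructed sample mirroring the stanza in the post.
SAMPLE_CONF = """\
<IfModule mod_ssl.c>
   SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM"
   SSLProtocol -all +TLSv1.3 +TLSv1.2
</IfModule>
"""

def directive(conf, name):
    # Value of the first `name` directive (quotes stripped), or None if absent.
    m = re.search(rf"^\s*{name}\s+(.+?)\s*$", conf, re.M | re.I)
    return m.group(1).strip('"') if m else None

def enabled_protocols(value):
    """Apache token rules, left to right: '+' adds, '-' removes, a bare name replaces."""
    enabled = set()
    for tok in value.split():
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("=", tok)
        members = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if action == "+": enabled |= members
        elif action == "-": enabled -= members
        else: enabled = set(members)
    return enabled

def cipher_findings(value):
    """One finding per cipher group lacking a forward-secret kex or an AEAD cipher."""
    if value.upper().startswith("PROFILE="):  # list comes from crypto-policies, not this file
        return [f"cipher list deferred to system crypto-policies ({value})"]
    findings = []
    for group in value.split(":"):
        if group[:1] in "!-": continue  # exclusion entries only remove ciphers
        parts = set(group.split("+"))
        if not (parts & FS_KEX and parts & AEAD):
            findings.append(f"cipher group without forward secrecy or AEAD: {group}")
    return findings

def check_stanza(conf):
    # Returns {'protocols': set, 'findings': list}; an empty findings list is the goal.
    proto = directive(conf, "SSLProtocol")
    protocols = enabled_protocols(proto) if proto else set()
    findings = [] if proto else ["SSLProtocol not set; mod_ssl default applies"]
    findings += [f"legacy protocol enabled: {p}" for p in sorted(protocols & LEGACY)]
    ciphers = directive(conf, "SSLCipherSuite")
    findings += cipher_findings(ciphers) if ciphers else ["SSLCipherSuite not set"]
    return {"protocols": protocols, "findings": findings}
```

Run `check_stanza(open("/etc/httpd/conf.d/ssl.conf").read())` against a real file; it is a static sanity check, not a substitute for the Qualys scan itself.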