On 26/04/17 16:16, James Hogarth wrote:
> On 26 April 2017 at 13:16, Steven Tardy <sjt5atra@xxxxxxxxx> wrote:
>>
>>> On Apr 26, 2017, at 2:58 AM, Nicolas Kovacs <info@xxxxxxxxxxxxx> wrote:
>>>
>>> The site is rated "C"
>>
>> The RHEL/CentOS out-of-the-box apache tls is a little old but operational. This Mozilla resource is excellent for getting apache tls config up-to-date.
>>
>> https://wiki.mozilla.org/Security/Server_Side_TLS
>
> I'm not 100% on any differences in ciphers available, but I don't
> think there should be much difference between EL7 and Fedora.
>
> This config gets me an A+ rating on the ssllabs test:
>
> SSLEngine on
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"
>
> <IfModule mod_headers.c>
> Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
> </IfModule>
>
> https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com
>
> IIRC the Red Hat defaults are somewhat conservative on their
> limitations in order to simplify and maximise client connectivity - as
> some stuff (especially java apps or older mobile devices) tends to
> struggle otherwise with only a strict set of secure ciphers.

Outside of Qualys, I found the following sites interesting:

https://cipherli.st/ (recommendations)
https://ssldecoder.org (testing tool)

-- 
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
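The SSLCipherSuite string quoted above is an OpenSSL cipher string, and what it actually enables depends on the OpenSSL build Apache is linked against. The following is an added example (not from the thread or from any of its posters) that expands such a string with the local OpenSSL via Python's ssl module, parses each suite's Kx/Au/Enc/Mac description, and flags anything without forward secrecy or using RC4, 3DES or MD5. The A_PLUS string is the posted one with line breaks removed and ':' as separator; PERMISSIVE is a constructed comparison list, not a distro default.

```python
"""Expand an Apache SSLCipherSuite string with the local OpenSSL and flag weak suites."""
import re
import ssl

# Constructed input: the cipher string posted above, joined with ':'
# (OpenSSL also accepts the space-separated form Apache was given).
A_PLUS = (
    "EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:"
    "EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:"
    "!EXP:!PSK:!SRP:!DSS:!RC4"
)
# Constructed input: a permissive list used only for comparison (hypothetical).
PERMISSIVE = "ALL:!aNULL:!eNULL"

# One SSL_CIPHER_description() line, the same format `openssl ciphers -v` prints, e.g.
# "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
DESC_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

FORWARD_SECRET_KX = {"ECDH", "DH"}  # ephemeral (EC)DH in OpenSSL's description notation
WEAK_ENC_PREFIXES = ("RC4", "3DES", "DES", "SEED", "IDEA", "RC2", "None")
WEAK_MACS = {"MD5"}


def expand(cipher_string):
    """Resolve a cipher string to the suites the local OpenSSL enables, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    suites = []
    for c in ctx.get_ciphers():
        m = DESC_RE.match(c["description"])
        if m:
            suites.append(m.groupdict())
    return suites


def weak_suites(suites):
    """Return (name, reason) for each pre-TLS-1.3 suite a modern config should not offer."""
    findings = []
    for s in suites:
        if s["proto"] == "TLSv1.3":
            continue  # TLS 1.3 suites are fixed: AEAD only, ephemeral key exchange only
        if s["kx"] not in FORWARD_SECRET_KX:
            findings.append((s["name"], "no forward secrecy (Kx=%s)" % s["kx"]))
        elif s["enc"].startswith(WEAK_ENC_PREFIXES):
            findings.append((s["name"], "weak cipher %s" % s["enc"]))
        elif s["mac"] in WEAK_MACS:
            findings.append((s["name"], "weak MAC %s" % s["mac"]))
    return findings


def lint(cipher_string):
    """Summarise a cipher string: suite count, first few names, and weak findings."""
    suites = expand(cipher_string)
    return {
        "count": len(suites),
        "first": [s["name"] for s in suites[:3]],
        "weak": weak_suites(suites),
    }


if __name__ == "__main__":
    for label, cs in (("posted A+ list", A_PLUS), ("permissive list", PERMISSIVE)):
        r = lint(cs)
        print("%s: %d suites, preferred first: %s" % (label, r["count"], ", ".join(r["first"])))
        for name, why in r["weak"]:
            print("  WEAK %-32s %s" % (name, why))
```

The expansion shows what survives the trailing `!` exclusions (for instance, nothing RC4-based remains despite the earlier `EECDH+aRSA+RC4` group), and the order it prints is only what the server will prefer if `SSLHonorCipherOrder on` is also set; without that directive the client's preference order wins. Re-run it on the target host itself, since the result is tied to that host's OpenSSL version and security level.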
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos