Re: Apache + SSL: default configuration rated "C" by Qualys Labs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

Le 26/04/2017 à 16:16, James Hogarth a écrit :
> I'm not 100% on any differences in ciphers available, but I don't
> think there should be much difference between EL7 and Fedora.
> 
> This config gets my an A+ rating on the sslabs test:
> 
> SSLEngine on
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
> EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !MEDIUM !SEED !3DES
> !CAMELLIA !MD5 !EXP !PSK !SRP !DSS !RC4"
> 
> <IfModule mod_headers.c>
>       Header always set Strict-Transport-Security "max-age=15768000;
> includeSubDomains; preload"
> </IfModule>
> 
> https://www.ssllabs.com/ssltest/analyze.html?d=www.hogarthuk.com
> 
> IIRC the Red Hat defaults are somewhat conservative on their
> limitations in order to simplify and maximise client connectivity - as
> some stuff (especially java apps or older mobile devices) tend to
> struggle otherwise with only a strict set of secure ciphers.

Thanks for the detailed explanation!

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : info@xxxxxxxxxxxxx
Tél. : 04 66 63 10 32
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux