Re: Apache + SSL: default configuration rated "C" by Qualys Labs




On 26.04.2017 08:58, Nicolas Kovacs wrote:
Hi,

I'm currently experimenting with a public server running CentOS 7. I
have half a dozen production servers all running Slackware Linux, and I
intend to progressively migrate them to CentOS, for a host of reasons
(support cycle, package availability, SELinux, etc.) But before doing
that, I have to figure out a few things that work differently under
CentOS. Apache and SSL behave quite differently under these two
distributions.

So far, Apache is running fine with HTTP and hosts a series of virtual
hosts.

I have installed Certbot and created a Let's Encrypt certificate for the
server.

I have a "dummy" website under /var/www/html/default/html.

I installed mod_ssl and only edited the following directives in
/etc/httpd/conf.d/ssl.conf. I kept the default options for everything else.

--8<------------------------------------------------
...
DocumentRoot "/var/www/html/default/html"
ServerName sd-41893.dedibox.fr:443
...
SSLCertificateFile /etc/letsencrypt/live/sd-41893.dedibox.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sd-41893.dedibox.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/sd-41893.dedibox.fr/fullchain.pem
--8<------------------------------------------------

After restarting Apache, the website shows up correctly.

https://sd-41893.dedibox.fr/

But when I test it using Qualys SSL Labs Server Test, the results are a
disappointment.

with this:

SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'

SSLHonorCipherOrder on
SSLStrictSNIVHostCheck on

you get Grade A+
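
As an added example (not code from the thread), here is a small Python checker that parses the SSL* directives out of an ssl.conf fragment and reports the things the reply's configuration changes: SSLv2/SSLv3 still enabled, weak cipher families not explicitly excluded from SSLCipherSuite, and SSLHonorCipherOrder not set. Both sample fragments are constructed for this example; WEAK_CONF assumes the stock CentOS 7 mod_ssl defaults, and the protocol set follows httpd 2.4's meaning of "all".

```python
import re
from typing import Dict, List, Set

# Constructed sample fragments. WEAK_CONF assumes the stock CentOS 7 ssl.conf
# values; HARDENED_CONF uses the directives suggested in the reply.
WEAK_CONF = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
"""
HARDENED_CONF = """
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EECDH:EDH+AESGCM:EDH:ECDH+AESGCM:ECDH+AES:ECDH:AES:HIGH:MEDIUM:!SSLv2:+SSLv3:!3DES:!RC4:!MD5:!IDEA:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP'
SSLHonorCipherOrder on
SSLStrictSNIVHostCheck on
"""

# httpd 2.4 "all" = SSLv3 + every TLS version (assumed for this example).
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
BAD_PROTOCOLS = {"SSLv2", "SSLv3"}
# Exclusions a hardened cipher string should state explicitly.
REQUIRED_EXCLUSIONS = {"!aNULL", "!eNULL", "!RC4", "!3DES", "!MD5"}

def parse_directives(text: str) -> Dict[str, str]:
    """Map each SSL* directive to its (unquoted) value; last one wins."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(SSL\w+)\s+(.+?)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2).strip("'\"")
    return out

def enabled_protocols(value: str) -> Set[str]:
    """Apply mod_ssl's all / +name / -name semantics left to right."""
    enabled: Set[str] = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = (enabled | names) if op == "+" else (enabled - names)
    return enabled

def audit(conf: str) -> List[str]:
    """Return findings for one ssl.conf fragment; empty list means clean."""
    d = parse_directives(conf)
    findings: List[str] = []
    bad = enabled_protocols(d.get("SSLProtocol", "all")) & BAD_PROTOCOLS
    if bad:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(bad)))
    missing = REQUIRED_EXCLUSIONS - set(d.get("SSLCipherSuite", "").split(":"))
    if missing:
        findings.append("cipher string lacks " + ", ".join(sorted(missing)))
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder off: client chooses the cipher")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit(conf) or ["no findings"])
```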


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos


