On Wed, 30 Jun 2021, Adrian Jenzer wrote:
Dear Community
I try to get an SSL Labs A rating for my CentOS8 Apache-server.
I'am sure it has to do with my lack of understanding the crypto-policies configuration, can anybody give me an advice where i am wrong?
My understanding is that the configuration in the pmod-file will override the ssl.conf values if PROFILE=SYSTEM is active.
I personally skip the crypto-policy for Apache, relying on a
traditional httpd.conf stanza instead:
<IfModule mod_ssl.c>
# ...
SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM"
SSLProtocol -all +TLSv1.3 +TLSv1.2
</IfModule>
In conjunction with other TLS best practices, these settings seem to
do the trick (read: Qualys likes them), albeit while excluding some
older browsers.
--
Paul Heinlein
heinlein@xxxxxxxxxx
45.38° N, 122.59° W
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
