This tool might be of interest to you:
https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6
Don't forget to configure to match your software versions and requirements.
Cheers,
Jamie
On Wed, 30 Jun 2021 at 10:03, Adrian Jenzer <a.jenzer@xxxxxxxxxxxxxxxxxx>
wrote:
> Dear Community
>
> I try to get an SSL Labs A rating for my CentOS8 Apache-server.
> I'am sure it has to do with my lack of understanding the crypto-policies
> configuration, can anybody give me an advice where i am wrong?
> My understanding is that the configuration in the pmod-file will override
> the ssl.conf values if PROFILE=SYSTEM is active.
>
>
> ***
> # Current runtime policy dump
> # DEFAULT:HTTPS
> arbitrary_dh_groups = 1
> cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CTR AES-256-CBC
> AES-128-GCM AES-128-CCM AES-128-CTR AES-128-CBC
> group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 FFDHE-2048 FFDHE-3072
> FFDHE-4096 FFDHE-6144 FFDHE-8192
> hash = SHA2-256 SHA2-384 SHA2-512 SHA3-256 SHA3-384 SHA3-512 SHA2-224 SHA1
> ike_protocol = IKEv2
> key_exchange = ECDHE DHE DHE-RSA DHE-PSK ECDHE-PSK ECDHE-GSS DHE-GSS
> mac = AEAD HMAC-SHA2-256 HMAC-SHA1 UMAC-128 HMAC-SHA2-384 HMAC-SHA2-512
> min_dh_size = 2048
> min_dsa_size = 2048
> min_dtls_version = DTLS1.2
> min_rsa_size = 2048
> min_tls_version = TLS1.2
> protocol = TLS1.3 TLS1.2 DTLS1.2
> sha1_in_certs = 1
> sign = ECDSA-SHA3-256 ECDSA-SHA2-256 ECDSA-SHA3-384 ECDSA-SHA2-384
> ECDSA-SHA3-512 ECDSA-SHA2-512 EDDSA-ED25519 EDDSA-ED448 RSA-PSS-SHA2-256
> RSA-PSS-SHA2-384 RSA-PSS-SHA2-512 RSA-SHA3-256 RSA-SHA2-256 RSA-SHA3-384
> RSA-$
> ssh_certs = 1
> ssh_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 CAMELLIA-256-GCM
> AES-256-CTR AES-256-CBC CAMELLIA-256-CBC AES-128-GCM AES-128-CCM
> CAMELLIA-128-GCM AES-128-CTR AES-128-CBC CAMELLIA-128-CBC
> ssh_etm = 1
> ssh_group = X25519 X448 SECP256R1 SECP384R1 SECP521R1 FFDHE-2048
> FFDHE-3072 FFDHE-4096 FFDHE-6144 FFDHE-8192
> tls_cipher = AES-256-GCM AES-256-CCM CHACHA20-POLY1305 AES-256-CBC
> AES-128-GCM AES-128-CCM AES-128-CBC
>
> ***
> cat /etc/crypto-policies/policies/modules/HTTPS.pmod
> cipher =
> ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
> ***
>
> Part of /etc/httpd/conf.d/ssl.conf
> ***
> # SSL Engine Switch:
> # Enable/Disable SSL for this virtual host.
> SSLEngine on
>
> # List the protocol versions which clients are allowed to connect with.
> # The OpenSSL system profile is used by default. See
> # update-crypto-policies(8) for more details.
> #SSLProtocol all -SSLv3
> #SSLProxyProtocol all -SSLv3
> SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
>
> # User agents such as web browsers are not configured for the user's
> # own preference of either security or performance, therefore this
> # must be the prerogative of the web server administrator who manages
> # cpu load versus confidentiality, so enforce the server's cipher order.
> SSLHonorCipherOrder on
>
> # SSL Cipher Suite:
> # List the ciphers that the client is permitted to negotiate.
> # See the mod_ssl documentation for a complete list.
> # The OpenSSL system profile is configured by default. See
> # update-crypto-policies(8) for more details.
> SSLCipherSuite PROFILE=SYSTEM
> #SSLProxyCipherSuite PROFILE=SYSTEM
> #SSLCipherSuite HIGH:!aNULL:!MD5
> #SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256
>
>
>
> Thanks for any hint!
> Adrian
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos
>
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
