Re: Centos 8 crypto-policy to get SSL Labs A rating




Hi Paul

Thanks, but how do you "skip the crypto-policy for Apache"?
It seems like crypto-policies configuration is overwriting my values in httpd-configuration.
How do I enforce the values in httpd.conf?



Regards
Adrian


-----Original Message-----
From: CentOS <centos-bounces@xxxxxxxxxx> On Behalf Of Paul Heinlein
Sent: Wednesday, 30 June 2021 16:09
To: CentOS mailing list <centos@xxxxxxxxxx>
Subject: Re:  Centos 8 crypto-policy to get SSL Labs A rating

On Wed, 30 Jun 2021, Adrian Jenzer wrote:

> Dear Community
>
> I try to get an SSL Labs A rating for my CentOS 8 Apache server.
> I'm sure it has to do with my lack of understanding of the crypto-policies configuration; can anybody give me advice on where I am wrong?
> My understanding is that the configuration in the pmod-file will override the ssl.conf values if PROFILE=SYSTEM is active.

I personally skip the crypto-policy for Apache, relying on a traditional httpd.conf stanza instead:

<IfModule mod_ssl.c>
   # ...
   SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM"
   SSLProtocol -all +TLSv1.3 +TLSv1.2
</IfModule>

In conjunction with other TLS best practices, these settings seem to do the trick (read: Qualys likes them), albeit while excluding some older browsers.

--
Paul Heinlein
heinlein@xxxxxxxxxx
45.38° N, 122.59° W
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
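
A check related to the question in this thread, added here as an example and not written by either poster: it lists every active SSLCipherSuite/SSLProtocol directive under an Apache config tree and flags the ones that still point at a crypto-policies profile. The directory layout and the sample vhost file that keeps `PROFILE=SYSTEM` are constructed assumptions; a directive inside a VirtualHost takes precedence over a server-level stanza for that vhost, which is why such leftovers matter.

```shell
#!/bin/sh
# Added example: audit Apache config files for TLS directives that still
# defer to the system crypto-policy (PROFILE=...).

# tls_directives DIR: print "file:line:directive" for every uncommented
# SSLCipherSuite / SSLProxyCipherSuite / SSLProtocol line under DIR.
tls_directives() {
    grep -rnEi '^[[:space:]]*SSL(Proxy)?(CipherSuite|Protocol)[[:space:]]' "$1" | sort
}

# uses_system_policy DIR: print only the directives that reference a
# crypto-policies profile; empty output means no directive defers to it.
uses_system_policy() {
    tls_directives "$1" | grep -E 'PROFILE=' || true
}

# make_sample DIR: constructed sample layout (not a real server's config):
# the global stanza quoted in the thread plus a vhost that keeps PROFILE=SYSTEM.
make_sample() {
    mkdir -p "$1/conf" "$1/conf.d"
    cat > "$1/conf/httpd.conf" <<'EOF'
<IfModule mod_ssl.c>
   SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM"
   SSLProtocol -all +TLSv1.3 +TLSv1.2
</IfModule>
EOF
    cat > "$1/conf.d/ssl.conf" <<'EOF'
<VirtualHost _default_:443>
#SSLProtocol all -SSLv3
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
</VirtualHost>
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "All active TLS directives:";    tls_directives "$demo_dir"
echo "Still bound to crypto-policy:"; uses_system_policy "$demo_dir"
rm -rf "$demo_dir"
```

On a real host, point both functions at the server's own configuration directory instead of the constructed sample.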



