Hardening SSL/TLS

HTTPS with Apache 2.4.29

/etc/apache2/mods-enabled/ssl.conf

    SSLRandomSeed startup builtin
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect builtin
    SSLRandomSeed connect file:/dev/urandom 512
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
    SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout 300
    #SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"
    SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256"
    SSLHonorCipherOrder on
    SSLProtocol TLSv1.2
    SSLUseStapling on
    SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
    SSLCompression off
    SSLOpenSSLConfCmd Curves secp384r1
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"

SSLLabs Score A+ (4x …
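A small linter for the settings shown above, added here as an example and not part of the original post: it reads an ssl.conf and reports where the protocol, compression, cipher-order and cipher-suite directives differ from this hardening, and whether typographic quotes have crept into the file. The function names, the sample configs, and the expansion of `all` and the `all -SSLv3` default are assumptions made for the example.

```python
import re

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
ALL = LEGACY | {"TLSv1.2"}  # assumption: what "all" expands to on this build

def parse_directives(text):
    """Map each directive name to its argument strings, skipping comments."""
    found = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and parts[0][0] not in "#<":
            found.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return found

def enabled_protocols(arg):
    """Evaluate an SSLProtocol argument left to right; a bare token replaces the set."""
    enabled = set()
    for tok in arg.split():
        sign, proto = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        members = ALL if proto.lower() == "all" else {proto}
        if sign == "-":
            enabled -= members
        else:
            enabled = enabled | members if sign == "+" else set(members)
    return enabled

def audit_ssl_conf(text):
    """Return findings for settings that differ from the page's hardening."""
    findings = []
    if re.search("[\u201c\u201d]", text):
        findings.append("typographic quotes in config")
    d = parse_directives(text)
    last = lambda name: d.get(name, [""])[-1]
    # Assumption: an absent SSLProtocol is treated as "all -SSLv3".
    legacy = enabled_protocols(last("SSLProtocol") or "all -SSLv3") & LEGACY
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    for name, want in (("SSLCompression", "off"), ("SSLHonorCipherOrder", "on")):
        if last(name).lower() != want:
            findings.append(f"{name} is not set to {want}")
    suites = last("SSLCipherSuite").strip('"\u201c\u201d').split(":")
    odd = [s for s in suites if s and not s.startswith(("ECDHE-", "DHE-"))]
    if odd:
        findings.append("not an explicit (EC)DHE suite: " + ", ".join(odd))
    return findings

# Constructed sample input, not taken from a real server.
WEAK = "SSLProtocol all -SSLv3\nSSLCompression on\nSSLCipherSuite HIGH:!aNULL:!MD5\n"
HARDENED = ('SSLProtocol TLSv1.2\nSSLCompression off\nSSLHonorCipherOrder on\n'
            'SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"\n')
```

`audit_ssl_conf(open("/etc/apache2/mods-enabled/ssl.conf").read())` returns an empty list when nothing differs; keyword cipher strings such as `HIGH` are reported because the check only recognises explicitly named suites.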