From: Marcin Krol Date: Mon, 21 Jan 2019 14:15:26 +0000 (+0100) Subject: - disable selected protocols rather than disabling all and enabing selected ones X-Git-Url: https://git.tld-linux.org/?a=commitdiff_plain;h=c29d090fefac5d4cfdb754c15d33cbd11addd715;p=packages%2Fapache.git - disable selected protocols rather than disabling all and enabing selected ones - drop SSL ciphers using RSA key exchange, they're now considered weak due to not supporting forward secrecy - disable session tickets to ensure forward secrecy is not compromised --- diff --git a/apache-mod_ssl.conf b/apache-mod_ssl.conf index 2bd073b..cc1a2a2 100644 --- a/apache-mod_ssl.conf +++ b/apache-mod_ssl.conf @@ -64,16 +64,15 @@ SSLSessionCacheTimeout 300 # This directive can be used to control the SSL protocol flavors mod_ssl # should use when establishing its server environment. Clients then can only # connect with one of the provided protocols. -SSLProtocol -all TLSv1.2 +SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!CAMELLIA128:!AES128 - +SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!CAMELLIA128:!AES128:!RSA SSLHonorCipherOrder on - SSLCompression off +SSLSessionTickets off # Use this command to generate 4096 DH parameters (it will take long time): # openssl dhparam -out /etc//httpd/ssl/dhparams.pem 4096