From c29d090fefac5d4cfdb754c15d33cbd11addd715 Mon Sep 17 00:00:00 2001 From: Marcin Krol Date: Mon, 21 Jan 2019 15:15:26 +0100 Subject: [PATCH] - disable selected protocols rather than disabling all and enabing selected ones - drop SSL ciphers using RSA key exchange, they're now considered weak due to not supporting forward secrecy - disable session tickets to ensure forward secrecy is not compromised --- apache-mod_ssl.conf | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/apache-mod_ssl.conf b/apache-mod_ssl.conf index 2bd073b..cc1a2a2 100644 --- a/apache-mod_ssl.conf +++ b/apache-mod_ssl.conf @@ -64,16 +64,15 @@ SSLSessionCacheTimeout 300 # This directive can be used to control the SSL protocol flavors mod_ssl # should use when establishing its server environment. Clients then can only # connect with one of the provided protocols. -SSLProtocol -all TLSv1.2 +SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!CAMELLIA128:!AES128 - +SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!CAMELLIA128:!AES128:!RSA SSLHonorCipherOrder on - SSLCompression off +SSLSessionTickets off # Use this command to generate 4096 DH parameters (it will take long time): # openssl dhparam -out /etc//httpd/ssl/dhparams.pem 4096 -- 2.46.0