The fine tuning of the SSL server side configuration is slow and tedious but necessary procedure. It’s always good to have your SSL site to conform the most latest security standards. It boosts ego and makes customer happy too. It turns out that all you need for that is already at your disposal the point is to properly configure it.
The most complicated part in is the proper balance between security by excluding all vulnerable protocols and cyphers, and compatibility – you don’t really want to block out all these poor souls who still use Microsoft Internet Explorer.
Prerequisites: CentOS 6, latest OpenSSL, mod_ssl and httpd packages, valid SSL certificate, and configured SSL virtual host.
The proper configuration consists of 2 lines that have to be added into
|
1 2 3 4 5 6 7 8 |
SSLHonorCipherOrder on SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA -AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-S HA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256: ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256- SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SH A384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC 3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 |
Now, you can head out to the excellent SSLLabs test page and verify your site compliance to the latest security standards and clients compatibility.
0 Comments.