Paul Heinlein
2021-Jun-30 14:08 UTC
[CentOS] Centos 8 crypto-policy to get SSL Labs A rating
On Wed, 30 Jun 2021, Adrian Jenzer wrote:

> Dear Community
>
> I try to get an SSL Labs A rating for my CentOS 8 Apache server.
> I'm sure it has to do with my lack of understanding of the crypto-policies configuration; can anybody give me advice on where I am wrong?
> My understanding is that the configuration in the pmod file will override the ssl.conf values if PROFILE=SYSTEM is active.

I personally skip the crypto-policy for Apache, relying on a traditional httpd.conf stanza instead:

    <IfModule mod_ssl.c>
      # ...
      SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM"
      SSLProtocol -all +TLSv1.3 +TLSv1.2
    </IfModule>

In conjunction with other TLS best practices, these settings seem to do the trick (read: Qualys likes them), albeit while excluding some older browsers.

-- 
Paul Heinlein
heinlein at madboa.com
45.38° N, 122.59° W
Adrian Jenzer
2021-Jul-05 13:29 UTC
[CentOS] Centos 8 crypto-policy to get SSL Labs A rating
Hi Paul

Thanks, but how do you "skip the crypto-policy for Apache"? It seems like the crypto-policies configuration is overwriting my values in the httpd configuration. How do I enforce the values in httpd.conf?

Regards
Adrian

-----Original Message-----
From: CentOS <centos-bounces at centos.org> On Behalf Of Paul Heinlein
Sent: Wednesday, 30 June 2021 16:09
To: CentOS mailing list <centos at centos.org>
Subject: Re: [CentOS] Centos 8 crypto-policy to get SSL Labs A rating

> On Wed, 30 Jun 2021, Adrian Jenzer wrote:
>
> > Dear Community
> >
> > I try to get an SSL Labs A rating for my CentOS 8 Apache server.
> > I'm sure it has to do with my lack of understanding of the crypto-policies configuration; can anybody give me advice on where I am wrong?
> > My understanding is that the configuration in the pmod file will override the ssl.conf values if PROFILE=SYSTEM is active.
>
> I personally skip the crypto-policy for Apache, relying on a traditional httpd.conf stanza instead:
>
>     <IfModule mod_ssl.c>
>       # ...
>       SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM"
>       SSLProtocol -all +TLSv1.3 +TLSv1.2
>     </IfModule>
>
> In conjunction with other TLS best practices, these settings seem to do the trick (read: Qualys likes them), albeit while excluding some older browsers.
>
> -- 
> Paul Heinlein
> heinlein at madboa.com
> 45.38° N, 122.59° W

_______________________________________________
CentOS mailing list
CentOS at centos.org
https://lists.centos.org/mailman/listinfo/centos
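The precedence question raised in the two messages above (why a server-level SSLCipherSuite in httpd.conf can appear to be "overwritten" by the crypto-policy) comes down to Apache's configuration merging: a directive set inside a <VirtualHost> block wins over the same directive at server level, and the stock CentOS 8 /etc/httpd/conf.d/ssl.conf sets `SSLCipherSuite PROFILE=SYSTEM` inside its `<VirtualHost _default_:443>` block, which hands cipher selection to the system crypto-policy for that vhost. The following is an added example, not code from the list thread or from the httpd project: a small audit script that walks a concatenated httpd configuration (the order httpd reads it: httpd.conf, then the conf.d/*.conf includes) and reports, per vhost, which SSLCipherSuite/SSLProtocol values are actually in effect, where they came from, and which server-level settings were shadowed. The embedded config is constructed for the example; the `_default_:443` block mirrors the stock ssl.conf directives, and `www.example.test` is a made-up vhost.

```python
"""Resolve the effective mod_ssl cipher/protocol directives per VirtualHost.

Added example (not from the CentOS thread or from httpd itself). It models
one rule of Apache's config merging: a directive inside <VirtualHost> takes
precedence over the same directive at server level. It ignores <IfModule>
and other container blocks (assumes mod_ssl is loaded) and does not follow
Include; feed it the files already in the order httpd reads them.
"""
import re

DIRECTIVES = ("SSLCipherSuite", "SSLProtocol", "SSLProxyCipherSuite")
POLICY_DIRECTIVES = ("SSLCipherSuite", "SSLProxyCipherSuite")

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</VirtualHost>$", re.IGNORECASE)

# Constructed sample: Paul's server-level stanza followed by the stock
# CentOS 8 ssl.conf vhost and a second vhost that sets nothing itself.
SAMPLE_CONFIG = """\
# /etc/httpd/conf/httpd.conf (server-level stanza)
<IfModule mod_ssl.c>
    SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM"
    SSLProtocol -all +TLSv1.3 +TLSv1.2
</IfModule>

# /etc/httpd/conf.d/ssl.conf (stock CentOS 8 vhost, included afterwards)
Listen 443 https
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
</VirtualHost>

# /etc/httpd/conf.d/www.conf (hypothetical vhost that inherits everything)
<VirtualHost *:443>
    SSLEngine on
    ServerName www.example.test
</VirtualHost>
"""


def parse_config(text):
    """Return (server_level, vhosts): server_level maps directive -> value,
    vhosts is a list of (address, {directive: value}) in file order."""
    server = {}
    vhosts = []
    current = None  # (address, dict) while inside a <VirtualHost>
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current = (m.group(1).strip(), {})
            continue
        if VHOST_CLOSE.match(line):
            vhosts.append(current)
            current = None
            continue
        if line.startswith("<"):  # <IfModule>, <Directory>, ...: not modelled
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        name, value = parts
        for directive in DIRECTIVES:
            if name.lower() == directive.lower():
                target = current[1] if current else server
                target[directive] = value.strip().strip('"')
    return server, vhosts


def effective(server, vhost_conf):
    """Per-vhost value and its origin: the vhost's own directive wins,
    otherwise the server-level one, otherwise mod_ssl's built-in default."""
    out = {}
    for directive in DIRECTIVES:
        if directive in vhost_conf:
            out[directive] = (vhost_conf[directive], "vhost")
        elif directive in server:
            out[directive] = (server[directive], "server")
        else:
            out[directive] = (None, "default")
    return out


def shadowed(server, vhost_conf):
    """Server-level directives that this vhost overrides with a different value."""
    return sorted(d for d in DIRECTIVES
                  if d in server and d in vhost_conf and server[d] != vhost_conf[d])


def audit(text):
    """Summarise every vhost: effective values, their source, shadowed
    server-level settings, and whether cipher choice is delegated to the
    system crypto-policy via PROFILE=SYSTEM."""
    server, vhosts = parse_config(text)
    results = []
    for address, conf in vhosts:
        eff = effective(server, conf)
        results.append({
            "vhost": address,
            "effective": {d: v for d, (v, _) in eff.items()},
            "source": {d: s for d, (_, s) in eff.items()},
            "shadowed": shadowed(server, conf),
            "delegates_to_crypto_policy": any(
                eff[d][0] is not None and eff[d][0].upper().startswith("PROFILE=SYSTEM")
                for d in POLICY_DIRECTIVES),
        })
    return results


if __name__ == "__main__":
    for entry in audit(SAMPLE_CONFIG):
        print(f"<VirtualHost {entry['vhost']}>")
        for d in DIRECTIVES:
            print(f"  {d:20} {entry['effective'][d]!s:30} ({entry['source'][d]})")
        if entry["shadowed"]:
            print(f"  shadows server-level: {', '.join(entry['shadowed'])}")
        if entry["delegates_to_crypto_policy"]:
            print("  cipher selection delegated to system crypto-policy")
```

Run against the sample, the `_default_:443` vhost reports both server-level directives as shadowed and PROFILE=SYSTEM in effect, while the second vhost inherits the httpd.conf stanza untouched. The practical consequence is that an explicit SSLCipherSuite/SSLProtocol must be placed inside (or the PROFILE=SYSTEM lines removed from) the vhost that actually terminates TLS; alternatively, keep PROFILE=SYSTEM and tighten the policy itself with `update-crypto-policies --set FUTURE` (check the current one with `update-crypto-policies --show`).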