[ADDED] Ability to enable certain security options

Reported by: RickoT
Created: 10 months 13 days ago
Last reply: 10 months 12 days ago
Views: 64

Thank you for the security tip.
Why not, we can do it as an option or enabled by default.

[ACCEPTED]

If you are interested, I fine tuned the changes I made to my config files to get an A+ on SSLabs site tester:

Domain level Apache.conf:

#Enforce HSTS (requires mod_headers)
   Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;"

# Enable only TLSv1.2
   SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# Use only high grade CipherSuites, disable low grade/vulnerable suites.
   SSLCipherSuite "ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !DES"

These changes disable TLSv1 and TLSv2 as well as configure apache to use only high quality CipherSuites and leaving out suites that have vulnerabilities or are low encryption

/etc/apache2/mods-enabled/ssl.conf

# Enforce highest key exchange grade
   SSLOpenSSLConfCmd ECDHParameters Automatic
   SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1

I know you said you didn't want to mainipulate original apache files, but I just wanted to provide this for you

Update: For the last item (ssl.conf) those 2 lines can be added to the :443 virtualhost with the same result, modifying the ssl.conf file is not necessary

Write a reply Edit a reply