[ADDED] Ability to enable certain security options

Reported by: RickoT
Created: 7 months 22 days ago
Last reply: 7 months 21 days ago
Views: 294

Thank you for the security tip.
Why not, we can do it as an option or enabled by default.

[ACCEPTED]

If you are interested, I fine-tuned the changes I made to my config files to get an A+ on the SSL Labs site tester:

Domain-level Apache.conf:

# Enforce HSTS (requires mod_headers)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

# Enable only TLSv1.2
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

# Use only high grade CipherSuites, disable low grade/vulnerable suites.
SSLCipherSuite "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DES"

These changes disable TLSv1 and TLSv2, and configure Apache to use only high-quality cipher suites, leaving out suites that have vulnerabilities or weak encryption.

/etc/apache2/mods-enabled/ssl.conf

# Enforce highest key exchange grade
SSLOpenSSLConfCmd ECDHParameters Automatic
SSLOpenSSLConfCmd Curves secp521r1:secp384r1:prime256v1

I know you said you didn't want to manipulate the original Apache files, but I just wanted to provide this for you.

Update: For the last item (ssl.conf), those two lines can be added to the :443 VirtualHost with the same result; modifying the ssl.conf file is not necessary.
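A quick way to confirm that a config actually carries the hardening described in this thread, before putting it in front of the SSL Labs tester, is to lint the directives offline. The script below is an added example written for this page, not code from the thread or from the product it concerns. It parses Apache-style directive lines, resolves the SSLProtocol list (assuming mod_ssl's "all" keyword expands to SSLv3 through TLSv1.3 on a modern OpenSSL build), checks that the cipher string carries the same "!" exclusions as the post, and checks the HSTS header for "always", a max-age of at least one year, and includeSubDomains. The two embedded configs are constructed samples: one hardened as in the post (cipher list abbreviated), one deliberately weak.

```python
"""Lint an Apache TLS/HSTS snippet against the hardening described in the thread above (added example)."""
import re
import shlex

# Protocol versions the post removes; anything in this set still enabled is a finding.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: what mod_ssl's "all" keyword expands to on a modern OpenSSL build (SSLv2 support is gone).
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# The "!X" exclusions the post's SSLCipherSuite string applies.
REQUIRED_EXCLUSIONS = {"RC4", "aNULL", "eNULL", "LOW", "3DES", "MD5", "EXP", "PSK", "DES"}
MIN_HSTS_MAX_AGE = 31536000  # one year, the minimum the HSTS preload list accepts

# Constructed sample: the post's settings with an abbreviated cipher list.
HARDENED_CONFIG = """
# Enforce HSTS (requires mod_headers)
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;"
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !DES"
"""

# Constructed sample: a weak configuration that should produce several findings.
WEAK_CONFIG = """
SSLProtocol all -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL
Header set Strict-Transport-Security "max-age=300"
"""


def parse_directives(text):
    """Return (name, args) for every non-blank, non-comment line; quoted values stay one argument."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives


def enabled_protocols(args):
    """Resolve an SSLProtocol argument list ('all -SSLv3 ...' or an explicit list) into the enabled set."""
    enabled = set()
    for tok in args:
        if tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def lint_tls_config(text):
    """Return a list of human-readable findings; an empty list means the snippet matches the post's hardening."""
    findings = []
    by_name = {}
    for name, args in parse_directives(text):
        by_name.setdefault(name.lower(), []).append(args)

    # 1. Protocol versions: the last SSLProtocol directive wins, as in Apache.
    if "sslprotocol" not in by_name:
        findings.append("SSLProtocol missing: mod_ssl default still allows legacy TLS versions")
    else:
        legacy = enabled_protocols(by_name["sslprotocol"][-1]) & LEGACY_PROTOCOLS
        if legacy:
            findings.append("legacy protocols still enabled: " + ", ".join(sorted(legacy)))

    # 2. Cipher string exclusions: OpenSSL accepts ':', ',' or whitespace as separators.
    if "sslciphersuite" not in by_name:
        findings.append("SSLCipherSuite missing")
    else:
        tokens = re.split(r"[:,\s]+", " ".join(by_name["sslciphersuite"][-1]).strip())
        excluded = {t[1:] for t in tokens if t.startswith("!")}
        missing = REQUIRED_EXCLUSIONS - excluded
        if missing:
            findings.append("cipher string does not exclude: " + ", ".join(sorted(missing)))

    # 3. HSTS header: must be unconditional ('always'), long-lived and cover subdomains.
    hsts = [a for a in by_name.get("header", []) if "strict-transport-security" in [x.lower() for x in a]]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        args = hsts[-1]
        if args[0].lower() != "always":
            findings.append("HSTS header set without 'always' is omitted from error responses")
        tokens = [t.strip() for t in args[-1].lower().split(";") if t.strip()]
        max_age = next((int(t.split("=", 1)[1]) for t in tokens if t.startswith("max-age=")), 0)
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in tokens:
            findings.append("HSTS lacks includeSubDomains")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, lint_tls_config(cfg) or "OK")
```

The checks are scoped to what the post changes; they are not a substitute for a live scan, because the directives actually in effect depend on the VirtualHost and on the OpenSSL build Apache is linked against.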
