This howto describes how to keep an Apache server up to date with SSL security. Test your own server at:
https://www.ssllabs.com/ssltest/analyze.html
Run the above SSL scan first and then, if you score less than an “A”, continue on to make these changes.
Edit the following in your “/etc/httpd/conf.d/ssl.conf”:
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 SSLCompression off SSLHonorCipherOrder on SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA"
Update the Apache and OpenSSL software on the server:
yum update httpd openssl
And restart Apache:
systemctl restart httpd
Now run the scan again and see if you score an “A”. If not, take the scan result recommendations into account.
Here are some samples of a “C” score compared to an “A” score.