
Securing Apache SSL on CentOS 7

This howto describes how to keep an Apache server's SSL/TLS configuration up to date. Test your own server at:

https://www.ssllabs.com/ssltest/analyze.html

Run the above SSL scan first and then, if you score less than an “A”, continue on to make these changes.

Set the following directives in “/etc/httpd/conf.d/ssl.conf”:

SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA"

Update the Apache and OpenSSL software on the server:

yum update httpd openssl

And restart Apache:

systemctl restart httpd

Now run the scan again and see if you score an “A”. If not, take the scan result recommendations into account.
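To check the edited file locally, independent of the online scan, here is an added example (not part of the original howto) that audits the four directives set above. The function names are hypothetical, the sample config is constructed from this page's values, and the script goes slightly beyond the page by also warning on TLS 1.0 and 1.1, which RFC 8996 deprecated.

```shell
# Added example, not from the original howto. POSIX sh and awk; no network access.
# Arguments of the last uncommented occurrence of directive $2 in file $1.
directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); v = $0 }
                   END { print v }' "$1"
}
# Expand SSLProtocol arguments into the protocols left enabled. Assumption:
# "all" includes SSLv3, as documented for httpd 2.4 on OpenSSL builds with SSLv3.
enabled_protocols() {
    echo "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            t = $i; sub(/^[+]/, "", t)
            if (tolower(t) == "all") on["SSLv3"] = on["TLSv1"] = on["TLSv1.1"] = on["TLSv1.2"] = 1
            else if (tolower(t) == "-all") split("", on)
            else if (t ~ /^-/) delete on[substr(t, 2)]
            else on[t] = 1
        }
        n = split("SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2", known, " ")
        for (i = 1; i <= n; i++) if (known[i] in on) out = out (out ? " " : "") known[i]
        print out
    }'
}
# Print findings; the exit status is the number of FAIL findings.
audit_ssl_conf() {
    fails=0; protos=$(enabled_protocols "$(directive "$1" SSLProtocol)")
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3)   echo "FAIL SSLProtocol enables $p"; fails=$((fails + 1)) ;;
            TLSv1|TLSv1.1) echo "WARN SSLProtocol enables $p (deprecated by RFC 8996)" ;;
        esac
    done
    case " $protos " in *" TLSv1.2 "*) ;; *) echo "FAIL TLSv1.2 not enabled"; fails=$((fails + 1)) ;; esac
    for want in SSLCompression=off SSLHonorCipherOrder=on; do
        [ "$(directive "$1" "${want%=*}" | tr A-Z a-z)" = "${want#*=}" ] ||
            { echo "FAIL ${want%=*} is not set to ${want#*=}"; fails=$((fails + 1)); }
    done
    for c in $(directive "$1" SSLCipherSuite | tr -d '"' | tr ':' ' '); do
        case "$c" in
            !*|-*) ;;  # exclusions such as !RC4 are fine
            *RC4*|*DES*|*MD5*|*NULL*|*EXP*) echo "FAIL SSLCipherSuite allows $c"; fails=$((fails + 1)) ;;
        esac
    done
    return "$fails"
}
# Constructed sample: this howto's directives (cipher list shortened) plus a commented-out line.
sample=$(mktemp)
printf '%s\n' '#SSLProtocol all' 'SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1' 'SSLCompression off' \
    'SSLHonorCipherOrder on' 'SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA"' > "$sample"
audit_ssl_conf "$sample" || echo "$? FAIL finding(s)"
```

Point `audit_ssl_conf` at /etc/httpd/conf.d/ssl.conf after editing and before the restart. It reads only the last uncommented occurrence of each directive, so per-VirtualHost overrides need a separate look.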

Here are some samples of a “C” score compared to an “A” score.

[Screenshot: scan result with an “A” score]

[Screenshot: scan result with a “C” score]
