![]() ![]() The recommended cipher suite: SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH The following two ciphersuites are recommended by me, and the latter by the Overhead, which can be improved by using the elliptic curve variants. The cipher suites that provide Perfect Forward Secrecy are those that use anĮphemeral form of the Diffie-Hellman key exchange. This means that when the private key gets compromised it cannot be used to PFS accomplishes this by enforcing theĭerivation of a new key for each and every session. (Perfect) Forward Secrecy ensures the integrity of a session key in the event More info on the apache website The Cipher Suite The above lineĮnables everything except SSLv2 and SSLv3. Later - +SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively. # SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1Īll is a shortcut for +SSLv2 +SSLv3 +TLSv1 or - when using OpenSSL 1.0.1 and Make sure you back up the files before editing them! SSL ProtocolsĪll protocols other than TLS 1.2 and TLS 1.3 are considered unsafe.Įdit the config file: # Requires Apache 2.4.36 & OpenSSL 1.1.1 You can find more info on the topics by following the links below: This tutorial is also available for NGINX This tutorial is also availableįor Lighttpd This tutorial is also available for FreeBSD, NetBSD and This tutorial works with the strict requirements of the SSL Labs test With this referral link you'll get $100 credit for 60 days. You can also sponsor me by getting a Digital Ocean VPS. It means the world to me if you show your appreciation and you'll help pay the server costs. Go check it out!Ĭonsider sponsoring me on Github. I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Please, if you found this content useful, consider a small donation using any of the options below: Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. It is open source so you can host it yourself internally and I've also written a handy tool which notifies you when your certificates areĪbout to expire. ![]() (no ratings), and the results are saved so you can compare different settings. It isįast, shows you all the information so you can make your own informed decision Source so you can host it yourself internally to test local resources. You can use it to test yourĬonfiguration, as an addition to the other SSL tests our there. I've written an Open Source SSL server test. This tutorial and Īre updated continuously as new vulnerabilities are discovered. I've created a website with Copy-pastable strong cipherssuites for NGINX,Īpache, Lighttpd and other software. Have a strong and future proof ssl configuration and we get an A+ on the Qually Of vulnerabilities in the protocol and we will set up a strong ciphersuite thatĮnables Forward Secrecy when possible. Mitigate attacks like FREAK, CRIME and LogJAM, disabling SSLv3 and below because ![]() We do this by updating OpenSSL to the latest version to mitigateĪttacks like Heartbleed, disabling SSL Compression and EXPORT ciphers to This tutorial shows you how to set up strong SSL security on the Apache2 ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |