Last active December 11, 2015 22:49
Secure and fast SSL configurations. Beats BEAST and also CRIME; rated A on SSLTest. TLS 1.0 and RC4 can be taken off once NSS and the other browsers get TLS 1.1/1.2 support (not for a while yet; vote here to get it: https://bugzilla.mozilla.org/show_bug.cgi?id=480514 ).
# Apache
SSLEngine on
SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-GCM-SHA384:RC4-SHA:!ADH:!MD5:!aNULL:!EDH
SSLCompression Off

# Nginx
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-GCM-SHA384:RC4-SHA:!ADH:!MD5:!aNULL:!EDH;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:live:10m;
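As an added example (not part of the gist), a small Python lint that applies OpenSSL's cipher-list grammar to the SSLCipherSuite / ssl_ciphers string above and reports what a review would flag: weak tokens on the include side, suites without forward secrecy, and whether the preferred suite has it. It works on the tokens only and does not expand aliases against a real OpenSSL build.

```python
import re

# Fragments of suite names or aliases that should not appear on the include side.
WEAK_FRAGMENTS = ("RC4", "MD5", "NULL", "aNULL", "EXP", "EXPORT", "DES", "ADH", "LOW")
# Key-exchange prefixes that give forward secrecy (EDH is OpenSSL's alias for DHE).
PFS_PREFIXES = ("ECDHE", "DHE", "EDH")
# The cipher string used in both the Apache and nginx blocks above.
GIST_CIPHERS = "ECDHE-RSA-AES256-SHA384:AES256-GCM-SHA384:RC4-SHA:!ADH:!MD5:!aNULL:!EDH"

def extract_cipher_spec(directive):
    """Pull the cipher string out of an 'SSLCipherSuite ...' or 'ssl_ciphers ...;' line."""
    m = re.match(r"\s*(?:SSLCipherSuite|ssl_ciphers)\s+(\S+?);?\s*$", directive)
    return m.group(1) if m else None

def parse_cipher_string(spec):
    """Split into (op, token) pairs. OpenSSL grammar: a bare token adds suites,
    '!' removes them for good, '-' removes them until re-added, '+' moves them last."""
    entries = []
    for raw in spec.split(":"):
        raw = raw.strip()
        if not raw:
            continue
        op = "add"
        if raw[0] in "!-+":
            op, raw = raw[0], raw[1:]
        entries.append((op, raw))
    return entries

def audit_cipher_string(spec):
    """Static, token-level review of a cipher string. Order matters once the server
    honours its own order (SSLHonorCipherOrder / ssl_prefer_server_ciphers), so the
    first included suite is the one a capable client will normally get."""
    entries = parse_cipher_string(spec)
    included = [tok for op, tok in entries if op == "add"]
    weak = {}
    for tok in included:
        hits = [f for f in WEAK_FRAGMENTS if re.search(rf"(^|-){f}(-|$)", tok)]
        if hits:
            weak[tok] = hits
    return {
        "included": included,
        "hard_excluded": {tok for op, tok in entries if op == "!"},
        "weak": weak,
        "no_forward_secrecy": [t for t in included if not t.startswith(PFS_PREFIXES)],
        "first_is_pfs": bool(included) and included[0].startswith(PFS_PREFIXES),
    }

if __name__ == "__main__":
    for key, value in audit_cipher_string(GIST_CIPHERS).items():
        print(f"{key}: {value}")
```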
Other tips: for nginx, just provide your server.crt in the format:
ssl_certificate /etc/nginx/ssl/server.crt;
Inside that file, put your issued server certificate directly followed by the intermediate certificate. Your certificate MUST COME FIRST.
Do not include the root CA: it's unnecessary because the client already has it, and nginx sends all 3 all the time ;-)
On Apache, you put them in separate files:
SSLCertificateFile "/etc/httpd/conf/certs/server.crt"
SSLCertificateChainFile "/etc/httpd/conf/certs/intermediate.pem"
SSLCACertificateFile "/etc/httpd/conf/certs/ca.pem"
RC4 will only be used for TLS 1 connections, and the two nicer 256-bit elliptic-curve ones for anything better.