- generic cipher suites to be used:
  For Apache 2.2 (this enables forward secrecy on all clients):
  ALL:!COMPLEMENTOFDEFAULT:!EXPORT:!LOW:!MD5:!aNULL:!eNULL:!RC4:-3DES:+ECDHE:+RSA:!DH
  For Apache 2.4 with a current OpenSSL:
  SSLCipherSuite aRSA+CHACHA20:aRSA:!kPSK:!kRSAPSK:!SHA:!NULL:!CAMELLIA:+kECDH:+kEDH:+SHA384:+SHA256:!kRSA
  EECDH+CHACHA20:EDH+CHACHA20:EECDH+AESGCM:EDH+AESGCM:EECDH+AES256
  TLSv1.3 suites can be defined similarly: SSLCipherSuite TLSv1.3 [SUITES]
- generally disable SSL and old TLS versions, so that only TLS 1.2 (and 1.3) remain
- apply the server's order to the cipher-suite match (SSLHonorCipherOrder / ssl_prefer_server_ciphers)
- to enable long-term forward secrecy add the "Strict-Transport-Security" header
- generate strong DH parameters:
  openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
Last active: April 29, 2020 06:26
Apache and nginx ciphersuite settings
# SSLCipherSuite ALL:!COMPLEMENTOFDEFAULT:!EXPORT:!LOW:!MD5:!aNULL:!eNULL:!RC4:-3DES:+ECDHE:+RSA:!DH
# SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite aRSA+CHACHA20:aRSA:!kPSK:!kRSAPSK:!SHA:!NULL:!CAMELLIA:+kECDH:+kEDH:+SHA384:+SHA256:!kRSA
SSLProtocol +TLSv1.2 +TLSv1.3
# http://httpd.apache.org/docs/2.4/mod/mod_ssl.html
# http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
SSLHonorCipherOrder on
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=63072000"
# optionally enable HSTS preload and include subdomains
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;"
</IfModule>
SSLUseStapling On
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_staplingcache(512000)
# openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
###########################
# nginx config
# for hardened ssl-security
###########################
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers aRSA+CHACHA20:aRSA:!kPSK:!kRSAPSK:!SHA:!NULL:!CAMELLIA:+kECDH:+kEDH:+SHA384:+SHA256:!kRSA;
# prefer the server's order of ciphers
ssl_prefer_server_ciphers on;
# enable HTTP Strict Transport Security with a long duration, with or without subdomains
# add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;";
# add_header Strict-Transport-Security "max-age=31536000;";
# tweak session cache
# ssl_session_cache shared:SSL:50m;
# ssl_session_timeout 15m;
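To see what the SSLCipherSuite / ssl_ciphers string above actually enables on the local OpenSSL before deploying it, and whether the !kRSA, !SHA and +SHA384:+SHA256 rules had the intended effect, the following added example expands both cipher strings from this gist through Python's ssl module (the same expansion that `openssl ciphers -v` prints) and audits the result. It is not part of the gist; it assumes Python 3.6 or newer linked against OpenSSL, and the policy names (NO_FORWARD_SECRECY, WEAK_MAC) are this example's own.

```python
"""Expand an OpenSSL cipher string the way mod_ssl/nginx will and audit the result."""
import re
import ssl

# The two cipher strings from the gist (legacy one with the aNULL/eNULL case fixed).
MODERN = ("aRSA+CHACHA20:aRSA:!kPSK:!kRSAPSK:!SHA:!NULL:!CAMELLIA"
          ":+kECDH:+kEDH:+SHA384:+SHA256:!kRSA")
LEGACY = ("ALL:!COMPLEMENTOFDEFAULT:!EXPORT:!LOW:!MD5:!aNULL:!eNULL:!RC4"
          ":-3DES:+ECDHE:+RSA:!DH")

# Policy the gist's directives are meant to enforce (names are this example's own).
NO_FORWARD_SECRECY = {"RSA", "RSAPSK"}   # static RSA key transport (!kRSA, !kRSAPSK)
WEAK_MAC = {"SHA1", "MD5"}               # !SHA, !MD5

def expand(cipher_string):
    """`openssl ciphers -v` style description of every suite the local OpenSSL
    enables for this string, in server preference order (TLS 1.3 suites first)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches at all
    return [c["description"] for c in ctx.get_ciphers()]

def parse(description):
    """'NAME TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD' -> dict of those fields."""
    fields = dict(re.findall(r"(Kx|Au|Enc|Mac)=(\S+)", description))
    fields["name"] = description.split()[0]
    return fields

def audit(descriptions):
    """Return (suite, problem) pairs for every suite that violates the policy."""
    problems = []
    for desc in descriptions:
        s = parse(desc)
        if s["Kx"] in NO_FORWARD_SECRECY:
            problems.append((s["name"], "no forward secrecy"))
        if s["Mac"] in WEAK_MAC:
            problems.append((s["name"], "weak MAC"))
        if s["Enc"] == "None" or s["Au"] == "None":
            problems.append((s["name"], "null encryption or anonymous"))
    return problems

def aead_first(descriptions):
    """True if every AEAD suite precedes every non-AEAD one, i.e. the
    '+SHA384:+SHA256' demotion of the CBC suites actually took effect."""
    is_aead = [parse(desc)["Mac"] == "AEAD" for desc in descriptions]
    return is_aead == sorted(is_aead, reverse=True)

if __name__ == "__main__":
    for label, cs in (("legacy", LEGACY), ("modern", MODERN)):
        suites = expand(cs)
        print(label, len(suites), "suites; AEAD first:", aead_first(suites), audit(suites))
```

The legacy string still lists static-RSA (Kx=RSA) and SHA1-MAC suites, which the audit reports; the modern string should produce no findings and place all AEAD suites ahead of the CBC ones.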