Security/Server Side TLS: Difference between revisions

Line 277: Line 277:


== Apache ==
== Apache ==
Originally published on https://www.insecure.ws/2013/10/11/ssltls-configuration-for-apache-mod_ssl/
Apache supports OCSP Stapling, but only in httpd 2.3.3 and later.
 
OCSP Stapling is only available in httpd 2.3.3 and later.


In Apache 2.4.6, the DH parameter is always set to 1024 bits and is not user configurable. Future versions of Apache will automatically select a better value for the DH parameter.
In Apache 2.4.6, the DH parameter is always set to 1024 bits and is not user configurable. Future versions of Apache will automatically select a better value for the DH parameter.
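Review bot: the "Originally published on https://www.insecure.ws/2013/10/11/ssltls-configuration-for-apache-mod_ssl/" attribution is dropped without a replacement; if the Apache section still derives from that article, keep the credit (a short "adapted from" line or a footnote is enough). Separately, "Future versions of Apache will automatically select a better value for the DH parameter" is unverifiable as written; once the release that does this is known, name it so readers stuck on the fixed 1024-bit parameter in 2.4.6 know what to upgrade to.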
Line 291: Line 289:
     SSLCertificateKeyFile  /path/to/private/key
     SSLCertificateKeyFile  /path/to/private/key
     SSLCACertificateFile    /path/to/all_ca_certs
     SSLCACertificateFile    /path/to/all_ca_certs
     SSLProtocol            all -SSLv2
 
     SSLCipherSuite          <recommended ciphersuite from top of this page>
    # Intermediate configuration, tweak to your needs
     SSLProtocol            all -SSLv2 -SSLv3
     SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
     SSLHonorCipherOrder    on
     SSLHonorCipherOrder    on
     SSLCompression          off
     SSLCompression          off
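Review bot: replacing the placeholder "<recommended ciphersuite from top of this page>" with a literal SSLCipherSuite string creates a second copy of the cipher list that will silently drift from the canonical list at the top of the page whenever that one is updated; either keep the cross-reference, or add a comment stating which list this copies and when it was last synced. Adding -SSLv3 to SSLProtocol matches the new "# Intermediate configuration" label, but that comment line is indented one column less than the directives around it.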
Line 302: Line 302:
     SSLStaplingCache        shmcb:/var/run/ocsp(128000)
     SSLStaplingCache        shmcb:/var/run/ocsp(128000)
   
   
     # Enable this if your want HSTS (recommended, but be careful)
     # Enable this if your want HSTS (recommended)
     # Header add Strict-Transport-Security "max-age=15768000"
     # Header add Strict-Transport-Security "max-age=15768000"
   
   
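Review bot: dropping "but be careful" from the HSTS comment removes the only hint that Strict-Transport-Security with max-age=15768000 (about six months) cannot be easily undone once browsers have cached it, so a broken certificate or an HTTP-only subdomain locks visitors out for that long; keep a short caveat or a link to one next to the commented-out Header line. The typo "your want" (for "you want") is carried over from the old line and could be fixed in the same edit.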