Want an A on the SSLLabs server test?
https://www.ssllabs.com/ssltest/
For Plesk create a file here:
/etc/httpd/conf.d/zz050-psa-disable-weak-ssl-ciphers.conf
and add the following:
SSLProtocol all -TLSv1 -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
For WHM/CPanel do this:
a. go to Service Configuration -> Apache Configuration -> Global Configuration and set “SSL Cipher Suite” to:
+ECDHE:+DHE:HIGH:!DHE-RSA-AES128-SHA:!ECDHE-RSA-AES128-SHA:!MD5:!ADH:!aNULL:!eNULL:!EXP
b. go to Service Configuration -> Apache Configuration -> Include Editor -> Pre Main Include and add the following lines:
SSLHonorCipherOrder On
SSLProtocol ALL -TLSv1 -SSLv2
# CVE-2011-3389
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
For a standalone Apache server try these:
SSLProtocol all -TLSv1 -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
For Nginx try these lines:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
If you get capped at a B due to TLS Compression support you can add:
For older Apache versions this setting may not be available. In this case you can edit the init script (/etc/init.d/httpd) and add this line:
export OPENSSL_NO_DEFAULT_ZLIB=1
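Before pushing any of the lines above to a server it is worth seeing what the local OpenSSL actually makes of them. The script below is an added example, not code from the post or from Qualys: it expands an OpenSSL cipher string into the concrete suites it selects (so you can see the effect of the EECDH/EDH ordering and the ! exclusions), flags suites that graders now treat as weak, and parses an Apache SSLProtocol or Nginx ssl_protocols line into the set of versions it leaves enabled. The expansion of Apache's "all" shortcut and the HARDENED_CIPHERS string (the post's string with RC4 dropped and explicitly excluded, since SSL Labs has penalised RC4 since 2014) are assumptions of this example. Note that "SSLProtocol all -TLSv1 -SSLv2" leaves SSLv3 on, and the Nginx line leaves TLSv1 on, which the protocol check reports.

```python
"""Audit helpers for the cipher-suite and protocol lines quoted in the post.

Added example; uses only the Python standard library (3.6+).
"""
import ssl

# Cipher string quoted in the post for Plesk, standalone Apache and Nginx.
POST_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 "
    "EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)

# Constructed for this example: the same string with the two RC4 entries
# removed and RC4 explicitly excluded.
HARDENED_CIPHERS = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
    "EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
)

# Substrings in an OpenSSL suite name that mark it as weak for grading purposes.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXP", "ADH", "AECDH")

# Assumption: what Apache's "all" shortcut expanded to on the OpenSSL 1.0.1
# era builds current when the post was written.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

# Versions deprecated by RFC 8996 (TLS 1.0/1.1) and earlier RFCs (SSLv2/SSLv3).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def expand_ciphers(spec):
    """Expand an OpenSSL cipher string into the concrete TLS <= 1.2 suite names
    the local OpenSSL would offer, in server-preference order.

    get_ciphers() also lists TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...),
    which the cipher string does not control, so they are filtered out.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing at all matches
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]


def weak_suites(spec):
    """Return the expanded suites whose name carries a weak-algorithm marker."""
    return [name for name in expand_ciphers(spec)
            if any(marker in name for marker in WEAK_MARKERS)]


def forward_secrecy_only(spec):
    """True when every selected suite uses ephemeral ECDHE or DHE key exchange,
    which is what the EECDH/EDH ordering in the post is aiming for."""
    return all(name.startswith(("ECDHE-", "DHE-"))
               for name in expand_ciphers(spec))


def enabled_protocols(line):
    """Parse an Apache 'SSLProtocol ...' or Nginx 'ssl_protocols ...;' line and
    return the set of protocol versions it leaves enabled."""
    tokens = line.strip().rstrip(";").split()
    directive, args = tokens[0].lower(), tokens[1:]
    if directive == "ssl_protocols":
        return set(args)  # Nginx: an explicit allow-list
    if directive != "sslprotocol":
        raise ValueError("not a protocol directive: %r" % line)
    enabled = set()
    for tok in args:  # Apache: "all", "+X", "X" add; "-X" removes
        if tok.lower() == "all":
            enabled |= set(APACHE_ALL)
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def legacy_protocols(line):
    """Deprecated protocol versions a protocol line still leaves enabled."""
    return enabled_protocols(line) & LEGACY_PROTOCOLS


if __name__ == "__main__":
    for label, spec in (("post", POST_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        print(label, "->", len(expand_ciphers(spec)), "suites,",
              "weak:", weak_suites(spec),
              "forward secrecy only:", forward_secrecy_only(spec))
    for line in ("SSLProtocol all -TLSv1 -SSLv2",
                 "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;"):
        print(line, "-> legacy still enabled:", sorted(legacy_protocols(line)))
```

On OpenSSL 1.1.0 and later RC4 is compiled out by default, so expanding POST_CIPHERS may show no RC4 suite even though the string asks for it; the hardened string excludes it explicitly so the intent survives on a build that still ships it. The protocol check is static and does not contact any server; run the SSL Labs test for the live view.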
Qualys has a blog post on this subject which provided the Apache and Nginx configs:
https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
This forum post provided the WHM/Cpanel config:
http://forums.cpanel.net/f185/cpanel-openssl-1-0-1c-higher-332001-p3.html#post1561101