How to improve "Key Exchange" and "Cipher Strength" ranks in "ssllabs" ?

Post by hack3rcon » 2020/09/01 18:22:07

Hello,
I have two questions about Apache:
1- Which config lines must go in the "httpd.conf" file and which ones in the Virtual Host file under the "conf.d" directory? For example, must the lines below go in "httpd.conf" or in the Virtual Host file under the "conf.d" directory:

Code:

TraceEnable off
ServerSignature Off
ServerTokens Prod

SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
SSLCipherSuite ALL:+HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL
SSLHonorCipherOrder on
SSLCompression          off
SSLSessionTickets       off
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparams.pem"

TimeOut 60
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
ErrorDocument 500 "Oh sorry dear."

FileETag MTime
KeepAlive On
MaxKeepAliveRequests 100
MaxConnectionsPerChild 1000
UseCanonicalName Off
LimitInternalRecursion 5
LimitRequestFields 500
AcceptPathInfo Off
MaxRanges 100
KeepAliveTimeout 4


# Modules
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule headers_module modules/mod_headers.so
RequestReadTimeout header=20-600,MinRate=500 body=20,MinRate=500

2- When I test my site on https://www.ssllabs.com/ssltest, "Key Exchange" and "Cipher Strength" are not 100. As you can see, I added the lines below too:

Code:

SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
SSLCipherSuite ALL:+HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL
SSLHonorCipherOrder on
SSLCompression          off
SSLSessionTickets       off
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparams.pem"

[Attached image: SSL.PNG]

How can I improve it?

Thank you.
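
Added example (not part of the original post, and not code from the poster or from SSL Labs): a Python sketch that reads `openssl ciphers -v` output for a cipher string such as the one posted above and reports which suites hold the "Cipher Strength" score below 100. The sample suite list is constructed, and the scoring bands are an assumption taken from SSL Labs' published rating guide.

```python
import re

# Constructed sample in the format printed by `openssl ciphers -v '<cipher string>'`.
# It is NOT the real expansion of the posted SSLCipherSuite; run the command on
# the server and paste its output here instead.
SAMPLE = """\
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
"""

# name, protocol, Kx=<key exchange>, Au=<auth>, Enc=<cipher>(<bits>), Mac=<mac>
LINE = re.compile(r"^(\S+)\s+\S+\s+Kx=(\S+)\s+Au=\S+\s+Enc=[^\s(]+(?:\((\d+)\))?\s+Mac=\S+")

def parse(text):
    """Return [(suite_name, key_exchange, cipher_bits)]; Enc=None counts as 0 bits."""
    suites = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            suites.append((m.group(1), m.group(2), int(m.group(3) or 0)))
    return suites

def band(bits):
    """Assumed SSL Labs bands: 0 bits=0, <128=20, <256=80, >=256=100."""
    if bits == 0:
        return 0
    if bits < 128:
        return 20
    return 80 if bits < 256 else 100

def cipher_strength(suites):
    """Assumed SSL Labs rule: average of the strongest and the weakest suite."""
    scores = [band(bits) for _, _, bits in suites]
    return (max(scores) + min(scores)) / 2 if scores else None

def below_256(suites):
    """Suites that keep the category under 100 and would have to be excluded."""
    return [name for name, _, bits in suites if bits < 256]

def key_exchanges(suites):
    """Key-exchange types offered; key, DH parameter or curve size is checked separately."""
    return sorted({kx for _, kx, _ in suites})

if __name__ == "__main__":
    s = parse(SAMPLE)
    print("Cipher Strength estimate:", cipher_strength(s))
    print("Suites under 256 bits:", below_256(s))
    print("Key exchange types:", key_exchanges(s))
```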
