Good day, I would like to suggest the following enhancement to the Apache/SSL config that is delivered with aapanel 6.6.7 on modern CentOS 7.7+ (I only use CentOS/RedHat, so this is not tested with other distros).
With the current config, the following is in the Apache SSL configuration:

```apache
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder On
```
This configuration is not a modern configuration: it allows TLS 1.1 and enables some weak ciphers. It also does not score well in automated tests with SSL Labs.
I have modified the configuration with the following changes, went from B to A in the SSL Labs test, and guaranteed that PFS is enabled:
```apache
# Old values in original configuration
#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
#SSLProtocol All -SSLv2 -SSLv3 -TLSv1
#SSLHonorCipherOrder On

# New values in modified configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
```
Please comment. The reports included are from a live site.
Thanks,
Configuration report BEFORE changes:
Configuration report AFTER changes:
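As an added example (not part of the original post, not aapanel code), here is a small offline check that resolves the two `SSLProtocol` values above to the protocol versions they leave enabled and expands the two `SSLCipherSuite` strings with the local OpenSSL, then flags legacy protocol versions, suites without forward secrecy (key exchange other than ECDHE/DHE) and non-AEAD suites. It assumes Apache 2.4's `all` keyword expands to SSLv3 through TLSv1.3 (a build against OpenSSL 1.1.1+); the expanded cipher list depends on the OpenSSL version and security level of the machine running it.

```python
"""Offline audit of an Apache SSLProtocol / SSLCipherSuite pair.

Added example, not part of the original post or of aapanel. It expands the
cipher string with the local OpenSSL (via the ssl module), so the exact list
depends on the OpenSSL version and security level on the machine running it.
"""
import ssl
from typing import Dict, List

# What Apache 2.4's "all" keyword expands to on a build against OpenSSL 1.1.1+
# (assumption: older builds lack TLSv1.3; SSLv2 is not supported in 2.4 at all).
ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# The two configurations from the post.
OLD_PROTOCOL = "All -SSLv2 -SSLv3 -TLSv1"
OLD_CIPHERS = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
NEW_PROTOCOL = "all -SSLv3 -TLSv1 -TLSv1.1"
NEW_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)


def enabled_protocols(directive: str) -> List[str]:
    """Resolve an SSLProtocol value ([+|-]name tokens plus the 'all' keyword)
    to the protocol versions it leaves enabled, in version order."""
    enabled = set()
    for token in directive.split():
        negate = token.startswith("-")
        name = token.lstrip("+-")
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {name}
        if negate:
            enabled -= names  # "-SSLv2" on a 2.4 build is simply a no-op
        else:
            enabled |= names
    return [p for p in ALL_PROTOCOLS if p in enabled]


def expand_ciphers(spec: str) -> List[Dict]:
    """Expand an OpenSSL cipher string to the TLS 1.2-and-below suites it
    selects, using the local OpenSSL. get_ciphers() also reports the TLS 1.3
    suites, which SSLCipherSuite does not govern, so those are dropped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(protocol_directive: str, cipher_spec: str) -> Dict:
    """Flag legacy protocol versions, suites without forward secrecy
    (key exchange other than ECDHE/DHE) and non-AEAD (CBC + HMAC) suites."""
    protocols = enabled_protocols(protocol_directive)
    ciphers = expand_ciphers(cipher_spec)
    findings = []
    for proto in protocols:
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {proto}")
    for c in ciphers:
        if c["kea"] not in ("kx-ecdhe", "kx-dhe"):
            findings.append(f"no forward secrecy: {c['name']}")
        if not c["aead"]:
            findings.append(f"non-AEAD suite: {c['name']}")
    return {
        "protocols": protocols,
        "ciphers": [c["name"] for c in ciphers],
        "findings": findings,
    }


if __name__ == "__main__":
    for label, proto, spec in (("BEFORE", OLD_PROTOCOL, OLD_CIPHERS),
                               ("AFTER", NEW_PROTOCOL, NEW_CIPHERS)):
        result = audit(proto, spec)
        print(f"== {label} ==")
        print("protocols:", ", ".join(result["protocols"]))
        print("suites:   ", ", ".join(result["ciphers"]))
        for finding in result["findings"] or ["no findings"]:
            print("  -", finding)
```

Running it shows the two points the post makes: the old `SSLProtocol` still leaves TLSv1.1 enabled, and the old cipher string, while entirely ECDHE/DHE, pulls in the CBC suites behind `AES256+EECDH` and `AES256+EDH`, whereas the new string expands to AEAD, forward-secret suites only. The script does not check `SSLSessionTickets`; that directive matters for PFS too, since session tickets encrypted under a long-lived, unrotated ticket key let past sessions be decrypted if that key leaks, which is why the new config turns them off.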