I got a secure certificate from StartSSL which is completely free. This has the advantage that it is a fully validated certificate so you will no longer get those warning messages from browsers.
I used a 2048 bit key which seems perfectly fine or you can get a 4096 bit key. The certificate is limited to one sub domain which would normally be www.
Edit /etc/apache2/sites-enabled/default-ssl.conf and add the following.
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCompression off
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SH$
SSLHonorCipherOrder on
This disables older protocol versions, turns off compression and forces the use of the best cipher suite first and the clients will use the first one they support in the list.
Comments powered by Disqus.