Get an A+ in Qualys SSL Labs

I got a secure certificate from StartSSL, which is completely free. This has the advantage that it is a fully validated certificate, so you will no longer get those warning messages from browsers.
I used a 2048-bit key, which seems perfectly fine, or you can get a 4096-bit key. The certificate is limited to one subdomain, which would normally be www.

Edit /etc/apache2/sites-enabled/default-ssl.conf and add the following.

                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                SSLEngine on
                SSLProtocol all -SSLv2 -SSLv3
                SSLCompression off
                #SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
                SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SH$
                SSLHonorCipherOrder on

This disables the older protocol versions (SSLv2 and SSLv3), turns off compression, and makes the server's cipher order take precedence: the best cipher suites are listed first, and each client will use the first one in the list that it supports.
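
A small check for the settings above, as an added example that is not part of the original post: it reads a vhost file's active directives and reports any that differ from what this post configures. The marker list, the reading of `all` as including SSLv2 and SSLv3, and both sample configs are assumptions constructed for the example.

```python
WEAK_MARKERS = ("RC4", "MD5", "EXP", "NULL", "ADH", "DES")  # constructed, not exhaustive
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # assumption: "all" read conservatively

def parse_directives(conf):
    """Map active (uncommented) directives to their value; the last one wins."""
    found = {}
    for line in conf.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            found[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return found

def enabled_protocols(value):
    """Apply the SSLProtocol tokens left to right: '+' adds, '-' removes."""
    enabled = set()
    for tok in value.split():
        if tok.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def audit(conf):
    """Return a list of findings; a missing directive counts as not set."""
    d, findings = parse_directives(conf), []
    for name, want in (("sslengine", "on"), ("sslcompression", "off"), ("sslhonorcipherorder", "on")):
        if d.get(name, "").lower() != want:
            findings.append(f"{name} should be {want}")
    legacy = enabled_protocols(d.get("sslprotocol", "all")) & {"SSLv2", "SSLv3"}
    if legacy:
        findings.append("legacy protocols enabled: " + ",".join(sorted(legacy)))
    for entry in d.get("sslciphersuite", "").split(":"):
        if not entry.startswith("!") and any(m in entry.upper() for m in WEAK_MARKERS):
            findings.append("weak cipher entry: " + entry)
    return findings

# Constructed sample: the post's commented-out cipher line made active, SSLv3 left on.
WEAK = """SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM"""
# Constructed sample: the post's directives, with the cipher list cut to three suites.
HARDENED = """SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCompression off
#SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on"""
```

Calling `audit()` on the text of your own `default-ssl.conf` returns an empty list when all four settings match.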

SSL TLS Deployment Guide

This post is licensed under CC BY 4.0 by the author.
