CentOS A+ rating on SSL Labs

We all know that it is important to get a high score at SSL Labs, but on CentOS it can be tricky to get above a B, let alone an A+. This guide walks you through it.

Apache settings

Add the following to the Apache vhost.conf entry, replacing the certificate file paths with wherever you store yours.

SSLEngine on
# Globalsign Cert Start
SSLCertificateFile /etc/ssl/globalsign/yourcert.csr
SSLCertificateKeyFile /etc/ssl/globalsign/yourcertkey.key
SSLCertificateChainFile /etc/ssl/globalsign/yourcert-intermediate.csr
# Globalsign Cert Stop

# SSL security Start
Header always set Strict-Transport-Security "max-age=15768000"
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384
SSLHonorCipherOrder     on
SSLCompression          off
# SSL security Stop

SSL settings

Now make the following changes in the Apache ssl.conf file.

Find this line

# SSLProtocol all -SSLv2 -SSLv3

And replace it with the following

SSLProtocol   all -SSLv3 -TLSv1 -TLSv1.1

Next find this line

SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

Replace it with this one, which is a single long line

SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384

Find this line

#SSLHonorCipherOrder on

Remove the # and add one extra line, so that it looks like this

SSLHonorCipherOrder  on
SSLCompression       off

Now this should give you an A+ rating, right? Unfortunately it does not, because the Apache build that ships with CentOS only offers an ECDH curve of either prime256v1 or X25519. Until CentOS ships a newer build of Apache, we need to modify the certificate file so that it specifies secp384r1; this gives the A+ and causes no compatibility issues.

Right, so let's specify a new curve for the certificate.

openssl ecparam -name secp384r1 >> /your/certificate/file.csr

Note that it makes no difference whether your certificate file name ends in .csr or .crt.

Restart Apache

Restart apache in order for the changes to take effect.

apachectl restart
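Before restarting, it is worth checking the edited files offline for the exact mistakes that cost grades: TLS 1.0/1.1 left enabled, a stray "::" in the cipher list, SSLCompression not set, an HSTS max-age below six months, or an EC PARAMETERS block naming the wrong curve. The script below is an added example and not part of the original page; it assumes only the directives shown above, and the sample configuration and certificate text it checks are constructed for illustration. The curve check decodes the OID inside the EC PARAMETERS block that `openssl ecparam -name <curve>` writes, so it can tell secp384r1 from prime256v1 without running openssl.

```python
"""Offline lint for the Apache mod_ssl settings this page uses to reach an
A+ at SSL Labs.  Added example, not code from the original page; the sample
configuration and certificate text below are constructed for illustration."""
import base64
import re

MIN_HSTS_MAX_AGE = 15768000   # six months: the page's value and SSL Labs' A+ threshold
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # what "all" expands to
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXP", "SEED", "IDEA")

# DER-encoded curve OIDs, as found inside the EC PARAMETERS block that
# `openssl ecparam -name <curve>` prints
CURVE_OIDS = {
    bytes.fromhex("2b81040022"): "secp384r1",         # 1.3.132.0.34
    bytes.fromhex("2a8648ce3d030107"): "prime256v1",  # 1.2.840.10045.3.1.7
}


def parse_directives(text):
    """Return [(directive, argument string)] for every non-comment line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            out.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return out


def enabled_protocols(args):
    """Apply the all / +name / -name grammar of SSLProtocol and return the enabled set."""
    enabled = set()
    for tok in args.split():
        name = tok.lstrip("+-")
        if name.lower() == "all":
            enabled = enabled - ALL_PROTOCOLS if tok.startswith("-") else enabled | ALL_PROTOCOLS
        elif tok.startswith("-"):
            enabled.discard(name)
        else:
            enabled.add(name)
    return enabled


def lint_cipher_suite(args):
    """Flag empty entries (a stray '::'), non-forward-secret and weak ciphers."""
    problems = []
    for entry in args.split(":"):
        if entry == "":
            problems.append("SSLCipherSuite has an empty entry (stray '::')")
        elif entry[0] in "!-":
            continue                      # an exclusion rule, nothing to check
        elif not entry.startswith(("ECDHE-", "DHE-")):
            problems.append("cipher %s does not provide forward secrecy" % entry)
        elif any(marker in entry for marker in WEAK_MARKERS):
            problems.append("cipher %s uses a weak primitive" % entry)
    return problems


def lint_ssl_config(text):
    """Return a list of problems; an empty list means the config matches the page."""
    directives = parse_directives(text)
    last = {name.lower(): args for name, args in directives}   # last occurrence wins
    problems = []
    if "sslprotocol" not in last:
        problems.append("SSLProtocol is missing (Apache then allows every version)")
    else:
        legacy = enabled_protocols(last["sslprotocol"]) & LEGACY_PROTOCOLS
        if legacy:
            problems.append("SSLProtocol still enables: " + ", ".join(sorted(legacy)))
    if "sslciphersuite" not in last:
        problems.append("SSLCipherSuite is missing")
    else:
        problems += lint_cipher_suite(last["sslciphersuite"])
    if last.get("sslhonorcipherorder", "").lower() != "on":
        problems.append("SSLHonorCipherOrder is not on")
    if last.get("sslcompression", "").lower() != "off":
        problems.append("SSLCompression is not off")
    max_age = None
    for name, args in directives:
        if name.lower() == "header" and "strict-transport-security" in args.lower():
            m = re.search(r"max-age=(\d+)", args, re.I)
            max_age = int(m.group(1)) if m else 0
    if max_age is None:
        problems.append("no Strict-Transport-Security header (needed for A+)")
    elif max_age < MIN_HSTS_MAX_AGE:
        problems.append("HSTS max-age %d is below %d" % (max_age, MIN_HSTS_MAX_AGE))
    return problems


def declared_curve(pem_text):
    """Name the curve from an EC PARAMETERS block appended to the certificate file
    (the page's `openssl ecparam -name secp384r1 >> file` step); None if absent."""
    m = re.search(r"-----BEGIN EC PARAMETERS-----(.*?)-----END EC PARAMETERS-----", pem_text, re.S)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    # a named curve is a bare OBJECT IDENTIFIER: tag 0x06, length byte, OID bytes
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        return "not a named curve"
    return CURVE_OIDS.get(der[2:], "unknown OID")


# Constructed samples: the page's hardened vhost block, and a variant with the
# mistakes discussed above (TLS 1.0/1.1 left on, a stray '::', no SSLCompression off)
GOOD_CONFIG = """\
SSLEngine on
SSLCertificateFile /etc/ssl/globalsign/yourcert.crt
SSLCertificateKeyFile /etc/ssl/globalsign/yourcertkey.key
Header always set Strict-Transport-Security "max-age=15768000"
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384
SSLHonorCipherOrder     on
SSLCompression          off
"""
BAD_CONFIG = """\
SSLEngine on
Header set Strict-Transport-Security "max-age=300"
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384::ECDHE-RSA-AES256-SHA384
SSLHonorCipherOrder on
"""
# Constructed: the tail of a certificate file after the ecparam step (P-384 vs P-256)
CERT_WITH_P384 = "-----BEGIN EC PARAMETERS-----\nBgUrgQQAIg==\n-----END EC PARAMETERS-----\n"
CERT_WITH_P256 = "-----BEGIN EC PARAMETERS-----\nBggqhkjOPQMBBw==\n-----END EC PARAMETERS-----\n"

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint_ssl_config(cfg) or "OK")
    print(declared_curve(CERT_WITH_P384), declared_curve(CERT_WITH_P256))
```

Run it against the real files by reading them in place of GOOD_CONFIG and CERT_WITH_P384 (the lint stops at the directives the page sets, so it reports nothing about the rest of the vhost). A clean result from the lint plus the curve reported as secp384r1 is what you want to see before running apachectl restart and re-testing at SSL Labs.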
archive/centos_ssl_a_rating.txt · Last modified: 24/11/2023 12:42 by Allan