Achieve Top SSL Grade

  Test site: SSL Labs

Disabling SSLv3

  If you’re running an Apache web server that currently allows SSLv3, you will need to edit the Apache configuration. On Debian and Ubuntu systems the file is /etc/apache2/mods-available/ssl.conf. On CentOS and Fedora the file is /etc/httpd/conf.d/ssl.conf. You will need to add the following line to your Apache configuration with other SSL directives.

SSLProtocol All -SSLv2 -SSLv3

Then restart apache2 with

sudo service apache2 restart

Disabling the RC4 cipher and enabling Perfect Forward Secrecy

  Find the relevant section of the SSL config file and make the following change:

SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

Then restart apache2.

  Now you can go to SSL Labs and test your site’s SSL grade again to see the difference.
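
  The directives from both sections can also be checked locally before re-testing. The following is an added example, not part of the original post: it audits configuration text for SSLv2/SSLv3, a missing !RC4 and SSLHonorCipherOrder. The function names, the WEAK_CONF sample and the worst-case treatment of "All" (as including SSLv2 and SSLv3) are assumptions made for the example.

```python
import re

# Assumption: "all" is audited as the worst case of older builds (incl. SSLv2/3).
ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in ALL}

def parse_directives(text):
    """Map lower-cased directive name to its argument string (last one wins)."""
    found = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            found[parts[0].lower()] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return found

def enabled_protocols(args):
    """Apply SSLProtocol tokens left to right: + adds, - removes, bare replaces."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = ALL if name.lower() == "all" else {CANON.get(name.lower(), name)}
        if sign == "-":
            enabled = enabled - group
        elif sign == "+":
            enabled = enabled | group
        else:
            enabled = set(group)
    return enabled

def audit(text):
    """Return findings for the three settings changed on this page."""
    d = parse_directives(text)
    # Assumption: a missing SSLProtocol is audited as "all".
    weak = enabled_protocols(d.get("sslprotocol", "all")) & {"SSLv2", "SSLv3"}
    findings = [f"{p} enabled" for p in sorted(weak)]
    # "!RC4" deletes RC4 permanently, even where other tokens still name it.
    if "!RC4" not in re.split(r"[ :,]+", d.get("sslciphersuite", "")):
        findings.append("RC4 not permanently excluded (no !RC4)")
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on")
    return findings

# Constructed sample: a weak configuration, not taken from the page.
WEAK_CONF = "SSLProtocol all\nSSLHonorCipherOrder off\nSSLCipherSuite HIGH:MEDIUM:RC4:!aNULL\n"
# The directives as given on this page.
HARDENED_CONF = '''SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
'''
```

  audit(HARDENED_CONF) returns an empty list because the trailing !RC4 overrides the earlier RC4 entries in the cipher string; on a real server, pass in the contents of the ssl.conf file named above.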

Thank you.
@gangxiao
