-
-
Save hroling/85f36e86d48285f08161 to your computer and use it in GitHub Desktop.
| OLD stuff. This was not enough for an A+ anymore. |
Does the above keyword support Apache/2.2.22 ?
Where is the "Default-SSL.conf" file?
Also when I put "SSLStaplingCache shmcb:/tmp/stapling_cache(128000)" in the SSL.conf file (the one in Httpd/conf.d/) httpd wouldn't start.
Great Info
Just used this, thanks for sharing! I omitted the public key pins and still received A+.
I'm not entirely sure below is correct, but using suggested config SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 - triggers https://www.whynopadlock.com/ to show warning that TLSv1 is enabled - which is not good. We are using SSLProtocol TLSv1.2 which is the current standard with upcoming TLSv1.3.
I would avoid configuring HPKP which is the Header set Public-Key-Pins... line, it's depreciated and can cause serious downtime if you fail to use it correctly, like if you don't have backup certificates. E.g. Chrome 67 (and Google altogether) recently dropped support for it, and the end user has to enable it manually via Chrome flags. TLSv1 still might be required if you need to support older browsers and devices like IE10 and Android 4.3 or below versions.
This does not give A+ anymore!
This does not give A+ anymore!
True. I will delete this.
very good