Last active
March 28, 2021 02:42
-
-
Save hroling/85f36e86d48285f08161 to your computer and use it in GitHub Desktop.
Apache 2.4 SSL config for A+ on SSLLabs.com
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| OLD stuff. This was not enough for an A+ anymore. |
I would avoid configuring HPKP which is the Header set Public-Key-Pins... line, it's depreciated and can cause serious downtime if you fail to use it correctly, like if you don't have backup certificates. E.g. Chrome 67 (and Google altogether) recently dropped support for it, and the end user has to enable it manually via Chrome flags. TLSv1 still might be required if you need to support older browsers and devices like IE10 and Android 4.3 or below versions.
This does not give A+ anymore!
This does not give A+ anymore!
True. I will delete this.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm not entirely sure below is correct, but using suggested config
SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2- triggers https://www.whynopadlock.com/ to show warning that TLSv1 is enabled - which is not good. We are usingSSLProtocol TLSv1.2which is the current standard with upcoming TLSv1.3.