@namnamir
Last active January 20, 2020 08:48
Best practice SSL configuration for Apache 2
# Protocols to be enabled/disabled
##### CHOOSE ONE OF THEM #####
# 1- Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.3 +TLSv1.2
# 2- If there is Apache 2.4.29 & OpenSSL 1.1.1
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# Enable HTTP/2, if available
Protocols h2 http/1.1
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Disable session tickets: mod_ssl keeps one ticket key until restart, and a leaked key would undo Perfect Forward Secrecy (PFS)
SSLSessionTickets off
# Disable TLS compression
SSLCompression off
# The order of cipher suites matters
SSLHonorCipherOrder on
SSLInsecureRenegotiation off
# OCSP Stapling improves performance by providing the clients with up-to-date status of your certificate.
SSLUseStapling on
# Specify the OCSP response cache location and size (server-wide directive: place it outside any <VirtualHost>)
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Specify the elliptic curves offered for ECDHE key exchange, in preference order
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
# Enable only secure ciphers:
##### CHOOSE ONE OF THEM #####
# 1- Broad compatibility list; note that it still allows the 3DES (DES-CBC3) suites, which "!DES" (single DES only) does not exclude
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
# 2- OWASP suggestion:
# Supports Android 4.4.2, BingPreview Jan 2015, Chrome 32/Win 7, Chrome 34/OS X, Edge 12/Win 10, Firefox 27/Win 8, Googlebot Feb 2015, IE11/Win 7 + MS14-066, Java8b132, OpenSSL 1.0.1e, Safari 9/iOS 9, Yahoo Slurp Jun 2014, YandexBot Sep 2014
# Note: OpenSSL does not take the TLS_* (TLS 1.3) names from the ordinary cipher string; on Apache 2.4.36+ they are set with the protocol-specific form "SSLCipherSuite TLSv1.3 ..."
SSLCipherSuite TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
# 3- Mozilla Suggestion:
# Supports Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# 4- Acunetix Suggestion:
# Supports Firefox 26, Android 4.3, Chrome 29, IE 10, Java 6u45, Java 7u25, OpenSSL 0.9.8y, and Safari 6.0
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# 5- Digicert Suggestion:
#
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
###########
# Sources #
###########
## https://cipherli.st/
## https://ssl-config.mozilla.org/
## https://owasp.org/www-project-cheat-sheets/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html
## https://gist.github.com/GAS85/42a5469b32659a0aecc60fa2d4990308
## https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
## https://www.virtualmin.com/node/52164
## https://www.leaderssl.om/news/471-how-to-disable-outdated-versions-of-ssl-tls-in-apache
## https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
## https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm
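A way to check a fragment like the one above before reloading Apache: the linter below parses mod_ssl directives, evaluates the SSLProtocol token list the way mod_ssl does (+ adds, - removes, "all" expands), verifies the boolean hardening directives, the stapling cache, the HSTS header and its max-age, and flags cipher tokens that name RC4, 3DES, MD5 or NULL suites unless a "!" token in the same string already removes them. This is an added example, not code from the gist or from any of the sources listed; the two embedded fragments are constructed (one mirrors option 1 above, one is deliberately stale), and the HSTS minimum and the treatment of a missing SSLProtocol as "all" are this script's own assumptions.

```python
"""Offline linter for an Apache mod_ssl fragment: checks the hardening points
the configuration above sets (protocol set, compression, session tickets,
cipher order, renegotiation, OCSP stapling, HSTS, weak cipher tokens).
Constructed example, not part of the gist."""
import re
import shlex

# mod_ssl's "all" keyword is every protocol 2.4 still speaks; SSLv2 is gone.
ALL_KEYWORD = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Boolean directives and the value the configuration above expects.
EXPECTED = {"SSLCompression": "off", "SSLSessionTickets": "off",
            "SSLHonorCipherOrder": "on", "SSLInsecureRenegotiation": "off",
            "SSLUseStapling": "on"}
# Weak-token markers with the "!" negations that already remove those suites
# (OpenSSL's "!DES" means single DES only, so it does not cover DES-CBC3).
WEAK_MARKERS = {"RC4": {"RC4"}, "DES-CBC3": {"3DES", "DES-CBC3"},
                "3DES": {"3DES"}, "MD5": {"MD5"}, "NULL": {"NULL", "ENULL"}}
MIN_HSTS_MAX_AGE = 15552000  # assumption: the gist's own max-age (180 days)

# Constructed fragments: the gist's option-1 protocol line plus a cipher string
# shaped like its option 1, and a deliberately stale configuration.
HARDENED_BASE = """
SSLProtocol -all +TLSv1.3 +TLSv1.2
Protocols h2 http/1.1
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
SSLSessionTickets off
SSLCompression off
SSLHonorCipherOrder on
SSLInsecureRenegotiation off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
"""
GIST_FRAGMENT = HARDENED_BASE + (
    "SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA"
    ":HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4\n")
STALE_FRAGMENT = """
SSLProtocol all -SSLv3
SSLCompression on
SSLCipherSuite "EECDH+aRSA+RC4 RC4 HIGH !aNULL !MD5"
"""


def parse_directives(text):
    """Yield (directive, args) per non-comment line; shlex honours quoting."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            yield parts[0], parts[1:]


def enabled_protocols(tokens):
    """Evaluate SSLProtocol tokens: '+' adds, '-' removes, a bare name adds."""
    enabled = set()
    for tok in tokens:
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_KEYWORD if name.lower() == "all" else {name}
        enabled = enabled | names if op == "+" else enabled - names
    return enabled


def weak_cipher_tokens(spec):
    """Non-negated tokens carrying a weak marker that no '!' token cancels."""
    tokens = [t for t in re.split(r"[:,\s]+", spec) if t]
    negated = {t[1:].upper() for t in tokens if t.startswith("!")}
    flagged = []
    for tok in tokens:
        if tok[0] in "!-":
            continue
        if any(m in tok.upper() and not (c & negated) for m, c in WEAK_MARKERS.items()):
            flagged.append(tok)
    return flagged


def lint(text):
    """Return human-readable findings; an empty list means every check passed."""
    seen, findings = {}, []
    for name, args in parse_directives(text):
        seen.setdefault(name, []).append(args)  # the last occurrence wins
    # Assumption: a missing SSLProtocol is treated conservatively as "all".
    enabled = enabled_protocols(seen["SSLProtocol"][-1]) if "SSLProtocol" in seen else ALL_KEYWORD
    findings += [f"SSLProtocol leaves {p} enabled" for p in sorted(enabled & LEGACY)]
    for directive, want in EXPECTED.items():
        found = (seen.get(directive, [[]])[-1] or [""])[0].lower()
        if found != want:
            findings.append(f"{directive} should be {want}, found {found or 'nothing'}")
    if "SSLUseStapling" in seen and "SSLStaplingCache" not in seen:
        findings.append("SSLUseStapling on without an SSLStaplingCache")
    hsts = [a for a in seen.get("Header", []) if "strict-transport-security" in map(str.lower, a)]
    age = re.search(r"max-age=(\d+)", hsts[-1][-1]) if hsts else None
    if not age or int(age.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("Strict-Transport-Security header missing or max-age too low")
    for args in seen.get("SSLCipherSuite", []):  # args[-1] is the cipher spec
        findings += [f"weak cipher token {t!r} in SSLCipherSuite" for t in weak_cipher_tokens(args[-1])]
    return findings


if __name__ == "__main__":
    for label, frag in (("gist option 1", GIST_FRAGMENT), ("stale", STALE_FRAGMENT)):
        print(label, lint(frag) or ["no findings"])
```

Run against the option-1 fragment it reports only the two DES-CBC3 tokens, which is exactly the residue the "!DES" negation leaves behind; against the stale fragment it lists the still-enabled TLS 1.0/1.1, every missing or wrong boolean directive, the absent HSTS header and both RC4 tokens. It reads only the static fragment, so it complements rather than replaces a live handshake scan of the deployed server.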