Author Topic: Make Your Server FQDN [Lets Encrypt/Auto SSL] SSL certificate A+ Grade  (Read 5957 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Hello Everybody

Hope you are doing well. I am using CWP6.admin in CentOS 6.9 with Lets Encrypt .
But My SSL certificate grade is B and My Cipher list is not so strong.
So I am going use Strong Cipher list and I will show you that how to make your SSL certificate A+ grade .

Visit https://www.ssllabs.com/ssltest/ and Provide your Server FQDN & wait for the result .
You will see that your SSL is not A+ grade .

Login to your server using SSH .

1.Change the directory
#cd /usr/local/apache/conf.d/

2.Backup ssl.conf

3. Edit ssl.conf & paste the below code
#vi ssl.conf

<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
Listen 443
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off


SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)
 
#NameVirtualHost server_ip:443


4.save & close

5. Open httpd.conf file

#vi /usr/local/apache/conf/httpd.conf
Enable the below module , just uncomment

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

6.save & close

6.Restart Apache & cwp server


7. Finally visit https://www.ssllabs.com/ssltest/ & provide your server FQDN , And See result , your server SSL certificate is A+ grade.


Source : Cipherli.st Strong Ciphers for Apache, nginx and Lighttpd
https://cipherli.st/


If you need any further assistance , just post a comment below , i will try to assist you.


Offline
*
Though this thread is quite old, but some may still be following it to the letter or taking it as reference, hence I would like to add that if you set

Code: [Select]
Header always set X-Frame-Options DENY
Roundcube webmail will stop loading the reading pane, user will be able to login, but reading pane will not load, you may get error as "connection refused" or "this site can not be loaded".

To avoid the issue or to fix it, better use

Code: [Select]
Header always set X-Frame-Options SAMEORIGIN