Hardened TLS / SSL Cert

calendar2020-06-07 · 1 min read · sslcert tlscert letsencrypt hardening  ·
Share on: linkedincopy

Apache

 1SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 
 2SSLProtocol All -SSLv2 -SSLv3
 3SSLHonorCipherOrder On
 4Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
 5Header always set X-Frame-Options SAMEORIGIN
 6Header always set X-Content-Type-Options nosniff
 7# Requires Apache >= 2.4 
 8SSLCompression off
 9SSLSessionTickets Off 
10SSLUseStapling on 
11SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

Nginx

 1ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 2ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 3ssl_prefer_server_ciphers on;
 4ssl_session_cache shared:SSL:10m;
 5# 'always' requires nginx >= 1.7.5, see http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
 6add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
 7add_header X-Frame-Options SAMEORIGIN always;
 8add_header X-Content-Type-Options nosniff always;
 9ssl_session_tickets off;
10ssl_stapling on; # Requires nginx >= 1.3.7
11ssl_stapling_verify on; # Requires nginx >= 1.3.7
12resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
13resolver_timeout 5s;

See https://web.archive.org/web/20200114095414/https://cipherli.st/

X-Frame-Options is originally set to 'DENY' in cipherli.sh.

Considering most sites uses X-Frame-Options, it's best to use 'SAMEORIGIN'