Apache
# TLS hardening directives for Apache (mod_ssl plus mod_headers).
# Offer only AES-GCM and AES-256 suites with ephemeral (EC)DH key exchange.
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# Start from every protocol and subtract SSLv2, SSLv3, TLS 1.0 and TLS 1.1.
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# Apply the server's cipher preference order instead of the client's.
SSLHonorCipherOrder On
# HSTS with a two-year max-age, covering all subdomains, with the preload flag.
# A browser that has seen this header refuses plain HTTP for the host and its
# subdomains until max-age expires.
# NOTE(review): confirm every subdomain serves valid HTTPS before enabling.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# Forbid rendering responses inside frames (clickjacking defence).
Header always set X-Frame-Options DENY
# Tell browsers not to MIME-sniff away from the declared Content-Type.
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
# TLS-level compression is switched off (compression side channels such as CRIME).
SSLCompression off
# OCSP stapling: the server attaches a cached OCSP response to the handshake.
SSLUseStapling on
# NOTE(review): SSLStaplingCache is a server-config directive; it normally has
# to sit outside any <VirtualHost> block - confirm placement.
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
# Session tickets are disabled; resumption then relies on the session cache.
SSLSessionTickets Off
nginx
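# TLS hardening for an nginx server/http block.
ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0 else use TLSv1.2
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
# ssl_ciphers governs TLS 1.2 and earlier; TLS 1.3 suites are selected by the
# TLS library separately, so this list matters once TLSv1.2 is enabled.
# NOTE(review): the two *-GCM-SHA512 names do not look like OpenSSL suite
# names - check what the string expands to with `openssl ciphers -v`.
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
# $DNS-IP-1 / $DNS-IP-2 are placeholders: replace them with resolver addresses
# you trust; nginx uses them to look up the OCSP responder for stapling.
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s;
# "always" (nginx >= 1.7.5) sends the header on every response code; without
# it nginx omits add_header output on most error responses.
# add_header is inherited from the enclosing level only when the current level
# defines none of its own, so repeat these in any location that adds headers.
# HSTS with preload is long-lived: confirm every subdomain serves valid HTTPS.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
# NOTE(review): current browsers have dropped their XSS auditor; this header
# does not replace a Content-Security-Policy.
add_header X-XSS-Protection "1; mode=block" always;
# Asks crawlers not to index or follow anything served by this host.
add_header X-Robots-Tag none always;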
Lighttpd
# TLS hardening for lighttpd (mod_openssl plus mod_setenv for the headers).
# Apply the server's cipher preference order instead of the client's.
ssl.honor-cipher-order = "enable"
# Offer only AES-GCM and AES-256 suites with ephemeral (EC)DH key exchange.
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
# TLS-level compression off (compression side channels such as CRIME).
ssl.use-compression = "disable"
# Response headers: HSTS (two years, all subdomains, preload), no framing,
# no MIME sniffing.
# NOTE(review): HSTS with includeSubDomains/preload is long-lived; confirm
# every subdomain serves valid HTTPS before enabling.
setenv.add-response-header = (
    "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options" => "DENY",
    "X-Content-Type-Options" => "nosniff"
)
# Only SSLv2 and SSLv3 are turned off here; TLS 1.0 and 1.1 are not restricted
# by these lines.
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
Warning
These examples are meant for sysadmins who have done this before (and sysadmins are forced to support Windows XP with IE < 9, therefore des3cbc), as an easily copy-pastable example, not for newbies who have no idea what all this means. The settings are very secure, but if you don't know what you are doing, they might make your website and subdomains unavailable for a long, long time (see HSTS). Research what you are doing and think before you act. Hier niet poepen zegmaar.
Other suggestions
- sha256 certificates
- 4096-bit private key
- >2048 DH Pool size –
# Generate 4096-bit Diffie-Hellman parameters and write them to dhparams.pem
# in the current directory; point the server's DH parameter setting at this
# file. Generation at this size can take a long time.
openssl dhparam -out dhparams.pem 4096
Other Software
Pull requests for other software welcome
haproxy
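# HAProxy TLS termination: plain HTTP is redirected to HTTPS, and the HTTPS
# frontend adds HSTS and X-Frame-Options to responses.
global
  # Defaults for every "bind ... ssl" line: no SSLv3, no session tickets, and
  # TLS 1.2 only (force-tlsv12 also excludes newer protocol versions).
  ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
  ssl-default-bind-ciphers AES128+EECDH:AES128+EDH

frontend http-in
  mode http
  option httplog
  option forwardfor
  option http-server-close
  option httpclose
  bind 192.0.2.10:80
  # Permanent redirect for any request that did not arrive over TLS.
  redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
  # NOTE(review): no "mode http" here; presumably inherited from a defaults
  # section that is not shown - confirm.
  option httplog
  option forwardfor
  option http-server-close
  option httpclose
  # "http-response set-header" replaces the original "rspadd" lines: rspadd
  # was removed in HAProxy 2.1, so a config that still uses it fails to load
  # there, while set-header works on 1.5 and later.
  # HSTS with includeSubDomains/preload is long-lived: confirm every subdomain
  # serves valid HTTPS before enabling.
  http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
  http-response set-header X-Frame-Options DENY
  # haproxy.pem holds the certificate chain and the private key; keep it
  # readable only by the haproxy user.
  bind 192.0.2.10:443 ssl crt /etc/haproxy/haproxy.pem ciphers AES128+EECDH:AES128+EDH force-tlsv12 no-sslv3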
Postfix
# Postfix main.cf: TLS settings for the SMTP server (smtpd).
# NOTE(review): smtpd_use_tls is the legacy switch; smtpd_tls_security_level
# below expresses the same intent on current Postfix.
smtpd_use_tls=yes
# "may" = opportunistic TLS: STARTTLS is offered but clients may still send
# mail in the clear.
smtpd_tls_security_level = may
# SASL authentication is only accepted inside a TLS session.
smtpd_tls_auth_only = yes
smtpd_tls_cert_file=/etc/ssl/postfix.cert
# Private key: keep it readable by root only.
smtpd_tls_key_file=/etc/ssl/postfix.key
# Exclude SSLv2, SSLv3, TLS 1.0 and TLS 1.1 for mandatory TLS ...
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
# ... and for opportunistic TLS. Senders limited to older protocols can then
# not negotiate TLS with this server at all.
smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
# NOTE(review): the *_mandatory_* cipher grade applies to mandatory TLS; with
# security level "may", smtpd_tls_ciphers is the setting that applies - confirm
# it is also "medium" on your version.
smtpd_tls_mandatory_ciphers = medium
# Redefines what the "medium" grade means for every Postfix TLS setting that
# refers to it.
tls_medium_cipherlist = AES128+EECDH:AES128+EDH
Exim
# Exim main configuration: TLS for incoming SMTP.
tls_certificate = /etc/exim.cert
# Private key: keep it readable only by the Exim user.
tls_privatekey = /etc/exim.key
# Advertise STARTTLS to every connecting host.
tls_advertise_hosts = *
# Restrict cipher suites to AES-128 with ephemeral (EC)DH key exchange.
tls_require_ciphers = AES128+EECDH:AES128+EDH
# Only SSLv2 and SSLv3 are disabled here; TLS 1.0 and 1.1 are not restricted
# by this line.
openssl_options = +no_sslv2 +no_sslv3
ProFTPd
# ProFTPD mod_tls: FTP over TLS.
TLSEngine on
TLSLog /var/ftpd/tls.log
# Accept TLS 1.2 only.
TLSProtocol TLSv1.2
# Refuse sessions that do not use TLS, so credentials are not sent in clear.
TLSRequired on
# Restrict cipher suites to AES-128 with ephemeral (EC)DH key exchange.
TLSCipherSuite AES128+EECDH:AES128+EDH
TLSRSACertificateFile /etc/proftpd.cert
# Private key: keep it readable by root only.
TLSRSACertificateKeyFile /etc/proftpd.key
Dovecot
# Dovecot TLS settings (conf.d/10-ssl.conf style).
# NOTE(review): "ssl = yes" enables TLS; whether plaintext logins are refused
# depends on other settings not shown here - confirm.
ssl = yes
# The leading "<" makes Dovecot read the value from the named file.
ssl_cert = </etc/dovecot.cert
ssl_key = </etc/dovecot.key
# Only SSLv2 and SSLv3 are excluded; TLS 1.0 and 1.1 remain allowed.
# NOTE(review): Dovecot 2.3 replaced this setting with ssl_min_protocol.
ssl_protocols = !SSLv2 !SSLv3
# Restrict cipher suites to AES-128 with ephemeral (EC)DH key exchange.
ssl_cipher_list = AES128+EECDH:AES128+EDH
ssl_prefer_server_ciphers = yes # >Dovecot 2.2.6
# NOTE(review): Dovecot 2.3 takes DH parameters from a file (ssl_dh) instead.
ssl_dh_parameters_length = 4096 # >Dovecot 2.2
Hitch TLS Proxy
# Hitch TLS proxy: cipher selection.
# Offer only AES-GCM and AES-256 suites with ephemeral (EC)DH key exchange.
# No protocol-version restriction is set in this snippet.
ciphers = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
# Apply the server's cipher preference order instead of the client's.
prefer-server-ciphers = on
Zarafa
These settings can be set in /etc/zarafa/server.cfg and gateway.cfg.
Medium security
# Zarafa "medium" profile: SSLv2/SSLv3 off, TLS 1.0 and 1.1 still accepted.
server_ssl_protocols = !SSLv2 !SSLv3
# Everything except LOW, export and anonymous suites; RC4, 3DES and MD5-based
# suites are not excluded by this string.
# NOTE(review): in an OpenSSL cipher string "!SSLv3" removes the suites that
# were defined for SSLv3, which are the ones TLS 1.0/1.1 clients use - check
# the effective list with `openssl ciphers -v`.
server_ssl_ciphers = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL
# "yes or no" names the two accepted values; write exactly one of them.
server_ssl_prefer_server_ciphers = yes or no
High security
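# Zarafa "high" profile: TLS 1.2 and later only.
# >= Debian 7 / CentOS 7
server_ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
# Ephemeral ECDH/DH suites, AES-GCM first. The RC4 entries of the original
# string are dropped and "!RC4" is added: RC4 is prohibited for TLS by
# RFC 7465 and does not belong in a high-security list.
server_ssl_ciphers = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
# Accepted values are yes or no; "yes" makes the server's order above apply.
server_ssl_prefer_server_ciphers = yes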
MySQL
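# MySQL server TLS settings (my.cnf).
[mysqld]
ssl-ca=/etc/mysql-ssl/ca-cert.pem
ssl-cert=/etc/mysql-ssl/server-cert.pem
# Private key: keep it readable only by the mysql user.
ssl-key=/etc/mysql-ssl/server-key.pem
# Restrict cipher suites to AES-128 with ephemeral (EC)DH key exchange.
ssl-cipher=AES128+EECDH:AES128+EDH

# replication:
# The statements below are SQL for the mysql client, not my.cnf settings.
# Typographic quotes from the page are replaced with plain ASCII quotes, and
# the missing TO keyword after CHANGE MASTER is restored.
# REQUIRE SSL enforces an encrypted connection for the account; it does not
# make the replica verify the master's certificate.
# NOTE(review): consider MASTER_SSL_VERIFY_SERVER_CERT=1 in CHANGE MASTER TO,
# and a narrower host than '%' for the replication account.
GRANT REPLICATION SLAVE ON *.* to 'repl'@'%' REQUIRE SSL;
STOP SLAVE;
CHANGE MASTER TO MASTER_SSL=1, MASTER_SSL_CA='/etc/mysql-ssl/ca-cert.pem', MASTER_SSL_CERT='/etc/mysql-ssl/client-cert.pem', MASTER_SSL_KEY='/etc/mysql-ssl/client-key.pem';
SHOW SLAVE STATUS\G;
START SLAVE;
SHOW SLAVE STATUS\G;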
DirectAdmin
ssl_cipher=AES128+EECDH:AES128+EDH SSL=1 cacert=/usr/local/directadmin/conf/cacert.pem cakey=/usr/local/directadmin/conf/cakey.pem carootcert=/usr/local/directadmin/conf/carootcert.pem
Postgresql
# postgresql.conf: TLS and password storage.
# Enables TLS on the server. It does not by itself force clients to use it;
# that is decided per rule in pg_hba.conf (hostssl vs. host entries).
ssl = on
# Restrict cipher suites to AES-128 with ephemeral (EC)DH key exchange.
ssl_ciphers = 'AES128+EECDH:AES128+EDH'
# NOTE(review): on newer PostgreSQL releases this setting takes a method name
# (md5 or scram-sha-256) and the boolean form is no longer accepted - confirm
# against your server version.
password_encryption = on
OpenSSH Server
# sshd_config: restrict the server to modern key exchange, ciphers and MACs.
# NOTE(review): recent OpenSSH releases speak protocol 2 only and treat this
# keyword as deprecated - confirm for your version.
Protocol 2
# Only Ed25519 and RSA host keys are offered.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# Curve25519 first, then group-exchange DH with SHA-256.
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# AEAD ciphers (ChaCha20-Poly1305, AES-GCM) first, AES-CTR as fallback.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# Encrypt-then-MAC variants first; the non-ETM entries at the end are fallbacks.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
OpenSSH Client
# ssh_config: client-side defaults.
# Store host names in known_hosts as hashes, so the file does not list the
# hosts this account connects to in clear text.
HashKnownHosts yes
# ssh uses the first value it finds for each option, so this block has to
# come before "Host *" for its MACs list to win for github.com.
Host github.com
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512
Host *
  ConnectTimeout 30
  # Curve25519 first, then group-exchange DH with SHA-256.
  KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
  # Encrypt-then-MAC variants first; the non-ETM entries are fallbacks.
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
  # AEAD ciphers (ChaCha20-Poly1305, AES-GCM) first, AES-CTR as fallback.
  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  ServerAliveInterval 10
  # Connection multiplexing: with "ControlPersist yes" the master connection
  # stays open in the background indefinitely, and any process that can reach
  # the control socket can open sessions on it without authenticating again.
  # Keep ~/.ssh mode 0700; a time value for ControlPersist bounds the exposure.
  ControlMaster auto
  ControlPersist yes
  ControlPath ~/.ssh/socket-%r@%h:%p