Just a quick one to improve things!
Beginning January 2020, SSLLabs.com will give you a grade B if you still have TLS 1.0 or 1.1 enabled, as these versions are considered insecure.
The following is an example warning you might see:
So let’s disable that weak stuff, and only allow strong ciphers while we’re at it!
Strong Ciphers
To only allow strong ciphers on your website, add the following at the end of your VirtualHost config:
SSLCipherSuite HIGH:!aNULL:!MD5
Stupid simple, right?
Disable insecure SSL/TLS
To disable SSL entirely, and disable TLS 1.0 and 1.1, add the following to the end of your VirtualHost config:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Again, stupid simple!
Reload
Now simply reload (or restart) your web server:
systemctl reload apache2
While there is always more you can do, this is a good start!
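To check what an SSLProtocol line actually leaves enabled before you reload, here is a small config audit, added as an example and not part of the original post. The function names and the sample config are made up for illustration. It assumes "all" expands to the widest set a mod_ssl build may offer, and that a bare protocol name replaces the set while + and - adjust it.

```python
import re

# Assumption: "all" is expanded to the widest set a mod_ssl build may offer.
ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
CANON = {p.lower(): p for p in ALL + ("SSLv2",)}  # case-insensitive lookup
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def effective_protocols(args):
    """Evaluate one SSLProtocol argument list left to right."""
    enabled = set()
    for token in args.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        key = name.lower()
        names = set(ALL) if key == "all" else {CANON.get(key, name)}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = set(names)  # bare name replaces what came before
    return enabled


def audit(config_text):
    """Return (line_no, enabled, weak) for every active SSLProtocol line."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)  # commented-out lines do not match
        if match:
            enabled = effective_protocols(match.group(1))
            findings.append((line_no, sorted(enabled), sorted(enabled & WEAK)))
    return findings


# Constructed sample: a leftover older line, then the line from this post.
SAMPLE = """\
<VirtualHost *:443>
    # SSLProtocol all
    SSLProtocol all -SSLv2 -SSLv3
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
"""

if __name__ == "__main__":
    for line_no, enabled, weak in audit(SAMPLE):
        status = "WEAK: " + ", ".join(weak) if weak else "ok"
        print(f"line {line_no}: enabled={enabled} -> {status}")
```

Every active SSLProtocol line is reported, so a leftover line elsewhere in the file shows up next to the one you just added.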
HSTS
Check out my previous post on HSTS to further improve things!
Excellent!
Two bits of information that might help future readers:
1) You can test if the change worked in the terminal with
openssl s_client -connect ricard.blog:443 -tls1
SSLLabs is good but takes too long.
2) If you have Let’s Encrypt, you need to edit:
/etc/letsencrypt/options-ssl-apache.conf
Thank you for the tips!
Have a great day.