As hinted during the previous post about DigitalOcean and a missing .htaccess file, I had some issues with SSL out of the box. The wizard was great, but when I went to https://ssllabs.com/ssltest to run a test against my site, I wasn't too happy to find both TLS 1.0 and TLS 1.1 enabled!
I was less than impressed with this, as I would have thought it normal these days to disable such insecure protocols from the start and only enable them manually if you really, really need them.
Anyway, it took me a bit of time digging around the Apache configs on Ubuntu 18.04, as I'm not that familiar with Apache, but I did find the following config file was referenced from the main config file:
A quick look in the file showed some tuning of protocols, but really not much. So I made a copy of the file and then replaced a couple of lines with my own, which have worked for me in the past:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
A quick save and a “service apache2 restart” got me the following, more respectable result!
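A check worth running on the copied file before the restart: an added example (not from the original post or from Apache) that parses the SSLProtocol and SSLCipherSuite directives, applies mod_ssl's add/remove token syntax, and flags any legacy protocol or any cipher without forward secrecy and an AEAD mode. The two config fragments are constructed, and treating an absent SSLProtocol as "all" is an assumption made for a conservative audit.

```python
"""Audit Apache mod_ssl directives for legacy protocols and weak cipher suites."""
import re

# Tokens mod_ssl accepts in SSLProtocol; "all" expands to this set (assumption for the audit).
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample fragments: one weak, one matching the directives set in the post.
WEAK_CONFIG = """SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:ECDHE-RSA-AES256-SHA
SSLHonorCipherOrder on
"""
HARDENED_CONFIG = """SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
"""

def parse_directives(config_text):
    """Return {directive: value}, keeping the last occurrence of each SSL* directive."""
    directives = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments; blank lines yield no parts
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("SSL"):
            directives[parts[0]] = parts[1].strip().strip('"')
    return directives

def enabled_protocols(value):
    """Apply SSLProtocol syntax: bare or '+' tokens add, '-' tokens remove, 'all' is the full set."""
    enabled = set()
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        protos = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | protos if sign == "+" else enabled - protos
    return enabled

def audit(config_text):
    """Return findings for legacy protocols and non-PFS or non-AEAD ciphers; empty means clean."""
    findings = []
    d = parse_directives(config_text)
    # An absent SSLProtocol is audited as "all" so nothing is silently assumed safe.
    for proto in sorted(enabled_protocols(d.get("SSLProtocol", "all")) & LEGACY_PROTOCOLS):
        findings.append(f"legacy protocol enabled: {proto}")
    for cipher in filter(None, d.get("SSLCipherSuite", "").split(":")):
        # Accept only explicit suites with forward secrecy (ECDHE/DHE) and an AEAD bulk cipher.
        if not re.match(r"^(ECDHE|DHE)-", cipher) or not re.search(r"GCM|CHACHA20", cipher):
            findings.append(f"weak or non-PFS cipher: {cipher}")
    return findings
```

The audit expects explicit suite names, as in the post's list; OpenSSL keywords such as HIGH or !aNULL would be reported as unknown ciphers rather than expanded.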