Transport Layer Security
Andrew Bonney edited this page Jun 7, 2019 · 4 revisions
This page covers configuration of certificate stores, cipher suites and similar on common platforms and for common web server implementations.
The following parameters can be added to an Apache 2 TLS configuration in order to meet the requirements of BCP-003-01. Note that a suitable version of Apache 2 and OpenSSL will be required in order for all of these parameters (TLS 1.3 in particular) to take effect.

```apache
# Turn on TLS and identify RSA and ECDSA certificates
# (mod_ssl accepts more than one certificate/key pair per virtual host)
SSLEngine on
SSLCertificateFile /path/to/rsa/certificate/chain.pem
SSLCertificateKeyFile /path/to/rsa/key.pem
SSLCertificateFile /path/to/ecdsa/certificate/chain.pem
SSLCertificateKeyFile /path/to/ecdsa/key.pem
# Enable TLS 1.2 and 1.3 only
SSLProtocol -all +TLSv1.2 +TLSv1.3
# Enable BCP-003-01 recommended ciphers, in server-preferred order
SSLHonorCipherOrder on
SSLCipherSuite TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-CCM8
# Enable OCSP stapling
# SSLUseStapling requires a stapling cache; SSLStaplingCache must be set in the
# global server context (outside any <VirtualHost>) or Apache will refuse to start
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
SSLUseStapling on
# Enable HTTP Strict Transport Security (HSTS); requires mod_headers
Header always set Strict-Transport-Security "max-age=154656000"
```
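As an added check (not part of this page or the NMOS project), the following Python lint reads an Apache TLS fragment and reports where it departs from the settings above: the protocol list, the cipher suites, cipher ordering, OCSP stapling and the HSTS header. The two sample fragments are constructed for the example; the allowed cipher list is copied from the configuration on this page.

```python
import re

# Suites from the BCP-003-01 SSLCipherSuite line above (TLS 1.3 names plus OpenSSL TLS 1.2 names).
ALLOWED_CIPHERS = set((
    "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-CCM8").split(":"))
REQUIRED_PROTOCOL = {"-all", "+TLSv1.2", "+TLSv1.3"}

def parse_directives(text):
    """Yield (directive, argument) pairs from an Apache config fragment, skipping blank and comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, arg = line.partition(" ")
            yield name, arg.strip()

def check_tls_config(text):
    """Return a list of findings; an empty list means the fragment passes every check."""
    pairs = list(parse_directives(text))
    last = dict(pairs)  # for single-valued directives the last occurrence is the one Apache applies
    findings = []
    if set(last.get("SSLProtocol", "").split()) != REQUIRED_PROTOCOL:
        findings.append("SSLProtocol must be exactly '-all +TLSv1.2 +TLSv1.3'")
    if last.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on (client preference would decide the suite)")
    for suite in filter(None, last.get("SSLCipherSuite", "").split(":")):
        if suite not in ALLOWED_CIPHERS:
            findings.append(f"cipher suite not in BCP-003-01 list: {suite}")
    if last.get("SSLUseStapling", "").lower() != "on":
        findings.append("OCSP stapling is not enabled")
    hsts = [a for n, a in pairs if n == "Header" and "Strict-Transport-Security" in a]
    if not hsts or not re.search(r"max-age=\d+", hsts[-1]):
        findings.append("HSTS header missing or has no max-age")
    return findings

# Constructed sample fragments (not taken from any real server): one matching the page, one with common weaknesses.
GOOD_CONFIG = """SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder on
SSLCipherSuite TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
SSLUseStapling on
Header always set Strict-Transport-Security "max-age=154656000"
"""
WEAK_CONFIG = """SSLEngine on
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:RC4-SHA
"""
```

Calling `check_tls_config(WEAK_CONFIG)` returns one finding per weakness (protocol, cipher order, RC4-SHA, stapling, HSTS), while the compliant fragment returns an empty list.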
NMOS is brought to you by the Advanced Media Workflow Association